Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / 61c324bbdd9a1d4037399c916db17d28f1eb6f8a / . / library / rsa.c
blob: 333e25c417905b8a95dcecc833e006863edca009 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
27 *
28 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
29 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
38#include <stdlib.h>
39#include <string.h>
40#include <stdio.h>
41
42/*
43 * Initialize an RSA context
44 */
45void rsa_init( rsa_context *ctx,
46 int padding,
47 int hash_id,
48 int (*f_rng)(void *),
49 void *p_rng )
50{
51 memset( ctx, 0, sizeof( rsa_context ) );
52
53 ctx->padding = padding;
54 ctx->hash_id = hash_id;
55
56 ctx->f_rng = f_rng;
57 ctx->p_rng = p_rng;
58}
59
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]60#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61
62/*
63 * Generate an RSA keypair
64 */
65int rsa_gen_key( rsa_context *ctx, int nbits, int exponent )
66{
67 int ret;
68 mpi P1, Q1, H, G;
69
70 if( ctx->f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]71 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
73 mpi_init( &P1, &Q1, &H, &G, NULL );
74
75 /*
76 * find primes P and Q with Q < P so that:
77 * GCD( E, (P-1)*(Q-1) ) == 1
78 */
79 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
80
81 do
82 {
83 MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
84 ctx->f_rng, ctx->p_rng ) );
85
86 MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
87 ctx->f_rng, ctx->p_rng ) );
88
89 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
90 mpi_swap( &ctx->P, &ctx->Q );
91
92 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
93 continue;
94
95 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
96 if( mpi_msb( &ctx->N ) != nbits )
97 continue;
98
99 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
100 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
101 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
102 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
103 }
104 while( mpi_cmp_int( &G, 1 ) != 0 );
105
106 /*
107 * D = E^-1 mod ((P-1)*(Q-1))
108 * DP = D mod (P - 1)
109 * DQ = D mod (Q - 1)
110 * QP = Q^-1 mod P
111 */
112 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
113 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
114 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
115 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
116
117 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
118
119cleanup:
120
121 mpi_free( &G, &H, &Q1, &P1, NULL );
122
123 if( ret != 0 )
124 {
125 rsa_free( ctx );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]126 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]127 }
128
129 return( 0 );
130}
131
132#endif
133
134/*
135 * Check a public RSA key
136 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]137int rsa_check_pubkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]138{
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]139 if( !ctx->N.p || !ctx->E.p )
140 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
141
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]142 if( ( ctx->N.p[0] & 1 ) == 0 ||
143 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]144 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]145
146 if( mpi_msb( &ctx->N ) < 128 ||
147 mpi_msb( &ctx->N ) > 4096 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]148 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]149
150 if( mpi_msb( &ctx->E ) < 2 ||
151 mpi_msb( &ctx->E ) > 64 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]152 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]153
154 return( 0 );
155}
156
157/*
158 * Check a private RSA key
159 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]160int rsa_check_privkey( const rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]161{
162 int ret;
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]163 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]164
165 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
166 return( ret );
167
Paul Bakker37940d9f2009-07-10 22:38:58 +0000[diff] [blame]168 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
169 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
170
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]171 mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, &G2, &L1, &L2, NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]172
173 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
174 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
175 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
176 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
177 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]178 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
179
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]180 MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
181 MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
182 MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
183
184 /*
185 * Check for a valid PKCS1v2 private key
186 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187 if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]188 mpi_cmp_int( &L2, 0 ) == 0 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]189 mpi_cmp_int( &I, 1 ) == 0 &&
190 mpi_cmp_int( &G, 1 ) == 0 )
191 {
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]192 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]193 return( 0 );
194 }
195
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]196
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]197cleanup:
198
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]199 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]200 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]201}
202
203/*
204 * Do an RSA public key operation
205 */
206int rsa_public( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]207 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208 unsigned char *output )
209{
210 int ret, olen;
211 mpi T;
212
213 mpi_init( &T, NULL );
214
215 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
216
217 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
218 {
219 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]220 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]221 }
222
223 olen = ctx->len;
224 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
225 MPI_CHK( mpi_write_binary( &T, output, olen ) );
226
227cleanup:
228
229 mpi_free( &T, NULL );
230
231 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]232 return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]233
234 return( 0 );
235}
236
237/*
238 * Do an RSA private key operation
239 */
240int rsa_private( rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]241 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]242 unsigned char *output )
243{
244 int ret, olen;
245 mpi T, T1, T2;
246
247 mpi_init( &T, &T1, &T2, NULL );
248
249 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
250
251 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
252 {
253 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]254 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]255 }
256
257#if 0
258 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
259#else
260 /*
261 * faster decryption using the CRT
262 *
263 * T1 = input ^ dP mod P
264 * T2 = input ^ dQ mod Q
265 */
266 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
267 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
268
269 /*
270 * T = (T1 - T2) * (Q^-1 mod P) mod P
271 */
272 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
273 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
274 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
275
276 /*
277 * output = T2 + T * Q
278 */
279 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
280 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
281#endif
282
283 olen = ctx->len;
284 MPI_CHK( mpi_write_binary( &T, output, olen ) );
285
286cleanup:
287
288 mpi_free( &T, &T1, &T2, NULL );
289
290 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]291 return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]292
293 return( 0 );
294}
295
296/*
297 * Add the message padding, then do an RSA operation
298 */
299int rsa_pkcs1_encrypt( rsa_context *ctx,
300 int mode, int ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]301 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]302 unsigned char *output )
303{
304 int nb_pad, olen;
305 unsigned char *p = output;
306
307 olen = ctx->len;
308
309 switch( ctx->padding )
310 {
311 case RSA_PKCS_V15:
312
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]313 if( ilen < 0 || olen < ilen + 11 || ctx->f_rng == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]314 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315
316 nb_pad = olen - 3 - ilen;
317
318 *p++ = 0;
319 *p++ = RSA_CRYPT;
320
321 while( nb_pad-- > 0 )
322 {
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]323 int rng_dl = 100;
324
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325 do {
Paul Bakkerb572adf2010-07-18 08:29:32 +0000[diff] [blame]326 *p = (unsigned char) ctx->f_rng( ctx->p_rng );
327 } while( *p == 0 && --rng_dl );
328
329 // Check if RNG failed to generate data
330 //
331 if( rng_dl == 0 )
332 return POLARSSL_ERR_RSA_RNG_FAILED;
333
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]334 p++;
335 }
336 *p++ = 0;
337 memcpy( p, input, ilen );
338 break;
339
340 default:
341
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]342 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343 }
344
345 return( ( mode == RSA_PUBLIC )
346 ? rsa_public( ctx, output, output )
347 : rsa_private( ctx, output, output ) );
348}
349
350/*
351 * Do an RSA operation, then remove the message padding
352 */
353int rsa_pkcs1_decrypt( rsa_context *ctx,
354 int mode, int *olen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]355 const unsigned char *input,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]356 unsigned char *output,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]357 int output_max_len)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358{
359 int ret, ilen;
360 unsigned char *p;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]361 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363 ilen = ctx->len;
364
365 if( ilen < 16 || ilen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]366 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368 ret = ( mode == RSA_PUBLIC )
369 ? rsa_public( ctx, input, buf )
370 : rsa_private( ctx, input, buf );
371
372 if( ret != 0 )
373 return( ret );
374
375 p = buf;
376
377 switch( ctx->padding )
378 {
379 case RSA_PKCS_V15:
380
381 if( *p++ != 0 || *p++ != RSA_CRYPT )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]382 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]383
384 while( *p != 0 )
385 {
386 if( p >= buf + ilen - 1 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]387 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]388 p++;
389 }
390 p++;
391 break;
392
393 default:
394
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]395 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396 }
397
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]398 if (ilen - (int)(p - buf) > output_max_len)
Paul Bakker38e2b482009-07-19 20:41:06 +0000[diff] [blame]399 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]400
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401 *olen = ilen - (int)(p - buf);
402 memcpy( output, p, *olen );
403
404 return( 0 );
405}
406
407/*
408 * Do an RSA operation to sign the message digest
409 */
410int rsa_pkcs1_sign( rsa_context *ctx,
411 int mode,
412 int hash_id,
413 int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]414 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415 unsigned char *sig )
416{
417 int nb_pad, olen;
418 unsigned char *p = sig;
419
420 olen = ctx->len;
421
422 switch( ctx->padding )
423 {
424 case RSA_PKCS_V15:
425
426 switch( hash_id )
427 {
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]428 case SIG_RSA_RAW:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]429 nb_pad = olen - 3 - hashlen;
430 break;
431
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]432 case SIG_RSA_MD2:
433 case SIG_RSA_MD4:
434 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]435 nb_pad = olen - 3 - 34;
436 break;
437
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]438 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]439 nb_pad = olen - 3 - 35;
440 break;
441
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]442 case SIG_RSA_SHA224:
443 nb_pad = olen - 3 - 47;
444 break;
445
446 case SIG_RSA_SHA256:
447 nb_pad = olen - 3 - 51;
448 break;
449
450 case SIG_RSA_SHA384:
451 nb_pad = olen - 3 - 67;
452 break;
453
454 case SIG_RSA_SHA512:
455 nb_pad = olen - 3 - 83;
456 break;
457
458
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]460 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 }
462
463 if( nb_pad < 8 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]464 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465
466 *p++ = 0;
467 *p++ = RSA_SIGN;
468 memset( p, 0xFF, nb_pad );
469 p += nb_pad;
470 *p++ = 0;
471 break;
472
473 default:
474
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]475 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477
478 switch( hash_id )
479 {
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]480 case SIG_RSA_RAW:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 memcpy( p, hash, hashlen );
482 break;
483
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]484 case SIG_RSA_MD2:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485 memcpy( p, ASN1_HASH_MDX, 18 );
486 memcpy( p + 18, hash, 16 );
487 p[13] = 2; break;
488
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]489 case SIG_RSA_MD4:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]490 memcpy( p, ASN1_HASH_MDX, 18 );
491 memcpy( p + 18, hash, 16 );
492 p[13] = 4; break;
493
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]494 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 memcpy( p, ASN1_HASH_MDX, 18 );
496 memcpy( p + 18, hash, 16 );
497 p[13] = 5; break;
498
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]499 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500 memcpy( p, ASN1_HASH_SHA1, 15 );
501 memcpy( p + 15, hash, 20 );
502 break;
503
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]504 case SIG_RSA_SHA224:
505 memcpy( p, ASN1_HASH_SHA2X, 19 );
506 memcpy( p + 19, hash, 28 );
507 p[1] += 28; p[14] = 4; p[18] += 28; break;
508
509 case SIG_RSA_SHA256:
510 memcpy( p, ASN1_HASH_SHA2X, 19 );
511 memcpy( p + 19, hash, 32 );
512 p[1] += 32; p[14] = 1; p[18] += 32; break;
513
514 case SIG_RSA_SHA384:
515 memcpy( p, ASN1_HASH_SHA2X, 19 );
516 memcpy( p + 19, hash, 48 );
517 p[1] += 48; p[14] = 2; p[18] += 48; break;
518
519 case SIG_RSA_SHA512:
520 memcpy( p, ASN1_HASH_SHA2X, 19 );
521 memcpy( p + 19, hash, 64 );
522 p[1] += 64; p[14] = 3; p[18] += 64; break;
523
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]525 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]526 }
527
528 return( ( mode == RSA_PUBLIC )
529 ? rsa_public( ctx, sig, sig )
530 : rsa_private( ctx, sig, sig ) );
531}
532
533/*
534 * Do an RSA operation and check the message digest
535 */
536int rsa_pkcs1_verify( rsa_context *ctx,
537 int mode,
538 int hash_id,
539 int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]540 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541 unsigned char *sig )
542{
543 int ret, len, siglen;
544 unsigned char *p, c;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]545 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]546
547 siglen = ctx->len;
548
549 if( siglen < 16 || siglen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]550 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551
552 ret = ( mode == RSA_PUBLIC )
553 ? rsa_public( ctx, sig, buf )
554 : rsa_private( ctx, sig, buf );
555
556 if( ret != 0 )
557 return( ret );
558
559 p = buf;
560
561 switch( ctx->padding )
562 {
563 case RSA_PKCS_V15:
564
565 if( *p++ != 0 || *p++ != RSA_SIGN )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]566 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567
568 while( *p != 0 )
569 {
570 if( p >= buf + siglen - 1 || *p != 0xFF )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]571 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 p++;
573 }
574 p++;
575 break;
576
577 default:
578
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]579 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]580 }
581
582 len = siglen - (int)( p - buf );
583
584 if( len == 34 )
585 {
586 c = p[13];
587 p[13] = 0;
588
589 if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]590 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]592 if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
593 ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
594 ( c == 5 && hash_id == SIG_RSA_MD5 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]595 {
596 if( memcmp( p + 18, hash, 16 ) == 0 )
597 return( 0 );
598 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]599 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 }
601 }
602
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]603 if( len == 35 && hash_id == SIG_RSA_SHA1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]604 {
605 if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
606 memcmp( p + 15, hash, 20 ) == 0 )
607 return( 0 );
608 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]609 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]610 }
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]611 if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
612 ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
613 ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
614 ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
615 {
616 c = p[1] - 17;
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]617 p[1] = 17;
618 p[14] = 0;
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]619
620 if( p[18] == c &&
Paul Bakkercde51572009-05-17 10:11:56 +0000[diff] [blame]621 memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
622 memcmp( p + 19, hash, c ) == 0 )
623 return( 0 );
624 else
625 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]626 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627
Paul Bakkerfc22c442009-07-19 20:36:27 +0000[diff] [blame]628 if( len == hashlen && hash_id == SIG_RSA_RAW )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629 {
630 if( memcmp( p, hash, hashlen ) == 0 )
631 return( 0 );
632 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]633 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634 }
635
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]636 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637}
638
639/*
640 * Free the components of an RSA key
641 */
642void rsa_free( rsa_context *ctx )
643{
644 mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN,
645 &ctx->QP, &ctx->DQ, &ctx->DP,
646 &ctx->Q, &ctx->P, &ctx->D,
647 &ctx->E, &ctx->N, NULL );
648}
649
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]650#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]652#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654/*
655 * Example RSA-1024 keypair, for test purposes
656 */
657#define KEY_LEN 128
658
659#define RSA_N "9292758453063D803DD603D5E777D788" \
660 "8ED1D5BF35786190FA2F23EBC0848AEA" \
661 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
662 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
663 "93A89813FBF3C4F8066D2D800F7C38A8" \
664 "1AE31942917403FF4946B0A83D3D3E05" \
665 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
666 "5E94BB77B07507233A0BC7BAC8F90F79"
667
668#define RSA_E "10001"
669
670#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
671 "66CA472BC44D253102F8B4A9D3BFA750" \
672 "91386C0077937FE33FA3252D28855837" \
673 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
674 "DF79C5CE07EE72C7F123142198164234" \
675 "CABB724CF78B8173B9F880FC86322407" \
676 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
677 "071513A1E85B5DFA031F21ECAE91A34D"
678
679#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
680 "2C01CAD19EA484A87EA4377637E75500" \
681 "FCB2005C5C7DD6EC4AC023CDA285D796" \
682 "C3D9E75E1EFC42488BB4F1D13AC30A57"
683
684#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
685 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
686 "910E4168387E3C30AA1E00C339A79508" \
687 "8452DD96A9A5EA5D9DCA68DA636032AF"
688
689#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
690 "3C94D22288ACD763FD8E5600ED4A702D" \
691 "F84198A5F06C2E72236AE490C93F07F8" \
692 "3CC559CD27BC2D1CA488811730BB5725"
693
694#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
695 "D8AAEA56749EA28623272E4F7D0592AF" \
696 "7C1F1313CAC9471B5C523BFE592F517B" \
697 "407A1BD76C164B93DA2D32A383E58357"
698
699#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
700 "F38D18D2B2F0E2DD275AA977E2BF4411" \
701 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
702 "A74206CEC169D74BF5A8C50D6F48EA08"
703
704#define PT_LEN 24
705#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
706 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
707
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]708static int myrand( void *rng_state )
709{
710 if( rng_state != NULL )
711 rng_state = NULL;
712
713 return( rand() );
714}
715
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716/*
717 * Checkup routine
718 */
719int rsa_self_test( int verbose )
720{
721 int len;
722 rsa_context rsa;
723 unsigned char sha1sum[20];
724 unsigned char rsa_plaintext[PT_LEN];
725 unsigned char rsa_decrypted[PT_LEN];
726 unsigned char rsa_ciphertext[KEY_LEN];
727
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]728 rsa_init( &rsa, RSA_PKCS_V15, 0, &myrand, NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]729
730 rsa.len = KEY_LEN;
731 mpi_read_string( &rsa.N , 16, RSA_N );
732 mpi_read_string( &rsa.E , 16, RSA_E );
733 mpi_read_string( &rsa.D , 16, RSA_D );
734 mpi_read_string( &rsa.P , 16, RSA_P );
735 mpi_read_string( &rsa.Q , 16, RSA_Q );
736 mpi_read_string( &rsa.DP, 16, RSA_DP );
737 mpi_read_string( &rsa.DQ, 16, RSA_DQ );
738 mpi_read_string( &rsa.QP, 16, RSA_QP );
739
740 if( verbose != 0 )
741 printf( " RSA key validation: " );
742
743 if( rsa_check_pubkey( &rsa ) != 0 ||
744 rsa_check_privkey( &rsa ) != 0 )
745 {
746 if( verbose != 0 )
747 printf( "failed\n" );
748
749 return( 1 );
750 }
751
752 if( verbose != 0 )
753 printf( "passed\n PKCS#1 encryption : " );
754
755 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
756
757 if( rsa_pkcs1_encrypt( &rsa, RSA_PUBLIC, PT_LEN,
758 rsa_plaintext, rsa_ciphertext ) != 0 )
759 {
760 if( verbose != 0 )
761 printf( "failed\n" );
762
763 return( 1 );
764 }
765
766 if( verbose != 0 )
767 printf( "passed\n PKCS#1 decryption : " );
768
769 if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]770 rsa_ciphertext, rsa_decrypted,
771 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]772 {
773 if( verbose != 0 )
774 printf( "failed\n" );
775
776 return( 1 );
777 }
778
779 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
780 {
781 if( verbose != 0 )
782 printf( "failed\n" );
783
784 return( 1 );
785 }
786
787 if( verbose != 0 )
788 printf( "passed\n PKCS#1 data sign : " );
789
790 sha1( rsa_plaintext, PT_LEN, sha1sum );
791
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]792 if( rsa_pkcs1_sign( &rsa, RSA_PRIVATE, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]793 sha1sum, rsa_ciphertext ) != 0 )
794 {
795 if( verbose != 0 )
796 printf( "failed\n" );
797
798 return( 1 );
799 }
800
801 if( verbose != 0 )
802 printf( "passed\n PKCS#1 sig. verify: " );
803
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame]804 if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]805 sha1sum, rsa_ciphertext ) != 0 )
806 {
807 if( verbose != 0 )
808 printf( "failed\n" );
809
810 return( 1 );
811 }
812
813 if( verbose != 0 )
814 printf( "passed\n\n" );
815
816 rsa_free( &rsa );
817
818 return( 0 );
819}
820
821#endif
822
823#endif