PolarSSL v1.2.12
rsa.c
Go to the documentation of this file.
1 /*
2  * The RSA public-key cryptosystem
3  *
4  * Copyright (C) 2006-2011, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
27  *
28  * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
29  * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_RSA_C)
35 
36 #include "polarssl/rsa.h"
37 
38 #if defined(POLARSSL_PKCS1_V21)
39 #include "polarssl/md.h"
40 #endif
41 
42 #include <stdlib.h>
43 #include <stdio.h>
44 
45 /*
46  * Initialize an RSA context
47  */
48 void rsa_init( rsa_context *ctx,
49  int padding,
50  int hash_id )
51 {
52  memset( ctx, 0, sizeof( rsa_context ) );
53 
54  ctx->padding = padding;
55  ctx->hash_id = hash_id;
56 }
57 
58 #if defined(POLARSSL_GENPRIME)
59 
60 /*
61  * Generate an RSA keypair
62  */
63 int rsa_gen_key( rsa_context *ctx,
64  int (*f_rng)(void *, unsigned char *, size_t),
65  void *p_rng,
66  unsigned int nbits, int exponent )
67 {
68  int ret;
69  mpi P1, Q1, H, G;
70 
71  if( f_rng == NULL || nbits < 128 || exponent < 3 )
73 
74  mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
75 
76  /*
77  * find primes P and Q with Q < P so that:
78  * GCD( E, (P-1)*(Q-1) ) == 1
79  */
80  MPI_CHK( mpi_lset( &ctx->E, exponent ) );
81 
82  do
83  {
84  MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
85  f_rng, p_rng ) );
86 
87  MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
88  f_rng, p_rng ) );
89 
90  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
91  mpi_swap( &ctx->P, &ctx->Q );
92 
93  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
94  continue;
95 
96  MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
97  if( mpi_msb( &ctx->N ) != nbits )
98  continue;
99 
100  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
101  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
102  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
103  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
104  }
105  while( mpi_cmp_int( &G, 1 ) != 0 );
106 
107  /*
108  * D = E^-1 mod ((P-1)*(Q-1))
109  * DP = D mod (P - 1)
110  * DQ = D mod (Q - 1)
111  * QP = Q^-1 mod P
112  */
113  MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
114  MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
115  MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
116  MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
117 
118  ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
119 
120 cleanup:
121 
122  mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
123 
124  if( ret != 0 )
125  {
126  rsa_free( ctx );
127  return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
128  }
129 
130  return( 0 );
131 }
132 
133 #endif
134 
135 /*
136  * Check a public RSA key
137  */
138 int rsa_check_pubkey( const rsa_context *ctx )
139 {
140  if( !ctx->N.p || !ctx->E.p )
142 
143  if( ( ctx->N.p[0] & 1 ) == 0 ||
144  ( ctx->E.p[0] & 1 ) == 0 )
146 
147  if( mpi_msb( &ctx->N ) < 128 ||
148  mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
150 
151  if( mpi_msb( &ctx->E ) < 2 ||
152  mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
154 
155  return( 0 );
156 }
157 
158 /*
159  * Check a private RSA key
160  */
161 int rsa_check_privkey( const rsa_context *ctx )
162 {
163  int ret;
164  mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
165 
166  if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
167  return( ret );
168 
169  if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
171 
172  mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
173  mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
174  mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
175  mpi_init( &QP );
176 
177  MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
178  MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
179  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
180  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
181  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
182  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
183 
184  MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
185  MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
186  MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
187 
188  MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
189  MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
190  MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
191  /*
192  * Check for a valid PKCS1v2 private key
193  */
194  if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
195  mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
196  mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
197  mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
198  mpi_cmp_int( &L2, 0 ) != 0 ||
199  mpi_cmp_int( &I, 1 ) != 0 ||
200  mpi_cmp_int( &G, 1 ) != 0 )
201  {
203  }
204 
205 cleanup:
206  mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
207  mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
208  mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
209  mpi_free( &QP );
210 
212  return( ret );
213 
214  if( ret != 0 )
215  return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
216 
217  return( 0 );
218 }
219 
220 /*
221  * Do an RSA public key operation
222  */
223 int rsa_public( rsa_context *ctx,
224  const unsigned char *input,
225  unsigned char *output )
226 {
227  int ret;
228  size_t olen;
229  mpi T;
230 
231  mpi_init( &T );
232 
233  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
234 
235  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
236  {
237  mpi_free( &T );
239  }
240 
241  olen = ctx->len;
242  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
243  MPI_CHK( mpi_write_binary( &T, output, olen ) );
244 
245 cleanup:
246 
247  mpi_free( &T );
248 
249  if( ret != 0 )
250  return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
251 
252  return( 0 );
253 }
254 
255 /*
256  * Do an RSA private key operation
257  */
258 int rsa_private( rsa_context *ctx,
259  int (*f_rng)(void *, unsigned char *, size_t),
260  void *p_rng,
261  const unsigned char *input,
262  unsigned char *output )
263 {
264  int ret;
265  size_t olen;
266  mpi T, T1, T2, Vi, Vf;
267 
268  mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
269  mpi_init( &Vi ); mpi_init( &Vf );
270 
271  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
272 
273  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
274  {
275  mpi_free( &T );
277  }
278 
279 #if defined(POLARSSL_RSA_NO_CRT)
280  ((void) f_rng);
281  ((void) p_rng);
282  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
283 #else
284  if( f_rng != NULL )
285  {
286  int count = 0;
287 
288  /*
289  * Blinding
290  * T = T * Vi mod N
291  */
292  /* Unblinding value: Vf = random number */
293  do {
294  if( count++ > 10 )
295  return( POLARSSL_ERR_RSA_RNG_FAILED );
296 
297  MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
298  MPI_CHK( mpi_gcd( &Vi, &Vf, &ctx->N ) );
299  } while( mpi_cmp_int( &Vi, 1 ) != 0 );
300 
301  /* Mathematically speaking, the algorithm should check Vf
302  * against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),
303  * so that Vf^-1 exists.
304  */
305 
306  /* Blinding value: Vi = Vf^(-e) mod N */
307  MPI_CHK( mpi_inv_mod( &Vi, &Vf, &ctx->N ) );
308  MPI_CHK( mpi_exp_mod( &Vi, &Vi, &ctx->E, &ctx->N, &ctx->RN ) );
309 
310  MPI_CHK( mpi_mul_mpi( &T, &T, &Vi ) );
311  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
312  }
313 
314  /*
315  * faster decryption using the CRT
316  *
317  * T1 = input ^ dP mod P
318  * T2 = input ^ dQ mod Q
319  */
320  MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
321  MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
322 
323  /*
324  * T = (T1 - T2) * (Q^-1 mod P) mod P
325  */
326  MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
327  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
328  MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
329 
330  /*
331  * output = T2 + T * Q
332  */
333  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
334  MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
335 
336  if( f_rng != NULL )
337  {
338  /*
339  * Unblind
340  * T = T * Vf mod N
341  */
342  MPI_CHK( mpi_mul_mpi( &T, &T, &Vf ) );
343  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
344  }
345 #endif
346 
347  olen = ctx->len;
348  MPI_CHK( mpi_write_binary( &T, output, olen ) );
349 
350 cleanup:
351 
352  mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
353  mpi_free( &Vi ); mpi_free( &Vf );
354 
355  if( ret != 0 )
356  return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
357 
358  return( 0 );
359 }
360 
361 #if defined(POLARSSL_PKCS1_V21)
362 
371 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen,
372  md_context_t *md_ctx )
373 {
374  unsigned char mask[POLARSSL_MD_MAX_SIZE];
375  unsigned char counter[4];
376  unsigned char *p;
377  unsigned int hlen;
378  size_t i, use_len;
379 
380  memset( mask, 0, POLARSSL_MD_MAX_SIZE );
381  memset( counter, 0, 4 );
382 
383  hlen = md_ctx->md_info->size;
384 
385  // Generate and apply dbMask
386  //
387  p = dst;
388 
389  while( dlen > 0 )
390  {
391  use_len = hlen;
392  if( dlen < hlen )
393  use_len = dlen;
394 
395  md_starts( md_ctx );
396  md_update( md_ctx, src, slen );
397  md_update( md_ctx, counter, 4 );
398  md_finish( md_ctx, mask );
399 
400  for( i = 0; i < use_len; ++i )
401  *p++ ^= mask[i];
402 
403  counter[3]++;
404 
405  dlen -= use_len;
406  }
407 }
408 #endif
409 
410 #if defined(POLARSSL_PKCS1_V21)
411 /*
412  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
413  */
415  int (*f_rng)(void *, unsigned char *, size_t),
416  void *p_rng,
417  int mode,
418  const unsigned char *label, size_t label_len,
419  size_t ilen,
420  const unsigned char *input,
421  unsigned char *output )
422 {
423  size_t olen;
424  int ret;
425  unsigned char *p = output;
426  unsigned int hlen;
427  const md_info_t *md_info;
428  md_context_t md_ctx;
429 
430  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
432 
433  md_info = md_info_from_type( ctx->hash_id );
434 
435  if( md_info == NULL )
437 
438  olen = ctx->len;
439  hlen = md_get_size( md_info );
440 
441  if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
443 
444  memset( output, 0, olen );
445 
446  *p++ = 0;
447 
448  // Generate a random octet string seed
449  //
450  if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
451  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
452 
453  p += hlen;
454 
455  // Construct DB
456  //
457  md( md_info, label, label_len, p );
458  p += hlen;
459  p += olen - 2 * hlen - 2 - ilen;
460  *p++ = 1;
461  memcpy( p, input, ilen );
462 
463  md_init_ctx( &md_ctx, md_info );
464 
465  // maskedDB: Apply dbMask to DB
466  //
467  mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
468  &md_ctx );
469 
470  // maskedSeed: Apply seedMask to seed
471  //
472  mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
473  &md_ctx );
474 
475  md_free_ctx( &md_ctx );
476 
477  return( ( mode == RSA_PUBLIC )
478  ? rsa_public( ctx, output, output )
479  : rsa_private( ctx, f_rng, p_rng, output, output ) );
480 }
481 #endif /* POLARSSL_PKCS1_V21 */
482 
483 /*
484  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
485  */
487  int (*f_rng)(void *, unsigned char *, size_t),
488  void *p_rng,
489  int mode, size_t ilen,
490  const unsigned char *input,
491  unsigned char *output )
492 {
493  size_t nb_pad, olen;
494  int ret;
495  unsigned char *p = output;
496 
497  if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL )
499 
500  olen = ctx->len;
501 
502  if( olen < ilen + 11 )
504 
505  nb_pad = olen - 3 - ilen;
506 
507  *p++ = 0;
508  if( mode == RSA_PUBLIC )
509  {
510  *p++ = RSA_CRYPT;
511 
512  while( nb_pad-- > 0 )
513  {
514  int rng_dl = 100;
515 
516  do {
517  ret = f_rng( p_rng, p, 1 );
518  } while( *p == 0 && --rng_dl && ret == 0 );
519 
520  // Check if RNG failed to generate data
521  //
522  if( rng_dl == 0 || ret != 0)
523  return POLARSSL_ERR_RSA_RNG_FAILED + ret;
524 
525  p++;
526  }
527  }
528  else
529  {
530  *p++ = RSA_SIGN;
531 
532  while( nb_pad-- > 0 )
533  *p++ = 0xFF;
534  }
535 
536  *p++ = 0;
537  memcpy( p, input, ilen );
538 
539  return( ( mode == RSA_PUBLIC )
540  ? rsa_public( ctx, output, output )
541  : rsa_private( ctx, f_rng, p_rng, output, output ) );
542 }
543 
544 /*
545  * Add the message padding, then do an RSA operation
546  */
548  int (*f_rng)(void *, unsigned char *, size_t),
549  void *p_rng,
550  int mode, size_t ilen,
551  const unsigned char *input,
552  unsigned char *output )
553 {
554  switch( ctx->padding )
555  {
556  case RSA_PKCS_V15:
557  return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
558  input, output );
559 
560 #if defined(POLARSSL_PKCS1_V21)
561  case RSA_PKCS_V21:
562  return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
563  ilen, input, output );
564 #endif
565 
566  default:
568  }
569 }
570 
571 #if defined(POLARSSL_PKCS1_V21)
572 /*
573  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
574  */
576  int (*f_rng)(void *, unsigned char *, size_t),
577  void *p_rng,
578  int mode,
579  const unsigned char *label, size_t label_len,
580  size_t *olen,
581  const unsigned char *input,
582  unsigned char *output,
583  size_t output_max_len )
584 {
585  int ret;
586  size_t ilen, i, pad_len;
587  unsigned char *p, bad, pad_done;
588  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
589  unsigned char lhash[POLARSSL_MD_MAX_SIZE];
590  unsigned int hlen;
591  const md_info_t *md_info;
592  md_context_t md_ctx;
593 
594  /*
595  * Parameters sanity checks
596  */
597  if( ctx->padding != RSA_PKCS_V21 )
599 
600  ilen = ctx->len;
601 
602  if( ilen < 16 || ilen > sizeof( buf ) )
604 
605  md_info = md_info_from_type( ctx->hash_id );
606  if( md_info == NULL )
608 
609  /*
610  * RSA operation
611  */
612  ret = ( mode == RSA_PUBLIC )
613  ? rsa_public( ctx, input, buf )
614  : rsa_private( ctx, f_rng, p_rng, input, buf );
615 
616  if( ret != 0 )
617  return( ret );
618 
619  /*
620  * Unmask data and generate lHash
621  */
622  hlen = md_get_size( md_info );
623 
624  md_init_ctx( &md_ctx, md_info );
625 
626  /* Generate lHash */
627  md( md_info, label, label_len, lhash );
628 
629  /* seed: Apply seedMask to maskedSeed */
630  mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
631  &md_ctx );
632 
633  /* DB: Apply dbMask to maskedDB */
634  mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
635  &md_ctx );
636 
637  md_free_ctx( &md_ctx );
638 
639  /*
640  * Check contents, in "constant-time"
641  */
642  p = buf;
643  bad = 0;
644 
645  bad |= *p++; /* First byte must be 0 */
646 
647  p += hlen; /* Skip seed */
648 
649  /* Check lHash */
650  for( i = 0; i < hlen; i++ )
651  bad |= lhash[i] ^ *p++;
652 
653  /* Get zero-padding len, but always read till end of buffer
654  * (minus one, for the 01 byte) */
655  pad_len = 0;
656  pad_done = 0;
657  for( i = 0; i < ilen - 2 * hlen - 2; i++ )
658  {
659  pad_done |= p[i];
660  pad_len += ( pad_done == 0 );
661  }
662 
663  p += pad_len;
664  bad |= *p++ ^ 0x01;
665 
666  /*
667  * The only information "leaked" is whether the padding was correct or not
668  * (eg, no data is copied if it was not correct). This meets the
669  * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
670  * the different error conditions.
671  */
672  if( bad != 0 )
674 
675  if (ilen - (p - buf) > output_max_len)
677 
678  *olen = ilen - (p - buf);
679  memcpy( output, p, *olen );
680 
681  return( 0 );
682 }
683 #endif /* POLARSSL_PKCS1_V21 */
684 
685 /*
686  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
687  */
689  int (*f_rng)(void *, unsigned char *, size_t),
690  void *p_rng,
691  int mode, size_t *olen,
692  const unsigned char *input,
693  unsigned char *output,
694  size_t output_max_len)
695 {
696  int ret;
697  size_t ilen, pad_count = 0, i;
698  unsigned char *p, bad, pad_done = 0;
699  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
700 
701  if( ctx->padding != RSA_PKCS_V15 )
703 
704  ilen = ctx->len;
705 
706  if( ilen < 16 || ilen > sizeof( buf ) )
708 
709  ret = ( mode == RSA_PUBLIC )
710  ? rsa_public( ctx, input, buf )
711  : rsa_private( ctx, f_rng, p_rng, input, buf );
712 
713  if( ret != 0 )
714  return( ret );
715 
716  p = buf;
717  bad = 0;
718 
719  /*
720  * Check and get padding len in "constant-time"
721  */
722  bad |= *p++; /* First byte must be 0 */
723 
724  /* This test does not depend on secret data */
725  if( mode == RSA_PRIVATE )
726  {
727  bad |= *p++ ^ RSA_CRYPT;
728 
729  /* Get padding len, but always read till end of buffer
730  * (minus one, for the 00 byte) */
731  for( i = 0; i < ilen - 3; i++ )
732  {
733  pad_done |= ( p[i] == 0 );
734  pad_count += ( pad_done == 0 );
735  }
736 
737  p += pad_count;
738  bad |= *p++; /* Must be zero */
739  }
740  else
741  {
742  bad |= *p++ ^ RSA_SIGN;
743 
744  /* Get padding len, but always read till end of buffer
745  * (minus one, for the 00 byte) */
746  for( i = 0; i < ilen - 3; i++ )
747  {
748  pad_done |= ( p[i] != 0xFF );
749  pad_count += ( pad_done == 0 );
750  }
751 
752  p += pad_count;
753  bad |= *p++; /* Must be zero */
754  }
755 
756  if( bad )
758 
759  if (ilen - (p - buf) > output_max_len)
761 
762  *olen = ilen - (p - buf);
763  memcpy( output, p, *olen );
764 
765  return( 0 );
766 }
767 
768 /*
769  * Do an RSA operation, then remove the message padding
770  */
772  int (*f_rng)(void *, unsigned char *, size_t),
773  void *p_rng,
774  int mode, size_t *olen,
775  const unsigned char *input,
776  unsigned char *output,
777  size_t output_max_len)
778 {
779  switch( ctx->padding )
780  {
781  case RSA_PKCS_V15:
782  return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
783  input, output, output_max_len );
784 
785 #if defined(POLARSSL_PKCS1_V21)
786  case RSA_PKCS_V21:
787  return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
788  olen, input, output, output_max_len );
789 #endif
790 
791  default:
793  }
794 }
795 
796 #if defined(POLARSSL_PKCS1_V21)
797 /*
798  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
799  */
801  int (*f_rng)(void *, unsigned char *, size_t),
802  void *p_rng,
803  int mode,
804  int hash_id,
805  unsigned int hashlen,
806  const unsigned char *hash,
807  unsigned char *sig )
808 {
809  size_t olen;
810  unsigned char *p = sig;
811  unsigned char salt[POLARSSL_MD_MAX_SIZE];
812  unsigned int slen, hlen, offset = 0;
813  int ret;
814  size_t msb;
815  const md_info_t *md_info;
816  md_context_t md_ctx;
817 
818  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
820 
821  olen = ctx->len;
822 
823  switch( hash_id )
824  {
825  case SIG_RSA_MD2:
826  case SIG_RSA_MD4:
827  case SIG_RSA_MD5:
828  hashlen = 16;
829  break;
830 
831  case SIG_RSA_SHA1:
832  hashlen = 20;
833  break;
834 
835  case SIG_RSA_SHA224:
836  hashlen = 28;
837  break;
838 
839  case SIG_RSA_SHA256:
840  hashlen = 32;
841  break;
842 
843  case SIG_RSA_SHA384:
844  hashlen = 48;
845  break;
846 
847  case SIG_RSA_SHA512:
848  hashlen = 64;
849  break;
850 
851  default:
853  }
854 
855  md_info = md_info_from_type( ctx->hash_id );
856  if( md_info == NULL )
858 
859  hlen = md_get_size( md_info );
860  slen = hlen;
861 
862  if( olen < hlen + slen + 2 )
864 
865  memset( sig, 0, olen );
866 
867  msb = mpi_msb( &ctx->N ) - 1;
868 
869  // Generate salt of length slen
870  //
871  if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
872  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
873 
874  // Note: EMSA-PSS encoding is over the length of N - 1 bits
875  //
876  msb = mpi_msb( &ctx->N ) - 1;
877  p += olen - hlen * 2 - 2;
878  *p++ = 0x01;
879  memcpy( p, salt, slen );
880  p += slen;
881 
882  md_init_ctx( &md_ctx, md_info );
883 
884  // Generate H = Hash( M' )
885  //
886  md_starts( &md_ctx );
887  md_update( &md_ctx, p, 8 );
888  md_update( &md_ctx, hash, hashlen );
889  md_update( &md_ctx, salt, slen );
890  md_finish( &md_ctx, p );
891 
892  // Compensate for boundary condition when applying mask
893  //
894  if( msb % 8 == 0 )
895  offset = 1;
896 
897  // maskedDB: Apply dbMask to DB
898  //
899  mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
900 
901  md_free_ctx( &md_ctx );
902 
903  sig[0] &= 0xFF >> ( olen * 8 - msb );
904 
905  p += hlen;
906  *p++ = 0xBC;
907 
908  return( ( mode == RSA_PUBLIC )
909  ? rsa_public( ctx, sig, sig )
910  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
911 }
912 #endif /* POLARSSL_PKCS1_V21 */
913 
914 /*
915  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
916  */
917 /*
918  * Do an RSA operation to sign the message digest
919  */
921  int (*f_rng)(void *, unsigned char *, size_t),
922  void *p_rng,
923  int mode,
924  int hash_id,
925  unsigned int hashlen,
926  const unsigned char *hash,
927  unsigned char *sig )
928 {
929  size_t nb_pad, olen;
930  unsigned char *p = sig;
931 
932  if( ctx->padding != RSA_PKCS_V15 )
934 
935  olen = ctx->len;
936 
937  switch( hash_id )
938  {
939  case SIG_RSA_RAW:
940  nb_pad = olen - 3 - hashlen;
941  break;
942 
943  case SIG_RSA_MD2:
944  case SIG_RSA_MD4:
945  case SIG_RSA_MD5:
946  nb_pad = olen - 3 - 34;
947  break;
948 
949  case SIG_RSA_SHA1:
950  nb_pad = olen - 3 - 35;
951  break;
952 
953  case SIG_RSA_SHA224:
954  nb_pad = olen - 3 - 47;
955  break;
956 
957  case SIG_RSA_SHA256:
958  nb_pad = olen - 3 - 51;
959  break;
960 
961  case SIG_RSA_SHA384:
962  nb_pad = olen - 3 - 67;
963  break;
964 
965  case SIG_RSA_SHA512:
966  nb_pad = olen - 3 - 83;
967  break;
968 
969 
970  default:
972  }
973 
974  if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
976 
977  *p++ = 0;
978  *p++ = RSA_SIGN;
979  memset( p, 0xFF, nb_pad );
980  p += nb_pad;
981  *p++ = 0;
982 
983  switch( hash_id )
984  {
985  case SIG_RSA_RAW:
986  memcpy( p, hash, hashlen );
987  break;
988 
989  case SIG_RSA_MD2:
990  memcpy( p, ASN1_HASH_MDX, 18 );
991  memcpy( p + 18, hash, 16 );
992  p[13] = 2; break;
993 
994  case SIG_RSA_MD4:
995  memcpy( p, ASN1_HASH_MDX, 18 );
996  memcpy( p + 18, hash, 16 );
997  p[13] = 4; break;
998 
999  case SIG_RSA_MD5:
1000  memcpy( p, ASN1_HASH_MDX, 18 );
1001  memcpy( p + 18, hash, 16 );
1002  p[13] = 5; break;
1003 
1004  case SIG_RSA_SHA1:
1005  memcpy( p, ASN1_HASH_SHA1, 15 );
1006  memcpy( p + 15, hash, 20 );
1007  break;
1008 
1009  case SIG_RSA_SHA224:
1010  memcpy( p, ASN1_HASH_SHA2X, 19 );
1011  memcpy( p + 19, hash, 28 );
1012  p[1] += 28; p[14] = 4; p[18] += 28; break;
1013 
1014  case SIG_RSA_SHA256:
1015  memcpy( p, ASN1_HASH_SHA2X, 19 );
1016  memcpy( p + 19, hash, 32 );
1017  p[1] += 32; p[14] = 1; p[18] += 32; break;
1018 
1019  case SIG_RSA_SHA384:
1020  memcpy( p, ASN1_HASH_SHA2X, 19 );
1021  memcpy( p + 19, hash, 48 );
1022  p[1] += 48; p[14] = 2; p[18] += 48; break;
1023 
1024  case SIG_RSA_SHA512:
1025  memcpy( p, ASN1_HASH_SHA2X, 19 );
1026  memcpy( p + 19, hash, 64 );
1027  p[1] += 64; p[14] = 3; p[18] += 64; break;
1028 
1029  default:
1031  }
1032 
1033  return( ( mode == RSA_PUBLIC )
1034  ? rsa_public( ctx, sig, sig )
1035  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1036 }
1037 
1038 /*
1039  * Do an RSA operation to sign the message digest
1040  */
1041 int rsa_pkcs1_sign( rsa_context *ctx,
1042  int (*f_rng)(void *, unsigned char *, size_t),
1043  void *p_rng,
1044  int mode,
1045  int hash_id,
1046  unsigned int hashlen,
1047  const unsigned char *hash,
1048  unsigned char *sig )
1049 {
1050  switch( ctx->padding )
1051  {
1052  case RSA_PKCS_V15:
1053  return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, hash_id,
1054  hashlen, hash, sig );
1055 
1056 #if defined(POLARSSL_PKCS1_V21)
1057  case RSA_PKCS_V21:
1058  return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, hash_id,
1059  hashlen, hash, sig );
1060 #endif
1061 
1062  default:
1064  }
1065 }
1066 
1067 #if defined(POLARSSL_PKCS1_V21)
1068 /*
1069  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1070  */
1072  int (*f_rng)(void *, unsigned char *, size_t),
1073  void *p_rng,
1074  int mode,
1075  int hash_id,
1076  unsigned int hashlen,
1077  const unsigned char *hash,
1078  unsigned char *sig )
1079 {
1080  int ret;
1081  size_t siglen;
1082  unsigned char *p;
1083  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1084  unsigned char result[POLARSSL_MD_MAX_SIZE];
1085  unsigned char zeros[8];
1086  unsigned int hlen;
1087  size_t slen, msb;
1088  const md_info_t *md_info;
1089  md_context_t md_ctx;
1090 
1091  if( ctx->padding != RSA_PKCS_V21 )
1093 
1094  siglen = ctx->len;
1095 
1096  if( siglen < 16 || siglen > sizeof( buf ) )
1098 
1099  ret = ( mode == RSA_PUBLIC )
1100  ? rsa_public( ctx, sig, buf )
1101  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1102 
1103  if( ret != 0 )
1104  return( ret );
1105 
1106  p = buf;
1107 
1108  if( buf[siglen - 1] != 0xBC )
1110 
1111  switch( hash_id )
1112  {
1113  case SIG_RSA_MD2:
1114  case SIG_RSA_MD4:
1115  case SIG_RSA_MD5:
1116  hashlen = 16;
1117  break;
1118 
1119  case SIG_RSA_SHA1:
1120  hashlen = 20;
1121  break;
1122 
1123  case SIG_RSA_SHA224:
1124  hashlen = 28;
1125  break;
1126 
1127  case SIG_RSA_SHA256:
1128  hashlen = 32;
1129  break;
1130 
1131  case SIG_RSA_SHA384:
1132  hashlen = 48;
1133  break;
1134 
1135  case SIG_RSA_SHA512:
1136  hashlen = 64;
1137  break;
1138 
1139  default:
1141  }
1142 
1143  md_info = md_info_from_type( ctx->hash_id );
1144  if( md_info == NULL )
1146 
1147  hlen = md_get_size( md_info );
1148  slen = siglen - hlen - 1;
1149 
1150  memset( zeros, 0, 8 );
1151 
1152  // Note: EMSA-PSS verification is over the length of N - 1 bits
1153  //
1154  msb = mpi_msb( &ctx->N ) - 1;
1155 
1156  // Compensate for boundary condition when applying mask
1157  //
1158  if( msb % 8 == 0 )
1159  {
1160  p++;
1161  siglen -= 1;
1162  }
1163  if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1165 
1166  md_init_ctx( &md_ctx, md_info );
1167 
1168  mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1169 
1170  buf[0] &= 0xFF >> ( siglen * 8 - msb );
1171 
1172  while( *p == 0 && p < buf + siglen )
1173  p++;
1174 
1175  if( p == buf + siglen ||
1176  *p++ != 0x01 )
1177  {
1178  md_free_ctx( &md_ctx );
1180  }
1181 
1182  slen -= p - buf;
1183 
1184  // Generate H = Hash( M' )
1185  //
1186  md_starts( &md_ctx );
1187  md_update( &md_ctx, zeros, 8 );
1188  md_update( &md_ctx, hash, hashlen );
1189  md_update( &md_ctx, p, slen );
1190  md_finish( &md_ctx, result );
1191 
1192  md_free_ctx( &md_ctx );
1193 
1194  if( memcmp( p + slen, result, hlen ) == 0 )
1195  return( 0 );
1196  else
1198 }
1199 #endif /* POLARSSL_PKCS1_V21 */
1200 
1201 /*
1202  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1203  */
1205  int (*f_rng)(void *, unsigned char *, size_t),
1206  void *p_rng,
1207  int mode,
1208  int hash_id,
1209  unsigned int hashlen,
1210  const unsigned char *hash,
1211  unsigned char *sig )
1212 {
1213  int ret;
1214  size_t len, siglen;
1215  unsigned char *p, c;
1216  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1217 
1218  if( ctx->padding != RSA_PKCS_V15 )
1220 
1221  siglen = ctx->len;
1222 
1223  if( siglen < 16 || siglen > sizeof( buf ) )
1225 
1226  ret = ( mode == RSA_PUBLIC )
1227  ? rsa_public( ctx, sig, buf )
1228  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1229 
1230  if( ret != 0 )
1231  return( ret );
1232 
1233  p = buf;
1234 
1235  if( *p++ != 0 || *p++ != RSA_SIGN )
1237 
1238  while( *p != 0 )
1239  {
1240  if( p >= buf + siglen - 1 || *p != 0xFF )
1242  p++;
1243  }
1244  p++;
1245 
1246  len = siglen - ( p - buf );
1247 
1248  if( len == 33 && hash_id == SIG_RSA_SHA1 )
1249  {
1250  if( memcmp( p, ASN1_HASH_SHA1_ALT, 13 ) == 0 &&
1251  memcmp( p + 13, hash, 20 ) == 0 )
1252  return( 0 );
1253  else
1255  }
1256  if( len == 34 )
1257  {
1258  c = p[13];
1259  p[13] = 0;
1260 
1261  if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
1263 
1264  if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
1265  ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
1266  ( c == 5 && hash_id == SIG_RSA_MD5 ) )
1267  {
1268  if( memcmp( p + 18, hash, 16 ) == 0 )
1269  return( 0 );
1270  else
1272  }
1273  }
1274 
1275  if( len == 35 && hash_id == SIG_RSA_SHA1 )
1276  {
1277  if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
1278  memcmp( p + 15, hash, 20 ) == 0 )
1279  return( 0 );
1280  else
1282  }
1283  if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
1284  ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
1285  ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
1286  ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
1287  {
1288  c = p[1] - 17;
1289  p[1] = 17;
1290  p[14] = 0;
1291 
1292  if( p[18] == c &&
1293  memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
1294  memcmp( p + 19, hash, c ) == 0 )
1295  return( 0 );
1296  else
1298  }
1299 
1300  if( len == hashlen && hash_id == SIG_RSA_RAW )
1301  {
1302  if( memcmp( p, hash, hashlen ) == 0 )
1303  return( 0 );
1304  else
1306  }
1307 
1309 }
1310 
1311 /*
1312  * Do an RSA operation and check the message digest
1313  */
1314 int rsa_pkcs1_verify( rsa_context *ctx,
1315  int (*f_rng)(void *, unsigned char *, size_t),
1316  void *p_rng,
1317  int mode,
1318  int hash_id,
1319  unsigned int hashlen,
1320  const unsigned char *hash,
1321  unsigned char *sig )
1322 {
1323  switch( ctx->padding )
1324  {
1325  case RSA_PKCS_V15:
1326  return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode,
1327  hash_id, hashlen, hash, sig );
1328 
1329 #if defined(POLARSSL_PKCS1_V21)
1330  case RSA_PKCS_V21:
1331  return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, hash_id,
1332  hashlen, hash, sig );
1333 #endif
1334 
1335  default:
1337  }
1338 }
1339 
1340 /*
1341  * Free the components of an RSA key
1342  */
1343 void rsa_free( rsa_context *ctx )
1344 {
1345  mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
1346  mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
1347  mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
1348  mpi_free( &ctx->E ); mpi_free( &ctx->N );
1349 }
1350 
1351 #if defined(POLARSSL_SELF_TEST)
1352 
1353 #include "polarssl/sha1.h"
1354 
1355 /*
1356  * Example RSA-1024 keypair, for test purposes
1357  */
1358 #define KEY_LEN 128
1359 
1360 #define RSA_N "9292758453063D803DD603D5E777D788" \
1361  "8ED1D5BF35786190FA2F23EBC0848AEA" \
1362  "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1363  "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1364  "93A89813FBF3C4F8066D2D800F7C38A8" \
1365  "1AE31942917403FF4946B0A83D3D3E05" \
1366  "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1367  "5E94BB77B07507233A0BC7BAC8F90F79"
1368 
1369 #define RSA_E "10001"
1370 
1371 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1372  "66CA472BC44D253102F8B4A9D3BFA750" \
1373  "91386C0077937FE33FA3252D28855837" \
1374  "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1375  "DF79C5CE07EE72C7F123142198164234" \
1376  "CABB724CF78B8173B9F880FC86322407" \
1377  "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1378  "071513A1E85B5DFA031F21ECAE91A34D"
1379 
1380 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1381  "2C01CAD19EA484A87EA4377637E75500" \
1382  "FCB2005C5C7DD6EC4AC023CDA285D796" \
1383  "C3D9E75E1EFC42488BB4F1D13AC30A57"
1384 
1385 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1386  "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1387  "910E4168387E3C30AA1E00C339A79508" \
1388  "8452DD96A9A5EA5D9DCA68DA636032AF"
1389 
1390 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1391  "3C94D22288ACD763FD8E5600ED4A702D" \
1392  "F84198A5F06C2E72236AE490C93F07F8" \
1393  "3CC559CD27BC2D1CA488811730BB5725"
1394 
1395 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1396  "D8AAEA56749EA28623272E4F7D0592AF" \
1397  "7C1F1313CAC9471B5C523BFE592F517B" \
1398  "407A1BD76C164B93DA2D32A383E58357"
1399 
1400 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1401  "F38D18D2B2F0E2DD275AA977E2BF4411" \
1402  "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1403  "A74206CEC169D74BF5A8C50D6F48EA08"
1404 
1405 #define PT_LEN 24
1406 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1407  "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1408 
1409 static int myrand( void *rng_state, unsigned char *output, size_t len )
1410 {
1411 #if !defined(__OpenBSD__)
1412  size_t i;
1413 
1414  if( rng_state != NULL )
1415  rng_state = NULL;
1416 
1417  for( i = 0; i < len; ++i )
1418  output[i] = rand();
1419 #else
1420  if( rng_state != NULL )
1421  rng_state = NULL;
1422 
1423  arc4random_buf( output, len );
1424 #endif /* !OpenBSD */
1425 
1426  return( 0 );
1427 }
1428 
1429 /*
1430  * Checkup routine
1431  */
1432 int rsa_self_test( int verbose )
1433 {
1434  int ret = 0;
1435  size_t len;
1436  rsa_context rsa;
1437  unsigned char rsa_plaintext[PT_LEN];
1438  unsigned char rsa_decrypted[PT_LEN];
1439  unsigned char rsa_ciphertext[KEY_LEN];
1440 #if defined(POLARSSL_SHA1_C)
1441  unsigned char sha1sum[20];
1442 #endif
1443 
1444  rsa_init( &rsa, RSA_PKCS_V15, 0 );
1445 
1446  rsa.len = KEY_LEN;
1447  MPI_CHK( mpi_read_string( &rsa.N , 16, RSA_N ) );
1448  MPI_CHK( mpi_read_string( &rsa.E , 16, RSA_E ) );
1449  MPI_CHK( mpi_read_string( &rsa.D , 16, RSA_D ) );
1450  MPI_CHK( mpi_read_string( &rsa.P , 16, RSA_P ) );
1451  MPI_CHK( mpi_read_string( &rsa.Q , 16, RSA_Q ) );
1452  MPI_CHK( mpi_read_string( &rsa.DP, 16, RSA_DP ) );
1453  MPI_CHK( mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
1454  MPI_CHK( mpi_read_string( &rsa.QP, 16, RSA_QP ) );
1455 
1456  if( verbose != 0 )
1457  printf( " RSA key validation: " );
1458 
1459  if( rsa_check_pubkey( &rsa ) != 0 ||
1460  rsa_check_privkey( &rsa ) != 0 )
1461  {
1462  if( verbose != 0 )
1463  printf( "failed\n" );
1464 
1465  return( 1 );
1466  }
1467 
1468  if( verbose != 0 )
1469  printf( "passed\n PKCS#1 encryption : " );
1470 
1471  memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1472 
1473  if( rsa_pkcs1_encrypt( &rsa, &myrand, NULL, RSA_PUBLIC, PT_LEN,
1474  rsa_plaintext, rsa_ciphertext ) != 0 )
1475  {
1476  if( verbose != 0 )
1477  printf( "failed\n" );
1478 
1479  return( 1 );
1480  }
1481 
1482  if( verbose != 0 )
1483  printf( "passed\n PKCS#1 decryption : " );
1484 
1485  if( rsa_pkcs1_decrypt( &rsa, &myrand, NULL, RSA_PRIVATE, &len,
1486  rsa_ciphertext, rsa_decrypted,
1487  sizeof(rsa_decrypted) ) != 0 )
1488  {
1489  if( verbose != 0 )
1490  printf( "failed\n" );
1491 
1492  return( 1 );
1493  }
1494 
1495  if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1496  {
1497  if( verbose != 0 )
1498  printf( "failed\n" );
1499 
1500  return( 1 );
1501  }
1502 
1503 #if defined(POLARSSL_SHA1_C)
1504  if( verbose != 0 )
1505  printf( "passed\n PKCS#1 data sign : " );
1506 
1507  sha1( rsa_plaintext, PT_LEN, sha1sum );
1508 
1509  if( rsa_pkcs1_sign( &rsa, &myrand, NULL, RSA_PRIVATE, SIG_RSA_SHA1, 20,
1510  sha1sum, rsa_ciphertext ) != 0 )
1511  {
1512  if( verbose != 0 )
1513  printf( "failed\n" );
1514 
1515  return( 1 );
1516  }
1517 
1518  if( verbose != 0 )
1519  printf( "passed\n PKCS#1 sig. verify: " );
1520 
1521  if( rsa_pkcs1_verify( &rsa, &myrand, NULL, RSA_PUBLIC, SIG_RSA_SHA1, 20,
1522  sha1sum, rsa_ciphertext ) != 0 )
1523  {
1524  if( verbose != 0 )
1525  printf( "failed\n" );
1526 
1527  return( 1 );
1528  }
1529 
1530  if( verbose != 0 )
1531  printf( "passed\n\n" );
1532 #endif /* POLARSSL_SHA1_C */
1533 
1534 cleanup:
1535  rsa_free( &rsa );
1536  return( ret );
1537 }
1538 
1539 #endif
1540 
1541 #endif
int md(const md_info_t *md_info, const unsigned char *input, size_t ilen, unsigned char *output)
Output = message_digest( input buffer )
int mpi_cmp_int(const mpi *X, t_sint z)
Compare signed values.
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE
The output buffer for decryption is not large enough.
Definition: rsa.h:42
#define SIG_RSA_MD5
Definition: rsa.h:51
void mpi_swap(mpi *X, mpi *Y)
Swap the contents of X and Y.
#define RSA_CRYPT
Definition: rsa.h:65
int rsa_self_test(int verbose)
Checkup routine.
#define ASN1_HASH_SHA2X
Definition: rsa.h:124
#define SIG_RSA_MD4
Definition: rsa.h:50
int rsa_rsaes_oaep_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int rsa_check_privkey(const rsa_context *ctx)
Check a private RSA key.
int mpi_gcd(mpi *G, const mpi *A, const mpi *B)
Greatest common divisor: G = gcd(A, B)
int padding
Definition: rsa.h:154
#define ASN1_HASH_SHA1
Definition: rsa.h:109
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
int mpi_fill_random(mpi *X, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Fill an MPI X with size bytes of random.
int rsa_rsaes_pkcs1_v15_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
int rsa_rsaes_oaep_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
int rsa_pkcs1_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 signature using the mode from the context.
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
#define RSA_PUBLIC
Definition: rsa.h:58
int rsa_rsassa_pkcs1_v15_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
#define RSA_PKCS_V21
Definition: rsa.h:62
mpi DQ
Definition: rsa.h:147
Configuration options (set of defines)
int rsa_check_pubkey(const rsa_context *ctx)
Check a public RSA key.
mpi RP
Definition: rsa.h:151
int mpi_div_mpi(mpi *Q, mpi *R, const mpi *A, const mpi *B)
Division by mpi: A = Q * B + R.
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:199
int rsa_rsassa_pss_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
int rsa_pkcs1_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Generic wrapper to perform a PKCS#1 decryption using the mode from the context.
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
#define POLARSSL_ERR_RSA_RNG_FAILED
The random generator failed to generate non-zeros.
Definition: rsa.h:43
MPI structure.
Definition: bignum.h:164
void mpi_init(mpi *X)
Initialize one MPI.
int mpi_cmp_mpi(const mpi *X, const mpi *Y)
Compare signed values.
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:121
size_t len
Definition: rsa.h:138
mpi P
Definition: rsa.h:144
int rsa_rsaes_pkcs1_v15_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
int mpi_add_mpi(mpi *X, const mpi *A, const mpi *B)
Signed addition: X = A + B.
mpi Q
Definition: rsa.h:145
#define ASN1_HASH_MDX
Definition: rsa.h:99
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
void rsa_free(rsa_context *ctx)
Free the components of an RSA key.
int rsa_private(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, const unsigned char *input, unsigned char *output)
Do an RSA private key operation.
RSA context structure.
Definition: rsa.h:135
mpi D
Definition: rsa.h:143
int rsa_pkcs1_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Generic wrapper to perform a PKCS#1 encryption using the mode from the context.
#define SIG_RSA_SHA512
Definition: rsa.h:56
#define POLARSSL_ERR_RSA_INVALID_PADDING
Input data contains invalid padding and is rejected.
Definition: rsa.h:36
mpi QP
Definition: rsa.h:148
#define RSA_PKCS_V15
Definition: rsa.h:61
#define RSA_PRIVATE
Definition: rsa.h:59
mpi N
Definition: rsa.h:140
#define SIG_RSA_SHA1
Definition: rsa.h:52
int mpi_inv_mod(mpi *X, const mpi *A, const mpi *N)
Modular inverse: X = A^-1 mod N.
void mpi_free(mpi *X)
Unallocate one MPI.
#define SIG_RSA_MD2
Definition: rsa.h:49
#define RSA_SIGN
Definition: rsa.h:64
int mpi_exp_mod(mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR)
Sliding-window exponentiation: X = A^E mod N.
mpi RQ
Definition: rsa.h:152
mpi E
Definition: rsa.h:141
mpi DP
Definition: rsa.h:146
#define POLARSSL_ERR_RSA_VERIFY_FAILED
The PKCS#1 verification failed.
Definition: rsa.h:41
int mpi_gen_prime(mpi *X, size_t nbits, int dh_flag, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Prime number generation.
#define ASN1_HASH_SHA1_ALT
Definition: rsa.h:117
int hash_id
Definition: rsa.h:156
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant '1' bit'.
#define POLARSSL_MPI_MAX_BITS
Maximum number of bits for usable MPIs.
Definition: bignum.h:91
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
Generic message digest wrapper.
t_uint * p
Definition: bignum.h:168
int mpi_read_binary(mpi *X, const unsigned char *buf, size_t buflen)
Import X from unsigned binary data, big endian.
The RSA public-key cryptosystem.
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA
Bad input parameters to function.
Definition: rsa.h:35
#define POLARSSL_ERR_RSA_PRIVATE_FAILED
The private key operation failed.
Definition: rsa.h:40
#define SIG_RSA_SHA224
Definition: rsa.h:53
#define POLARSSL_MD_MAX_SIZE
Definition: md.h:59
SHA-1 cryptographic hash function.
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED
Key failed to pass the libraries validity check.
Definition: rsa.h:38
int rsa_rsassa_pkcs1_v15_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
int rsa_gen_key(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, unsigned int nbits, int exponent)
Generate an RSA keypair.
void rsa_init(rsa_context *ctx, int padding, int hash_id)
Initialize an RSA context.
int mpi_mod_mpi(mpi *R, const mpi *A, const mpi *B)
Modulo: R = A mod B.
int mpi_write_binary(const mpi *X, unsigned char *buf, size_t buflen)
Export X into unsigned binary data, big endian.
int rsa_rsassa_pss_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
#define SIG_RSA_SHA256
Definition: rsa.h:54
int size
Output length of the digest function.
Definition: md.h:73
#define POLARSSL_ERR_RSA_KEY_GEN_FAILED
Something failed during generation of a key.
Definition: rsa.h:37
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
#define SIG_RSA_SHA384
Definition: rsa.h:55
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
#define POLARSSL_ERR_RSA_PUBLIC_FAILED
The public key operation failed.
Definition: rsa.h:39
#define SIG_RSA_RAW
Definition: rsa.h:48
int mpi_sub_mpi(mpi *X, const mpi *A, const mpi *B)
Signed substraction: X = A - B.
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
mpi RN
Definition: rsa.h:150
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed substraction: X = A - b.
Message digest information.
Definition: md.h:65
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
Generic message digest context.
Definition: md.h:119
#define MPI_CHK(f)
Definition: bignum.h:61
int rsa_public(rsa_context *ctx, const unsigned char *input, unsigned char *output)
Do an RSA public key operation.