PolarSSL v1.2.10
rsa.c
Go to the documentation of this file.
1 /*
2  * The RSA public-key cryptosystem
3  *
4  * Copyright (C) 2006-2011, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
27  *
28  * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
29  * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_RSA_C)
35 
36 #include "polarssl/rsa.h"
37 
38 #if defined(POLARSSL_PKCS1_V21)
39 #include "polarssl/md.h"
40 #endif
41 
42 #include <stdlib.h>
43 #include <stdio.h>
44 
45 /*
46  * Initialize an RSA context
47  */
48 void rsa_init( rsa_context *ctx,
49  int padding,
50  int hash_id )
51 {
52  memset( ctx, 0, sizeof( rsa_context ) );
53 
54  ctx->padding = padding;
55  ctx->hash_id = hash_id;
56 }
57 
58 #if defined(POLARSSL_GENPRIME)
59 
60 /*
61  * Generate an RSA keypair
62  */
63 int rsa_gen_key( rsa_context *ctx,
64  int (*f_rng)(void *, unsigned char *, size_t),
65  void *p_rng,
66  unsigned int nbits, int exponent )
67 {
68  int ret;
69  mpi P1, Q1, H, G;
70 
71  if( f_rng == NULL || nbits < 128 || exponent < 3 )
73 
74  mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
75 
76  /*
77  * find primes P and Q with Q < P so that:
78  * GCD( E, (P-1)*(Q-1) ) == 1
79  */
80  MPI_CHK( mpi_lset( &ctx->E, exponent ) );
81 
82  do
83  {
84  MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
85  f_rng, p_rng ) );
86 
87  MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
88  f_rng, p_rng ) );
89 
90  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
91  mpi_swap( &ctx->P, &ctx->Q );
92 
93  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
94  continue;
95 
96  MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
97  if( mpi_msb( &ctx->N ) != nbits )
98  continue;
99 
100  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
101  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
102  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
103  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
104  }
105  while( mpi_cmp_int( &G, 1 ) != 0 );
106 
107  /*
108  * D = E^-1 mod ((P-1)*(Q-1))
109  * DP = D mod (P - 1)
110  * DQ = D mod (Q - 1)
111  * QP = Q^-1 mod P
112  */
113  MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
114  MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
115  MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
116  MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
117 
118  ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
119 
120 cleanup:
121 
122  mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
123 
124  if( ret != 0 )
125  {
126  rsa_free( ctx );
127  return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
128  }
129 
130  return( 0 );
131 }
132 
133 #endif
134 
135 /*
136  * Check a public RSA key
137  */
138 int rsa_check_pubkey( const rsa_context *ctx )
139 {
140  if( !ctx->N.p || !ctx->E.p )
142 
143  if( ( ctx->N.p[0] & 1 ) == 0 ||
144  ( ctx->E.p[0] & 1 ) == 0 )
146 
147  if( mpi_msb( &ctx->N ) < 128 ||
148  mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
150 
151  if( mpi_msb( &ctx->E ) < 2 ||
152  mpi_msb( &ctx->E ) > 64 )
154 
155  return( 0 );
156 }
157 
158 /*
159  * Check a private RSA key
160  */
161 int rsa_check_privkey( const rsa_context *ctx )
162 {
163  int ret;
164  mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
165 
166  if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
167  return( ret );
168 
169  if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
171 
172  mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
173  mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
174  mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
175  mpi_init( &QP );
176 
177  MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
178  MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
179  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
180  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
181  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
182  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
183 
184  MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
185  MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
186  MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
187 
188  MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
189  MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
190  MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
191  /*
192  * Check for a valid PKCS1v2 private key
193  */
194  if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
195  mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
196  mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
197  mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
198  mpi_cmp_int( &L2, 0 ) != 0 ||
199  mpi_cmp_int( &I, 1 ) != 0 ||
200  mpi_cmp_int( &G, 1 ) != 0 )
201  {
203  }
204 
205 cleanup:
206  mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
207  mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
208  mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
209  mpi_free( &QP );
210 
212  return( ret );
213 
214  if( ret != 0 )
215  return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
216 
217  return( 0 );
218 }
219 
220 /*
221  * Do an RSA public key operation
222  */
223 int rsa_public( rsa_context *ctx,
224  const unsigned char *input,
225  unsigned char *output )
226 {
227  int ret;
228  size_t olen;
229  mpi T;
230 
231  mpi_init( &T );
232 
233  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
234 
235  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
236  {
237  mpi_free( &T );
239  }
240 
241  olen = ctx->len;
242  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
243  MPI_CHK( mpi_write_binary( &T, output, olen ) );
244 
245 cleanup:
246 
247  mpi_free( &T );
248 
249  if( ret != 0 )
250  return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
251 
252  return( 0 );
253 }
254 
255 /*
256  * Do an RSA private key operation
257  */
258 int rsa_private( rsa_context *ctx,
259  int (*f_rng)(void *, unsigned char *, size_t),
260  void *p_rng,
261  const unsigned char *input,
262  unsigned char *output )
263 {
264  int ret;
265  size_t olen;
266  mpi T, T1, T2, Vi, Vf;
267 
268  mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
269  mpi_init( &Vi ); mpi_init( &Vf );
270 
271  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
272 
273  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
274  {
275  mpi_free( &T );
277  }
278 
279 #if defined(POLARSSL_RSA_NO_CRT)
280  ((void) f_rng);
281  ((void) p_rng);
282  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
283 #else
284  if( f_rng != NULL )
285  {
286  /*
287  * Blinding
288  * T = T * Vi mod N
289  */
290  /* Unblinding value: Vf = random number */
291  MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
292 
293  /* Mathematically speaking, the algorithm should check Vf
294  * against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),
295  * so that Vf^-1 exists.
296  */
297 
298  /* Blinding value: Vi = Vf^(-e) mod N */
299  MPI_CHK( mpi_inv_mod( &Vi, &Vf, &ctx->N ) );
300  MPI_CHK( mpi_exp_mod( &Vi, &Vi, &ctx->E, &ctx->N, &ctx->RN ) );
301 
302  MPI_CHK( mpi_mul_mpi( &T, &T, &Vi ) );
303  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
304  }
305 
306  /*
307  * faster decryption using the CRT
308  *
309  * T1 = input ^ dP mod P
310  * T2 = input ^ dQ mod Q
311  */
312  MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
313  MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
314 
315  /*
316  * T = (T1 - T2) * (Q^-1 mod P) mod P
317  */
318  MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
319  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
320  MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
321 
322  /*
323  * output = T2 + T * Q
324  */
325  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
326  MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
327 
328  if( f_rng != NULL )
329  {
330  /*
331  * Unblind
332  * T = T * Vf mod N
333  */
334  MPI_CHK( mpi_mul_mpi( &T, &T, &Vf ) );
335  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
336  }
337 #endif
338 
339  olen = ctx->len;
340  MPI_CHK( mpi_write_binary( &T, output, olen ) );
341 
342 cleanup:
343 
344  mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
345  mpi_free( &Vi ); mpi_free( &Vf );
346 
347  if( ret != 0 )
348  return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
349 
350  return( 0 );
351 }
352 
353 #if defined(POLARSSL_PKCS1_V21)
354 
363 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen,
364  md_context_t *md_ctx )
365 {
366  unsigned char mask[POLARSSL_MD_MAX_SIZE];
367  unsigned char counter[4];
368  unsigned char *p;
369  unsigned int hlen;
370  size_t i, use_len;
371 
372  memset( mask, 0, POLARSSL_MD_MAX_SIZE );
373  memset( counter, 0, 4 );
374 
375  hlen = md_ctx->md_info->size;
376 
377  // Generate and apply dbMask
378  //
379  p = dst;
380 
381  while( dlen > 0 )
382  {
383  use_len = hlen;
384  if( dlen < hlen )
385  use_len = dlen;
386 
387  md_starts( md_ctx );
388  md_update( md_ctx, src, slen );
389  md_update( md_ctx, counter, 4 );
390  md_finish( md_ctx, mask );
391 
392  for( i = 0; i < use_len; ++i )
393  *p++ ^= mask[i];
394 
395  counter[3]++;
396 
397  dlen -= use_len;
398  }
399 }
400 #endif
401 
402 #if defined(POLARSSL_PKCS1_V21)
403 /*
404  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
405  */
407  int (*f_rng)(void *, unsigned char *, size_t),
408  void *p_rng,
409  int mode,
410  const unsigned char *label, size_t label_len,
411  size_t ilen,
412  const unsigned char *input,
413  unsigned char *output )
414 {
415  size_t olen;
416  int ret;
417  unsigned char *p = output;
418  unsigned int hlen;
419  const md_info_t *md_info;
420  md_context_t md_ctx;
421 
422  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
424 
425  md_info = md_info_from_type( ctx->hash_id );
426 
427  if( md_info == NULL )
429 
430  olen = ctx->len;
431  hlen = md_get_size( md_info );
432 
433  if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
435 
436  memset( output, 0, olen );
437 
438  *p++ = 0;
439 
440  // Generate a random octet string seed
441  //
442  if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
443  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
444 
445  p += hlen;
446 
447  // Construct DB
448  //
449  md( md_info, label, label_len, p );
450  p += hlen;
451  p += olen - 2 * hlen - 2 - ilen;
452  *p++ = 1;
453  memcpy( p, input, ilen );
454 
455  md_init_ctx( &md_ctx, md_info );
456 
457  // maskedDB: Apply dbMask to DB
458  //
459  mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
460  &md_ctx );
461 
462  // maskedSeed: Apply seedMask to seed
463  //
464  mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
465  &md_ctx );
466 
467  md_free_ctx( &md_ctx );
468 
469  return( ( mode == RSA_PUBLIC )
470  ? rsa_public( ctx, output, output )
471  : rsa_private( ctx, f_rng, p_rng, output, output ) );
472 }
473 #endif /* POLARSSL_PKCS1_V21 */
474 
475 /*
476  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
477  */
479  int (*f_rng)(void *, unsigned char *, size_t),
480  void *p_rng,
481  int mode, size_t ilen,
482  const unsigned char *input,
483  unsigned char *output )
484 {
485  size_t nb_pad, olen;
486  int ret;
487  unsigned char *p = output;
488 
489  if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL )
491 
492  olen = ctx->len;
493 
494  if( olen < ilen + 11 )
496 
497  nb_pad = olen - 3 - ilen;
498 
499  *p++ = 0;
500  if( mode == RSA_PUBLIC )
501  {
502  *p++ = RSA_CRYPT;
503 
504  while( nb_pad-- > 0 )
505  {
506  int rng_dl = 100;
507 
508  do {
509  ret = f_rng( p_rng, p, 1 );
510  } while( *p == 0 && --rng_dl && ret == 0 );
511 
512  // Check if RNG failed to generate data
513  //
514  if( rng_dl == 0 || ret != 0)
515  return POLARSSL_ERR_RSA_RNG_FAILED + ret;
516 
517  p++;
518  }
519  }
520  else
521  {
522  *p++ = RSA_SIGN;
523 
524  while( nb_pad-- > 0 )
525  *p++ = 0xFF;
526  }
527 
528  *p++ = 0;
529  memcpy( p, input, ilen );
530 
531  return( ( mode == RSA_PUBLIC )
532  ? rsa_public( ctx, output, output )
533  : rsa_private( ctx, f_rng, p_rng, output, output ) );
534 }
535 
536 /*
537  * Add the message padding, then do an RSA operation
538  */
540  int (*f_rng)(void *, unsigned char *, size_t),
541  void *p_rng,
542  int mode, size_t ilen,
543  const unsigned char *input,
544  unsigned char *output )
545 {
546  switch( ctx->padding )
547  {
548  case RSA_PKCS_V15:
549  return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
550  input, output );
551 
552 #if defined(POLARSSL_PKCS1_V21)
553  case RSA_PKCS_V21:
554  return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
555  ilen, input, output );
556 #endif
557 
558  default:
560  }
561 }
562 
563 #if defined(POLARSSL_PKCS1_V21)
564 /*
565  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
566  */
568  int (*f_rng)(void *, unsigned char *, size_t),
569  void *p_rng,
570  int mode,
571  const unsigned char *label, size_t label_len,
572  size_t *olen,
573  const unsigned char *input,
574  unsigned char *output,
575  size_t output_max_len )
576 {
577  int ret;
578  size_t ilen;
579  unsigned char *p;
580  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
581  unsigned char lhash[POLARSSL_MD_MAX_SIZE];
582  unsigned int hlen;
583  const md_info_t *md_info;
584  md_context_t md_ctx;
585 
586  if( ctx->padding != RSA_PKCS_V21 )
588 
589  ilen = ctx->len;
590 
591  if( ilen < 16 || ilen > sizeof( buf ) )
593 
594  ret = ( mode == RSA_PUBLIC )
595  ? rsa_public( ctx, input, buf )
596  : rsa_private( ctx, f_rng, p_rng, input, buf );
597 
598  if( ret != 0 )
599  return( ret );
600 
601  p = buf;
602 
603  if( *p++ != 0 )
605 
606  md_info = md_info_from_type( ctx->hash_id );
607  if( md_info == NULL )
609 
610  hlen = md_get_size( md_info );
611 
612  md_init_ctx( &md_ctx, md_info );
613 
614  // Generate lHash
615  //
616  md( md_info, label, label_len, lhash );
617 
618  // seed: Apply seedMask to maskedSeed
619  //
620  mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
621  &md_ctx );
622 
623  // DB: Apply dbMask to maskedDB
624  //
625  mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
626  &md_ctx );
627 
628  p += hlen;
629  md_free_ctx( &md_ctx );
630 
631  // Check validity
632  //
633  if( memcmp( lhash, p, hlen ) != 0 )
635 
636  p += hlen;
637 
638  while( *p == 0 && p < buf + ilen )
639  p++;
640 
641  if( p == buf + ilen )
643 
644  if( *p++ != 0x01 )
646 
647  if (ilen - (p - buf) > output_max_len)
649 
650  *olen = ilen - (p - buf);
651  memcpy( output, p, *olen );
652 
653  return( 0 );
654 }
655 #endif /* POLARSSL_PKCS1_V21 */
656 
657 /*
658  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
659  */
661  int (*f_rng)(void *, unsigned char *, size_t),
662  void *p_rng,
663  int mode, size_t *olen,
664  const unsigned char *input,
665  unsigned char *output,
666  size_t output_max_len)
667 {
668  int ret, correct = 1;
669  size_t ilen, pad_count = 0;
670  unsigned char *p, *q;
671  unsigned char bt;
672  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
673 
674  if( ctx->padding != RSA_PKCS_V15 )
676 
677  ilen = ctx->len;
678 
679  if( ilen < 16 || ilen > sizeof( buf ) )
681 
682  ret = ( mode == RSA_PUBLIC )
683  ? rsa_public( ctx, input, buf )
684  : rsa_private( ctx, f_rng, p_rng, input, buf );
685 
686  if( ret != 0 )
687  return( ret );
688 
689  p = buf;
690 
691  if( *p++ != 0 )
692  correct = 0;
693 
694  bt = *p++;
695  if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
696  ( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
697  {
698  correct = 0;
699  }
700 
701  if( bt == RSA_CRYPT )
702  {
703  while( *p != 0 && p < buf + ilen - 1 )
704  pad_count += ( *p++ != 0 );
705 
706  correct &= ( *p == 0 && p < buf + ilen - 1 );
707 
708  q = p;
709 
710  // Also pass over all other bytes to reduce timing differences
711  //
712  while ( q < buf + ilen - 1 )
713  pad_count += ( *q++ != 0 );
714 
715  // Prevent compiler optimization of pad_count
716  //
717  correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
718  p++;
719  }
720  else
721  {
722  while( *p == 0xFF && p < buf + ilen - 1 )
723  pad_count += ( *p++ == 0xFF );
724 
725  correct &= ( *p == 0 && p < buf + ilen - 1 );
726 
727  q = p;
728 
729  // Also pass over all other bytes to reduce timing differences
730  //
731  while ( q < buf + ilen - 1 )
732  pad_count += ( *q++ != 0 );
733 
734  // Prevent compiler optimization of pad_count
735  //
736  correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
737  p++;
738  }
739 
740  if( correct == 0 )
742 
743  if (ilen - (p - buf) > output_max_len)
745 
746  *olen = ilen - (p - buf);
747  memcpy( output, p, *olen );
748 
749  return( 0 );
750 }
751 
752 /*
753  * Do an RSA operation, then remove the message padding
754  */
756  int (*f_rng)(void *, unsigned char *, size_t),
757  void *p_rng,
758  int mode, size_t *olen,
759  const unsigned char *input,
760  unsigned char *output,
761  size_t output_max_len)
762 {
763  switch( ctx->padding )
764  {
765  case RSA_PKCS_V15:
766  return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
767  input, output, output_max_len );
768 
769 #if defined(POLARSSL_PKCS1_V21)
770  case RSA_PKCS_V21:
771  return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
772  olen, input, output, output_max_len );
773 #endif
774 
775  default:
777  }
778 }
779 
780 #if defined(POLARSSL_PKCS1_V21)
781 /*
782  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
783  */
785  int (*f_rng)(void *, unsigned char *, size_t),
786  void *p_rng,
787  int mode,
788  int hash_id,
789  unsigned int hashlen,
790  const unsigned char *hash,
791  unsigned char *sig )
792 {
793  size_t olen;
794  unsigned char *p = sig;
795  unsigned char salt[POLARSSL_MD_MAX_SIZE];
796  unsigned int slen, hlen, offset = 0;
797  int ret;
798  size_t msb;
799  const md_info_t *md_info;
800  md_context_t md_ctx;
801 
802  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
804 
805  olen = ctx->len;
806 
807  switch( hash_id )
808  {
809  case SIG_RSA_MD2:
810  case SIG_RSA_MD4:
811  case SIG_RSA_MD5:
812  hashlen = 16;
813  break;
814 
815  case SIG_RSA_SHA1:
816  hashlen = 20;
817  break;
818 
819  case SIG_RSA_SHA224:
820  hashlen = 28;
821  break;
822 
823  case SIG_RSA_SHA256:
824  hashlen = 32;
825  break;
826 
827  case SIG_RSA_SHA384:
828  hashlen = 48;
829  break;
830 
831  case SIG_RSA_SHA512:
832  hashlen = 64;
833  break;
834 
835  default:
837  }
838 
839  md_info = md_info_from_type( ctx->hash_id );
840  if( md_info == NULL )
842 
843  hlen = md_get_size( md_info );
844  slen = hlen;
845 
846  if( olen < hlen + slen + 2 )
848 
849  memset( sig, 0, olen );
850 
851  msb = mpi_msb( &ctx->N ) - 1;
852 
853  // Generate salt of length slen
854  //
855  if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
856  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
857 
858  // Note: EMSA-PSS encoding is over the length of N - 1 bits
859  //
860  msb = mpi_msb( &ctx->N ) - 1;
861  p += olen - hlen * 2 - 2;
862  *p++ = 0x01;
863  memcpy( p, salt, slen );
864  p += slen;
865 
866  md_init_ctx( &md_ctx, md_info );
867 
868  // Generate H = Hash( M' )
869  //
870  md_starts( &md_ctx );
871  md_update( &md_ctx, p, 8 );
872  md_update( &md_ctx, hash, hashlen );
873  md_update( &md_ctx, salt, slen );
874  md_finish( &md_ctx, p );
875 
876  // Compensate for boundary condition when applying mask
877  //
878  if( msb % 8 == 0 )
879  offset = 1;
880 
881  // maskedDB: Apply dbMask to DB
882  //
883  mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
884 
885  md_free_ctx( &md_ctx );
886 
887  msb = mpi_msb( &ctx->N ) - 1;
888  sig[0] &= 0xFF >> ( olen * 8 - msb );
889 
890  p += hlen;
891  *p++ = 0xBC;
892 
893  return( ( mode == RSA_PUBLIC )
894  ? rsa_public( ctx, sig, sig )
895  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
896 }
897 #endif /* POLARSSL_PKCS1_V21 */
898 
899 /*
900  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
901  */
902 /*
903  * Do an RSA operation to sign the message digest
904  */
906  int (*f_rng)(void *, unsigned char *, size_t),
907  void *p_rng,
908  int mode,
909  int hash_id,
910  unsigned int hashlen,
911  const unsigned char *hash,
912  unsigned char *sig )
913 {
914  size_t nb_pad, olen;
915  unsigned char *p = sig;
916 
917  if( ctx->padding != RSA_PKCS_V15 )
919 
920  olen = ctx->len;
921 
922  switch( hash_id )
923  {
924  case SIG_RSA_RAW:
925  nb_pad = olen - 3 - hashlen;
926  break;
927 
928  case SIG_RSA_MD2:
929  case SIG_RSA_MD4:
930  case SIG_RSA_MD5:
931  nb_pad = olen - 3 - 34;
932  break;
933 
934  case SIG_RSA_SHA1:
935  nb_pad = olen - 3 - 35;
936  break;
937 
938  case SIG_RSA_SHA224:
939  nb_pad = olen - 3 - 47;
940  break;
941 
942  case SIG_RSA_SHA256:
943  nb_pad = olen - 3 - 51;
944  break;
945 
946  case SIG_RSA_SHA384:
947  nb_pad = olen - 3 - 67;
948  break;
949 
950  case SIG_RSA_SHA512:
951  nb_pad = olen - 3 - 83;
952  break;
953 
954 
955  default:
957  }
958 
959  if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
961 
962  *p++ = 0;
963  *p++ = RSA_SIGN;
964  memset( p, 0xFF, nb_pad );
965  p += nb_pad;
966  *p++ = 0;
967 
968  switch( hash_id )
969  {
970  case SIG_RSA_RAW:
971  memcpy( p, hash, hashlen );
972  break;
973 
974  case SIG_RSA_MD2:
975  memcpy( p, ASN1_HASH_MDX, 18 );
976  memcpy( p + 18, hash, 16 );
977  p[13] = 2; break;
978 
979  case SIG_RSA_MD4:
980  memcpy( p, ASN1_HASH_MDX, 18 );
981  memcpy( p + 18, hash, 16 );
982  p[13] = 4; break;
983 
984  case SIG_RSA_MD5:
985  memcpy( p, ASN1_HASH_MDX, 18 );
986  memcpy( p + 18, hash, 16 );
987  p[13] = 5; break;
988 
989  case SIG_RSA_SHA1:
990  memcpy( p, ASN1_HASH_SHA1, 15 );
991  memcpy( p + 15, hash, 20 );
992  break;
993 
994  case SIG_RSA_SHA224:
995  memcpy( p, ASN1_HASH_SHA2X, 19 );
996  memcpy( p + 19, hash, 28 );
997  p[1] += 28; p[14] = 4; p[18] += 28; break;
998 
999  case SIG_RSA_SHA256:
1000  memcpy( p, ASN1_HASH_SHA2X, 19 );
1001  memcpy( p + 19, hash, 32 );
1002  p[1] += 32; p[14] = 1; p[18] += 32; break;
1003 
1004  case SIG_RSA_SHA384:
1005  memcpy( p, ASN1_HASH_SHA2X, 19 );
1006  memcpy( p + 19, hash, 48 );
1007  p[1] += 48; p[14] = 2; p[18] += 48; break;
1008 
1009  case SIG_RSA_SHA512:
1010  memcpy( p, ASN1_HASH_SHA2X, 19 );
1011  memcpy( p + 19, hash, 64 );
1012  p[1] += 64; p[14] = 3; p[18] += 64; break;
1013 
1014  default:
1016  }
1017 
1018  return( ( mode == RSA_PUBLIC )
1019  ? rsa_public( ctx, sig, sig )
1020  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1021 }
1022 
1023 /*
1024  * Do an RSA operation to sign the message digest
1025  */
1026 int rsa_pkcs1_sign( rsa_context *ctx,
1027  int (*f_rng)(void *, unsigned char *, size_t),
1028  void *p_rng,
1029  int mode,
1030  int hash_id,
1031  unsigned int hashlen,
1032  const unsigned char *hash,
1033  unsigned char *sig )
1034 {
1035  switch( ctx->padding )
1036  {
1037  case RSA_PKCS_V15:
1038  return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, hash_id,
1039  hashlen, hash, sig );
1040 
1041 #if defined(POLARSSL_PKCS1_V21)
1042  case RSA_PKCS_V21:
1043  return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, hash_id,
1044  hashlen, hash, sig );
1045 #endif
1046 
1047  default:
1049  }
1050 }
1051 
1052 #if defined(POLARSSL_PKCS1_V21)
1053 /*
1054  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1055  */
1057  int (*f_rng)(void *, unsigned char *, size_t),
1058  void *p_rng,
1059  int mode,
1060  int hash_id,
1061  unsigned int hashlen,
1062  const unsigned char *hash,
1063  unsigned char *sig )
1064 {
1065  int ret;
1066  size_t siglen;
1067  unsigned char *p;
1068  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1069  unsigned char result[POLARSSL_MD_MAX_SIZE];
1070  unsigned char zeros[8];
1071  unsigned int hlen;
1072  size_t slen, msb;
1073  const md_info_t *md_info;
1074  md_context_t md_ctx;
1075 
1076  if( ctx->padding != RSA_PKCS_V21 )
1078 
1079  siglen = ctx->len;
1080 
1081  if( siglen < 16 || siglen > sizeof( buf ) )
1083 
1084  ret = ( mode == RSA_PUBLIC )
1085  ? rsa_public( ctx, sig, buf )
1086  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1087 
1088  if( ret != 0 )
1089  return( ret );
1090 
1091  p = buf;
1092 
1093  if( buf[siglen - 1] != 0xBC )
1095 
1096  switch( hash_id )
1097  {
1098  case SIG_RSA_MD2:
1099  case SIG_RSA_MD4:
1100  case SIG_RSA_MD5:
1101  hashlen = 16;
1102  break;
1103 
1104  case SIG_RSA_SHA1:
1105  hashlen = 20;
1106  break;
1107 
1108  case SIG_RSA_SHA224:
1109  hashlen = 28;
1110  break;
1111 
1112  case SIG_RSA_SHA256:
1113  hashlen = 32;
1114  break;
1115 
1116  case SIG_RSA_SHA384:
1117  hashlen = 48;
1118  break;
1119 
1120  case SIG_RSA_SHA512:
1121  hashlen = 64;
1122  break;
1123 
1124  default:
1126  }
1127 
1128  md_info = md_info_from_type( ctx->hash_id );
1129  if( md_info == NULL )
1131 
1132  hlen = md_get_size( md_info );
1133  slen = siglen - hlen - 1;
1134 
1135  memset( zeros, 0, 8 );
1136 
1137  // Note: EMSA-PSS verification is over the length of N - 1 bits
1138  //
1139  msb = mpi_msb( &ctx->N ) - 1;
1140 
1141  // Compensate for boundary condition when applying mask
1142  //
1143  if( msb % 8 == 0 )
1144  {
1145  p++;
1146  siglen -= 1;
1147  }
1148  if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1150 
1151  md_init_ctx( &md_ctx, md_info );
1152 
1153  mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1154 
1155  buf[0] &= 0xFF >> ( siglen * 8 - msb );
1156 
1157  while( *p == 0 && p < buf + siglen )
1158  p++;
1159 
1160  if( p == buf + siglen ||
1161  *p++ != 0x01 )
1162  {
1163  md_free_ctx( &md_ctx );
1165  }
1166 
1167  slen -= p - buf;
1168 
1169  // Generate H = Hash( M' )
1170  //
1171  md_starts( &md_ctx );
1172  md_update( &md_ctx, zeros, 8 );
1173  md_update( &md_ctx, hash, hashlen );
1174  md_update( &md_ctx, p, slen );
1175  md_finish( &md_ctx, result );
1176 
1177  md_free_ctx( &md_ctx );
1178 
1179  if( memcmp( p + slen, result, hlen ) == 0 )
1180  return( 0 );
1181  else
1183 }
1184 #endif /* POLARSSL_PKCS1_V21 */
1185 
1186 /*
1187  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1188  */
1190  int (*f_rng)(void *, unsigned char *, size_t),
1191  void *p_rng,
1192  int mode,
1193  int hash_id,
1194  unsigned int hashlen,
1195  const unsigned char *hash,
1196  unsigned char *sig )
1197 {
1198  int ret;
1199  size_t len, siglen;
1200  unsigned char *p, c;
1201  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1202 
1203  if( ctx->padding != RSA_PKCS_V15 )
1205 
1206  siglen = ctx->len;
1207 
1208  if( siglen < 16 || siglen > sizeof( buf ) )
1210 
1211  ret = ( mode == RSA_PUBLIC )
1212  ? rsa_public( ctx, sig, buf )
1213  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1214 
1215  if( ret != 0 )
1216  return( ret );
1217 
1218  p = buf;
1219 
1220  if( *p++ != 0 || *p++ != RSA_SIGN )
1222 
1223  while( *p != 0 )
1224  {
1225  if( p >= buf + siglen - 1 || *p != 0xFF )
1227  p++;
1228  }
1229  p++;
1230 
1231  len = siglen - ( p - buf );
1232 
1233  if( len == 33 && hash_id == SIG_RSA_SHA1 )
1234  {
1235  if( memcmp( p, ASN1_HASH_SHA1_ALT, 13 ) == 0 &&
1236  memcmp( p + 13, hash, 20 ) == 0 )
1237  return( 0 );
1238  else
1240  }
1241  if( len == 34 )
1242  {
1243  c = p[13];
1244  p[13] = 0;
1245 
1246  if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
1248 
1249  if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
1250  ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
1251  ( c == 5 && hash_id == SIG_RSA_MD5 ) )
1252  {
1253  if( memcmp( p + 18, hash, 16 ) == 0 )
1254  return( 0 );
1255  else
1257  }
1258  }
1259 
1260  if( len == 35 && hash_id == SIG_RSA_SHA1 )
1261  {
1262  if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
1263  memcmp( p + 15, hash, 20 ) == 0 )
1264  return( 0 );
1265  else
1267  }
1268  if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
1269  ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
1270  ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
1271  ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
1272  {
1273  c = p[1] - 17;
1274  p[1] = 17;
1275  p[14] = 0;
1276 
1277  if( p[18] == c &&
1278  memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
1279  memcmp( p + 19, hash, c ) == 0 )
1280  return( 0 );
1281  else
1283  }
1284 
1285  if( len == hashlen && hash_id == SIG_RSA_RAW )
1286  {
1287  if( memcmp( p, hash, hashlen ) == 0 )
1288  return( 0 );
1289  else
1291  }
1292 
1294 }
1295 
1296 /*
1297  * Do an RSA operation and check the message digest
1298  */
1299 int rsa_pkcs1_verify( rsa_context *ctx,
1300  int (*f_rng)(void *, unsigned char *, size_t),
1301  void *p_rng,
1302  int mode,
1303  int hash_id,
1304  unsigned int hashlen,
1305  const unsigned char *hash,
1306  unsigned char *sig )
1307 {
1308  switch( ctx->padding )
1309  {
1310  case RSA_PKCS_V15:
1311  return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode,
1312  hash_id, hashlen, hash, sig );
1313 
1314 #if defined(POLARSSL_PKCS1_V21)
1315  case RSA_PKCS_V21:
1316  return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, hash_id,
1317  hashlen, hash, sig );
1318 #endif
1319 
1320  default:
1322  }
1323 }
1324 
1325 /*
1326  * Free the components of an RSA key
1327  */
1328 void rsa_free( rsa_context *ctx )
1329 {
1330  mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
1331  mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
1332  mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
1333  mpi_free( &ctx->E ); mpi_free( &ctx->N );
1334 }
1335 
1336 #if defined(POLARSSL_SELF_TEST)
1337 
1338 #include "polarssl/sha1.h"
1339 
1340 /*
1341  * Example RSA-1024 keypair, for test purposes
1342  */
1343 #define KEY_LEN 128
1344 
1345 #define RSA_N "9292758453063D803DD603D5E777D788" \
1346  "8ED1D5BF35786190FA2F23EBC0848AEA" \
1347  "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1348  "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1349  "93A89813FBF3C4F8066D2D800F7C38A8" \
1350  "1AE31942917403FF4946B0A83D3D3E05" \
1351  "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1352  "5E94BB77B07507233A0BC7BAC8F90F79"
1353 
1354 #define RSA_E "10001"
1355 
1356 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1357  "66CA472BC44D253102F8B4A9D3BFA750" \
1358  "91386C0077937FE33FA3252D28855837" \
1359  "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1360  "DF79C5CE07EE72C7F123142198164234" \
1361  "CABB724CF78B8173B9F880FC86322407" \
1362  "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1363  "071513A1E85B5DFA031F21ECAE91A34D"
1364 
1365 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1366  "2C01CAD19EA484A87EA4377637E75500" \
1367  "FCB2005C5C7DD6EC4AC023CDA285D796" \
1368  "C3D9E75E1EFC42488BB4F1D13AC30A57"
1369 
1370 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1371  "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1372  "910E4168387E3C30AA1E00C339A79508" \
1373  "8452DD96A9A5EA5D9DCA68DA636032AF"
1374 
1375 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1376  "3C94D22288ACD763FD8E5600ED4A702D" \
1377  "F84198A5F06C2E72236AE490C93F07F8" \
1378  "3CC559CD27BC2D1CA488811730BB5725"
1379 
1380 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1381  "D8AAEA56749EA28623272E4F7D0592AF" \
1382  "7C1F1313CAC9471B5C523BFE592F517B" \
1383  "407A1BD76C164B93DA2D32A383E58357"
1384 
1385 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1386  "F38D18D2B2F0E2DD275AA977E2BF4411" \
1387  "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1388  "A74206CEC169D74BF5A8C50D6F48EA08"
1389 
1390 #define PT_LEN 24
1391 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1392  "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1393 
1394 static int myrand( void *rng_state, unsigned char *output, size_t len )
1395 {
1396  size_t i;
1397 
1398  if( rng_state != NULL )
1399  rng_state = NULL;
1400 
1401  for( i = 0; i < len; ++i )
1402  output[i] = rand();
1403 
1404  return( 0 );
1405 }
1406 
1407 /*
1408  * Checkup routine
1409  */
1410 int rsa_self_test( int verbose )
1411 {
1412  size_t len;
1413  rsa_context rsa;
1414  unsigned char rsa_plaintext[PT_LEN];
1415  unsigned char rsa_decrypted[PT_LEN];
1416  unsigned char rsa_ciphertext[KEY_LEN];
1417 #if defined(POLARSSL_SHA1_C)
1418  unsigned char sha1sum[20];
1419 #endif
1420 
1421  rsa_init( &rsa, RSA_PKCS_V15, 0 );
1422 
1423  rsa.len = KEY_LEN;
1424  mpi_read_string( &rsa.N , 16, RSA_N );
1425  mpi_read_string( &rsa.E , 16, RSA_E );
1426  mpi_read_string( &rsa.D , 16, RSA_D );
1427  mpi_read_string( &rsa.P , 16, RSA_P );
1428  mpi_read_string( &rsa.Q , 16, RSA_Q );
1429  mpi_read_string( &rsa.DP, 16, RSA_DP );
1430  mpi_read_string( &rsa.DQ, 16, RSA_DQ );
1431  mpi_read_string( &rsa.QP, 16, RSA_QP );
1432 
1433  if( verbose != 0 )
1434  printf( " RSA key validation: " );
1435 
1436  if( rsa_check_pubkey( &rsa ) != 0 ||
1437  rsa_check_privkey( &rsa ) != 0 )
1438  {
1439  if( verbose != 0 )
1440  printf( "failed\n" );
1441 
1442  return( 1 );
1443  }
1444 
1445  if( verbose != 0 )
1446  printf( "passed\n PKCS#1 encryption : " );
1447 
1448  memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1449 
1450  if( rsa_pkcs1_encrypt( &rsa, &myrand, NULL, RSA_PUBLIC, PT_LEN,
1451  rsa_plaintext, rsa_ciphertext ) != 0 )
1452  {
1453  if( verbose != 0 )
1454  printf( "failed\n" );
1455 
1456  return( 1 );
1457  }
1458 
1459  if( verbose != 0 )
1460  printf( "passed\n PKCS#1 decryption : " );
1461 
1462  if( rsa_pkcs1_decrypt( &rsa, &myrand, NULL, RSA_PRIVATE, &len,
1463  rsa_ciphertext, rsa_decrypted,
1464  sizeof(rsa_decrypted) ) != 0 )
1465  {
1466  if( verbose != 0 )
1467  printf( "failed\n" );
1468 
1469  return( 1 );
1470  }
1471 
1472  if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1473  {
1474  if( verbose != 0 )
1475  printf( "failed\n" );
1476 
1477  return( 1 );
1478  }
1479 
1480 #if defined(POLARSSL_SHA1_C)
1481  if( verbose != 0 )
1482  printf( "passed\n PKCS#1 data sign : " );
1483 
1484  sha1( rsa_plaintext, PT_LEN, sha1sum );
1485 
1486  if( rsa_pkcs1_sign( &rsa, &myrand, NULL, RSA_PRIVATE, SIG_RSA_SHA1, 20,
1487  sha1sum, rsa_ciphertext ) != 0 )
1488  {
1489  if( verbose != 0 )
1490  printf( "failed\n" );
1491 
1492  return( 1 );
1493  }
1494 
1495  if( verbose != 0 )
1496  printf( "passed\n PKCS#1 sig. verify: " );
1497 
1498  if( rsa_pkcs1_verify( &rsa, &myrand, NULL, RSA_PUBLIC, SIG_RSA_SHA1, 20,
1499  sha1sum, rsa_ciphertext ) != 0 )
1500  {
1501  if( verbose != 0 )
1502  printf( "failed\n" );
1503 
1504  return( 1 );
1505  }
1506 
1507  if( verbose != 0 )
1508  printf( "passed\n\n" );
1509 #endif /* POLARSSL_SHA1_C */
1510 
1511  rsa_free( &rsa );
1512 
1513  return( 0 );
1514 }
1515 
1516 #endif
1517 
1518 #endif
int md(const md_info_t *md_info, const unsigned char *input, size_t ilen, unsigned char *output)
Output = message_digest( input buffer )
int mpi_cmp_int(const mpi *X, t_sint z)
Compare signed values.
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE
The output buffer for decryption is not large enough.
Definition: rsa.h:42
#define SIG_RSA_MD5
Definition: rsa.h:51
void mpi_swap(mpi *X, mpi *Y)
Swap the contents of X and Y.
#define RSA_CRYPT
Definition: rsa.h:65
int rsa_self_test(int verbose)
Checkup routine.
#define ASN1_HASH_SHA2X
Definition: rsa.h:124
#define SIG_RSA_MD4
Definition: rsa.h:50
int rsa_rsaes_oaep_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int rsa_check_privkey(const rsa_context *ctx)
Check a private RSA key.
int mpi_gcd(mpi *G, const mpi *A, const mpi *B)
Greatest common divisor: G = gcd(A, B)
int padding
Definition: rsa.h:154
#define ASN1_HASH_SHA1
Definition: rsa.h:109
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
int mpi_fill_random(mpi *X, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Fill an MPI X with size bytes of random.
int rsa_rsaes_pkcs1_v15_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
int rsa_rsaes_oaep_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
int rsa_pkcs1_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 signature using the mode from the context.
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
#define RSA_PUBLIC
Definition: rsa.h:58
int rsa_rsassa_pkcs1_v15_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
#define RSA_PKCS_V21
Definition: rsa.h:62
mpi DQ
Definition: rsa.h:147
Configuration options (set of defines)
int rsa_check_pubkey(const rsa_context *ctx)
Check a public RSA key.
mpi RP
Definition: rsa.h:151
int mpi_div_mpi(mpi *Q, mpi *R, const mpi *A, const mpi *B)
Division by mpi: A = Q * B + R.
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:199
int rsa_rsassa_pss_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
int rsa_pkcs1_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Generic wrapper to perform a PKCS#1 decryption using the mode from the context.
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
#define POLARSSL_ERR_RSA_RNG_FAILED
The random generator failed to generate non-zeros.
Definition: rsa.h:43
MPI structure.
Definition: bignum.h:164
void mpi_init(mpi *X)
Initialize one MPI.
int mpi_cmp_mpi(const mpi *X, const mpi *Y)
Compare signed values.
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:121
size_t len
Definition: rsa.h:138
mpi P
Definition: rsa.h:144
int rsa_rsaes_pkcs1_v15_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
int mpi_add_mpi(mpi *X, const mpi *A, const mpi *B)
Signed addition: X = A + B.
mpi Q
Definition: rsa.h:145
#define ASN1_HASH_MDX
Definition: rsa.h:99
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
void rsa_free(rsa_context *ctx)
Free the components of an RSA key.
int rsa_private(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, const unsigned char *input, unsigned char *output)
Do an RSA private key operation.
RSA context structure.
Definition: rsa.h:135
mpi D
Definition: rsa.h:143
int rsa_pkcs1_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Generic wrapper to perform a PKCS#1 encryption using the mode from the context.
#define SIG_RSA_SHA512
Definition: rsa.h:56
#define POLARSSL_ERR_RSA_INVALID_PADDING
Input data contains invalid padding and is rejected.
Definition: rsa.h:36
mpi QP
Definition: rsa.h:148
#define RSA_PKCS_V15
Definition: rsa.h:61
#define RSA_PRIVATE
Definition: rsa.h:59
mpi N
Definition: rsa.h:140
#define SIG_RSA_SHA1
Definition: rsa.h:52
int mpi_inv_mod(mpi *X, const mpi *A, const mpi *N)
Modular inverse: X = A^-1 mod N.
void mpi_free(mpi *X)
Unallocate one MPI.
#define SIG_RSA_MD2
Definition: rsa.h:49
#define RSA_SIGN
Definition: rsa.h:64
int mpi_exp_mod(mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR)
Sliding-window exponentiation: X = A^E mod N.
mpi RQ
Definition: rsa.h:152
mpi E
Definition: rsa.h:141
mpi DP
Definition: rsa.h:146
#define POLARSSL_ERR_RSA_VERIFY_FAILED
The PKCS#1 verification failed.
Definition: rsa.h:41
int mpi_gen_prime(mpi *X, size_t nbits, int dh_flag, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Prime number generation.
#define ASN1_HASH_SHA1_ALT
Definition: rsa.h:117
int hash_id
Definition: rsa.h:156
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant &#39;1&#39; bit&#39;.
#define POLARSSL_MPI_MAX_BITS
Maximum number of bits for usable MPIs.
Definition: bignum.h:91
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
Generic message digest wrapper.
t_uint * p
Definition: bignum.h:168
int mpi_read_binary(mpi *X, const unsigned char *buf, size_t buflen)
Import X from unsigned binary data, big endian.
The RSA public-key cryptosystem.
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA
Bad input parameters to function.
Definition: rsa.h:35
#define POLARSSL_ERR_RSA_PRIVATE_FAILED
The private key operation failed.
Definition: rsa.h:40
#define SIG_RSA_SHA224
Definition: rsa.h:53
#define POLARSSL_MD_MAX_SIZE
Definition: md.h:59
SHA-1 cryptographic hash function.
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED
Key failed to pass the libraries validity check.
Definition: rsa.h:38
int rsa_rsassa_pkcs1_v15_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
int rsa_gen_key(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, unsigned int nbits, int exponent)
Generate an RSA keypair.
void rsa_init(rsa_context *ctx, int padding, int hash_id)
Initialize an RSA context.
int mpi_mod_mpi(mpi *R, const mpi *A, const mpi *B)
Modulo: R = A mod B.
int mpi_write_binary(const mpi *X, unsigned char *buf, size_t buflen)
Export X into unsigned binary data, big endian.
int rsa_rsassa_pss_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
#define SIG_RSA_SHA256
Definition: rsa.h:54
int size
Output length of the digest function.
Definition: md.h:73
#define POLARSSL_ERR_RSA_KEY_GEN_FAILED
Something failed during generation of a key.
Definition: rsa.h:37
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
#define SIG_RSA_SHA384
Definition: rsa.h:55
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
#define POLARSSL_ERR_RSA_PUBLIC_FAILED
The public key operation failed.
Definition: rsa.h:39
#define SIG_RSA_RAW
Definition: rsa.h:48
int mpi_sub_mpi(mpi *X, const mpi *A, const mpi *B)
Signed substraction: X = A - B.
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
mpi RN
Definition: rsa.h:150
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed substraction: X = A - b.
Message digest information.
Definition: md.h:65
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
Generic message digest context.
Definition: md.h:119
#define MPI_CHK(f)
Definition: bignum.h:61
int rsa_public(rsa_context *ctx, const unsigned char *input, unsigned char *output)
Do an RSA public key operation.