PolarSSL v1.2.9
rsa.c
Go to the documentation of this file.
1 /*
2  * The RSA public-key cryptosystem
3  *
4  * Copyright (C) 2006-2011, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
27  *
28  * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
29  * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_RSA_C)
35 
36 #include "polarssl/rsa.h"
37 
38 #if defined(POLARSSL_PKCS1_V21)
39 #include "polarssl/md.h"
40 #endif
41 
42 #include <stdlib.h>
43 #include <stdio.h>
44 
45 /*
46  * Initialize an RSA context
47  */
48 void rsa_init( rsa_context *ctx,
49  int padding,
50  int hash_id )
51 {
52  memset( ctx, 0, sizeof( rsa_context ) );
53 
54  ctx->padding = padding;
55  ctx->hash_id = hash_id;
56 }
57 
58 #if defined(POLARSSL_GENPRIME)
59 
60 /*
61  * Generate an RSA keypair
62  */
63 int rsa_gen_key( rsa_context *ctx,
64  int (*f_rng)(void *, unsigned char *, size_t),
65  void *p_rng,
66  unsigned int nbits, int exponent )
67 {
68  int ret;
69  mpi P1, Q1, H, G;
70 
71  if( f_rng == NULL || nbits < 128 || exponent < 3 )
73 
74  mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
75 
76  /*
77  * find primes P and Q with Q < P so that:
78  * GCD( E, (P-1)*(Q-1) ) == 1
79  */
80  MPI_CHK( mpi_lset( &ctx->E, exponent ) );
81 
82  do
83  {
84  MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
85  f_rng, p_rng ) );
86 
87  MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
88  f_rng, p_rng ) );
89 
90  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
91  mpi_swap( &ctx->P, &ctx->Q );
92 
93  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
94  continue;
95 
96  MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
97  if( mpi_msb( &ctx->N ) != nbits )
98  continue;
99 
100  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
101  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
102  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
103  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
104  }
105  while( mpi_cmp_int( &G, 1 ) != 0 );
106 
107  /*
108  * D = E^-1 mod ((P-1)*(Q-1))
109  * DP = D mod (P - 1)
110  * DQ = D mod (Q - 1)
111  * QP = Q^-1 mod P
112  */
113  MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
114  MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
115  MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
116  MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
117 
118  ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
119 
120 cleanup:
121 
122  mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
123 
124  if( ret != 0 )
125  {
126  rsa_free( ctx );
127  return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
128  }
129 
130  return( 0 );
131 }
132 
133 #endif
134 
135 /*
136  * Check a public RSA key
137  */
138 int rsa_check_pubkey( const rsa_context *ctx )
139 {
140  if( !ctx->N.p || !ctx->E.p )
142 
143  if( ( ctx->N.p[0] & 1 ) == 0 ||
144  ( ctx->E.p[0] & 1 ) == 0 )
146 
147  if( mpi_msb( &ctx->N ) < 128 ||
148  mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
150 
151  if( mpi_msb( &ctx->E ) < 2 ||
152  mpi_msb( &ctx->E ) > 64 )
154 
155  return( 0 );
156 }
157 
158 /*
159  * Check a private RSA key
160  */
161 int rsa_check_privkey( const rsa_context *ctx )
162 {
163  int ret;
164  mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
165 
166  if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
167  return( ret );
168 
169  if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
171 
172  mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
173  mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
174  mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
175  mpi_init( &QP );
176 
177  MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
178  MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
179  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
180  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
181  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
182  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
183 
184  MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
185  MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
186  MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
187 
188  MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
189  MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
190  MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
191  /*
192  * Check for a valid PKCS1v2 private key
193  */
194  if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
195  mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
196  mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
197  mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
198  mpi_cmp_int( &L2, 0 ) != 0 ||
199  mpi_cmp_int( &I, 1 ) != 0 ||
200  mpi_cmp_int( &G, 1 ) != 0 )
201  {
203  }
204 
205 cleanup:
206  mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
207  mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
208  mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
209  mpi_free( &QP );
210 
212  return( ret );
213 
214  if( ret != 0 )
215  return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
216 
217  return( 0 );
218 }
219 
220 /*
221  * Do an RSA public key operation
222  */
223 int rsa_public( rsa_context *ctx,
224  const unsigned char *input,
225  unsigned char *output )
226 {
227  int ret;
228  size_t olen;
229  mpi T;
230 
231  mpi_init( &T );
232 
233  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
234 
235  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
236  {
237  mpi_free( &T );
239  }
240 
241  olen = ctx->len;
242  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
243  MPI_CHK( mpi_write_binary( &T, output, olen ) );
244 
245 cleanup:
246 
247  mpi_free( &T );
248 
249  if( ret != 0 )
250  return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
251 
252  return( 0 );
253 }
254 
255 #if !defined(POLARSSL_RSA_NO_CRT)
256 /*
257  * Generate or update blinding values, see section 10 of:
258  * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
259  * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
260  * Berlin Heidelberg, 1996. p. 104-113.
261  */
262 static int rsa_prepare_blinding( rsa_context *ctx,
263  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
264 {
265  int ret;
266 
267  if( ctx->Vf.p != NULL )
268  {
269  /* We already have blinding values, just update them by squaring */
270  MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
271  MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
272  MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
273  MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
274 
275  return( 0 );
276  }
277 
278  /* Unblinding value: Vf = random number */
279  MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
280 
281  /* Blinding value: Vi = Vf^(-e) mod N */
282  MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
283  MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
284 
285 cleanup:
286  return( ret );
287 }
288 #endif
289 
290 /*
291  * Do an RSA private key operation
292  */
293 int rsa_private( rsa_context *ctx,
294  int (*f_rng)(void *, unsigned char *, size_t),
295  void *p_rng,
296  const unsigned char *input,
297  unsigned char *output )
298 {
299  int ret;
300  size_t olen;
301  mpi T, T1, T2;
302 
303  mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
304 
305  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
306 
307  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
308  {
309  mpi_free( &T );
311  }
312 
313 #if defined(POLARSSL_RSA_NO_CRT)
314  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
315 #else
316  if( f_rng != NULL )
317  {
318  /*
319  * Blinding
320  * T = T * Vi mod N
321  */
322  MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
323  MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
324  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
325  }
326 
327  /*
328  * faster decryption using the CRT
329  *
330  * T1 = input ^ dP mod P
331  * T2 = input ^ dQ mod Q
332  */
333  MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
334  MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
335 
336  /*
337  * T = (T1 - T2) * (Q^-1 mod P) mod P
338  */
339  MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
340  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
341  MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
342 
343  /*
344  * output = T2 + T * Q
345  */
346  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
347  MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
348 
349  if( f_rng != NULL )
350  {
351  /*
352  * Unblind
353  * T = T * Vf mod N
354  */
355  MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
356  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
357  }
358 #endif
359 
360  olen = ctx->len;
361  MPI_CHK( mpi_write_binary( &T, output, olen ) );
362 
363 cleanup:
364 
365  mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
366 
367  if( ret != 0 )
368  return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
369 
370  return( 0 );
371 }
372 
373 #if defined(POLARSSL_PKCS1_V21)
374 
383 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen,
384  md_context_t *md_ctx )
385 {
386  unsigned char mask[POLARSSL_MD_MAX_SIZE];
387  unsigned char counter[4];
388  unsigned char *p;
389  unsigned int hlen;
390  size_t i, use_len;
391 
392  memset( mask, 0, POLARSSL_MD_MAX_SIZE );
393  memset( counter, 0, 4 );
394 
395  hlen = md_ctx->md_info->size;
396 
397  // Generate and apply dbMask
398  //
399  p = dst;
400 
401  while( dlen > 0 )
402  {
403  use_len = hlen;
404  if( dlen < hlen )
405  use_len = dlen;
406 
407  md_starts( md_ctx );
408  md_update( md_ctx, src, slen );
409  md_update( md_ctx, counter, 4 );
410  md_finish( md_ctx, mask );
411 
412  for( i = 0; i < use_len; ++i )
413  *p++ ^= mask[i];
414 
415  counter[3]++;
416 
417  dlen -= use_len;
418  }
419 }
420 #endif
421 
422 #if defined(POLARSSL_PKCS1_V21)
423 /*
424  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
425  */
427  int (*f_rng)(void *, unsigned char *, size_t),
428  void *p_rng,
429  int mode,
430  const unsigned char *label, size_t label_len,
431  size_t ilen,
432  const unsigned char *input,
433  unsigned char *output )
434 {
435  size_t olen;
436  int ret;
437  unsigned char *p = output;
438  unsigned int hlen;
439  const md_info_t *md_info;
440  md_context_t md_ctx;
441 
442  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
444 
445  md_info = md_info_from_type( ctx->hash_id );
446 
447  if( md_info == NULL )
449 
450  olen = ctx->len;
451  hlen = md_get_size( md_info );
452 
453  if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
455 
456  memset( output, 0, olen );
457 
458  *p++ = 0;
459 
460  // Generate a random octet string seed
461  //
462  if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
463  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
464 
465  p += hlen;
466 
467  // Construct DB
468  //
469  md( md_info, label, label_len, p );
470  p += hlen;
471  p += olen - 2 * hlen - 2 - ilen;
472  *p++ = 1;
473  memcpy( p, input, ilen );
474 
475  md_init_ctx( &md_ctx, md_info );
476 
477  // maskedDB: Apply dbMask to DB
478  //
479  mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
480  &md_ctx );
481 
482  // maskedSeed: Apply seedMask to seed
483  //
484  mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
485  &md_ctx );
486 
487  md_free_ctx( &md_ctx );
488 
489  return( ( mode == RSA_PUBLIC )
490  ? rsa_public( ctx, output, output )
491  : rsa_private( ctx, f_rng, p_rng, output, output ) );
492 }
493 #endif /* POLARSSL_PKCS1_V21 */
494 
495 /*
496  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
497  */
499  int (*f_rng)(void *, unsigned char *, size_t),
500  void *p_rng,
501  int mode, size_t ilen,
502  const unsigned char *input,
503  unsigned char *output )
504 {
505  size_t nb_pad, olen;
506  int ret;
507  unsigned char *p = output;
508 
509  if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL )
511 
512  olen = ctx->len;
513 
514  if( olen < ilen + 11 )
516 
517  nb_pad = olen - 3 - ilen;
518 
519  *p++ = 0;
520  if( mode == RSA_PUBLIC )
521  {
522  *p++ = RSA_CRYPT;
523 
524  while( nb_pad-- > 0 )
525  {
526  int rng_dl = 100;
527 
528  do {
529  ret = f_rng( p_rng, p, 1 );
530  } while( *p == 0 && --rng_dl && ret == 0 );
531 
532  // Check if RNG failed to generate data
533  //
534  if( rng_dl == 0 || ret != 0)
535  return POLARSSL_ERR_RSA_RNG_FAILED + ret;
536 
537  p++;
538  }
539  }
540  else
541  {
542  *p++ = RSA_SIGN;
543 
544  while( nb_pad-- > 0 )
545  *p++ = 0xFF;
546  }
547 
548  *p++ = 0;
549  memcpy( p, input, ilen );
550 
551  return( ( mode == RSA_PUBLIC )
552  ? rsa_public( ctx, output, output )
553  : rsa_private( ctx, f_rng, p_rng, output, output ) );
554 }
555 
556 /*
557  * Add the message padding, then do an RSA operation
558  */
560  int (*f_rng)(void *, unsigned char *, size_t),
561  void *p_rng,
562  int mode, size_t ilen,
563  const unsigned char *input,
564  unsigned char *output )
565 {
566  switch( ctx->padding )
567  {
568  case RSA_PKCS_V15:
569  return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
570  input, output );
571 
572 #if defined(POLARSSL_PKCS1_V21)
573  case RSA_PKCS_V21:
574  return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
575  ilen, input, output );
576 #endif
577 
578  default:
580  }
581 }
582 
583 #if defined(POLARSSL_PKCS1_V21)
584 /*
585  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
586  */
588  int (*f_rng)(void *, unsigned char *, size_t),
589  void *p_rng,
590  int mode,
591  const unsigned char *label, size_t label_len,
592  size_t *olen,
593  const unsigned char *input,
594  unsigned char *output,
595  size_t output_max_len )
596 {
597  int ret;
598  size_t ilen;
599  unsigned char *p;
600  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
601  unsigned char lhash[POLARSSL_MD_MAX_SIZE];
602  unsigned int hlen;
603  const md_info_t *md_info;
604  md_context_t md_ctx;
605 
606  if( ctx->padding != RSA_PKCS_V21 )
608 
609  ilen = ctx->len;
610 
611  if( ilen < 16 || ilen > sizeof( buf ) )
613 
614  ret = ( mode == RSA_PUBLIC )
615  ? rsa_public( ctx, input, buf )
616  : rsa_private( ctx, f_rng, p_rng, input, buf );
617 
618  if( ret != 0 )
619  return( ret );
620 
621  p = buf;
622 
623  if( *p++ != 0 )
625 
626  md_info = md_info_from_type( ctx->hash_id );
627  if( md_info == NULL )
629 
630  hlen = md_get_size( md_info );
631 
632  md_init_ctx( &md_ctx, md_info );
633 
634  // Generate lHash
635  //
636  md( md_info, label, label_len, lhash );
637 
638  // seed: Apply seedMask to maskedSeed
639  //
640  mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
641  &md_ctx );
642 
643  // DB: Apply dbMask to maskedDB
644  //
645  mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
646  &md_ctx );
647 
648  p += hlen;
649  md_free_ctx( &md_ctx );
650 
651  // Check validity
652  //
653  if( memcmp( lhash, p, hlen ) != 0 )
655 
656  p += hlen;
657 
658  while( *p == 0 && p < buf + ilen )
659  p++;
660 
661  if( p == buf + ilen )
663 
664  if( *p++ != 0x01 )
666 
667  if (ilen - (p - buf) > output_max_len)
669 
670  *olen = ilen - (p - buf);
671  memcpy( output, p, *olen );
672 
673  return( 0 );
674 }
675 #endif /* POLARSSL_PKCS1_V21 */
676 
677 /*
678  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
679  */
681  int (*f_rng)(void *, unsigned char *, size_t),
682  void *p_rng,
683  int mode, size_t *olen,
684  const unsigned char *input,
685  unsigned char *output,
686  size_t output_max_len)
687 {
688  int ret, correct = 1;
689  size_t ilen, pad_count = 0;
690  unsigned char *p, *q;
691  unsigned char bt;
692  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
693 
694  if( ctx->padding != RSA_PKCS_V15 )
696 
697  ilen = ctx->len;
698 
699  if( ilen < 16 || ilen > sizeof( buf ) )
701 
702  ret = ( mode == RSA_PUBLIC )
703  ? rsa_public( ctx, input, buf )
704  : rsa_private( ctx, f_rng, p_rng, input, buf );
705 
706  if( ret != 0 )
707  return( ret );
708 
709  p = buf;
710 
711  if( *p++ != 0 )
712  correct = 0;
713 
714  bt = *p++;
715  if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
716  ( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
717  {
718  correct = 0;
719  }
720 
721  if( bt == RSA_CRYPT )
722  {
723  while( *p != 0 && p < buf + ilen - 1 )
724  pad_count += ( *p++ != 0 );
725 
726  correct &= ( *p == 0 && p < buf + ilen - 1 );
727 
728  q = p;
729 
730  // Also pass over all other bytes to reduce timing differences
731  //
732  while ( q < buf + ilen - 1 )
733  pad_count += ( *q++ != 0 );
734 
735  // Prevent compiler optimization of pad_count
736  //
737  correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
738  p++;
739  }
740  else
741  {
742  while( *p == 0xFF && p < buf + ilen - 1 )
743  pad_count += ( *p++ == 0xFF );
744 
745  correct &= ( *p == 0 && p < buf + ilen - 1 );
746 
747  q = p;
748 
749  // Also pass over all other bytes to reduce timing differences
750  //
751  while ( q < buf + ilen - 1 )
752  pad_count += ( *q++ != 0 );
753 
754  // Prevent compiler optimization of pad_count
755  //
756  correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
757  p++;
758  }
759 
760  if( correct == 0 )
762 
763  if (ilen - (p - buf) > output_max_len)
765 
766  *olen = ilen - (p - buf);
767  memcpy( output, p, *olen );
768 
769  return( 0 );
770 }
771 
772 /*
773  * Do an RSA operation, then remove the message padding
774  */
776  int (*f_rng)(void *, unsigned char *, size_t),
777  void *p_rng,
778  int mode, size_t *olen,
779  const unsigned char *input,
780  unsigned char *output,
781  size_t output_max_len)
782 {
783  switch( ctx->padding )
784  {
785  case RSA_PKCS_V15:
786  return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
787  input, output, output_max_len );
788 
789 #if defined(POLARSSL_PKCS1_V21)
790  case RSA_PKCS_V21:
791  return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
792  olen, input, output, output_max_len );
793 #endif
794 
795  default:
797  }
798 }
799 
800 #if defined(POLARSSL_PKCS1_V21)
801 /*
802  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
803  */
805  int (*f_rng)(void *, unsigned char *, size_t),
806  void *p_rng,
807  int mode,
808  int hash_id,
809  unsigned int hashlen,
810  const unsigned char *hash,
811  unsigned char *sig )
812 {
813  size_t olen;
814  unsigned char *p = sig;
815  unsigned char salt[POLARSSL_MD_MAX_SIZE];
816  unsigned int slen, hlen, offset = 0;
817  int ret;
818  size_t msb;
819  const md_info_t *md_info;
820  md_context_t md_ctx;
821 
822  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
824 
825  olen = ctx->len;
826 
827  switch( hash_id )
828  {
829  case SIG_RSA_MD2:
830  case SIG_RSA_MD4:
831  case SIG_RSA_MD5:
832  hashlen = 16;
833  break;
834 
835  case SIG_RSA_SHA1:
836  hashlen = 20;
837  break;
838 
839  case SIG_RSA_SHA224:
840  hashlen = 28;
841  break;
842 
843  case SIG_RSA_SHA256:
844  hashlen = 32;
845  break;
846 
847  case SIG_RSA_SHA384:
848  hashlen = 48;
849  break;
850 
851  case SIG_RSA_SHA512:
852  hashlen = 64;
853  break;
854 
855  default:
857  }
858 
859  md_info = md_info_from_type( ctx->hash_id );
860  if( md_info == NULL )
862 
863  hlen = md_get_size( md_info );
864  slen = hlen;
865 
866  if( olen < hlen + slen + 2 )
868 
869  memset( sig, 0, olen );
870 
871  msb = mpi_msb( &ctx->N ) - 1;
872 
873  // Generate salt of length slen
874  //
875  if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
876  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
877 
878  // Note: EMSA-PSS encoding is over the length of N - 1 bits
879  //
880  msb = mpi_msb( &ctx->N ) - 1;
881  p += olen - hlen * 2 - 2;
882  *p++ = 0x01;
883  memcpy( p, salt, slen );
884  p += slen;
885 
886  md_init_ctx( &md_ctx, md_info );
887 
888  // Generate H = Hash( M' )
889  //
890  md_starts( &md_ctx );
891  md_update( &md_ctx, p, 8 );
892  md_update( &md_ctx, hash, hashlen );
893  md_update( &md_ctx, salt, slen );
894  md_finish( &md_ctx, p );
895 
896  // Compensate for boundary condition when applying mask
897  //
898  if( msb % 8 == 0 )
899  offset = 1;
900 
901  // maskedDB: Apply dbMask to DB
902  //
903  mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
904 
905  md_free_ctx( &md_ctx );
906 
907  msb = mpi_msb( &ctx->N ) - 1;
908  sig[0] &= 0xFF >> ( olen * 8 - msb );
909 
910  p += hlen;
911  *p++ = 0xBC;
912 
913  return( ( mode == RSA_PUBLIC )
914  ? rsa_public( ctx, sig, sig )
915  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
916 }
917 #endif /* POLARSSL_PKCS1_V21 */
918 
919 /*
920  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
921  */
922 /*
923  * Do an RSA operation to sign the message digest
924  */
926  int (*f_rng)(void *, unsigned char *, size_t),
927  void *p_rng,
928  int mode,
929  int hash_id,
930  unsigned int hashlen,
931  const unsigned char *hash,
932  unsigned char *sig )
933 {
934  size_t nb_pad, olen;
935  unsigned char *p = sig;
936 
937  if( ctx->padding != RSA_PKCS_V15 )
939 
940  olen = ctx->len;
941 
942  switch( hash_id )
943  {
944  case SIG_RSA_RAW:
945  nb_pad = olen - 3 - hashlen;
946  break;
947 
948  case SIG_RSA_MD2:
949  case SIG_RSA_MD4:
950  case SIG_RSA_MD5:
951  nb_pad = olen - 3 - 34;
952  break;
953 
954  case SIG_RSA_SHA1:
955  nb_pad = olen - 3 - 35;
956  break;
957 
958  case SIG_RSA_SHA224:
959  nb_pad = olen - 3 - 47;
960  break;
961 
962  case SIG_RSA_SHA256:
963  nb_pad = olen - 3 - 51;
964  break;
965 
966  case SIG_RSA_SHA384:
967  nb_pad = olen - 3 - 67;
968  break;
969 
970  case SIG_RSA_SHA512:
971  nb_pad = olen - 3 - 83;
972  break;
973 
974 
975  default:
977  }
978 
979  if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
981 
982  *p++ = 0;
983  *p++ = RSA_SIGN;
984  memset( p, 0xFF, nb_pad );
985  p += nb_pad;
986  *p++ = 0;
987 
988  switch( hash_id )
989  {
990  case SIG_RSA_RAW:
991  memcpy( p, hash, hashlen );
992  break;
993 
994  case SIG_RSA_MD2:
995  memcpy( p, ASN1_HASH_MDX, 18 );
996  memcpy( p + 18, hash, 16 );
997  p[13] = 2; break;
998 
999  case SIG_RSA_MD4:
1000  memcpy( p, ASN1_HASH_MDX, 18 );
1001  memcpy( p + 18, hash, 16 );
1002  p[13] = 4; break;
1003 
1004  case SIG_RSA_MD5:
1005  memcpy( p, ASN1_HASH_MDX, 18 );
1006  memcpy( p + 18, hash, 16 );
1007  p[13] = 5; break;
1008 
1009  case SIG_RSA_SHA1:
1010  memcpy( p, ASN1_HASH_SHA1, 15 );
1011  memcpy( p + 15, hash, 20 );
1012  break;
1013 
1014  case SIG_RSA_SHA224:
1015  memcpy( p, ASN1_HASH_SHA2X, 19 );
1016  memcpy( p + 19, hash, 28 );
1017  p[1] += 28; p[14] = 4; p[18] += 28; break;
1018 
1019  case SIG_RSA_SHA256:
1020  memcpy( p, ASN1_HASH_SHA2X, 19 );
1021  memcpy( p + 19, hash, 32 );
1022  p[1] += 32; p[14] = 1; p[18] += 32; break;
1023 
1024  case SIG_RSA_SHA384:
1025  memcpy( p, ASN1_HASH_SHA2X, 19 );
1026  memcpy( p + 19, hash, 48 );
1027  p[1] += 48; p[14] = 2; p[18] += 48; break;
1028 
1029  case SIG_RSA_SHA512:
1030  memcpy( p, ASN1_HASH_SHA2X, 19 );
1031  memcpy( p + 19, hash, 64 );
1032  p[1] += 64; p[14] = 3; p[18] += 64; break;
1033 
1034  default:
1036  }
1037 
1038  return( ( mode == RSA_PUBLIC )
1039  ? rsa_public( ctx, sig, sig )
1040  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1041 }
1042 
1043 /*
1044  * Do an RSA operation to sign the message digest
1045  */
1046 int rsa_pkcs1_sign( rsa_context *ctx,
1047  int (*f_rng)(void *, unsigned char *, size_t),
1048  void *p_rng,
1049  int mode,
1050  int hash_id,
1051  unsigned int hashlen,
1052  const unsigned char *hash,
1053  unsigned char *sig )
1054 {
1055  switch( ctx->padding )
1056  {
1057  case RSA_PKCS_V15:
1058  return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, hash_id,
1059  hashlen, hash, sig );
1060 
1061 #if defined(POLARSSL_PKCS1_V21)
1062  case RSA_PKCS_V21:
1063  return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, hash_id,
1064  hashlen, hash, sig );
1065 #endif
1066 
1067  default:
1069  }
1070 }
1071 
1072 #if defined(POLARSSL_PKCS1_V21)
1073 /*
1074  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1075  */
1077  int (*f_rng)(void *, unsigned char *, size_t),
1078  void *p_rng,
1079  int mode,
1080  int hash_id,
1081  unsigned int hashlen,
1082  const unsigned char *hash,
1083  unsigned char *sig )
1084 {
1085  int ret;
1086  size_t siglen;
1087  unsigned char *p;
1088  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1089  unsigned char result[POLARSSL_MD_MAX_SIZE];
1090  unsigned char zeros[8];
1091  unsigned int hlen;
1092  size_t slen, msb;
1093  const md_info_t *md_info;
1094  md_context_t md_ctx;
1095 
1096  if( ctx->padding != RSA_PKCS_V21 )
1098 
1099  siglen = ctx->len;
1100 
1101  if( siglen < 16 || siglen > sizeof( buf ) )
1103 
1104  ret = ( mode == RSA_PUBLIC )
1105  ? rsa_public( ctx, sig, buf )
1106  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1107 
1108  if( ret != 0 )
1109  return( ret );
1110 
1111  p = buf;
1112 
1113  if( buf[siglen - 1] != 0xBC )
1115 
1116  switch( hash_id )
1117  {
1118  case SIG_RSA_MD2:
1119  case SIG_RSA_MD4:
1120  case SIG_RSA_MD5:
1121  hashlen = 16;
1122  break;
1123 
1124  case SIG_RSA_SHA1:
1125  hashlen = 20;
1126  break;
1127 
1128  case SIG_RSA_SHA224:
1129  hashlen = 28;
1130  break;
1131 
1132  case SIG_RSA_SHA256:
1133  hashlen = 32;
1134  break;
1135 
1136  case SIG_RSA_SHA384:
1137  hashlen = 48;
1138  break;
1139 
1140  case SIG_RSA_SHA512:
1141  hashlen = 64;
1142  break;
1143 
1144  default:
1146  }
1147 
1148  md_info = md_info_from_type( ctx->hash_id );
1149  if( md_info == NULL )
1151 
1152  hlen = md_get_size( md_info );
1153  slen = siglen - hlen - 1;
1154 
1155  memset( zeros, 0, 8 );
1156 
1157  // Note: EMSA-PSS verification is over the length of N - 1 bits
1158  //
1159  msb = mpi_msb( &ctx->N ) - 1;
1160 
1161  // Compensate for boundary condition when applying mask
1162  //
1163  if( msb % 8 == 0 )
1164  {
1165  p++;
1166  siglen -= 1;
1167  }
1168  if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1170 
1171  md_init_ctx( &md_ctx, md_info );
1172 
1173  mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1174 
1175  buf[0] &= 0xFF >> ( siglen * 8 - msb );
1176 
1177  while( *p == 0 && p < buf + siglen )
1178  p++;
1179 
1180  if( p == buf + siglen ||
1181  *p++ != 0x01 )
1182  {
1183  md_free_ctx( &md_ctx );
1185  }
1186 
1187  slen -= p - buf;
1188 
1189  // Generate H = Hash( M' )
1190  //
1191  md_starts( &md_ctx );
1192  md_update( &md_ctx, zeros, 8 );
1193  md_update( &md_ctx, hash, hashlen );
1194  md_update( &md_ctx, p, slen );
1195  md_finish( &md_ctx, result );
1196 
1197  md_free_ctx( &md_ctx );
1198 
1199  if( memcmp( p + slen, result, hlen ) == 0 )
1200  return( 0 );
1201  else
1203 }
1204 #endif /* POLARSSL_PKCS1_V21 */
1205 
1206 /*
1207  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1208  */
1210  int (*f_rng)(void *, unsigned char *, size_t),
1211  void *p_rng,
1212  int mode,
1213  int hash_id,
1214  unsigned int hashlen,
1215  const unsigned char *hash,
1216  unsigned char *sig )
1217 {
1218  int ret;
1219  size_t len, siglen;
1220  unsigned char *p, c;
1221  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1222 
1223  if( ctx->padding != RSA_PKCS_V15 )
1225 
1226  siglen = ctx->len;
1227 
1228  if( siglen < 16 || siglen > sizeof( buf ) )
1230 
1231  ret = ( mode == RSA_PUBLIC )
1232  ? rsa_public( ctx, sig, buf )
1233  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1234 
1235  if( ret != 0 )
1236  return( ret );
1237 
1238  p = buf;
1239 
1240  if( *p++ != 0 || *p++ != RSA_SIGN )
1242 
1243  while( *p != 0 )
1244  {
1245  if( p >= buf + siglen - 1 || *p != 0xFF )
1247  p++;
1248  }
1249  p++;
1250 
1251  len = siglen - ( p - buf );
1252 
1253  if( len == 33 && hash_id == SIG_RSA_SHA1 )
1254  {
1255  if( memcmp( p, ASN1_HASH_SHA1_ALT, 13 ) == 0 &&
1256  memcmp( p + 13, hash, 20 ) == 0 )
1257  return( 0 );
1258  else
1260  }
1261  if( len == 34 )
1262  {
1263  c = p[13];
1264  p[13] = 0;
1265 
1266  if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
1268 
1269  if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
1270  ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
1271  ( c == 5 && hash_id == SIG_RSA_MD5 ) )
1272  {
1273  if( memcmp( p + 18, hash, 16 ) == 0 )
1274  return( 0 );
1275  else
1277  }
1278  }
1279 
1280  if( len == 35 && hash_id == SIG_RSA_SHA1 )
1281  {
1282  if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
1283  memcmp( p + 15, hash, 20 ) == 0 )
1284  return( 0 );
1285  else
1287  }
1288  if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
1289  ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
1290  ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
1291  ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
1292  {
1293  c = p[1] - 17;
1294  p[1] = 17;
1295  p[14] = 0;
1296 
1297  if( p[18] == c &&
1298  memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
1299  memcmp( p + 19, hash, c ) == 0 )
1300  return( 0 );
1301  else
1303  }
1304 
1305  if( len == hashlen && hash_id == SIG_RSA_RAW )
1306  {
1307  if( memcmp( p, hash, hashlen ) == 0 )
1308  return( 0 );
1309  else
1311  }
1312 
1314 }
1315 
1316 /*
1317  * Do an RSA operation and check the message digest
1318  */
1319 int rsa_pkcs1_verify( rsa_context *ctx,
1320  int (*f_rng)(void *, unsigned char *, size_t),
1321  void *p_rng,
1322  int mode,
1323  int hash_id,
1324  unsigned int hashlen,
1325  const unsigned char *hash,
1326  unsigned char *sig )
1327 {
1328  switch( ctx->padding )
1329  {
1330  case RSA_PKCS_V15:
1331  return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode,
1332  hash_id, hashlen, hash, sig );
1333 
1334 #if defined(POLARSSL_PKCS1_V21)
1335  case RSA_PKCS_V21:
1336  return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, hash_id,
1337  hashlen, hash, sig );
1338 #endif
1339 
1340  default:
1342  }
1343 }
1344 
1345 /*
1346  * Free the components of an RSA key
1347  */
1348 void rsa_free( rsa_context *ctx )
1349 {
1350  mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
1351  mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
1352  mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
1353  mpi_free( &ctx->E ); mpi_free( &ctx->N );
1354 }
1355 
1356 #if defined(POLARSSL_SELF_TEST)
1357 
1358 #include "polarssl/sha1.h"
1359 
1360 /*
1361  * Example RSA-1024 keypair, for test purposes
1362  */
1363 #define KEY_LEN 128
1364 
1365 #define RSA_N "9292758453063D803DD603D5E777D788" \
1366  "8ED1D5BF35786190FA2F23EBC0848AEA" \
1367  "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1368  "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1369  "93A89813FBF3C4F8066D2D800F7C38A8" \
1370  "1AE31942917403FF4946B0A83D3D3E05" \
1371  "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1372  "5E94BB77B07507233A0BC7BAC8F90F79"
1373 
1374 #define RSA_E "10001"
1375 
1376 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1377  "66CA472BC44D253102F8B4A9D3BFA750" \
1378  "91386C0077937FE33FA3252D28855837" \
1379  "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1380  "DF79C5CE07EE72C7F123142198164234" \
1381  "CABB724CF78B8173B9F880FC86322407" \
1382  "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1383  "071513A1E85B5DFA031F21ECAE91A34D"
1384 
1385 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1386  "2C01CAD19EA484A87EA4377637E75500" \
1387  "FCB2005C5C7DD6EC4AC023CDA285D796" \
1388  "C3D9E75E1EFC42488BB4F1D13AC30A57"
1389 
1390 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1391  "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1392  "910E4168387E3C30AA1E00C339A79508" \
1393  "8452DD96A9A5EA5D9DCA68DA636032AF"
1394 
1395 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1396  "3C94D22288ACD763FD8E5600ED4A702D" \
1397  "F84198A5F06C2E72236AE490C93F07F8" \
1398  "3CC559CD27BC2D1CA488811730BB5725"
1399 
1400 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1401  "D8AAEA56749EA28623272E4F7D0592AF" \
1402  "7C1F1313CAC9471B5C523BFE592F517B" \
1403  "407A1BD76C164B93DA2D32A383E58357"
1404 
1405 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1406  "F38D18D2B2F0E2DD275AA977E2BF4411" \
1407  "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1408  "A74206CEC169D74BF5A8C50D6F48EA08"
1409 
1410 #define PT_LEN 24
1411 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1412  "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1413 
1414 static int myrand( void *rng_state, unsigned char *output, size_t len )
1415 {
1416  size_t i;
1417 
1418  if( rng_state != NULL )
1419  rng_state = NULL;
1420 
1421  for( i = 0; i < len; ++i )
1422  output[i] = rand();
1423 
1424  return( 0 );
1425 }
1426 
1427 /*
1428  * Checkup routine
1429  */
1430 int rsa_self_test( int verbose )
1431 {
1432  size_t len;
1433  rsa_context rsa;
1434  unsigned char rsa_plaintext[PT_LEN];
1435  unsigned char rsa_decrypted[PT_LEN];
1436  unsigned char rsa_ciphertext[KEY_LEN];
1437 #if defined(POLARSSL_SHA1_C)
1438  unsigned char sha1sum[20];
1439 #endif
1440 
1441  rsa_init( &rsa, RSA_PKCS_V15, 0 );
1442 
1443  rsa.len = KEY_LEN;
1444  mpi_read_string( &rsa.N , 16, RSA_N );
1445  mpi_read_string( &rsa.E , 16, RSA_E );
1446  mpi_read_string( &rsa.D , 16, RSA_D );
1447  mpi_read_string( &rsa.P , 16, RSA_P );
1448  mpi_read_string( &rsa.Q , 16, RSA_Q );
1449  mpi_read_string( &rsa.DP, 16, RSA_DP );
1450  mpi_read_string( &rsa.DQ, 16, RSA_DQ );
1451  mpi_read_string( &rsa.QP, 16, RSA_QP );
1452 
1453  if( verbose != 0 )
1454  printf( " RSA key validation: " );
1455 
1456  if( rsa_check_pubkey( &rsa ) != 0 ||
1457  rsa_check_privkey( &rsa ) != 0 )
1458  {
1459  if( verbose != 0 )
1460  printf( "failed\n" );
1461 
1462  return( 1 );
1463  }
1464 
1465  if( verbose != 0 )
1466  printf( "passed\n PKCS#1 encryption : " );
1467 
1468  memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1469 
1470  if( rsa_pkcs1_encrypt( &rsa, &myrand, NULL, RSA_PUBLIC, PT_LEN,
1471  rsa_plaintext, rsa_ciphertext ) != 0 )
1472  {
1473  if( verbose != 0 )
1474  printf( "failed\n" );
1475 
1476  return( 1 );
1477  }
1478 
1479  if( verbose != 0 )
1480  printf( "passed\n PKCS#1 decryption : " );
1481 
1482  if( rsa_pkcs1_decrypt( &rsa, &myrand, NULL, RSA_PRIVATE, &len,
1483  rsa_ciphertext, rsa_decrypted,
1484  sizeof(rsa_decrypted) ) != 0 )
1485  {
1486  if( verbose != 0 )
1487  printf( "failed\n" );
1488 
1489  return( 1 );
1490  }
1491 
1492  if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1493  {
1494  if( verbose != 0 )
1495  printf( "failed\n" );
1496 
1497  return( 1 );
1498  }
1499 
1500 #if defined(POLARSSL_SHA1_C)
1501  if( verbose != 0 )
1502  printf( "passed\n PKCS#1 data sign : " );
1503 
1504  sha1( rsa_plaintext, PT_LEN, sha1sum );
1505 
1506  if( rsa_pkcs1_sign( &rsa, &myrand, NULL, RSA_PRIVATE, SIG_RSA_SHA1, 20,
1507  sha1sum, rsa_ciphertext ) != 0 )
1508  {
1509  if( verbose != 0 )
1510  printf( "failed\n" );
1511 
1512  return( 1 );
1513  }
1514 
1515  if( verbose != 0 )
1516  printf( "passed\n PKCS#1 sig. verify: " );
1517 
1518  if( rsa_pkcs1_verify( &rsa, &myrand, NULL, RSA_PUBLIC, SIG_RSA_SHA1, 20,
1519  sha1sum, rsa_ciphertext ) != 0 )
1520  {
1521  if( verbose != 0 )
1522  printf( "failed\n" );
1523 
1524  return( 1 );
1525  }
1526 
1527  if( verbose != 0 )
1528  printf( "passed\n\n" );
1529 #endif /* POLARSSL_SHA1_C */
1530 
1531  rsa_free( &rsa );
1532 
1533  return( 0 );
1534 }
1535 
1536 #endif
1537 
1538 #endif
int md(const md_info_t *md_info, const unsigned char *input, size_t ilen, unsigned char *output)
Output = message_digest( input buffer )
int mpi_cmp_int(const mpi *X, t_sint z)
Compare signed values.
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE
The output buffer for decryption is not large enough.
Definition: rsa.h:42
#define SIG_RSA_MD5
Definition: rsa.h:51
void mpi_swap(mpi *X, mpi *Y)
Swap the contents of X and Y.
#define RSA_CRYPT
Definition: rsa.h:65
int rsa_self_test(int verbose)
Checkup routine.
#define ASN1_HASH_SHA2X
Definition: rsa.h:124
#define SIG_RSA_MD4
Definition: rsa.h:50
int rsa_rsaes_oaep_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int rsa_check_privkey(const rsa_context *ctx)
Check a private RSA key.
int mpi_gcd(mpi *G, const mpi *A, const mpi *B)
Greatest common divisor: G = gcd(A, B)
int padding
Definition: rsa.h:159
#define ASN1_HASH_SHA1
Definition: rsa.h:109
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
int mpi_fill_random(mpi *X, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Fill an MPI X with size bytes of random.
mpi Vf
Definition: rsa.h:156
int rsa_rsaes_pkcs1_v15_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
int rsa_rsaes_oaep_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
int rsa_pkcs1_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 signature using the mode from the context.
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
#define RSA_PUBLIC
Definition: rsa.h:58
int rsa_rsassa_pkcs1_v15_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
#define RSA_PKCS_V21
Definition: rsa.h:62
mpi DQ
Definition: rsa.h:147
Configuration options (set of defines)
int rsa_check_pubkey(const rsa_context *ctx)
Check a public RSA key.
mpi RP
Definition: rsa.h:151
int mpi_div_mpi(mpi *Q, mpi *R, const mpi *A, const mpi *B)
Division by mpi: A = Q * B + R.
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:199
int rsa_rsassa_pss_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
int rsa_pkcs1_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Generic wrapper to perform a PKCS#1 decryption using the mode from the context.
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
#define POLARSSL_ERR_RSA_RNG_FAILED
The random generator failed to generate non-zeros.
Definition: rsa.h:43
MPI structure.
Definition: bignum.h:164
void mpi_init(mpi *X)
Initialize one MPI.
int mpi_cmp_mpi(const mpi *X, const mpi *Y)
Compare signed values.
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:121
size_t len
Definition: rsa.h:138
mpi P
Definition: rsa.h:144
mpi Vi
Definition: rsa.h:155
int rsa_rsaes_pkcs1_v15_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
int mpi_add_mpi(mpi *X, const mpi *A, const mpi *B)
Signed addition: X = A + B.
mpi Q
Definition: rsa.h:145
#define ASN1_HASH_MDX
Definition: rsa.h:99
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
void rsa_free(rsa_context *ctx)
Free the components of an RSA key.
int rsa_private(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, const unsigned char *input, unsigned char *output)
Do an RSA private key operation.
RSA context structure.
Definition: rsa.h:135
mpi D
Definition: rsa.h:143
int rsa_pkcs1_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Generic wrapper to perform a PKCS#1 encryption using the mode from the context.
#define SIG_RSA_SHA512
Definition: rsa.h:56
#define POLARSSL_ERR_RSA_INVALID_PADDING
Input data contains invalid padding and is rejected.
Definition: rsa.h:36
mpi QP
Definition: rsa.h:148
#define RSA_PKCS_V15
Definition: rsa.h:61
#define RSA_PRIVATE
Definition: rsa.h:59
mpi N
Definition: rsa.h:140
#define SIG_RSA_SHA1
Definition: rsa.h:52
int mpi_inv_mod(mpi *X, const mpi *A, const mpi *N)
Modular inverse: X = A^-1 mod N.
void mpi_free(mpi *X)
Unallocate one MPI.
#define SIG_RSA_MD2
Definition: rsa.h:49
#define RSA_SIGN
Definition: rsa.h:64
int mpi_exp_mod(mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR)
Sliding-window exponentiation: X = A^E mod N.
mpi RQ
Definition: rsa.h:152
mpi E
Definition: rsa.h:141
mpi DP
Definition: rsa.h:146
#define POLARSSL_ERR_RSA_VERIFY_FAILED
The PKCS#1 verification failed.
Definition: rsa.h:41
int mpi_gen_prime(mpi *X, size_t nbits, int dh_flag, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Prime number generation.
#define ASN1_HASH_SHA1_ALT
Definition: rsa.h:117
int hash_id
Definition: rsa.h:161
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant &#39;1&#39; bit&#39;.
#define POLARSSL_MPI_MAX_BITS
Maximum number of bits for usable MPIs.
Definition: bignum.h:91
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
Generic message digest wrapper.
t_uint * p
Definition: bignum.h:168
int mpi_read_binary(mpi *X, const unsigned char *buf, size_t buflen)
Import X from unsigned binary data, big endian.
The RSA public-key cryptosystem.
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA
Bad input parameters to function.
Definition: rsa.h:35
#define POLARSSL_ERR_RSA_PRIVATE_FAILED
The private key operation failed.
Definition: rsa.h:40
#define SIG_RSA_SHA224
Definition: rsa.h:53
#define POLARSSL_MD_MAX_SIZE
Definition: md.h:59
SHA-1 cryptographic hash function.
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED
Key failed to pass the libraries validity check.
Definition: rsa.h:38
int rsa_rsassa_pkcs1_v15_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
int rsa_gen_key(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, unsigned int nbits, int exponent)
Generate an RSA keypair.
void rsa_init(rsa_context *ctx, int padding, int hash_id)
Initialize an RSA context.
int mpi_mod_mpi(mpi *R, const mpi *A, const mpi *B)
Modulo: R = A mod B.
int mpi_write_binary(const mpi *X, unsigned char *buf, size_t buflen)
Export X into unsigned binary data, big endian.
int rsa_rsassa_pss_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
#define SIG_RSA_SHA256
Definition: rsa.h:54
int size
Output length of the digest function.
Definition: md.h:73
#define POLARSSL_ERR_RSA_KEY_GEN_FAILED
Something failed during generation of a key.
Definition: rsa.h:37
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
#define SIG_RSA_SHA384
Definition: rsa.h:55
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
#define POLARSSL_ERR_RSA_PUBLIC_FAILED
The public key operation failed.
Definition: rsa.h:39
#define SIG_RSA_RAW
Definition: rsa.h:48
int mpi_sub_mpi(mpi *X, const mpi *A, const mpi *B)
Signed substraction: X = A - B.
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
mpi RN
Definition: rsa.h:150
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed substraction: X = A - b.
Message digest information.
Definition: md.h:65
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
Generic message digest context.
Definition: md.h:119
#define MPI_CHK(f)
Definition: bignum.h:61
int rsa_public(rsa_context *ctx, const unsigned char *input, unsigned char *output)
Do an RSA public key operation.