TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 4593aeadaf1d861fbea4d21619e72e0321521da7 / . / library / rsa.c
blob: ed703425aad57cd136008e5760cb9e4d4530b40a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker785a9ee2009-01-25 14:15:10 +0000[diff] [blame]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
24 *
25 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
35#include <stdlib.h>
36#include <string.h>
37#include <stdio.h>
38
39/*
40 * Initialize an RSA context
41 */
42void rsa_init( rsa_context *ctx,
43 int padding,
44 int hash_id,
45 int (*f_rng)(void *),
46 void *p_rng )
47{
48 memset( ctx, 0, sizeof( rsa_context ) );
49
50 ctx->padding = padding;
51 ctx->hash_id = hash_id;
52
53 ctx->f_rng = f_rng;
54 ctx->p_rng = p_rng;
55}
56
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]57#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
59/*
60 * Generate an RSA keypair
61 */
62int rsa_gen_key( rsa_context *ctx, int nbits, int exponent )
63{
64 int ret;
65 mpi P1, Q1, H, G;
66
67 if( ctx->f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]68 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]69
70 mpi_init( &P1, &Q1, &H, &G, NULL );
71
72 /*
73 * find primes P and Q with Q < P so that:
74 * GCD( E, (P-1)*(Q-1) ) == 1
75 */
76 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
77
78 do
79 {
80 MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
81 ctx->f_rng, ctx->p_rng ) );
82
83 MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
84 ctx->f_rng, ctx->p_rng ) );
85
86 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
87 mpi_swap( &ctx->P, &ctx->Q );
88
89 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
90 continue;
91
92 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
93 if( mpi_msb( &ctx->N ) != nbits )
94 continue;
95
96 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
97 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
98 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
99 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
100 }
101 while( mpi_cmp_int( &G, 1 ) != 0 );
102
103 /*
104 * D = E^-1 mod ((P-1)*(Q-1))
105 * DP = D mod (P - 1)
106 * DQ = D mod (Q - 1)
107 * QP = Q^-1 mod P
108 */
109 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
110 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
111 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
112 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
113
114 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
115
116cleanup:
117
118 mpi_free( &G, &H, &Q1, &P1, NULL );
119
120 if( ret != 0 )
121 {
122 rsa_free( ctx );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]123 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]124 }
125
126 return( 0 );
127}
128
129#endif
130
131/*
132 * Check a public RSA key
133 */
134int rsa_check_pubkey( rsa_context *ctx )
135{
136 if( ( ctx->N.p[0] & 1 ) == 0 ||
137 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]138 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]139
140 if( mpi_msb( &ctx->N ) < 128 ||
141 mpi_msb( &ctx->N ) > 4096 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]142 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]143
144 if( mpi_msb( &ctx->E ) < 2 ||
145 mpi_msb( &ctx->E ) > 64 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]146 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]147
148 return( 0 );
149}
150
151/*
152 * Check a private RSA key
153 */
154int rsa_check_privkey( rsa_context *ctx )
155{
156 int ret;
157 mpi PQ, DE, P1, Q1, H, I, G;
158
159 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
160 return( ret );
161
162 mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, NULL );
163
164 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
165 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
166 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
167 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
168 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
169 MPI_CHK( mpi_mod_mpi( &I, &DE, &H ) );
170 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
171
172 if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
173 mpi_cmp_int( &I, 1 ) == 0 &&
174 mpi_cmp_int( &G, 1 ) == 0 )
175 {
176 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
177 return( 0 );
178 }
179
180cleanup:
181
182 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]183 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]184}
185
186/*
187 * Do an RSA public key operation
188 */
189int rsa_public( rsa_context *ctx,
190 unsigned char *input,
191 unsigned char *output )
192{
193 int ret, olen;
194 mpi T;
195
196 mpi_init( &T, NULL );
197
198 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
199
200 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
201 {
202 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]203 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204 }
205
206 olen = ctx->len;
207 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
208 MPI_CHK( mpi_write_binary( &T, output, olen ) );
209
210cleanup:
211
212 mpi_free( &T, NULL );
213
214 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]215 return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216
217 return( 0 );
218}
219
220/*
221 * Do an RSA private key operation
222 */
223int rsa_private( rsa_context *ctx,
224 unsigned char *input,
225 unsigned char *output )
226{
227 int ret, olen;
228 mpi T, T1, T2;
229
230 mpi_init( &T, &T1, &T2, NULL );
231
232 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
233
234 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
235 {
236 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]237 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238 }
239
240#if 0
241 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
242#else
243 /*
244 * faster decryption using the CRT
245 *
246 * T1 = input ^ dP mod P
247 * T2 = input ^ dQ mod Q
248 */
249 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
250 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
251
252 /*
253 * T = (T1 - T2) * (Q^-1 mod P) mod P
254 */
255 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
256 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
257 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
258
259 /*
260 * output = T2 + T * Q
261 */
262 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
263 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
264#endif
265
266 olen = ctx->len;
267 MPI_CHK( mpi_write_binary( &T, output, olen ) );
268
269cleanup:
270
271 mpi_free( &T, &T1, &T2, NULL );
272
273 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]274 return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]275
276 return( 0 );
277}
278
279/*
280 * Add the message padding, then do an RSA operation
281 */
282int rsa_pkcs1_encrypt( rsa_context *ctx,
283 int mode, int ilen,
284 unsigned char *input,
285 unsigned char *output )
286{
287 int nb_pad, olen;
288 unsigned char *p = output;
289
290 olen = ctx->len;
291
292 switch( ctx->padding )
293 {
294 case RSA_PKCS_V15:
295
296 if( ilen < 0 || olen < ilen + 11 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]297 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]298
299 nb_pad = olen - 3 - ilen;
300
301 *p++ = 0;
302 *p++ = RSA_CRYPT;
303
304 while( nb_pad-- > 0 )
305 {
306 do {
307 *p = (unsigned char) rand();
308 } while( *p == 0 );
309 p++;
310 }
311 *p++ = 0;
312 memcpy( p, input, ilen );
313 break;
314
315 default:
316
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]317 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318 }
319
320 return( ( mode == RSA_PUBLIC )
321 ? rsa_public( ctx, output, output )
322 : rsa_private( ctx, output, output ) );
323}
324
325/*
326 * Do an RSA operation, then remove the message padding
327 */
328int rsa_pkcs1_decrypt( rsa_context *ctx,
329 int mode, int *olen,
330 unsigned char *input,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]331 unsigned char *output,
332 int output_max_len)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 int ret, ilen;
335 unsigned char *p;
336 unsigned char buf[512];
337
338 ilen = ctx->len;
339
340 if( ilen < 16 || ilen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]341 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342
343 ret = ( mode == RSA_PUBLIC )
344 ? rsa_public( ctx, input, buf )
345 : rsa_private( ctx, input, buf );
346
347 if( ret != 0 )
348 return( ret );
349
350 p = buf;
351
352 switch( ctx->padding )
353 {
354 case RSA_PKCS_V15:
355
356 if( *p++ != 0 || *p++ != RSA_CRYPT )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]357 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359 while( *p != 0 )
360 {
361 if( p >= buf + ilen - 1 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]362 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363 p++;
364 }
365 p++;
366 break;
367
368 default:
369
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]370 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371 }
372
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]373 if (ilen - (int)(p - buf) > output_max_len)
374 return( POLARSSL_ERR_RSA_OUTPUT_TO_LARGE );
375
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]376 *olen = ilen - (int)(p - buf);
377 memcpy( output, p, *olen );
378
379 return( 0 );
380}
381
382/*
383 * Do an RSA operation to sign the message digest
384 */
385int rsa_pkcs1_sign( rsa_context *ctx,
386 int mode,
387 int hash_id,
388 int hashlen,
389 unsigned char *hash,
390 unsigned char *sig )
391{
392 int nb_pad, olen;
393 unsigned char *p = sig;
394
395 olen = ctx->len;
396
397 switch( ctx->padding )
398 {
399 case RSA_PKCS_V15:
400
401 switch( hash_id )
402 {
403 case RSA_RAW:
404 nb_pad = olen - 3 - hashlen;
405 break;
406
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]407 case SIG_RSA_MD2:
408 case SIG_RSA_MD4:
409 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410 nb_pad = olen - 3 - 34;
411 break;
412
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]413 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]414 nb_pad = olen - 3 - 35;
415 break;
416
417 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]418 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419 }
420
421 if( nb_pad < 8 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]422 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423
424 *p++ = 0;
425 *p++ = RSA_SIGN;
426 memset( p, 0xFF, nb_pad );
427 p += nb_pad;
428 *p++ = 0;
429 break;
430
431 default:
432
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]433 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434 }
435
436 switch( hash_id )
437 {
438 case RSA_RAW:
439 memcpy( p, hash, hashlen );
440 break;
441
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]442 case SIG_RSA_MD2:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 memcpy( p, ASN1_HASH_MDX, 18 );
444 memcpy( p + 18, hash, 16 );
445 p[13] = 2; break;
446
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]447 case SIG_RSA_MD4:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448 memcpy( p, ASN1_HASH_MDX, 18 );
449 memcpy( p + 18, hash, 16 );
450 p[13] = 4; break;
451
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]452 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 memcpy( p, ASN1_HASH_MDX, 18 );
454 memcpy( p + 18, hash, 16 );
455 p[13] = 5; break;
456
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]457 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458 memcpy( p, ASN1_HASH_SHA1, 15 );
459 memcpy( p + 15, hash, 20 );
460 break;
461
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]462 case SIG_RSA_SHA224:
463 memcpy( p, ASN1_HASH_SHA2X, 19 );
464 memcpy( p + 19, hash, 28 );
465 p[1] += 28; p[14] = 4; p[18] += 28; break;
466
467 case SIG_RSA_SHA256:
468 memcpy( p, ASN1_HASH_SHA2X, 19 );
469 memcpy( p + 19, hash, 32 );
470 p[1] += 32; p[14] = 1; p[18] += 32; break;
471
472 case SIG_RSA_SHA384:
473 memcpy( p, ASN1_HASH_SHA2X, 19 );
474 memcpy( p + 19, hash, 48 );
475 p[1] += 48; p[14] = 2; p[18] += 48; break;
476
477 case SIG_RSA_SHA512:
478 memcpy( p, ASN1_HASH_SHA2X, 19 );
479 memcpy( p + 19, hash, 64 );
480 p[1] += 64; p[14] = 3; p[18] += 64; break;
481
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]483 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]484 }
485
486 return( ( mode == RSA_PUBLIC )
487 ? rsa_public( ctx, sig, sig )
488 : rsa_private( ctx, sig, sig ) );
489}
490
491/*
492 * Do an RSA operation and check the message digest
493 */
494int rsa_pkcs1_verify( rsa_context *ctx,
495 int mode,
496 int hash_id,
497 int hashlen,
498 unsigned char *hash,
499 unsigned char *sig )
500{
501 int ret, len, siglen;
502 unsigned char *p, c;
503 unsigned char buf[512];
504
505 siglen = ctx->len;
506
507 if( siglen < 16 || siglen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]508 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]509
510 ret = ( mode == RSA_PUBLIC )
511 ? rsa_public( ctx, sig, buf )
512 : rsa_private( ctx, sig, buf );
513
514 if( ret != 0 )
515 return( ret );
516
517 p = buf;
518
519 switch( ctx->padding )
520 {
521 case RSA_PKCS_V15:
522
523 if( *p++ != 0 || *p++ != RSA_SIGN )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]524 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525
526 while( *p != 0 )
527 {
528 if( p >= buf + siglen - 1 || *p != 0xFF )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]529 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530 p++;
531 }
532 p++;
533 break;
534
535 default:
536
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]537 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538 }
539
540 len = siglen - (int)( p - buf );
541
542 if( len == 34 )
543 {
544 c = p[13];
545 p[13] = 0;
546
547 if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]548 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]550 if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
551 ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
552 ( c == 5 && hash_id == SIG_RSA_MD5 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553 {
554 if( memcmp( p + 18, hash, 16 ) == 0 )
555 return( 0 );
556 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]557 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558 }
559 }
560
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]561 if( len == 35 && hash_id == SIG_RSA_SHA1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562 {
563 if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
564 memcmp( p + 15, hash, 20 ) == 0 )
565 return( 0 );
566 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]567 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568 }
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]569 if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
570 ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
571 ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
572 ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
573 {
574 c = p[1] - 17;
575 p[1] = 17;
576 p[14] = 0;
577
578 if( p[18] == c &&
579 memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
580 memcmp( p + 19, hash, c ) == 0 )
581 return( 0 );
582 else
583 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
584 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
586 if( len == hashlen && hash_id == RSA_RAW )
587 {
588 if( memcmp( p, hash, hashlen ) == 0 )
589 return( 0 );
590 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]591 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 }
593
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]594 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]595}
596
597/*
598 * Free the components of an RSA key
599 */
600void rsa_free( rsa_context *ctx )
601{
602 mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN,
603 &ctx->QP, &ctx->DQ, &ctx->DP,
604 &ctx->Q, &ctx->P, &ctx->D,
605 &ctx->E, &ctx->N, NULL );
606}
607
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]608#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]609
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]610#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]611
612/*
613 * Example RSA-1024 keypair, for test purposes
614 */
615#define KEY_LEN 128
616
617#define RSA_N "9292758453063D803DD603D5E777D788" \
618 "8ED1D5BF35786190FA2F23EBC0848AEA" \
619 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
620 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
621 "93A89813FBF3C4F8066D2D800F7C38A8" \
622 "1AE31942917403FF4946B0A83D3D3E05" \
623 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
624 "5E94BB77B07507233A0BC7BAC8F90F79"
625
626#define RSA_E "10001"
627
628#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
629 "66CA472BC44D253102F8B4A9D3BFA750" \
630 "91386C0077937FE33FA3252D28855837" \
631 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
632 "DF79C5CE07EE72C7F123142198164234" \
633 "CABB724CF78B8173B9F880FC86322407" \
634 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
635 "071513A1E85B5DFA031F21ECAE91A34D"
636
637#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
638 "2C01CAD19EA484A87EA4377637E75500" \
639 "FCB2005C5C7DD6EC4AC023CDA285D796" \
640 "C3D9E75E1EFC42488BB4F1D13AC30A57"
641
642#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
643 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
644 "910E4168387E3C30AA1E00C339A79508" \
645 "8452DD96A9A5EA5D9DCA68DA636032AF"
646
647#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
648 "3C94D22288ACD763FD8E5600ED4A702D" \
649 "F84198A5F06C2E72236AE490C93F07F8" \
650 "3CC559CD27BC2D1CA488811730BB5725"
651
652#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
653 "D8AAEA56749EA28623272E4F7D0592AF" \
654 "7C1F1313CAC9471B5C523BFE592F517B" \
655 "407A1BD76C164B93DA2D32A383E58357"
656
657#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
658 "F38D18D2B2F0E2DD275AA977E2BF4411" \
659 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
660 "A74206CEC169D74BF5A8C50D6F48EA08"
661
662#define PT_LEN 24
663#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
664 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
665
666/*
667 * Checkup routine
668 */
669int rsa_self_test( int verbose )
670{
671 int len;
672 rsa_context rsa;
673 unsigned char sha1sum[20];
674 unsigned char rsa_plaintext[PT_LEN];
675 unsigned char rsa_decrypted[PT_LEN];
676 unsigned char rsa_ciphertext[KEY_LEN];
677
678 memset( &rsa, 0, sizeof( rsa_context ) );
679
680 rsa.len = KEY_LEN;
681 mpi_read_string( &rsa.N , 16, RSA_N );
682 mpi_read_string( &rsa.E , 16, RSA_E );
683 mpi_read_string( &rsa.D , 16, RSA_D );
684 mpi_read_string( &rsa.P , 16, RSA_P );
685 mpi_read_string( &rsa.Q , 16, RSA_Q );
686 mpi_read_string( &rsa.DP, 16, RSA_DP );
687 mpi_read_string( &rsa.DQ, 16, RSA_DQ );
688 mpi_read_string( &rsa.QP, 16, RSA_QP );
689
690 if( verbose != 0 )
691 printf( " RSA key validation: " );
692
693 if( rsa_check_pubkey( &rsa ) != 0 ||
694 rsa_check_privkey( &rsa ) != 0 )
695 {
696 if( verbose != 0 )
697 printf( "failed\n" );
698
699 return( 1 );
700 }
701
702 if( verbose != 0 )
703 printf( "passed\n PKCS#1 encryption : " );
704
705 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
706
707 if( rsa_pkcs1_encrypt( &rsa, RSA_PUBLIC, PT_LEN,
708 rsa_plaintext, rsa_ciphertext ) != 0 )
709 {
710 if( verbose != 0 )
711 printf( "failed\n" );
712
713 return( 1 );
714 }
715
716 if( verbose != 0 )
717 printf( "passed\n PKCS#1 decryption : " );
718
719 if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000[diff] [blame]720 rsa_ciphertext, rsa_decrypted,
721 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722 {
723 if( verbose != 0 )
724 printf( "failed\n" );
725
726 return( 1 );
727 }
728
729 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
730 {
731 if( verbose != 0 )
732 printf( "failed\n" );
733
734 return( 1 );
735 }
736
737 if( verbose != 0 )
738 printf( "passed\n PKCS#1 data sign : " );
739
740 sha1( rsa_plaintext, PT_LEN, sha1sum );
741
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]742 if( rsa_pkcs1_sign( &rsa, RSA_PRIVATE, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]743 sha1sum, rsa_ciphertext ) != 0 )
744 {
745 if( verbose != 0 )
746 printf( "failed\n" );
747
748 return( 1 );
749 }
750
751 if( verbose != 0 )
752 printf( "passed\n PKCS#1 sig. verify: " );
753
Paul Bakker4593aea2009-02-09 22:32:35 +0000[diff] [blame^]754 if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]755 sha1sum, rsa_ciphertext ) != 0 )
756 {
757 if( verbose != 0 )
758 printf( "failed\n" );
759
760 return( 1 );
761 }
762
763 if( verbose != 0 )
764 printf( "passed\n\n" );
765
766 rsa_free( &rsa );
767
768 return( 0 );
769}
770
771#endif
772
773#endif