blob: 525908afe31b5f22e575e311e8728391ae226309 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * The RSA public-key cryptosystem
3 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +00004 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker785a9ee2009-01-25 14:15:10 +00006 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker5121ce52009-01-03 21:22:43 +00007 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
24 *
25 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
26 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +000029#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000030
Paul Bakker40e46942009-01-03 21:51:57 +000031#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000032
Paul Bakker40e46942009-01-03 21:51:57 +000033#include "polarssl/rsa.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000034
35#include <stdlib.h>
36#include <string.h>
37#include <stdio.h>
38
39/*
40 * Initialize an RSA context
41 */
42void rsa_init( rsa_context *ctx,
43 int padding,
44 int hash_id,
45 int (*f_rng)(void *),
46 void *p_rng )
47{
48 memset( ctx, 0, sizeof( rsa_context ) );
49
50 ctx->padding = padding;
51 ctx->hash_id = hash_id;
52
53 ctx->f_rng = f_rng;
54 ctx->p_rng = p_rng;
55}
56
Paul Bakker40e46942009-01-03 21:51:57 +000057#if defined(POLARSSL_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +000058
59/*
60 * Generate an RSA keypair
61 */
62int rsa_gen_key( rsa_context *ctx, int nbits, int exponent )
63{
64 int ret;
65 mpi P1, Q1, H, G;
66
67 if( ctx->f_rng == NULL || nbits < 128 || exponent < 3 )
Paul Bakker40e46942009-01-03 21:51:57 +000068 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +000069
70 mpi_init( &P1, &Q1, &H, &G, NULL );
71
72 /*
73 * find primes P and Q with Q < P so that:
74 * GCD( E, (P-1)*(Q-1) ) == 1
75 */
76 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
77
78 do
79 {
80 MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
81 ctx->f_rng, ctx->p_rng ) );
82
83 MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
84 ctx->f_rng, ctx->p_rng ) );
85
86 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
87 mpi_swap( &ctx->P, &ctx->Q );
88
89 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
90 continue;
91
92 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
93 if( mpi_msb( &ctx->N ) != nbits )
94 continue;
95
96 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
97 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
98 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
99 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
100 }
101 while( mpi_cmp_int( &G, 1 ) != 0 );
102
103 /*
104 * D = E^-1 mod ((P-1)*(Q-1))
105 * DP = D mod (P - 1)
106 * DQ = D mod (Q - 1)
107 * QP = Q^-1 mod P
108 */
109 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
110 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
111 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
112 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
113
114 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
115
116cleanup:
117
118 mpi_free( &G, &H, &Q1, &P1, NULL );
119
120 if( ret != 0 )
121 {
122 rsa_free( ctx );
Paul Bakker40e46942009-01-03 21:51:57 +0000123 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000124 }
125
126 return( 0 );
127}
128
129#endif
130
131/*
132 * Check a public RSA key
133 */
134int rsa_check_pubkey( rsa_context *ctx )
135{
136 if( ( ctx->N.p[0] & 1 ) == 0 ||
137 ( ctx->E.p[0] & 1 ) == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000138 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000139
140 if( mpi_msb( &ctx->N ) < 128 ||
141 mpi_msb( &ctx->N ) > 4096 )
Paul Bakker40e46942009-01-03 21:51:57 +0000142 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000143
144 if( mpi_msb( &ctx->E ) < 2 ||
145 mpi_msb( &ctx->E ) > 64 )
Paul Bakker40e46942009-01-03 21:51:57 +0000146 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000147
148 return( 0 );
149}
150
151/*
152 * Check a private RSA key
153 */
154int rsa_check_privkey( rsa_context *ctx )
155{
156 int ret;
157 mpi PQ, DE, P1, Q1, H, I, G;
158
159 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
160 return( ret );
161
162 mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, NULL );
163
164 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
165 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
166 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
167 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
168 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
169 MPI_CHK( mpi_mod_mpi( &I, &DE, &H ) );
170 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
171
172 if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
173 mpi_cmp_int( &I, 1 ) == 0 &&
174 mpi_cmp_int( &G, 1 ) == 0 )
175 {
176 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
177 return( 0 );
178 }
179
180cleanup:
181
182 mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000183 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000184}
185
186/*
187 * Do an RSA public key operation
188 */
189int rsa_public( rsa_context *ctx,
190 unsigned char *input,
191 unsigned char *output )
192{
193 int ret, olen;
194 mpi T;
195
196 mpi_init( &T, NULL );
197
198 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
199
200 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
201 {
202 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000203 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000204 }
205
206 olen = ctx->len;
207 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
208 MPI_CHK( mpi_write_binary( &T, output, olen ) );
209
210cleanup:
211
212 mpi_free( &T, NULL );
213
214 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000215 return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000216
217 return( 0 );
218}
219
220/*
221 * Do an RSA private key operation
222 */
223int rsa_private( rsa_context *ctx,
224 unsigned char *input,
225 unsigned char *output )
226{
227 int ret, olen;
228 mpi T, T1, T2;
229
230 mpi_init( &T, &T1, &T2, NULL );
231
232 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
233
234 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
235 {
236 mpi_free( &T, NULL );
Paul Bakker40e46942009-01-03 21:51:57 +0000237 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000238 }
239
240#if 0
241 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
242#else
243 /*
244 * faster decryption using the CRT
245 *
246 * T1 = input ^ dP mod P
247 * T2 = input ^ dQ mod Q
248 */
249 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
250 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
251
252 /*
253 * T = (T1 - T2) * (Q^-1 mod P) mod P
254 */
255 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
256 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
257 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
258
259 /*
260 * output = T2 + T * Q
261 */
262 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
263 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
264#endif
265
266 olen = ctx->len;
267 MPI_CHK( mpi_write_binary( &T, output, olen ) );
268
269cleanup:
270
271 mpi_free( &T, &T1, &T2, NULL );
272
273 if( ret != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000274 return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000275
276 return( 0 );
277}
278
279/*
280 * Add the message padding, then do an RSA operation
281 */
282int rsa_pkcs1_encrypt( rsa_context *ctx,
283 int mode, int ilen,
284 unsigned char *input,
285 unsigned char *output )
286{
287 int nb_pad, olen;
288 unsigned char *p = output;
289
290 olen = ctx->len;
291
292 switch( ctx->padding )
293 {
294 case RSA_PKCS_V15:
295
296 if( ilen < 0 || olen < ilen + 11 )
Paul Bakker40e46942009-01-03 21:51:57 +0000297 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000298
299 nb_pad = olen - 3 - ilen;
300
301 *p++ = 0;
302 *p++ = RSA_CRYPT;
303
304 while( nb_pad-- > 0 )
305 {
306 do {
307 *p = (unsigned char) rand();
308 } while( *p == 0 );
309 p++;
310 }
311 *p++ = 0;
312 memcpy( p, input, ilen );
313 break;
314
315 default:
316
Paul Bakker40e46942009-01-03 21:51:57 +0000317 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000318 }
319
320 return( ( mode == RSA_PUBLIC )
321 ? rsa_public( ctx, output, output )
322 : rsa_private( ctx, output, output ) );
323}
324
325/*
326 * Do an RSA operation, then remove the message padding
327 */
328int rsa_pkcs1_decrypt( rsa_context *ctx,
329 int mode, int *olen,
330 unsigned char *input,
Paul Bakker060c5682009-01-12 21:48:39 +0000331 unsigned char *output,
332 int output_max_len)
Paul Bakker5121ce52009-01-03 21:22:43 +0000333{
334 int ret, ilen;
335 unsigned char *p;
Paul Bakker1569ad82009-05-17 10:16:51 +0000336 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000337
338 ilen = ctx->len;
339
340 if( ilen < 16 || ilen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000341 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000342
343 ret = ( mode == RSA_PUBLIC )
344 ? rsa_public( ctx, input, buf )
345 : rsa_private( ctx, input, buf );
346
347 if( ret != 0 )
348 return( ret );
349
350 p = buf;
351
352 switch( ctx->padding )
353 {
354 case RSA_PKCS_V15:
355
356 if( *p++ != 0 || *p++ != RSA_CRYPT )
Paul Bakker40e46942009-01-03 21:51:57 +0000357 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000358
359 while( *p != 0 )
360 {
361 if( p >= buf + ilen - 1 )
Paul Bakker40e46942009-01-03 21:51:57 +0000362 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000363 p++;
364 }
365 p++;
366 break;
367
368 default:
369
Paul Bakker40e46942009-01-03 21:51:57 +0000370 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000371 }
372
Paul Bakker060c5682009-01-12 21:48:39 +0000373 if (ilen - (int)(p - buf) > output_max_len)
374 return( POLARSSL_ERR_RSA_OUTPUT_TO_LARGE );
375
Paul Bakker5121ce52009-01-03 21:22:43 +0000376 *olen = ilen - (int)(p - buf);
377 memcpy( output, p, *olen );
378
379 return( 0 );
380}
381
382/*
383 * Do an RSA operation to sign the message digest
384 */
385int rsa_pkcs1_sign( rsa_context *ctx,
386 int mode,
387 int hash_id,
388 int hashlen,
389 unsigned char *hash,
390 unsigned char *sig )
391{
392 int nb_pad, olen;
393 unsigned char *p = sig;
394
395 olen = ctx->len;
396
397 switch( ctx->padding )
398 {
399 case RSA_PKCS_V15:
400
401 switch( hash_id )
402 {
403 case RSA_RAW:
404 nb_pad = olen - 3 - hashlen;
405 break;
406
Paul Bakker4593aea2009-02-09 22:32:35 +0000407 case SIG_RSA_MD2:
408 case SIG_RSA_MD4:
409 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000410 nb_pad = olen - 3 - 34;
411 break;
412
Paul Bakker4593aea2009-02-09 22:32:35 +0000413 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000414 nb_pad = olen - 3 - 35;
415 break;
416
Paul Bakker1569ad82009-05-17 10:16:51 +0000417 case SIG_RSA_SHA224:
418 nb_pad = olen - 3 - 47;
419 break;
420
421 case SIG_RSA_SHA256:
422 nb_pad = olen - 3 - 51;
423 break;
424
425 case SIG_RSA_SHA384:
426 nb_pad = olen - 3 - 67;
427 break;
428
429 case SIG_RSA_SHA512:
430 nb_pad = olen - 3 - 83;
431 break;
432
433
Paul Bakker5121ce52009-01-03 21:22:43 +0000434 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000435 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000436 }
437
438 if( nb_pad < 8 )
Paul Bakker40e46942009-01-03 21:51:57 +0000439 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000440
441 *p++ = 0;
442 *p++ = RSA_SIGN;
443 memset( p, 0xFF, nb_pad );
444 p += nb_pad;
445 *p++ = 0;
446 break;
447
448 default:
449
Paul Bakker40e46942009-01-03 21:51:57 +0000450 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000451 }
452
453 switch( hash_id )
454 {
455 case RSA_RAW:
456 memcpy( p, hash, hashlen );
457 break;
458
Paul Bakker4593aea2009-02-09 22:32:35 +0000459 case SIG_RSA_MD2:
Paul Bakker5121ce52009-01-03 21:22:43 +0000460 memcpy( p, ASN1_HASH_MDX, 18 );
461 memcpy( p + 18, hash, 16 );
462 p[13] = 2; break;
463
Paul Bakker4593aea2009-02-09 22:32:35 +0000464 case SIG_RSA_MD4:
Paul Bakker5121ce52009-01-03 21:22:43 +0000465 memcpy( p, ASN1_HASH_MDX, 18 );
466 memcpy( p + 18, hash, 16 );
467 p[13] = 4; break;
468
Paul Bakker4593aea2009-02-09 22:32:35 +0000469 case SIG_RSA_MD5:
Paul Bakker5121ce52009-01-03 21:22:43 +0000470 memcpy( p, ASN1_HASH_MDX, 18 );
471 memcpy( p + 18, hash, 16 );
472 p[13] = 5; break;
473
Paul Bakker4593aea2009-02-09 22:32:35 +0000474 case SIG_RSA_SHA1:
Paul Bakker5121ce52009-01-03 21:22:43 +0000475 memcpy( p, ASN1_HASH_SHA1, 15 );
476 memcpy( p + 15, hash, 20 );
477 break;
478
Paul Bakker4593aea2009-02-09 22:32:35 +0000479 case SIG_RSA_SHA224:
480 memcpy( p, ASN1_HASH_SHA2X, 19 );
481 memcpy( p + 19, hash, 28 );
482 p[1] += 28; p[14] = 4; p[18] += 28; break;
483
484 case SIG_RSA_SHA256:
485 memcpy( p, ASN1_HASH_SHA2X, 19 );
486 memcpy( p + 19, hash, 32 );
487 p[1] += 32; p[14] = 1; p[18] += 32; break;
488
489 case SIG_RSA_SHA384:
490 memcpy( p, ASN1_HASH_SHA2X, 19 );
491 memcpy( p + 19, hash, 48 );
492 p[1] += 48; p[14] = 2; p[18] += 48; break;
493
494 case SIG_RSA_SHA512:
495 memcpy( p, ASN1_HASH_SHA2X, 19 );
496 memcpy( p + 19, hash, 64 );
497 p[1] += 64; p[14] = 3; p[18] += 64; break;
498
Paul Bakker5121ce52009-01-03 21:22:43 +0000499 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000500 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000501 }
502
503 return( ( mode == RSA_PUBLIC )
504 ? rsa_public( ctx, sig, sig )
505 : rsa_private( ctx, sig, sig ) );
506}
507
508/*
509 * Do an RSA operation and check the message digest
510 */
511int rsa_pkcs1_verify( rsa_context *ctx,
512 int mode,
513 int hash_id,
514 int hashlen,
515 unsigned char *hash,
516 unsigned char *sig )
517{
518 int ret, len, siglen;
519 unsigned char *p, c;
Paul Bakker1569ad82009-05-17 10:16:51 +0000520 unsigned char buf[1024];
Paul Bakker5121ce52009-01-03 21:22:43 +0000521
522 siglen = ctx->len;
523
524 if( siglen < 16 || siglen > (int) sizeof( buf ) )
Paul Bakker40e46942009-01-03 21:51:57 +0000525 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000526
527 ret = ( mode == RSA_PUBLIC )
528 ? rsa_public( ctx, sig, buf )
529 : rsa_private( ctx, sig, buf );
530
531 if( ret != 0 )
532 return( ret );
533
534 p = buf;
535
536 switch( ctx->padding )
537 {
538 case RSA_PKCS_V15:
539
540 if( *p++ != 0 || *p++ != RSA_SIGN )
Paul Bakker40e46942009-01-03 21:51:57 +0000541 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000542
543 while( *p != 0 )
544 {
545 if( p >= buf + siglen - 1 || *p != 0xFF )
Paul Bakker40e46942009-01-03 21:51:57 +0000546 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000547 p++;
548 }
549 p++;
550 break;
551
552 default:
553
Paul Bakker40e46942009-01-03 21:51:57 +0000554 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000555 }
556
557 len = siglen - (int)( p - buf );
558
559 if( len == 34 )
560 {
561 c = p[13];
562 p[13] = 0;
563
564 if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000565 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000566
Paul Bakker4593aea2009-02-09 22:32:35 +0000567 if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
568 ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
569 ( c == 5 && hash_id == SIG_RSA_MD5 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000570 {
571 if( memcmp( p + 18, hash, 16 ) == 0 )
572 return( 0 );
573 else
Paul Bakker40e46942009-01-03 21:51:57 +0000574 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000575 }
576 }
577
Paul Bakker4593aea2009-02-09 22:32:35 +0000578 if( len == 35 && hash_id == SIG_RSA_SHA1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000579 {
580 if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
581 memcmp( p + 15, hash, 20 ) == 0 )
582 return( 0 );
583 else
Paul Bakker40e46942009-01-03 21:51:57 +0000584 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000585 }
Paul Bakker4593aea2009-02-09 22:32:35 +0000586 if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
587 ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
588 ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
589 ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
590 {
591 c = p[1] - 17;
Paul Bakker1569ad82009-05-17 10:16:51 +0000592 p[1] = 17;
593 p[14] = 0;
Paul Bakker4593aea2009-02-09 22:32:35 +0000594
595 if( p[18] == c &&
Paul Bakker1569ad82009-05-17 10:16:51 +0000596 memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
597 memcmp( p + 19, hash, c ) == 0 )
598 return( 0 );
599 else
600 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker4593aea2009-02-09 22:32:35 +0000601 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000602
603 if( len == hashlen && hash_id == RSA_RAW )
604 {
605 if( memcmp( p, hash, hashlen ) == 0 )
606 return( 0 );
607 else
Paul Bakker40e46942009-01-03 21:51:57 +0000608 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000609 }
610
Paul Bakker40e46942009-01-03 21:51:57 +0000611 return( POLARSSL_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +0000612}
613
614/*
615 * Free the components of an RSA key
616 */
617void rsa_free( rsa_context *ctx )
618{
619 mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN,
620 &ctx->QP, &ctx->DQ, &ctx->DP,
621 &ctx->Q, &ctx->P, &ctx->D,
622 &ctx->E, &ctx->N, NULL );
623}
624
Paul Bakker40e46942009-01-03 21:51:57 +0000625#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000626
Paul Bakker40e46942009-01-03 21:51:57 +0000627#include "polarssl/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000628
629/*
630 * Example RSA-1024 keypair, for test purposes
631 */
632#define KEY_LEN 128
633
634#define RSA_N "9292758453063D803DD603D5E777D788" \
635 "8ED1D5BF35786190FA2F23EBC0848AEA" \
636 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
637 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
638 "93A89813FBF3C4F8066D2D800F7C38A8" \
639 "1AE31942917403FF4946B0A83D3D3E05" \
640 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
641 "5E94BB77B07507233A0BC7BAC8F90F79"
642
643#define RSA_E "10001"
644
645#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
646 "66CA472BC44D253102F8B4A9D3BFA750" \
647 "91386C0077937FE33FA3252D28855837" \
648 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
649 "DF79C5CE07EE72C7F123142198164234" \
650 "CABB724CF78B8173B9F880FC86322407" \
651 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
652 "071513A1E85B5DFA031F21ECAE91A34D"
653
654#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
655 "2C01CAD19EA484A87EA4377637E75500" \
656 "FCB2005C5C7DD6EC4AC023CDA285D796" \
657 "C3D9E75E1EFC42488BB4F1D13AC30A57"
658
659#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
660 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
661 "910E4168387E3C30AA1E00C339A79508" \
662 "8452DD96A9A5EA5D9DCA68DA636032AF"
663
664#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
665 "3C94D22288ACD763FD8E5600ED4A702D" \
666 "F84198A5F06C2E72236AE490C93F07F8" \
667 "3CC559CD27BC2D1CA488811730BB5725"
668
669#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
670 "D8AAEA56749EA28623272E4F7D0592AF" \
671 "7C1F1313CAC9471B5C523BFE592F517B" \
672 "407A1BD76C164B93DA2D32A383E58357"
673
674#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
675 "F38D18D2B2F0E2DD275AA977E2BF4411" \
676 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
677 "A74206CEC169D74BF5A8C50D6F48EA08"
678
679#define PT_LEN 24
680#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
681 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
682
683/*
684 * Checkup routine
685 */
686int rsa_self_test( int verbose )
687{
688 int len;
689 rsa_context rsa;
690 unsigned char sha1sum[20];
691 unsigned char rsa_plaintext[PT_LEN];
692 unsigned char rsa_decrypted[PT_LEN];
693 unsigned char rsa_ciphertext[KEY_LEN];
694
695 memset( &rsa, 0, sizeof( rsa_context ) );
696
697 rsa.len = KEY_LEN;
698 mpi_read_string( &rsa.N , 16, RSA_N );
699 mpi_read_string( &rsa.E , 16, RSA_E );
700 mpi_read_string( &rsa.D , 16, RSA_D );
701 mpi_read_string( &rsa.P , 16, RSA_P );
702 mpi_read_string( &rsa.Q , 16, RSA_Q );
703 mpi_read_string( &rsa.DP, 16, RSA_DP );
704 mpi_read_string( &rsa.DQ, 16, RSA_DQ );
705 mpi_read_string( &rsa.QP, 16, RSA_QP );
706
707 if( verbose != 0 )
708 printf( " RSA key validation: " );
709
710 if( rsa_check_pubkey( &rsa ) != 0 ||
711 rsa_check_privkey( &rsa ) != 0 )
712 {
713 if( verbose != 0 )
714 printf( "failed\n" );
715
716 return( 1 );
717 }
718
719 if( verbose != 0 )
720 printf( "passed\n PKCS#1 encryption : " );
721
722 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
723
724 if( rsa_pkcs1_encrypt( &rsa, RSA_PUBLIC, PT_LEN,
725 rsa_plaintext, rsa_ciphertext ) != 0 )
726 {
727 if( verbose != 0 )
728 printf( "failed\n" );
729
730 return( 1 );
731 }
732
733 if( verbose != 0 )
734 printf( "passed\n PKCS#1 decryption : " );
735
736 if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
Paul Bakker060c5682009-01-12 21:48:39 +0000737 rsa_ciphertext, rsa_decrypted,
738 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000739 {
740 if( verbose != 0 )
741 printf( "failed\n" );
742
743 return( 1 );
744 }
745
746 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
747 {
748 if( verbose != 0 )
749 printf( "failed\n" );
750
751 return( 1 );
752 }
753
754 if( verbose != 0 )
755 printf( "passed\n PKCS#1 data sign : " );
756
757 sha1( rsa_plaintext, PT_LEN, sha1sum );
758
Paul Bakker4593aea2009-02-09 22:32:35 +0000759 if( rsa_pkcs1_sign( &rsa, RSA_PRIVATE, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000760 sha1sum, rsa_ciphertext ) != 0 )
761 {
762 if( verbose != 0 )
763 printf( "failed\n" );
764
765 return( 1 );
766 }
767
768 if( verbose != 0 )
769 printf( "passed\n PKCS#1 sig. verify: " );
770
Paul Bakker4593aea2009-02-09 22:32:35 +0000771 if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000772 sha1sum, rsa_ciphertext ) != 0 )
773 {
774 if( verbose != 0 )
775 printf( "failed\n" );
776
777 return( 1 );
778 }
779
780 if( verbose != 0 )
781 printf( "passed\n\n" );
782
783 rsa_free( &rsa );
784
785 return( 0 );
786}
787
788#endif
789
790#endif