00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032 #include "polarssl/config.h"
00033
00034 #if defined(POLARSSL_RSA_C)
00035
00036 #include "polarssl/rsa.h"
00037 #include "polarssl/oid.h"
00038
00039 #if defined(POLARSSL_PKCS1_V21)
00040 #include "polarssl/md.h"
00041 #endif
00042
00043 #include <stdlib.h>
00044 #include <stdio.h>
00045
00046
00047
00048
00049 void rsa_init( rsa_context *ctx,
00050 int padding,
00051 int hash_id )
00052 {
00053 memset( ctx, 0, sizeof( rsa_context ) );
00054
00055 ctx->padding = padding;
00056 ctx->hash_id = hash_id;
00057
00058 #if defined(POLARSSL_THREADING_C)
00059 polarssl_mutex_init( &ctx->mutex );
00060 #endif
00061 }
00062
00063 #if defined(POLARSSL_GENPRIME)
00064
00065
00066
00067
00068 int rsa_gen_key( rsa_context *ctx,
00069 int (*f_rng)(void *, unsigned char *, size_t),
00070 void *p_rng,
00071 unsigned int nbits, int exponent )
00072 {
00073 int ret;
00074 mpi P1, Q1, H, G;
00075
00076 if( f_rng == NULL || nbits < 128 || exponent < 3 )
00077 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00078
00079 mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
00080
00081
00082
00083
00084
00085 MPI_CHK( mpi_lset( &ctx->E, exponent ) );
00086
00087 do
00088 {
00089 MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
00090 f_rng, p_rng ) );
00091
00092 MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
00093 f_rng, p_rng ) );
00094
00095 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
00096 mpi_swap( &ctx->P, &ctx->Q );
00097
00098 if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
00099 continue;
00100
00101 MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
00102 if( mpi_msb( &ctx->N ) != nbits )
00103 continue;
00104
00105 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
00106 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
00107 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
00108 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
00109 }
00110 while( mpi_cmp_int( &G, 1 ) != 0 );
00111
00112
00113
00114
00115
00116
00117
00118 MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
00119 MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
00120 MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
00121 MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
00122
00123 ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
00124
00125 cleanup:
00126
00127 mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
00128
00129 if( ret != 0 )
00130 {
00131 rsa_free( ctx );
00132 return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
00133 }
00134
00135 return( 0 );
00136 }
00137
00138 #endif
00139
00140
00141
00142
00143 int rsa_check_pubkey( const rsa_context *ctx )
00144 {
00145 if( !ctx->N.p || !ctx->E.p )
00146 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
00147
00148 if( ( ctx->N.p[0] & 1 ) == 0 ||
00149 ( ctx->E.p[0] & 1 ) == 0 )
00150 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
00151
00152 if( mpi_msb( &ctx->N ) < 128 ||
00153 mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
00154 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
00155
00156 if( mpi_msb( &ctx->E ) < 2 ||
00157 mpi_msb( &ctx->E ) > 64 )
00158 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
00159
00160 return( 0 );
00161 }
00162
00163
00164
00165
00166 int rsa_check_privkey( const rsa_context *ctx )
00167 {
00168 int ret;
00169 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
00170
00171 if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
00172 return( ret );
00173
00174 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
00175 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
00176
00177 mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
00178 mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
00179 mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
00180 mpi_init( &QP );
00181
00182 MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
00183 MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
00184 MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
00185 MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
00186 MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
00187 MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
00188
00189 MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
00190 MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
00191 MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
00192
00193 MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
00194 MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
00195 MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
00196
00197
00198
00199 if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
00200 mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
00201 mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
00202 mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
00203 mpi_cmp_int( &L2, 0 ) != 0 ||
00204 mpi_cmp_int( &I, 1 ) != 0 ||
00205 mpi_cmp_int( &G, 1 ) != 0 )
00206 {
00207 ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED;
00208 }
00209
00210 cleanup:
00211 mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
00212 mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
00213 mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
00214 mpi_free( &QP );
00215
00216 if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED )
00217 return( ret );
00218
00219 if( ret != 0 )
00220 return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
00221
00222 return( 0 );
00223 }
00224
00225
00226
00227
00228 int rsa_public( rsa_context *ctx,
00229 const unsigned char *input,
00230 unsigned char *output )
00231 {
00232 int ret;
00233 size_t olen;
00234 mpi T;
00235
00236 mpi_init( &T );
00237
00238 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
00239
00240 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
00241 {
00242 mpi_free( &T );
00243 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00244 }
00245
00246 olen = ctx->len;
00247 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
00248 MPI_CHK( mpi_write_binary( &T, output, olen ) );
00249
00250 cleanup:
00251
00252 mpi_free( &T );
00253
00254 if( ret != 0 )
00255 return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
00256
00257 return( 0 );
00258 }
00259
00260 #if !defined(POLARSSL_RSA_NO_CRT)
00261
00262
00263
00264
00265
00266
00267 static int rsa_prepare_blinding( rsa_context *ctx, mpi *Vi, mpi *Vf,
00268 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
00269 {
00270 int ret, count = 0;
00271
00272 #if defined(POLARSSL_THREADING_C)
00273 polarssl_mutex_lock( &ctx->mutex );
00274 #endif
00275
00276 if( ctx->Vf.p != NULL )
00277 {
00278
00279 MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
00280 MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
00281 MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
00282 MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
00283
00284 goto done;
00285 }
00286
00287
00288 do {
00289 if( count++ > 10 )
00290 return( POLARSSL_ERR_RSA_RNG_FAILED );
00291
00292 MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
00293 MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
00294 } while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
00295
00296
00297 MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
00298 MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
00299
00300 done:
00301 if( Vi != &ctx->Vi )
00302 {
00303 MPI_CHK( mpi_copy( Vi, &ctx->Vi ) );
00304 MPI_CHK( mpi_copy( Vf, &ctx->Vf ) );
00305 }
00306
00307 cleanup:
00308 #if defined(POLARSSL_THREADING_C)
00309 polarssl_mutex_unlock( &ctx->mutex );
00310 #endif
00311
00312 return( ret );
00313 }
00314 #endif
00315
00316
00317
00318
00319 int rsa_private( rsa_context *ctx,
00320 int (*f_rng)(void *, unsigned char *, size_t),
00321 void *p_rng,
00322 const unsigned char *input,
00323 unsigned char *output )
00324 {
00325 int ret;
00326 size_t olen;
00327 mpi T, T1, T2;
00328 #if !defined(POLARSSL_RSA_NO_CRT)
00329 mpi *Vi, *Vf;
00330
00331
00332
00333
00334
00335
00336 #if defined(POLARSSL_THREADING_C)
00337 mpi Vi_copy, Vf_copy;
00338
00339 mpi_init( &Vi_copy ); mpi_init( &Vf_copy );
00340 Vi = &Vi_copy;
00341 Vf = &Vf_copy;
00342 #else
00343 Vi = &ctx->Vi;
00344 Vf = &ctx->Vf;
00345 #endif
00346 #endif
00347
00348 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
00349
00350 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
00351 if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
00352 {
00353 mpi_free( &T );
00354 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00355 }
00356
00357 #if defined(POLARSSL_RSA_NO_CRT)
00358 ((void) f_rng);
00359 ((void) p_rng);
00360 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
00361 #else
00362 if( f_rng != NULL )
00363 {
00364
00365
00366
00367
00368 MPI_CHK( rsa_prepare_blinding( ctx, Vi, Vf, f_rng, p_rng ) );
00369 MPI_CHK( mpi_mul_mpi( &T, &T, Vi ) );
00370 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
00371 }
00372
00373
00374
00375
00376
00377
00378
00379 MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
00380 MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
00381
00382
00383
00384
00385 MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
00386 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
00387 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
00388
00389
00390
00391
00392 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
00393 MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
00394
00395 if( f_rng != NULL )
00396 {
00397
00398
00399
00400
00401 MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
00402 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
00403 }
00404 #endif
00405
00406 olen = ctx->len;
00407 MPI_CHK( mpi_write_binary( &T, output, olen ) );
00408
00409 cleanup:
00410 mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
00411 #if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
00412 mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
00413 #endif
00414
00415 if( ret != 0 )
00416 return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
00417
00418 return( 0 );
00419 }
00420
00421 #if defined(POLARSSL_PKCS1_V21)
00422
00431 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
00432 size_t slen, md_context_t *md_ctx )
00433 {
00434 unsigned char mask[POLARSSL_MD_MAX_SIZE];
00435 unsigned char counter[4];
00436 unsigned char *p;
00437 unsigned int hlen;
00438 size_t i, use_len;
00439
00440 memset( mask, 0, POLARSSL_MD_MAX_SIZE );
00441 memset( counter, 0, 4 );
00442
00443 hlen = md_ctx->md_info->size;
00444
00445
00446
00447 p = dst;
00448
00449 while( dlen > 0 )
00450 {
00451 use_len = hlen;
00452 if( dlen < hlen )
00453 use_len = dlen;
00454
00455 md_starts( md_ctx );
00456 md_update( md_ctx, src, slen );
00457 md_update( md_ctx, counter, 4 );
00458 md_finish( md_ctx, mask );
00459
00460 for( i = 0; i < use_len; ++i )
00461 *p++ ^= mask[i];
00462
00463 counter[3]++;
00464
00465 dlen -= use_len;
00466 }
00467 }
00468 #endif
00469
00470 #if defined(POLARSSL_PKCS1_V21)
00471
00472
00473
00474 int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
00475 int (*f_rng)(void *, unsigned char *, size_t),
00476 void *p_rng,
00477 int mode,
00478 const unsigned char *label, size_t label_len,
00479 size_t ilen,
00480 const unsigned char *input,
00481 unsigned char *output )
00482 {
00483 size_t olen;
00484 int ret;
00485 unsigned char *p = output;
00486 unsigned int hlen;
00487 const md_info_t *md_info;
00488 md_context_t md_ctx;
00489
00490 if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
00491 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00492
00493 md_info = md_info_from_type( ctx->hash_id );
00494 if( md_info == NULL )
00495 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00496
00497 olen = ctx->len;
00498 hlen = md_get_size( md_info );
00499
00500 if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
00501 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00502
00503 memset( output, 0, olen );
00504
00505 *p++ = 0;
00506
00507
00508
00509 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
00510 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
00511
00512 p += hlen;
00513
00514
00515
00516 md( md_info, label, label_len, p );
00517 p += hlen;
00518 p += olen - 2 * hlen - 2 - ilen;
00519 *p++ = 1;
00520 memcpy( p, input, ilen );
00521
00522 md_init_ctx( &md_ctx, md_info );
00523
00524
00525
00526 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
00527 &md_ctx );
00528
00529
00530
00531 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
00532 &md_ctx );
00533
00534 md_free_ctx( &md_ctx );
00535
00536 return( ( mode == RSA_PUBLIC )
00537 ? rsa_public( ctx, output, output )
00538 : rsa_private( ctx, f_rng, p_rng, output, output ) );
00539 }
00540 #endif
00541
00542 #if defined(POLARSSL_PKCS1_V15)
00543
00544
00545
00546 int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
00547 int (*f_rng)(void *, unsigned char *, size_t),
00548 void *p_rng,
00549 int mode, size_t ilen,
00550 const unsigned char *input,
00551 unsigned char *output )
00552 {
00553 size_t nb_pad, olen;
00554 int ret;
00555 unsigned char *p = output;
00556
00557 if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL )
00558 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00559
00560 olen = ctx->len;
00561
00562 if( olen < ilen + 11 )
00563 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00564
00565 nb_pad = olen - 3 - ilen;
00566
00567 *p++ = 0;
00568 if( mode == RSA_PUBLIC )
00569 {
00570 *p++ = RSA_CRYPT;
00571
00572 while( nb_pad-- > 0 )
00573 {
00574 int rng_dl = 100;
00575
00576 do {
00577 ret = f_rng( p_rng, p, 1 );
00578 } while( *p == 0 && --rng_dl && ret == 0 );
00579
00580
00581
00582 if( rng_dl == 0 || ret != 0)
00583 return POLARSSL_ERR_RSA_RNG_FAILED + ret;
00584
00585 p++;
00586 }
00587 }
00588 else
00589 {
00590 *p++ = RSA_SIGN;
00591
00592 while( nb_pad-- > 0 )
00593 *p++ = 0xFF;
00594 }
00595
00596 *p++ = 0;
00597 memcpy( p, input, ilen );
00598
00599 return( ( mode == RSA_PUBLIC )
00600 ? rsa_public( ctx, output, output )
00601 : rsa_private( ctx, f_rng, p_rng, output, output ) );
00602 }
00603 #endif
00604
00605
00606
00607
00608 int rsa_pkcs1_encrypt( rsa_context *ctx,
00609 int (*f_rng)(void *, unsigned char *, size_t),
00610 void *p_rng,
00611 int mode, size_t ilen,
00612 const unsigned char *input,
00613 unsigned char *output )
00614 {
00615 switch( ctx->padding )
00616 {
00617 #if defined(POLARSSL_PKCS1_V15)
00618 case RSA_PKCS_V15:
00619 return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
00620 input, output );
00621 #endif
00622
00623 #if defined(POLARSSL_PKCS1_V21)
00624 case RSA_PKCS_V21:
00625 return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
00626 ilen, input, output );
00627 #endif
00628
00629 default:
00630 return( POLARSSL_ERR_RSA_INVALID_PADDING );
00631 }
00632 }
00633
00634 #if defined(POLARSSL_PKCS1_V21)
00635
00636
00637
00638 int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
00639 int (*f_rng)(void *, unsigned char *, size_t),
00640 void *p_rng,
00641 int mode,
00642 const unsigned char *label, size_t label_len,
00643 size_t *olen,
00644 const unsigned char *input,
00645 unsigned char *output,
00646 size_t output_max_len )
00647 {
00648 int ret;
00649 size_t ilen;
00650 unsigned char *p;
00651 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
00652 unsigned char lhash[POLARSSL_MD_MAX_SIZE];
00653 unsigned int hlen;
00654 const md_info_t *md_info;
00655 md_context_t md_ctx;
00656
00657 if( ctx->padding != RSA_PKCS_V21 )
00658 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00659
00660 ilen = ctx->len;
00661
00662 if( ilen < 16 || ilen > sizeof( buf ) )
00663 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00664
00665 ret = ( mode == RSA_PUBLIC )
00666 ? rsa_public( ctx, input, buf )
00667 : rsa_private( ctx, f_rng, p_rng, input, buf );
00668
00669 if( ret != 0 )
00670 return( ret );
00671
00672 p = buf;
00673
00674 if( *p++ != 0 )
00675 return( POLARSSL_ERR_RSA_INVALID_PADDING );
00676
00677 md_info = md_info_from_type( ctx->hash_id );
00678 if( md_info == NULL )
00679 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00680
00681 hlen = md_get_size( md_info );
00682
00683 md_init_ctx( &md_ctx, md_info );
00684
00685
00686
00687 md( md_info, label, label_len, lhash );
00688
00689
00690
00691 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
00692 &md_ctx );
00693
00694
00695
00696 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
00697 &md_ctx );
00698
00699 p += hlen;
00700 md_free_ctx( &md_ctx );
00701
00702
00703
00704 if( memcmp( lhash, p, hlen ) != 0 )
00705 return( POLARSSL_ERR_RSA_INVALID_PADDING );
00706
00707 p += hlen;
00708
00709 while( *p == 0 && p < buf + ilen )
00710 p++;
00711
00712 if( p == buf + ilen )
00713 return( POLARSSL_ERR_RSA_INVALID_PADDING );
00714
00715 if( *p++ != 0x01 )
00716 return( POLARSSL_ERR_RSA_INVALID_PADDING );
00717
00718 if (ilen - (p - buf) > output_max_len)
00719 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
00720
00721 *olen = ilen - (p - buf);
00722 memcpy( output, p, *olen );
00723
00724 return( 0 );
00725 }
00726 #endif
00727
00728 #if defined(POLARSSL_PKCS1_V15)
00729
00730
00731
00732 int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
00733 int (*f_rng)(void *, unsigned char *, size_t),
00734 void *p_rng,
00735 int mode, size_t *olen,
00736 const unsigned char *input,
00737 unsigned char *output,
00738 size_t output_max_len)
00739 {
00740 int ret, correct = 1;
00741 size_t ilen, pad_count = 0;
00742 unsigned char *p, *q;
00743 unsigned char bt;
00744 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
00745
00746 if( ctx->padding != RSA_PKCS_V15 )
00747 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00748
00749 ilen = ctx->len;
00750
00751 if( ilen < 16 || ilen > sizeof( buf ) )
00752 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00753
00754 ret = ( mode == RSA_PUBLIC )
00755 ? rsa_public( ctx, input, buf )
00756 : rsa_private( ctx, f_rng, p_rng, input, buf );
00757
00758 if( ret != 0 )
00759 return( ret );
00760
00761 p = buf;
00762
00763 if( *p++ != 0 )
00764 correct = 0;
00765
00766 bt = *p++;
00767 if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
00768 ( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
00769 {
00770 correct = 0;
00771 }
00772
00773 if( bt == RSA_CRYPT )
00774 {
00775 while( *p != 0 && p < buf + ilen - 1 )
00776 pad_count += ( *p++ != 0 );
00777
00778 correct &= ( *p == 0 && p < buf + ilen - 1 );
00779
00780 q = p;
00781
00782
00783
00784 while ( q < buf + ilen - 1 )
00785 pad_count += ( *q++ != 0 );
00786
00787
00788
00789 correct |= pad_count & 0x100000;
00790 p++;
00791 }
00792 else
00793 {
00794 while( *p == 0xFF && p < buf + ilen - 1 )
00795 pad_count += ( *p++ == 0xFF );
00796
00797 correct &= ( *p == 0 && p < buf + ilen - 1 );
00798
00799 q = p;
00800
00801
00802
00803 while ( q < buf + ilen - 1 )
00804 pad_count += ( *q++ != 0 );
00805
00806
00807
00808 correct |= pad_count & 0x100000;
00809 p++;
00810 }
00811
00812 if( correct == 0 )
00813 return( POLARSSL_ERR_RSA_INVALID_PADDING );
00814
00815 if (ilen - (p - buf) > output_max_len)
00816 return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
00817
00818 *olen = ilen - (p - buf);
00819 memcpy( output, p, *olen );
00820
00821 return( 0 );
00822 }
00823 #endif
00824
00825
00826
00827
00828 int rsa_pkcs1_decrypt( rsa_context *ctx,
00829 int (*f_rng)(void *, unsigned char *, size_t),
00830 void *p_rng,
00831 int mode, size_t *olen,
00832 const unsigned char *input,
00833 unsigned char *output,
00834 size_t output_max_len)
00835 {
00836 switch( ctx->padding )
00837 {
00838 #if defined(POLARSSL_PKCS1_V15)
00839 case RSA_PKCS_V15:
00840 return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
00841 input, output, output_max_len );
00842 #endif
00843
00844 #if defined(POLARSSL_PKCS1_V21)
00845 case RSA_PKCS_V21:
00846 return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
00847 olen, input, output,
00848 output_max_len );
00849 #endif
00850
00851 default:
00852 return( POLARSSL_ERR_RSA_INVALID_PADDING );
00853 }
00854 }
00855
00856 #if defined(POLARSSL_PKCS1_V21)
00857
00858
00859
00860 int rsa_rsassa_pss_sign( rsa_context *ctx,
00861 int (*f_rng)(void *, unsigned char *, size_t),
00862 void *p_rng,
00863 int mode,
00864 md_type_t md_alg,
00865 unsigned int hashlen,
00866 const unsigned char *hash,
00867 unsigned char *sig )
00868 {
00869 size_t olen;
00870 unsigned char *p = sig;
00871 unsigned char salt[POLARSSL_MD_MAX_SIZE];
00872 unsigned int slen, hlen, offset = 0;
00873 int ret;
00874 size_t msb;
00875 const md_info_t *md_info;
00876 md_context_t md_ctx;
00877
00878 if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
00879 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00880
00881 olen = ctx->len;
00882
00883 if( md_alg != POLARSSL_MD_NONE )
00884 {
00885
00886
00887 md_info = md_info_from_type( md_alg );
00888 if( md_info == NULL )
00889 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00890
00891 hashlen = md_get_size( md_info );
00892 }
00893
00894 md_info = md_info_from_type( ctx->hash_id );
00895 if( md_info == NULL )
00896 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00897
00898 hlen = md_get_size( md_info );
00899 slen = hlen;
00900
00901 if( olen < hlen + slen + 2 )
00902 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00903
00904 memset( sig, 0, olen );
00905
00906 msb = mpi_msb( &ctx->N ) - 1;
00907
00908
00909
00910 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
00911 return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
00912
00913
00914
00915 msb = mpi_msb( &ctx->N ) - 1;
00916 p += olen - hlen * 2 - 2;
00917 *p++ = 0x01;
00918 memcpy( p, salt, slen );
00919 p += slen;
00920
00921 md_init_ctx( &md_ctx, md_info );
00922
00923
00924
00925 md_starts( &md_ctx );
00926 md_update( &md_ctx, p, 8 );
00927 md_update( &md_ctx, hash, hashlen );
00928 md_update( &md_ctx, salt, slen );
00929 md_finish( &md_ctx, p );
00930
00931
00932
00933 if( msb % 8 == 0 )
00934 offset = 1;
00935
00936
00937
00938 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
00939
00940 md_free_ctx( &md_ctx );
00941
00942 msb = mpi_msb( &ctx->N ) - 1;
00943 sig[0] &= 0xFF >> ( olen * 8 - msb );
00944
00945 p += hlen;
00946 *p++ = 0xBC;
00947
00948 return( ( mode == RSA_PUBLIC )
00949 ? rsa_public( ctx, sig, sig )
00950 : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
00951 }
00952 #endif
00953
00954 #if defined(POLARSSL_PKCS1_V15)
00955
00956
00957
00958
00959
00960
00961 int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
00962 int (*f_rng)(void *, unsigned char *, size_t),
00963 void *p_rng,
00964 int mode,
00965 md_type_t md_alg,
00966 unsigned int hashlen,
00967 const unsigned char *hash,
00968 unsigned char *sig )
00969 {
00970 size_t nb_pad, olen, oid_size = 0;
00971 unsigned char *p = sig;
00972 const char *oid;
00973
00974 if( ctx->padding != RSA_PKCS_V15 )
00975 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00976
00977 olen = ctx->len;
00978 nb_pad = olen - 3;
00979
00980 if( md_alg != POLARSSL_MD_NONE )
00981 {
00982 const md_info_t *md_info = md_info_from_type( md_alg );
00983 if( md_info == NULL )
00984 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00985
00986 if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
00987 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00988
00989 nb_pad -= 10 + oid_size;
00990
00991 hashlen = md_get_size( md_info );
00992 }
00993
00994 nb_pad -= hashlen;
00995
00996 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
00997 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
00998
00999 *p++ = 0;
01000 *p++ = RSA_SIGN;
01001 memset( p, 0xFF, nb_pad );
01002 p += nb_pad;
01003 *p++ = 0;
01004
01005 if( md_alg == POLARSSL_MD_NONE )
01006 {
01007 memcpy( p, hash, hashlen );
01008 }
01009 else
01010 {
01011
01012
01013
01014
01015
01016
01017
01018
01019
01020 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
01021 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
01022 *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
01023 *p++ = (unsigned char) ( 0x04 + oid_size );
01024 *p++ = ASN1_OID;
01025 *p++ = oid_size & 0xFF;
01026 memcpy( p, oid, oid_size );
01027 p += oid_size;
01028 *p++ = ASN1_NULL;
01029 *p++ = 0x00;
01030 *p++ = ASN1_OCTET_STRING;
01031 *p++ = hashlen;
01032 memcpy( p, hash, hashlen );
01033 }
01034
01035 return( ( mode == RSA_PUBLIC )
01036 ? rsa_public( ctx, sig, sig )
01037 : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
01038 }
01039 #endif
01040
01041
01042
01043
01044 int rsa_pkcs1_sign( rsa_context *ctx,
01045 int (*f_rng)(void *, unsigned char *, size_t),
01046 void *p_rng,
01047 int mode,
01048 md_type_t md_alg,
01049 unsigned int hashlen,
01050 const unsigned char *hash,
01051 unsigned char *sig )
01052 {
01053 switch( ctx->padding )
01054 {
01055 #if defined(POLARSSL_PKCS1_V15)
01056 case RSA_PKCS_V15:
01057 return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
01058 hashlen, hash, sig );
01059 #endif
01060
01061 #if defined(POLARSSL_PKCS1_V21)
01062 case RSA_PKCS_V21:
01063 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
01064 hashlen, hash, sig );
01065 #endif
01066
01067 default:
01068 return( POLARSSL_ERR_RSA_INVALID_PADDING );
01069 }
01070 }
01071
01072 #if defined(POLARSSL_PKCS1_V21)
01073
01074
01075
01076 int rsa_rsassa_pss_verify( rsa_context *ctx,
01077 int (*f_rng)(void *, unsigned char *, size_t),
01078 void *p_rng,
01079 int mode,
01080 md_type_t md_alg,
01081 unsigned int hashlen,
01082 const unsigned char *hash,
01083 const unsigned char *sig )
01084 {
01085 int ret;
01086 size_t siglen;
01087 unsigned char *p;
01088 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
01089 unsigned char result[POLARSSL_MD_MAX_SIZE];
01090 unsigned char zeros[8];
01091 unsigned int hlen;
01092 size_t slen, msb;
01093 const md_info_t *md_info;
01094 md_context_t md_ctx;
01095
01096 if( ctx->padding != RSA_PKCS_V21 )
01097 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01098
01099 siglen = ctx->len;
01100
01101 if( siglen < 16 || siglen > sizeof( buf ) )
01102 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01103
01104 ret = ( mode == RSA_PUBLIC )
01105 ? rsa_public( ctx, sig, buf )
01106 : rsa_private( ctx, f_rng, p_rng, sig, buf );
01107
01108 if( ret != 0 )
01109 return( ret );
01110
01111 p = buf;
01112
01113 if( buf[siglen - 1] != 0xBC )
01114 return( POLARSSL_ERR_RSA_INVALID_PADDING );
01115
01116 if( md_alg != POLARSSL_MD_NONE )
01117 {
01118
01119
01120 md_info = md_info_from_type( md_alg );
01121 if( md_info == NULL )
01122 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01123
01124 hashlen = md_get_size( md_info );
01125 }
01126
01127 md_info = md_info_from_type( ctx->hash_id );
01128 if( md_info == NULL )
01129 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01130
01131 hlen = md_get_size( md_info );
01132 slen = siglen - hlen - 1;
01133
01134 memset( zeros, 0, 8 );
01135
01136
01137
01138 msb = mpi_msb( &ctx->N ) - 1;
01139
01140
01141
01142 if( msb % 8 == 0 )
01143 {
01144 p++;
01145 siglen -= 1;
01146 }
01147 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
01148 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01149
01150 md_init_ctx( &md_ctx, md_info );
01151
01152 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
01153
01154 buf[0] &= 0xFF >> ( siglen * 8 - msb );
01155
01156 while( *p == 0 && p < buf + siglen )
01157 p++;
01158
01159 if( p == buf + siglen ||
01160 *p++ != 0x01 )
01161 {
01162 md_free_ctx( &md_ctx );
01163 return( POLARSSL_ERR_RSA_INVALID_PADDING );
01164 }
01165
01166 slen -= p - buf;
01167
01168
01169
01170 md_starts( &md_ctx );
01171 md_update( &md_ctx, zeros, 8 );
01172 md_update( &md_ctx, hash, hashlen );
01173 md_update( &md_ctx, p, slen );
01174 md_finish( &md_ctx, result );
01175
01176 md_free_ctx( &md_ctx );
01177
01178 if( memcmp( p + slen, result, hlen ) == 0 )
01179 return( 0 );
01180 else
01181 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01182 }
01183 #endif
01184
01185 #if defined(POLARSSL_PKCS1_V15)
01186
01187
01188
01189 int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
01190 int (*f_rng)(void *, unsigned char *, size_t),
01191 void *p_rng,
01192 int mode,
01193 md_type_t md_alg,
01194 unsigned int hashlen,
01195 const unsigned char *hash,
01196 const unsigned char *sig )
01197 {
01198 int ret;
01199 size_t len, siglen, asn1_len;
01200 unsigned char *p, *end;
01201 unsigned char buf[POLARSSL_MPI_MAX_SIZE];
01202 md_type_t msg_md_alg;
01203 const md_info_t *md_info;
01204 asn1_buf oid;
01205
01206 if( ctx->padding != RSA_PKCS_V15 )
01207 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01208
01209 siglen = ctx->len;
01210
01211 if( siglen < 16 || siglen > sizeof( buf ) )
01212 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01213
01214 ret = ( mode == RSA_PUBLIC )
01215 ? rsa_public( ctx, sig, buf )
01216 : rsa_private( ctx, f_rng, p_rng, sig, buf );
01217
01218 if( ret != 0 )
01219 return( ret );
01220
01221 p = buf;
01222
01223 if( *p++ != 0 || *p++ != RSA_SIGN )
01224 return( POLARSSL_ERR_RSA_INVALID_PADDING );
01225
01226 while( *p != 0 )
01227 {
01228 if( p >= buf + siglen - 1 || *p != 0xFF )
01229 return( POLARSSL_ERR_RSA_INVALID_PADDING );
01230 p++;
01231 }
01232 p++;
01233
01234 len = siglen - ( p - buf );
01235
01236 if( len == hashlen && md_alg == POLARSSL_MD_NONE )
01237 {
01238 if( memcmp( p, hash, hashlen ) == 0 )
01239 return( 0 );
01240 else
01241 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01242 }
01243
01244 md_info = md_info_from_type( md_alg );
01245 if( md_info == NULL )
01246 return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
01247 hashlen = md_get_size( md_info );
01248
01249 end = p + len;
01250
01251
01252
01253 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
01254 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
01255 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01256
01257 if( asn1_len + 2 != len )
01258 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01259
01260 if( ( ret = asn1_get_tag( &p, end, &asn1_len,
01261 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
01262 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01263
01264 if( asn1_len + 6 + hashlen != len )
01265 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01266
01267 if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
01268 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01269
01270 oid.p = p;
01271 p += oid.len;
01272
01273 if( oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
01274 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01275
01276 if( md_alg != msg_md_alg )
01277 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01278
01279
01280
01281
01282 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
01283 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01284
01285 if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
01286 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01287
01288 if( asn1_len != hashlen )
01289 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01290
01291 if( memcmp( p, hash, hashlen ) != 0 )
01292 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01293
01294 p += hashlen;
01295
01296 if( p != end )
01297 return( POLARSSL_ERR_RSA_VERIFY_FAILED );
01298
01299 return( 0 );
01300 }
01301 #endif
01302
01303
01304
01305
01306 int rsa_pkcs1_verify( rsa_context *ctx,
01307 int (*f_rng)(void *, unsigned char *, size_t),
01308 void *p_rng,
01309 int mode,
01310 md_type_t md_alg,
01311 unsigned int hashlen,
01312 const unsigned char *hash,
01313 const unsigned char *sig )
01314 {
01315 switch( ctx->padding )
01316 {
01317 #if defined(POLARSSL_PKCS1_V15)
01318 case RSA_PKCS_V15:
01319 return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
01320 hashlen, hash, sig );
01321 #endif
01322
01323 #if defined(POLARSSL_PKCS1_V21)
01324 case RSA_PKCS_V21:
01325 return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
01326 hashlen, hash, sig );
01327 #endif
01328
01329 default:
01330 return( POLARSSL_ERR_RSA_INVALID_PADDING );
01331 }
01332 }
01333
01334
01335
01336
01337 int rsa_copy( rsa_context *dst, const rsa_context *src )
01338 {
01339 int ret;
01340
01341 dst->ver = src->ver;
01342 dst->len = src->len;
01343
01344 MPI_CHK( mpi_copy( &dst->N, &src->N ) );
01345 MPI_CHK( mpi_copy( &dst->E, &src->E ) );
01346
01347 MPI_CHK( mpi_copy( &dst->D, &src->D ) );
01348 MPI_CHK( mpi_copy( &dst->P, &src->P ) );
01349 MPI_CHK( mpi_copy( &dst->Q, &src->Q ) );
01350 MPI_CHK( mpi_copy( &dst->DP, &src->DP ) );
01351 MPI_CHK( mpi_copy( &dst->DQ, &src->DQ ) );
01352 MPI_CHK( mpi_copy( &dst->QP, &src->QP ) );
01353
01354 MPI_CHK( mpi_copy( &dst->RN, &src->RN ) );
01355 MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
01356 MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
01357
01358 #if !defined(POLARSSL_RSA_NO_CRT)
01359 MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
01360 MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
01361 #endif
01362
01363 dst->padding = src->padding;
01364 dst->hash_id = src->padding;
01365
01366 cleanup:
01367 if( ret != 0 )
01368 rsa_free( dst );
01369
01370 return( ret );
01371 }
01372
01373
01374
01375
01376 void rsa_free( rsa_context *ctx )
01377 {
01378 #if !defined(POLARSSL_RSA_NO_CRT)
01379 mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
01380 #endif
01381 mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
01382 mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
01383 mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
01384 mpi_free( &ctx->E ); mpi_free( &ctx->N );
01385
01386 #if defined(POLARSSL_THREADING_C)
01387 polarssl_mutex_free( &ctx->mutex );
01388 #endif
01389 }
01390
01391 #if defined(POLARSSL_SELF_TEST)
01392
01393 #include "polarssl/sha1.h"
01394
01395
01396
01397
01398 #define KEY_LEN 128
01399
01400 #define RSA_N "9292758453063D803DD603D5E777D788" \
01401 "8ED1D5BF35786190FA2F23EBC0848AEA" \
01402 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
01403 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
01404 "93A89813FBF3C4F8066D2D800F7C38A8" \
01405 "1AE31942917403FF4946B0A83D3D3E05" \
01406 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
01407 "5E94BB77B07507233A0BC7BAC8F90F79"
01408
01409 #define RSA_E "10001"
01410
01411 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
01412 "66CA472BC44D253102F8B4A9D3BFA750" \
01413 "91386C0077937FE33FA3252D28855837" \
01414 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
01415 "DF79C5CE07EE72C7F123142198164234" \
01416 "CABB724CF78B8173B9F880FC86322407" \
01417 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
01418 "071513A1E85B5DFA031F21ECAE91A34D"
01419
01420 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
01421 "2C01CAD19EA484A87EA4377637E75500" \
01422 "FCB2005C5C7DD6EC4AC023CDA285D796" \
01423 "C3D9E75E1EFC42488BB4F1D13AC30A57"
01424
01425 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
01426 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
01427 "910E4168387E3C30AA1E00C339A79508" \
01428 "8452DD96A9A5EA5D9DCA68DA636032AF"
01429
01430 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
01431 "3C94D22288ACD763FD8E5600ED4A702D" \
01432 "F84198A5F06C2E72236AE490C93F07F8" \
01433 "3CC559CD27BC2D1CA488811730BB5725"
01434
01435 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
01436 "D8AAEA56749EA28623272E4F7D0592AF" \
01437 "7C1F1313CAC9471B5C523BFE592F517B" \
01438 "407A1BD76C164B93DA2D32A383E58357"
01439
01440 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
01441 "F38D18D2B2F0E2DD275AA977E2BF4411" \
01442 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
01443 "A74206CEC169D74BF5A8C50D6F48EA08"
01444
01445 #define PT_LEN 24
01446 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
01447 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
01448
01449 #if defined(POLARSSL_PCKS1_V15)
01450 static int myrand( void *rng_state, unsigned char *output, size_t len )
01451 {
01452 size_t i;
01453
01454 if( rng_state != NULL )
01455 rng_state = NULL;
01456
01457 for( i = 0; i < len; ++i )
01458 output[i] = rand();
01459
01460 return( 0 );
01461 }
01462 #endif
01463
01464
01465
01466
01467 int rsa_self_test( int verbose )
01468 {
01469 #if defined(POLARSSL_PCKS1_V15)
01470 size_t len;
01471 rsa_context rsa;
01472 unsigned char rsa_plaintext[PT_LEN];
01473 unsigned char rsa_decrypted[PT_LEN];
01474 unsigned char rsa_ciphertext[KEY_LEN];
01475 #if defined(POLARSSL_SHA1_C)
01476 unsigned char sha1sum[20];
01477 #endif
01478
01479 rsa_init( &rsa, RSA_PKCS_V15, 0 );
01480
01481 rsa.len = KEY_LEN;
01482 mpi_read_string( &rsa.N , 16, RSA_N );
01483 mpi_read_string( &rsa.E , 16, RSA_E );
01484 mpi_read_string( &rsa.D , 16, RSA_D );
01485 mpi_read_string( &rsa.P , 16, RSA_P );
01486 mpi_read_string( &rsa.Q , 16, RSA_Q );
01487 mpi_read_string( &rsa.DP, 16, RSA_DP );
01488 mpi_read_string( &rsa.DQ, 16, RSA_DQ );
01489 mpi_read_string( &rsa.QP, 16, RSA_QP );
01490
01491 if( verbose != 0 )
01492 printf( " RSA key validation: " );
01493
01494 if( rsa_check_pubkey( &rsa ) != 0 ||
01495 rsa_check_privkey( &rsa ) != 0 )
01496 {
01497 if( verbose != 0 )
01498 printf( "failed\n" );
01499
01500 return( 1 );
01501 }
01502
01503 if( verbose != 0 )
01504 printf( "passed\n PKCS#1 encryption : " );
01505
01506 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
01507
01508 if( rsa_pkcs1_encrypt( &rsa, myrand, NULL, RSA_PUBLIC, PT_LEN,
01509 rsa_plaintext, rsa_ciphertext ) != 0 )
01510 {
01511 if( verbose != 0 )
01512 printf( "failed\n" );
01513
01514 return( 1 );
01515 }
01516
01517 if( verbose != 0 )
01518 printf( "passed\n PKCS#1 decryption : " );
01519
01520 if( rsa_pkcs1_decrypt( &rsa, myrand, NULL, RSA_PRIVATE, &len,
01521 rsa_ciphertext, rsa_decrypted,
01522 sizeof(rsa_decrypted) ) != 0 )
01523 {
01524 if( verbose != 0 )
01525 printf( "failed\n" );
01526
01527 return( 1 );
01528 }
01529
01530 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
01531 {
01532 if( verbose != 0 )
01533 printf( "failed\n" );
01534
01535 return( 1 );
01536 }
01537
01538 #if defined(POLARSSL_SHA1_C)
01539 if( verbose != 0 )
01540 printf( "passed\n PKCS#1 data sign : " );
01541
01542 sha1( rsa_plaintext, PT_LEN, sha1sum );
01543
01544 if( rsa_pkcs1_sign( &rsa, myrand, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1, 0,
01545 sha1sum, rsa_ciphertext ) != 0 )
01546 {
01547 if( verbose != 0 )
01548 printf( "failed\n" );
01549
01550 return( 1 );
01551 }
01552
01553 if( verbose != 0 )
01554 printf( "passed\n PKCS#1 sig. verify: " );
01555
01556 if( rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC, POLARSSL_MD_SHA1, 0,
01557 sha1sum, rsa_ciphertext ) != 0 )
01558 {
01559 if( verbose != 0 )
01560 printf( "failed\n" );
01561
01562 return( 1 );
01563 }
01564
01565 if( verbose != 0 )
01566 printf( "passed\n\n" );
01567 #endif
01568
01569 rsa_free( &rsa );
01570 #else
01571 ((void) verbose);
01572 #endif
01573 return( 0 );
01574 }
01575
01576 #endif
01577
01578 #endif