34 #if defined(POLARSSL_RSA_C)
38 #if defined(POLARSSL_PKCS1_V21)
58 #if defined(POLARSSL_GENPRIME)
64 int (*f_rng)(
void *,
unsigned char *,
size_t),
66 unsigned int nbits,
int exponent )
71 if( f_rng == NULL || nbits < 128 || exponent < 3 )
140 if( !ctx->
N.
p || !ctx->
E.
p )
143 if( ( ctx->
N.
p[0] & 1 ) == 0 ||
144 ( ctx->
E.
p[0] & 1 ) == 0 )
164 mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
169 if( !ctx->
P.
p || !ctx->
Q.
p || !ctx->
D.
p )
224 const unsigned char *input,
225 unsigned char *output )
255 #if !defined(POLARSSL_RSA_NO_CRT)
263 int (*f_rng)(
void *,
unsigned char *,
size_t),
void *p_rng )
267 if( ctx->
Vf.
p != NULL )
294 int (*f_rng)(
void *,
unsigned char *,
size_t),
296 const unsigned char *input,
297 unsigned char *output )
313 #if defined(POLARSSL_RSA_NO_CRT)
322 MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
373 #if defined(POLARSSL_PKCS1_V21)
383 static void mgf_mask(
unsigned char *dst,
size_t dlen,
unsigned char *src,
size_t slen,
387 unsigned char counter[4];
393 memset( counter, 0, 4 );
412 for( i = 0; i < use_len; ++i )
422 #if defined(POLARSSL_PKCS1_V21)
427 int (*f_rng)(
void *,
unsigned char *,
size_t),
430 const unsigned char *label,
size_t label_len,
432 const unsigned char *input,
433 unsigned char *output )
437 unsigned char *p = output;
447 if( md_info == NULL )
453 if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
456 memset( output, 0, olen );
462 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
469 md( md_info, label, label_len, p );
471 p += olen - 2 * hlen - 2 - ilen;
473 memcpy( p, input, ilen );
479 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
484 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
491 :
rsa_private( ctx, f_rng, p_rng, output, output ) );
499 int (*f_rng)(
void *,
unsigned char *,
size_t),
501 int mode,
size_t ilen,
502 const unsigned char *input,
503 unsigned char *output )
507 unsigned char *p = output;
514 if( olen < ilen + 11 )
517 nb_pad = olen - 3 - ilen;
524 while( nb_pad-- > 0 )
529 ret = f_rng( p_rng, p, 1 );
530 }
while( *p == 0 && --rng_dl && ret == 0 );
534 if( rng_dl == 0 || ret != 0)
544 while( nb_pad-- > 0 )
549 memcpy( p, input, ilen );
553 :
rsa_private( ctx, f_rng, p_rng, output, output ) );
560 int (*f_rng)(
void *,
unsigned char *,
size_t),
562 int mode,
size_t ilen,
563 const unsigned char *input,
564 unsigned char *output )
572 #if defined(POLARSSL_PKCS1_V21)
575 ilen, input, output );
583 #if defined(POLARSSL_PKCS1_V21)
588 int (*f_rng)(
void *,
unsigned char *,
size_t),
591 const unsigned char *label,
size_t label_len,
593 const unsigned char *input,
594 unsigned char *output,
595 size_t output_max_len )
611 if( ilen < 16 || ilen >
sizeof( buf ) )
627 if( md_info == NULL )
636 md( md_info, label, label_len, lhash );
640 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
645 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
653 if( memcmp( lhash, p, hlen ) != 0 )
658 while( *p == 0 && p < buf + ilen )
661 if( p == buf + ilen )
667 if (ilen - (p - buf) > output_max_len)
670 *olen = ilen - (p - buf);
671 memcpy( output, p, *olen );
681 int (*f_rng)(
void *,
unsigned char *,
size_t),
683 int mode,
size_t *olen,
684 const unsigned char *input,
685 unsigned char *output,
686 size_t output_max_len)
688 int ret, correct = 1;
689 size_t ilen, pad_count = 0;
690 unsigned char *p, *q;
699 if( ilen < 16 || ilen >
sizeof( buf ) )
723 while( *p != 0 && p < buf + ilen - 1 )
724 pad_count += ( *p++ != 0 );
726 correct &= ( *p == 0 && p < buf + ilen - 1 );
732 while ( q < buf + ilen - 1 )
733 pad_count += ( *q++ != 0 );
737 correct |= pad_count & 0x100000;
742 while( *p == 0xFF && p < buf + ilen - 1 )
743 pad_count += ( *p++ == 0xFF );
745 correct &= ( *p == 0 && p < buf + ilen - 1 );
751 while ( q < buf + ilen - 1 )
752 pad_count += ( *q++ != 0 );
756 correct |= pad_count & 0x100000;
763 if (ilen - (p - buf) > output_max_len)
766 *olen = ilen - (p - buf);
767 memcpy( output, p, *olen );
776 int (*f_rng)(
void *,
unsigned char *,
size_t),
778 int mode,
size_t *olen,
779 const unsigned char *input,
780 unsigned char *output,
781 size_t output_max_len)
787 input, output, output_max_len );
789 #if defined(POLARSSL_PKCS1_V21)
792 olen, input, output, output_max_len );
800 #if defined(POLARSSL_PKCS1_V21)
805 int (*f_rng)(
void *,
unsigned char *,
size_t),
809 unsigned int hashlen,
810 const unsigned char *hash,
814 unsigned char *p = sig;
816 unsigned int slen, hlen, offset = 0;
860 if( md_info == NULL )
866 if( olen < hlen + slen + 2 )
869 memset( sig, 0, olen );
875 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
881 p += olen - hlen * 2 - 2;
883 memcpy( p, salt, slen );
903 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
908 sig[0] &= 0xFF >> ( olen * 8 - msb );
926 int (*f_rng)(
void *,
unsigned char *,
size_t),
930 unsigned int hashlen,
931 const unsigned char *hash,
935 unsigned char *p = sig;
945 nb_pad = olen - 3 - hashlen;
951 nb_pad = olen - 3 - 34;
955 nb_pad = olen - 3 - 35;
959 nb_pad = olen - 3 - 47;
963 nb_pad = olen - 3 - 51;
967 nb_pad = olen - 3 - 67;
971 nb_pad = olen - 3 - 83;
979 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
984 memset( p, 0xFF, nb_pad );
991 memcpy( p, hash, hashlen );
996 memcpy( p + 18, hash, 16 );
1001 memcpy( p + 18, hash, 16 );
1006 memcpy( p + 18, hash, 16 );
1011 memcpy( p + 15, hash, 20 );
1016 memcpy( p + 19, hash, 28 );
1017 p[1] += 28; p[14] = 4; p[18] += 28;
break;
1021 memcpy( p + 19, hash, 32 );
1022 p[1] += 32; p[14] = 1; p[18] += 32;
break;
1026 memcpy( p + 19, hash, 48 );
1027 p[1] += 48; p[14] = 2; p[18] += 48;
break;
1031 memcpy( p + 19, hash, 64 );
1032 p[1] += 64; p[14] = 3; p[18] += 64;
break;
1047 int (*f_rng)(
void *,
unsigned char *,
size_t),
1051 unsigned int hashlen,
1052 const unsigned char *hash,
1053 unsigned char *sig )
1059 hashlen, hash, sig );
1061 #if defined(POLARSSL_PKCS1_V21)
1064 hashlen, hash, sig );
1072 #if defined(POLARSSL_PKCS1_V21)
1077 int (*f_rng)(
void *,
unsigned char *,
size_t),
1081 unsigned int hashlen,
1082 const unsigned char *hash,
1083 unsigned char *sig )
1090 unsigned char zeros[8];
1101 if( siglen < 16 || siglen >
sizeof( buf ) )
1113 if( buf[siglen - 1] != 0xBC )
1149 if( md_info == NULL )
1153 slen = siglen - hlen - 1;
1155 memset( zeros, 0, 8 );
1168 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1173 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1175 buf[0] &= 0xFF >> ( siglen * 8 - msb );
1177 while( *p == 0 && p < buf + siglen )
1180 if( p == buf + siglen ||
1199 if( memcmp( p + slen, result, hlen ) == 0 )
1210 int (*f_rng)(
void *,
unsigned char *,
size_t),
1214 unsigned int hashlen,
1215 const unsigned char *hash,
1216 unsigned char *sig )
1220 unsigned char *p, c;
1228 if( siglen < 16 || siglen >
sizeof( buf ) )
1240 if( *p++ != 0 || *p++ !=
RSA_SIGN )
1245 if( p >= buf + siglen - 1 || *p != 0xFF )
1251 len = siglen - ( p - buf );
1256 memcmp( p + 13, hash, 20 ) == 0 )
1273 if( memcmp( p + 18, hash, 16 ) == 0 )
1283 memcmp( p + 15, hash, 20 ) == 0 )
1288 if( ( len == 19 + 28 && p[14] == 4 && hash_id ==
SIG_RSA_SHA224 ) ||
1299 memcmp( p + 19, hash, c ) == 0 )
1307 if( memcmp( p, hash, hashlen ) == 0 )
1320 int (*f_rng)(
void *,
unsigned char *,
size_t),
1324 unsigned int hashlen,
1325 const unsigned char *hash,
1326 unsigned char *sig )
1332 hash_id, hashlen, hash, sig );
1334 #if defined(POLARSSL_PKCS1_V21)
1337 hashlen, hash, sig );
1356 #if defined(POLARSSL_SELF_TEST)
1365 #define RSA_N "9292758453063D803DD603D5E777D788" \
1366 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1367 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1368 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1369 "93A89813FBF3C4F8066D2D800F7C38A8" \
1370 "1AE31942917403FF4946B0A83D3D3E05" \
1371 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1372 "5E94BB77B07507233A0BC7BAC8F90F79"
1374 #define RSA_E "10001"
1376 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1377 "66CA472BC44D253102F8B4A9D3BFA750" \
1378 "91386C0077937FE33FA3252D28855837" \
1379 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1380 "DF79C5CE07EE72C7F123142198164234" \
1381 "CABB724CF78B8173B9F880FC86322407" \
1382 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1383 "071513A1E85B5DFA031F21ECAE91A34D"
1385 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1386 "2C01CAD19EA484A87EA4377637E75500" \
1387 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1388 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1390 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1391 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1392 "910E4168387E3C30AA1E00C339A79508" \
1393 "8452DD96A9A5EA5D9DCA68DA636032AF"
1395 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1396 "3C94D22288ACD763FD8E5600ED4A702D" \
1397 "F84198A5F06C2E72236AE490C93F07F8" \
1398 "3CC559CD27BC2D1CA488811730BB5725"
1400 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1401 "D8AAEA56749EA28623272E4F7D0592AF" \
1402 "7C1F1313CAC9471B5C523BFE592F517B" \
1403 "407A1BD76C164B93DA2D32A383E58357"
1405 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1406 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1407 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1408 "A74206CEC169D74BF5A8C50D6F48EA08"
1411 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1412 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1414 static int myrand(
void *rng_state,
unsigned char *output,
size_t len )
1418 if( rng_state != NULL )
1421 for( i = 0; i < len; ++i )
1434 unsigned char rsa_plaintext[PT_LEN];
1435 unsigned char rsa_decrypted[PT_LEN];
1436 unsigned char rsa_ciphertext[KEY_LEN];
1437 #if defined(POLARSSL_SHA1_C)
1438 unsigned char sha1sum[20];
1454 printf(
" RSA key validation: " );
1460 printf(
"failed\n" );
1466 printf(
"passed\n PKCS#1 encryption : " );
1468 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1471 rsa_plaintext, rsa_ciphertext ) != 0 )
1474 printf(
"failed\n" );
1480 printf(
"passed\n PKCS#1 decryption : " );
1483 rsa_ciphertext, rsa_decrypted,
1484 sizeof(rsa_decrypted) ) != 0 )
1487 printf(
"failed\n" );
1492 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1495 printf(
"failed\n" );
1500 #if defined(POLARSSL_SHA1_C)
1502 printf(
"passed\n PKCS#1 data sign : " );
1504 sha1( rsa_plaintext, PT_LEN, sha1sum );
1507 sha1sum, rsa_ciphertext ) != 0 )
1510 printf(
"failed\n" );
1516 printf(
"passed\n PKCS#1 sig. verify: " );
1519 sha1sum, rsa_ciphertext ) != 0 )
1522 printf(
"failed\n" );
1528 printf(
"passed\n\n" );
int md(const md_info_t *md_info, const unsigned char *input, size_t ilen, unsigned char *output)
Output = message_digest( input buffer )
int mpi_cmp_int(const mpi *X, t_sint z)
Compare signed values.
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE
The output buffer for decryption is not large enough.
void mpi_swap(mpi *X, mpi *Y)
Swap the contents of X and Y.
int rsa_self_test(int verbose)
Checkup routine.
int rsa_rsaes_oaep_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
int rsa_check_privkey(const rsa_context *ctx)
Check a private RSA key.
int mpi_gcd(mpi *G, const mpi *A, const mpi *B)
Greatest common divisor: G = gcd(A, B)
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
int mpi_fill_random(mpi *X, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Fill an MPI X with size bytes of random.
int rsa_rsaes_pkcs1_v15_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
int rsa_rsaes_oaep_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
int rsa_pkcs1_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 signature using the mode from the context.
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
int rsa_rsassa_pkcs1_v15_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
Configuration options (set of defines)
int rsa_check_pubkey(const rsa_context *ctx)
Check a public RSA key.
int mpi_div_mpi(mpi *Q, mpi *R, const mpi *A, const mpi *B)
Division by mpi: A = Q * B + R.
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
int rsa_rsassa_pss_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
int rsa_pkcs1_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Generic wrapper to perform a PKCS#1 decryption using the mode from the context.
int mpi_lset(mpi *X, t_sint z)
Set value from integer.
#define POLARSSL_ERR_RSA_RNG_FAILED
The random generator failed to generate non-zeros.
void mpi_init(mpi *X)
Initialize one MPI.
int mpi_cmp_mpi(const mpi *X, const mpi *Y)
Compare signed values.
const md_info_t * md_info
Information about the associated message digest.
int rsa_rsaes_pkcs1_v15_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
int mpi_add_mpi(mpi *X, const mpi *A, const mpi *B)
Signed addition: X = A + B.
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
void rsa_free(rsa_context *ctx)
Free the components of an RSA key.
int rsa_private(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, const unsigned char *input, unsigned char *output)
Do an RSA private key operation.
int rsa_pkcs1_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Generic wrapper to perform a PKCS#1 encryption using the mode from the context.
#define POLARSSL_ERR_RSA_INVALID_PADDING
Input data contains invalid padding and is rejected.
int mpi_inv_mod(mpi *X, const mpi *A, const mpi *N)
Modular inverse: X = A^-1 mod N.
void mpi_free(mpi *X)
Unallocate one MPI.
int mpi_exp_mod(mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR)
Sliding-window exponentiation: X = A^E mod N.
#define POLARSSL_ERR_RSA_VERIFY_FAILED
The PKCS#1 verification failed.
int mpi_gen_prime(mpi *X, size_t nbits, int dh_flag, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Prime number generation.
#define ASN1_HASH_SHA1_ALT
size_t mpi_msb(const mpi *X)
Return the number of bits up to and including the most significant '1' bit'.
#define POLARSSL_MPI_MAX_BITS
Maximum number of bits for usable MPIs.
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
Generic message digest wrapper.
int mpi_read_binary(mpi *X, const unsigned char *buf, size_t buflen)
Import X from unsigned binary data, big endian.
The RSA public-key cryptosystem.
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA
Bad input parameters to function.
#define POLARSSL_ERR_RSA_PRIVATE_FAILED
The private key operation failed.
#define POLARSSL_MD_MAX_SIZE
SHA-1 cryptographic hash function.
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED
Key failed to pass the libraries validity check.
int rsa_rsassa_pkcs1_v15_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
int rsa_gen_key(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, unsigned int nbits, int exponent)
Generate an RSA keypair.
void rsa_init(rsa_context *ctx, int padding, int hash_id)
Initialize an RSA context.
int mpi_mod_mpi(mpi *R, const mpi *A, const mpi *B)
Modulo: R = A mod B.
int mpi_write_binary(const mpi *X, unsigned char *buf, size_t buflen)
Export X into unsigned binary data, big endian.
int rsa_rsassa_pss_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
int size
Output length of the digest function.
#define POLARSSL_ERR_RSA_KEY_GEN_FAILED
Something failed during generation of a key.
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
int mpi_mul_mpi(mpi *X, const mpi *A, const mpi *B)
Baseline multiplication: X = A * B.
#define POLARSSL_ERR_RSA_PUBLIC_FAILED
The public key operation failed.
int mpi_sub_mpi(mpi *X, const mpi *A, const mpi *B)
Signed substraction: X = A - B.
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int mpi_sub_int(mpi *X, const mpi *A, t_sint b)
Signed substraction: X = A - b.
Message digest information.
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
Generic message digest context.
int rsa_public(rsa_context *ctx, const unsigned char *input, unsigned char *output)
Do an RSA public key operation.