API Documentation (Doxygen generated)

These pages are generated with doxygen directly from the source code!

rsa.c
Go to the documentation of this file.
1 /*
2  * The RSA public-key cryptosystem
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
27  *
28  * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
29  * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_RSA_C)
35 
36 #include "polarssl/rsa.h"
37 #include "polarssl/oid.h"
38 
39 #if defined(POLARSSL_PKCS1_V21)
40 #include "polarssl/md.h"
41 #endif
42 
43 #include <stdlib.h>
44 #include <stdio.h>
45 
46 #if defined(POLARSSL_PLATFORM_C)
47 #include "polarssl/platform.h"
48 #else
49 #define polarssl_printf printf
50 #endif
51 
52 /*
53  * Initialize an RSA context
54  */
55 void rsa_init( rsa_context *ctx,
56  int padding,
57  int hash_id )
58 {
59  memset( ctx, 0, sizeof( rsa_context ) );
60 
61  rsa_set_padding( ctx, padding, hash_id );
62 
63 #if defined(POLARSSL_THREADING_C)
64  polarssl_mutex_init( &ctx->mutex );
65 #endif
66 }
67 
68 /*
69  * Set padding for an existing RSA context
70  */
71 void rsa_set_padding( rsa_context *ctx, int padding, int hash_id )
72 {
73  ctx->padding = padding;
74  ctx->hash_id = hash_id;
75 }
76 
77 #if defined(POLARSSL_GENPRIME)
78 
79 /*
80  * Generate an RSA keypair
81  */
82 int rsa_gen_key( rsa_context *ctx,
83  int (*f_rng)(void *, unsigned char *, size_t),
84  void *p_rng,
85  unsigned int nbits, int exponent )
86 {
87  int ret;
88  mpi P1, Q1, H, G;
89 
90  if( f_rng == NULL || nbits < 128 || exponent < 3 )
92 
93  mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
94 
95  /*
96  * find primes P and Q with Q < P so that:
97  * GCD( E, (P-1)*(Q-1) ) == 1
98  */
99  MPI_CHK( mpi_lset( &ctx->E, exponent ) );
100 
101  do
102  {
103  MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
104  f_rng, p_rng ) );
105 
106  MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
107  f_rng, p_rng ) );
108 
109  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
110  mpi_swap( &ctx->P, &ctx->Q );
111 
112  if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
113  continue;
114 
115  MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
116  if( mpi_msb( &ctx->N ) != nbits )
117  continue;
118 
119  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
120  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
121  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
122  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
123  }
124  while( mpi_cmp_int( &G, 1 ) != 0 );
125 
126  /*
127  * D = E^-1 mod ((P-1)*(Q-1))
128  * DP = D mod (P - 1)
129  * DQ = D mod (Q - 1)
130  * QP = Q^-1 mod P
131  */
132  MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
133  MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
134  MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
135  MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
136 
137  ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
138 
139 cleanup:
140 
141  mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
142 
143  if( ret != 0 )
144  {
145  rsa_free( ctx );
146  return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
147  }
148 
149  return( 0 );
150 }
151 
152 #endif
153 
154 /*
155  * Check a public RSA key
156  */
157 int rsa_check_pubkey( const rsa_context *ctx )
158 {
159  if( !ctx->N.p || !ctx->E.p )
161 
162  if( ( ctx->N.p[0] & 1 ) == 0 ||
163  ( ctx->E.p[0] & 1 ) == 0 )
165 
166  if( mpi_msb( &ctx->N ) < 128 ||
167  mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
169 
170  if( mpi_msb( &ctx->E ) < 2 ||
171  mpi_msb( &ctx->E ) > 64 )
173 
174  return( 0 );
175 }
176 
177 /*
178  * Check a private RSA key
179  */
180 int rsa_check_privkey( const rsa_context *ctx )
181 {
182  int ret;
183  mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
184 
185  if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
186  return( ret );
187 
188  if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
190 
191  mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
192  mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
193  mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
194  mpi_init( &QP );
195 
196  MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
197  MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
198  MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
199  MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
200  MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
201  MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
202 
203  MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
204  MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
205  MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
206 
207  MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
208  MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
209  MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
210  /*
211  * Check for a valid PKCS1v2 private key
212  */
213  if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
214  mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
215  mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
216  mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
217  mpi_cmp_int( &L2, 0 ) != 0 ||
218  mpi_cmp_int( &I, 1 ) != 0 ||
219  mpi_cmp_int( &G, 1 ) != 0 )
220  {
222  }
223 
224 cleanup:
225  mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
226  mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
227  mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
228  mpi_free( &QP );
229 
231  return( ret );
232 
233  if( ret != 0 )
234  return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
235 
236  return( 0 );
237 }
238 
239 /*
240  * Do an RSA public key operation
241  */
242 int rsa_public( rsa_context *ctx,
243  const unsigned char *input,
244  unsigned char *output )
245 {
246  int ret;
247  size_t olen;
248  mpi T;
249 
250  mpi_init( &T );
251 
252  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
253 
254  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
255  {
256  mpi_free( &T );
258  }
259 
260  olen = ctx->len;
261  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
262  MPI_CHK( mpi_write_binary( &T, output, olen ) );
263 
264 cleanup:
265 
266  mpi_free( &T );
267 
268  if( ret != 0 )
269  return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
270 
271  return( 0 );
272 }
273 
274 #if !defined(POLARSSL_RSA_NO_CRT)
275 /*
276  * Generate or update blinding values, see section 10 of:
277  * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
278  * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
279  * Berlin Heidelberg, 1996. p. 104-113.
280  */
281 static int rsa_prepare_blinding( rsa_context *ctx, mpi *Vi, mpi *Vf,
282  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
283 {
284  int ret, count = 0;
285 
286 #if defined(POLARSSL_THREADING_C)
287  polarssl_mutex_lock( &ctx->mutex );
288 #endif
289 
290  if( ctx->Vf.p != NULL )
291  {
292  /* We already have blinding values, just update them by squaring */
293  MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
294  MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
295  MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
296  MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
297 
298  goto done;
299  }
300 
301  /* Unblinding value: Vf = random number, invertible mod N */
302  do {
303  if( count++ > 10 )
304  return( POLARSSL_ERR_RSA_RNG_FAILED );
305 
306  MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
307  MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
308  } while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
309 
310  /* Blinding value: Vi = Vf^(-e) mod N */
311  MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
312  MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
313 
314 done:
315  if( Vi != &ctx->Vi )
316  {
317  MPI_CHK( mpi_copy( Vi, &ctx->Vi ) );
318  MPI_CHK( mpi_copy( Vf, &ctx->Vf ) );
319  }
320 
321 cleanup:
322 #if defined(POLARSSL_THREADING_C)
323  polarssl_mutex_unlock( &ctx->mutex );
324 #endif
325 
326  return( ret );
327 }
328 #endif
329 
330 /*
331  * Do an RSA private key operation
332  */
333 int rsa_private( rsa_context *ctx,
334  int (*f_rng)(void *, unsigned char *, size_t),
335  void *p_rng,
336  const unsigned char *input,
337  unsigned char *output )
338 {
339  int ret;
340  size_t olen;
341  mpi T, T1, T2;
342 #if !defined(POLARSSL_RSA_NO_CRT)
343  mpi *Vi, *Vf;
344 
345  /*
346  * When using the Chinese Remainder Theorem, we use blinding values.
347  * Without threading, we just read them directly from the context,
348  * otherwise we make a local copy in order to reduce locking contention.
349  */
350 #if defined(POLARSSL_THREADING_C)
351  mpi Vi_copy, Vf_copy;
352 
353  mpi_init( &Vi_copy ); mpi_init( &Vf_copy );
354  Vi = &Vi_copy;
355  Vf = &Vf_copy;
356 #else
357  Vi = &ctx->Vi;
358  Vf = &ctx->Vf;
359 #endif
360 #endif
361 
362  mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
363 
364  MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
365  if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
366  {
367  mpi_free( &T );
369  }
370 
371 #if defined(POLARSSL_RSA_NO_CRT)
372  ((void) f_rng);
373  ((void) p_rng);
374  MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
375 #else
376  if( f_rng != NULL )
377  {
378  /*
379  * Blinding
380  * T = T * Vi mod N
381  */
382  MPI_CHK( rsa_prepare_blinding( ctx, Vi, Vf, f_rng, p_rng ) );
383  MPI_CHK( mpi_mul_mpi( &T, &T, Vi ) );
384  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
385  }
386 
387  /*
388  * faster decryption using the CRT
389  *
390  * T1 = input ^ dP mod P
391  * T2 = input ^ dQ mod Q
392  */
393  MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
394  MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
395 
396  /*
397  * T = (T1 - T2) * (Q^-1 mod P) mod P
398  */
399  MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
400  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
401  MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
402 
403  /*
404  * T = T2 + T * Q
405  */
406  MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
407  MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
408 
409  if( f_rng != NULL )
410  {
411  /*
412  * Unblind
413  * T = T * Vf mod N
414  */
415  MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
416  MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
417  }
418 #endif
419 
420  olen = ctx->len;
421  MPI_CHK( mpi_write_binary( &T, output, olen ) );
422 
423 cleanup:
424  mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
425 #if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
426  mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
427 #endif
428 
429  if( ret != 0 )
430  return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
431 
432  return( 0 );
433 }
434 
435 #if defined(POLARSSL_PKCS1_V21)
436 
445 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
446  size_t slen, md_context_t *md_ctx )
447 {
448  unsigned char mask[POLARSSL_MD_MAX_SIZE];
449  unsigned char counter[4];
450  unsigned char *p;
451  unsigned int hlen;
452  size_t i, use_len;
453 
454  memset( mask, 0, POLARSSL_MD_MAX_SIZE );
455  memset( counter, 0, 4 );
456 
457  hlen = md_ctx->md_info->size;
458 
459  // Generate and apply dbMask
460  //
461  p = dst;
462 
463  while( dlen > 0 )
464  {
465  use_len = hlen;
466  if( dlen < hlen )
467  use_len = dlen;
468 
469  md_starts( md_ctx );
470  md_update( md_ctx, src, slen );
471  md_update( md_ctx, counter, 4 );
472  md_finish( md_ctx, mask );
473 
474  for( i = 0; i < use_len; ++i )
475  *p++ ^= mask[i];
476 
477  counter[3]++;
478 
479  dlen -= use_len;
480  }
481 }
482 #endif
483 
484 #if defined(POLARSSL_PKCS1_V21)
485 /*
486  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
487  */
489  int (*f_rng)(void *, unsigned char *, size_t),
490  void *p_rng,
491  int mode,
492  const unsigned char *label, size_t label_len,
493  size_t ilen,
494  const unsigned char *input,
495  unsigned char *output )
496 {
497  size_t olen;
498  int ret;
499  unsigned char *p = output;
500  unsigned int hlen;
501  const md_info_t *md_info;
502  md_context_t md_ctx;
503 
504  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
506 
507  md_info = md_info_from_type( ctx->hash_id );
508  if( md_info == NULL )
510 
511  olen = ctx->len;
512  hlen = md_get_size( md_info );
513 
514  if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
516 
517  memset( output, 0, olen );
518 
519  *p++ = 0;
520 
521  // Generate a random octet string seed
522  //
523  if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
524  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
525 
526  p += hlen;
527 
528  // Construct DB
529  //
530  md( md_info, label, label_len, p );
531  p += hlen;
532  p += olen - 2 * hlen - 2 - ilen;
533  *p++ = 1;
534  memcpy( p, input, ilen );
535 
536  md_init_ctx( &md_ctx, md_info );
537 
538  // maskedDB: Apply dbMask to DB
539  //
540  mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
541  &md_ctx );
542 
543  // maskedSeed: Apply seedMask to seed
544  //
545  mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
546  &md_ctx );
547 
548  md_free_ctx( &md_ctx );
549 
550  return( ( mode == RSA_PUBLIC )
551  ? rsa_public( ctx, output, output )
552  : rsa_private( ctx, f_rng, p_rng, output, output ) );
553 }
554 #endif /* POLARSSL_PKCS1_V21 */
555 
556 #if defined(POLARSSL_PKCS1_V15)
557 /*
558  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
559  */
561  int (*f_rng)(void *, unsigned char *, size_t),
562  void *p_rng,
563  int mode, size_t ilen,
564  const unsigned char *input,
565  unsigned char *output )
566 {
567  size_t nb_pad, olen;
568  int ret;
569  unsigned char *p = output;
570 
571  if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL )
573 
574  olen = ctx->len;
575 
576  if( olen < ilen + 11 )
578 
579  nb_pad = olen - 3 - ilen;
580 
581  *p++ = 0;
582  if( mode == RSA_PUBLIC )
583  {
584  *p++ = RSA_CRYPT;
585 
586  while( nb_pad-- > 0 )
587  {
588  int rng_dl = 100;
589 
590  do {
591  ret = f_rng( p_rng, p, 1 );
592  } while( *p == 0 && --rng_dl && ret == 0 );
593 
594  // Check if RNG failed to generate data
595  //
596  if( rng_dl == 0 || ret != 0)
597  return POLARSSL_ERR_RSA_RNG_FAILED + ret;
598 
599  p++;
600  }
601  }
602  else
603  {
604  *p++ = RSA_SIGN;
605 
606  while( nb_pad-- > 0 )
607  *p++ = 0xFF;
608  }
609 
610  *p++ = 0;
611  memcpy( p, input, ilen );
612 
613  return( ( mode == RSA_PUBLIC )
614  ? rsa_public( ctx, output, output )
615  : rsa_private( ctx, f_rng, p_rng, output, output ) );
616 }
617 #endif /* POLARSSL_PKCS1_V15 */
618 
619 /*
620  * Add the message padding, then do an RSA operation
621  */
623  int (*f_rng)(void *, unsigned char *, size_t),
624  void *p_rng,
625  int mode, size_t ilen,
626  const unsigned char *input,
627  unsigned char *output )
628 {
629  switch( ctx->padding )
630  {
631 #if defined(POLARSSL_PKCS1_V15)
632  case RSA_PKCS_V15:
633  return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
634  input, output );
635 #endif
636 
637 #if defined(POLARSSL_PKCS1_V21)
638  case RSA_PKCS_V21:
639  return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
640  ilen, input, output );
641 #endif
642 
643  default:
645  }
646 }
647 
648 #if defined(POLARSSL_PKCS1_V21)
649 /*
650  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
651  */
653  int (*f_rng)(void *, unsigned char *, size_t),
654  void *p_rng,
655  int mode,
656  const unsigned char *label, size_t label_len,
657  size_t *olen,
658  const unsigned char *input,
659  unsigned char *output,
660  size_t output_max_len )
661 {
662  int ret;
663  size_t ilen, i, pad_len;
664  unsigned char *p, bad, pad_done;
665  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
666  unsigned char lhash[POLARSSL_MD_MAX_SIZE];
667  unsigned int hlen;
668  const md_info_t *md_info;
669  md_context_t md_ctx;
670 
671  /*
672  * Parameters sanity checks
673  */
674  if( ctx->padding != RSA_PKCS_V21 )
676 
677  ilen = ctx->len;
678 
679  if( ilen < 16 || ilen > sizeof( buf ) )
681 
682  md_info = md_info_from_type( ctx->hash_id );
683  if( md_info == NULL )
685 
686  /*
687  * RSA operation
688  */
689  ret = ( mode == RSA_PUBLIC )
690  ? rsa_public( ctx, input, buf )
691  : rsa_private( ctx, f_rng, p_rng, input, buf );
692 
693  if( ret != 0 )
694  return( ret );
695 
696  /*
697  * Unmask data and generate lHash
698  */
699  hlen = md_get_size( md_info );
700 
701  md_init_ctx( &md_ctx, md_info );
702 
703  /* Generate lHash */
704  md( md_info, label, label_len, lhash );
705 
706  /* seed: Apply seedMask to maskedSeed */
707  mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
708  &md_ctx );
709 
710  /* DB: Apply dbMask to maskedDB */
711  mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
712  &md_ctx );
713 
714  md_free_ctx( &md_ctx );
715 
716  /*
717  * Check contents, in "constant-time"
718  */
719  p = buf;
720  bad = 0;
721 
722  bad |= *p++; /* First byte must be 0 */
723 
724  p += hlen; /* Skip seed */
725 
726  /* Check lHash */
727  for( i = 0; i < hlen; i++ )
728  bad |= lhash[i] ^ *p++;
729 
730  /* Get zero-padding len, but always read till end of buffer
731  * (minus one, for the 01 byte) */
732  pad_len = 0;
733  pad_done = 0;
734  for( i = 0; i < ilen - 2 * hlen - 2; i++ )
735  {
736  pad_done |= p[i];
737  pad_len += ( pad_done == 0 );
738  }
739 
740  p += pad_len;
741  bad |= *p++ ^ 0x01;
742 
743  /*
744  * The only information "leaked" is whether the padding was correct or not
745  * (eg, no data is copied if it was not correct). This meets the
746  * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
747  * the different error conditions.
748  */
749  if( bad != 0 )
751 
752  if (ilen - (p - buf) > output_max_len)
754 
755  *olen = ilen - (p - buf);
756  memcpy( output, p, *olen );
757 
758  return( 0 );
759 }
760 #endif /* POLARSSL_PKCS1_V21 */
761 
762 #if defined(POLARSSL_PKCS1_V15)
763 /*
764  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
765  */
767  int (*f_rng)(void *, unsigned char *, size_t),
768  void *p_rng,
769  int mode, size_t *olen,
770  const unsigned char *input,
771  unsigned char *output,
772  size_t output_max_len)
773 {
774  int ret;
775  size_t ilen, pad_count = 0, i;
776  unsigned char *p, bad, pad_done = 0;
777  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
778 
779  if( ctx->padding != RSA_PKCS_V15 )
781 
782  ilen = ctx->len;
783 
784  if( ilen < 16 || ilen > sizeof( buf ) )
786 
787  ret = ( mode == RSA_PUBLIC )
788  ? rsa_public( ctx, input, buf )
789  : rsa_private( ctx, f_rng, p_rng, input, buf );
790 
791  if( ret != 0 )
792  return( ret );
793 
794  p = buf;
795  bad = 0;
796 
797  /*
798  * Check and get padding len in "constant-time"
799  */
800  bad |= *p++; /* First byte must be 0 */
801 
802  /* This test does not depend on secret data */
803  if( mode == RSA_PRIVATE )
804  {
805  bad |= *p++ ^ RSA_CRYPT;
806 
807  /* Get padding len, but always read till end of buffer
808  * (minus one, for the 00 byte) */
809  for( i = 0; i < ilen - 3; i++ )
810  {
811  pad_done |= ( p[i] == 0 );
812  pad_count += ( pad_done == 0 );
813  }
814 
815  p += pad_count;
816  bad |= *p++; /* Must be zero */
817  }
818  else
819  {
820  bad |= *p++ ^ RSA_SIGN;
821 
822  /* Get padding len, but always read till end of buffer
823  * (minus one, for the 00 byte) */
824  for( i = 0; i < ilen - 3; i++ )
825  {
826  pad_done |= ( p[i] != 0xFF );
827  pad_count += ( pad_done == 0 );
828  }
829 
830  p += pad_count;
831  bad |= *p++; /* Must be zero */
832  }
833 
834  if( bad )
836 
837  if (ilen - (p - buf) > output_max_len)
839 
840  *olen = ilen - (p - buf);
841  memcpy( output, p, *olen );
842 
843  return( 0 );
844 }
845 #endif /* POLARSSL_PKCS1_V15 */
846 
847 /*
848  * Do an RSA operation, then remove the message padding
849  */
851  int (*f_rng)(void *, unsigned char *, size_t),
852  void *p_rng,
853  int mode, size_t *olen,
854  const unsigned char *input,
855  unsigned char *output,
856  size_t output_max_len)
857 {
858  switch( ctx->padding )
859  {
860 #if defined(POLARSSL_PKCS1_V15)
861  case RSA_PKCS_V15:
862  return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
863  input, output, output_max_len );
864 #endif
865 
866 #if defined(POLARSSL_PKCS1_V21)
867  case RSA_PKCS_V21:
868  return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
869  olen, input, output,
870  output_max_len );
871 #endif
872 
873  default:
875  }
876 }
877 
878 #if defined(POLARSSL_PKCS1_V21)
879 /*
880  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
881  */
883  int (*f_rng)(void *, unsigned char *, size_t),
884  void *p_rng,
885  int mode,
886  md_type_t md_alg,
887  unsigned int hashlen,
888  const unsigned char *hash,
889  unsigned char *sig )
890 {
891  size_t olen;
892  unsigned char *p = sig;
893  unsigned char salt[POLARSSL_MD_MAX_SIZE];
894  unsigned int slen, hlen, offset = 0;
895  int ret;
896  size_t msb;
897  const md_info_t *md_info;
898  md_context_t md_ctx;
899 
900  if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
902 
903  olen = ctx->len;
904 
905  if( md_alg != POLARSSL_MD_NONE )
906  {
907  // Gather length of hash to sign
908  //
909  md_info = md_info_from_type( md_alg );
910  if( md_info == NULL )
912 
913  hashlen = md_get_size( md_info );
914  }
915 
916  md_info = md_info_from_type( ctx->hash_id );
917  if( md_info == NULL )
919 
920  hlen = md_get_size( md_info );
921  slen = hlen;
922 
923  if( olen < hlen + slen + 2 )
925 
926  memset( sig, 0, olen );
927 
928  // Generate salt of length slen
929  //
930  if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
931  return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
932 
933  // Note: EMSA-PSS encoding is over the length of N - 1 bits
934  //
935  msb = mpi_msb( &ctx->N ) - 1;
936  p += olen - hlen * 2 - 2;
937  *p++ = 0x01;
938  memcpy( p, salt, slen );
939  p += slen;
940 
941  md_init_ctx( &md_ctx, md_info );
942 
943  // Generate H = Hash( M' )
944  //
945  md_starts( &md_ctx );
946  md_update( &md_ctx, p, 8 );
947  md_update( &md_ctx, hash, hashlen );
948  md_update( &md_ctx, salt, slen );
949  md_finish( &md_ctx, p );
950 
951  // Compensate for boundary condition when applying mask
952  //
953  if( msb % 8 == 0 )
954  offset = 1;
955 
956  // maskedDB: Apply dbMask to DB
957  //
958  mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
959 
960  md_free_ctx( &md_ctx );
961 
962  msb = mpi_msb( &ctx->N ) - 1;
963  sig[0] &= 0xFF >> ( olen * 8 - msb );
964 
965  p += hlen;
966  *p++ = 0xBC;
967 
968  return( ( mode == RSA_PUBLIC )
969  ? rsa_public( ctx, sig, sig )
970  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
971 }
972 #endif /* POLARSSL_PKCS1_V21 */
973 
974 #if defined(POLARSSL_PKCS1_V15)
975 /*
976  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
977  */
978 /*
979  * Do an RSA operation to sign the message digest
980  */
982  int (*f_rng)(void *, unsigned char *, size_t),
983  void *p_rng,
984  int mode,
985  md_type_t md_alg,
986  unsigned int hashlen,
987  const unsigned char *hash,
988  unsigned char *sig )
989 {
990  size_t nb_pad, olen, oid_size = 0;
991  unsigned char *p = sig;
992  const char *oid;
993 
994  if( ctx->padding != RSA_PKCS_V15 )
996 
997  olen = ctx->len;
998  nb_pad = olen - 3;
999 
1000  if( md_alg != POLARSSL_MD_NONE )
1001  {
1002  const md_info_t *md_info = md_info_from_type( md_alg );
1003  if( md_info == NULL )
1005 
1006  if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1008 
1009  nb_pad -= 10 + oid_size;
1010 
1011  hashlen = md_get_size( md_info );
1012  }
1013 
1014  nb_pad -= hashlen;
1015 
1016  if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
1018 
1019  *p++ = 0;
1020  *p++ = RSA_SIGN;
1021  memset( p, 0xFF, nb_pad );
1022  p += nb_pad;
1023  *p++ = 0;
1024 
1025  if( md_alg == POLARSSL_MD_NONE )
1026  {
1027  memcpy( p, hash, hashlen );
1028  }
1029  else
1030  {
1031  /*
1032  * DigestInfo ::= SEQUENCE {
1033  * digestAlgorithm DigestAlgorithmIdentifier,
1034  * digest Digest }
1035  *
1036  * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1037  *
1038  * Digest ::= OCTET STRING
1039  */
1041  *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
1043  *p++ = (unsigned char) ( 0x04 + oid_size );
1044  *p++ = ASN1_OID;
1045  *p++ = oid_size & 0xFF;
1046  memcpy( p, oid, oid_size );
1047  p += oid_size;
1048  *p++ = ASN1_NULL;
1049  *p++ = 0x00;
1050  *p++ = ASN1_OCTET_STRING;
1051  *p++ = hashlen;
1052  memcpy( p, hash, hashlen );
1053  }
1054 
1055  return( ( mode == RSA_PUBLIC )
1056  ? rsa_public( ctx, sig, sig )
1057  : rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1058 }
1059 #endif /* POLARSSL_PKCS1_V15 */
1060 
1061 /*
1062  * Do an RSA operation to sign the message digest
1063  */
1064 int rsa_pkcs1_sign( rsa_context *ctx,
1065  int (*f_rng)(void *, unsigned char *, size_t),
1066  void *p_rng,
1067  int mode,
1068  md_type_t md_alg,
1069  unsigned int hashlen,
1070  const unsigned char *hash,
1071  unsigned char *sig )
1072 {
1073  switch( ctx->padding )
1074  {
1075 #if defined(POLARSSL_PKCS1_V15)
1076  case RSA_PKCS_V15:
1077  return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
1078  hashlen, hash, sig );
1079 #endif
1080 
1081 #if defined(POLARSSL_PKCS1_V21)
1082  case RSA_PKCS_V21:
1083  return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1084  hashlen, hash, sig );
1085 #endif
1086 
1087  default:
1089  }
1090 }
1091 
1092 #if defined(POLARSSL_PKCS1_V21)
1093 /*
1094  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1095  */
1097  int (*f_rng)(void *, unsigned char *, size_t),
1098  void *p_rng,
1099  int mode,
1100  md_type_t md_alg,
1101  unsigned int hashlen,
1102  const unsigned char *hash,
1103  const unsigned char *sig )
1104 {
1105  int ret;
1106  size_t siglen;
1107  unsigned char *p;
1108  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1109  unsigned char result[POLARSSL_MD_MAX_SIZE];
1110  unsigned char zeros[8];
1111  unsigned int hlen;
1112  size_t slen, msb;
1113  const md_info_t *md_info;
1114  md_context_t md_ctx;
1115 
1116  if( ctx->padding != RSA_PKCS_V21 )
1118 
1119  siglen = ctx->len;
1120 
1121  if( siglen < 16 || siglen > sizeof( buf ) )
1123 
1124  ret = ( mode == RSA_PUBLIC )
1125  ? rsa_public( ctx, sig, buf )
1126  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1127 
1128  if( ret != 0 )
1129  return( ret );
1130 
1131  p = buf;
1132 
1133  if( buf[siglen - 1] != 0xBC )
1135 
1136  if( md_alg != POLARSSL_MD_NONE )
1137  {
1138  // Gather length of hash to sign
1139  //
1140  md_info = md_info_from_type( md_alg );
1141  if( md_info == NULL )
1143 
1144  hashlen = md_get_size( md_info );
1145  }
1146 
1147  md_info = md_info_from_type( ctx->hash_id );
1148  if( md_info == NULL )
1150 
1151  hlen = md_get_size( md_info );
1152  slen = siglen - hlen - 1;
1153 
1154  memset( zeros, 0, 8 );
1155 
1156  // Note: EMSA-PSS verification is over the length of N - 1 bits
1157  //
1158  msb = mpi_msb( &ctx->N ) - 1;
1159 
1160  // Compensate for boundary condition when applying mask
1161  //
1162  if( msb % 8 == 0 )
1163  {
1164  p++;
1165  siglen -= 1;
1166  }
1167  if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1169 
1170  md_init_ctx( &md_ctx, md_info );
1171 
1172  mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1173 
1174  buf[0] &= 0xFF >> ( siglen * 8 - msb );
1175 
1176  while( p < buf + siglen && *p == 0 )
1177  p++;
1178 
1179  if( p == buf + siglen ||
1180  *p++ != 0x01 )
1181  {
1182  md_free_ctx( &md_ctx );
1184  }
1185 
1186  slen -= p - buf;
1187 
1188  // Generate H = Hash( M' )
1189  //
1190  md_starts( &md_ctx );
1191  md_update( &md_ctx, zeros, 8 );
1192  md_update( &md_ctx, hash, hashlen );
1193  md_update( &md_ctx, p, slen );
1194  md_finish( &md_ctx, result );
1195 
1196  md_free_ctx( &md_ctx );
1197 
1198  if( memcmp( p + slen, result, hlen ) == 0 )
1199  return( 0 );
1200  else
1202 }
1203 #endif /* POLARSSL_PKCS1_V21 */
1204 
1205 #if defined(POLARSSL_PKCS1_V15)
1206 /*
1207  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1208  */
1210  int (*f_rng)(void *, unsigned char *, size_t),
1211  void *p_rng,
1212  int mode,
1213  md_type_t md_alg,
1214  unsigned int hashlen,
1215  const unsigned char *hash,
1216  const unsigned char *sig )
1217 {
1218  int ret;
1219  size_t len, siglen, asn1_len;
1220  unsigned char *p, *end;
1221  unsigned char buf[POLARSSL_MPI_MAX_SIZE];
1222  md_type_t msg_md_alg;
1223  const md_info_t *md_info;
1224  asn1_buf oid;
1225 
1226  if( ctx->padding != RSA_PKCS_V15 )
1228 
1229  siglen = ctx->len;
1230 
1231  if( siglen < 16 || siglen > sizeof( buf ) )
1233 
1234  ret = ( mode == RSA_PUBLIC )
1235  ? rsa_public( ctx, sig, buf )
1236  : rsa_private( ctx, f_rng, p_rng, sig, buf );
1237 
1238  if( ret != 0 )
1239  return( ret );
1240 
1241  p = buf;
1242 
1243  if( *p++ != 0 || *p++ != RSA_SIGN )
1245 
1246  while( *p != 0 )
1247  {
1248  if( p >= buf + siglen - 1 || *p != 0xFF )
1250  p++;
1251  }
1252  p++;
1253 
1254  len = siglen - ( p - buf );
1255 
1256  if( len == hashlen && md_alg == POLARSSL_MD_NONE )
1257  {
1258  if( memcmp( p, hash, hashlen ) == 0 )
1259  return( 0 );
1260  else
1262  }
1263 
1264  md_info = md_info_from_type( md_alg );
1265  if( md_info == NULL )
1267  hashlen = md_get_size( md_info );
1268 
1269  end = p + len;
1270 
1271  // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
1272  //
1273  if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1274  ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1276 
1277  if( asn1_len + 2 != len )
1279 
1280  if( ( ret = asn1_get_tag( &p, end, &asn1_len,
1281  ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1283 
1284  if( asn1_len + 6 + hashlen != len )
1286 
1287  if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
1289 
1290  oid.p = p;
1291  p += oid.len;
1292 
1293  if( oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
1295 
1296  if( md_alg != msg_md_alg )
1298 
1299  /*
1300  * assume the algorithm parameters must be NULL
1301  */
1302  if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
1304 
1305  if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
1307 
1308  if( asn1_len != hashlen )
1310 
1311  if( memcmp( p, hash, hashlen ) != 0 )
1313 
1314  p += hashlen;
1315 
1316  if( p != end )
1318 
1319  return( 0 );
1320 }
1321 #endif /* POLARSSL_PKCS1_V15 */
1322 
1323 /*
1324  * Do an RSA operation and check the message digest
1325  */
1326 int rsa_pkcs1_verify( rsa_context *ctx,
1327  int (*f_rng)(void *, unsigned char *, size_t),
1328  void *p_rng,
1329  int mode,
1330  md_type_t md_alg,
1331  unsigned int hashlen,
1332  const unsigned char *hash,
1333  const unsigned char *sig )
1334 {
1335  switch( ctx->padding )
1336  {
1337 #if defined(POLARSSL_PKCS1_V15)
1338  case RSA_PKCS_V15:
1339  return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
1340  hashlen, hash, sig );
1341 #endif
1342 
1343 #if defined(POLARSSL_PKCS1_V21)
1344  case RSA_PKCS_V21:
1345  return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
1346  hashlen, hash, sig );
1347 #endif
1348 
1349  default:
1351  }
1352 }
1353 
1354 /*
1355  * Copy the components of an RSA key
1356  */
1357 int rsa_copy( rsa_context *dst, const rsa_context *src )
1358 {
1359  int ret;
1360 
1361  dst->ver = src->ver;
1362  dst->len = src->len;
1363 
1364  MPI_CHK( mpi_copy( &dst->N, &src->N ) );
1365  MPI_CHK( mpi_copy( &dst->E, &src->E ) );
1366 
1367  MPI_CHK( mpi_copy( &dst->D, &src->D ) );
1368  MPI_CHK( mpi_copy( &dst->P, &src->P ) );
1369  MPI_CHK( mpi_copy( &dst->Q, &src->Q ) );
1370  MPI_CHK( mpi_copy( &dst->DP, &src->DP ) );
1371  MPI_CHK( mpi_copy( &dst->DQ, &src->DQ ) );
1372  MPI_CHK( mpi_copy( &dst->QP, &src->QP ) );
1373 
1374  MPI_CHK( mpi_copy( &dst->RN, &src->RN ) );
1375  MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
1376  MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
1377 
1378 #if !defined(POLARSSL_RSA_NO_CRT)
1379  MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
1380  MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
1381 #endif
1382 
1383  dst->padding = src->padding;
1384  dst->hash_id = src->hash_id;
1385 
1386 cleanup:
1387  if( ret != 0 )
1388  rsa_free( dst );
1389 
1390  return( ret );
1391 }
1392 
1393 /*
1394  * Free the components of an RSA key
1395  */
1396 void rsa_free( rsa_context *ctx )
1397 {
1398 #if !defined(POLARSSL_RSA_NO_CRT)
1399  mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
1400 #endif
1401  mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
1402  mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
1403  mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
1404  mpi_free( &ctx->E ); mpi_free( &ctx->N );
1405 
1406 #if defined(POLARSSL_THREADING_C)
1407  polarssl_mutex_free( &ctx->mutex );
1408 #endif
1409 }
1410 
1411 #if defined(POLARSSL_SELF_TEST)
1412 
1413 #include "polarssl/sha1.h"
1414 
1415 /*
1416  * Example RSA-1024 keypair, for test purposes
1417  */
1418 #define KEY_LEN 128
1419 
1420 #define RSA_N "9292758453063D803DD603D5E777D788" \
1421  "8ED1D5BF35786190FA2F23EBC0848AEA" \
1422  "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1423  "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1424  "93A89813FBF3C4F8066D2D800F7C38A8" \
1425  "1AE31942917403FF4946B0A83D3D3E05" \
1426  "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1427  "5E94BB77B07507233A0BC7BAC8F90F79"
1428 
1429 #define RSA_E "10001"
1430 
1431 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1432  "66CA472BC44D253102F8B4A9D3BFA750" \
1433  "91386C0077937FE33FA3252D28855837" \
1434  "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1435  "DF79C5CE07EE72C7F123142198164234" \
1436  "CABB724CF78B8173B9F880FC86322407" \
1437  "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1438  "071513A1E85B5DFA031F21ECAE91A34D"
1439 
1440 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1441  "2C01CAD19EA484A87EA4377637E75500" \
1442  "FCB2005C5C7DD6EC4AC023CDA285D796" \
1443  "C3D9E75E1EFC42488BB4F1D13AC30A57"
1444 
1445 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1446  "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1447  "910E4168387E3C30AA1E00C339A79508" \
1448  "8452DD96A9A5EA5D9DCA68DA636032AF"
1449 
1450 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1451  "3C94D22288ACD763FD8E5600ED4A702D" \
1452  "F84198A5F06C2E72236AE490C93F07F8" \
1453  "3CC559CD27BC2D1CA488811730BB5725"
1454 
1455 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1456  "D8AAEA56749EA28623272E4F7D0592AF" \
1457  "7C1F1313CAC9471B5C523BFE592F517B" \
1458  "407A1BD76C164B93DA2D32A383E58357"
1459 
1460 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1461  "F38D18D2B2F0E2DD275AA977E2BF4411" \
1462  "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1463  "A74206CEC169D74BF5A8C50D6F48EA08"
1464 
1465 #define PT_LEN 24
1466 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1467  "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1468 
1469 #if defined(POLARSSL_PKCS1_V15)
1470 static int myrand( void *rng_state, unsigned char *output, size_t len )
1471 {
1472  size_t i;
1473 
1474  if( rng_state != NULL )
1475  rng_state = NULL;
1476 
1477  for( i = 0; i < len; ++i )
1478  output[i] = rand();
1479 
1480  return( 0 );
1481 }
1482 #endif
1483 
1484 /*
1485  * Checkup routine
1486  */
1487 int rsa_self_test( int verbose )
1488 {
1489 #if defined(POLARSSL_PKCS1_V15)
1490  size_t len;
1491  rsa_context rsa;
1492  unsigned char rsa_plaintext[PT_LEN];
1493  unsigned char rsa_decrypted[PT_LEN];
1494  unsigned char rsa_ciphertext[KEY_LEN];
1495 #if defined(POLARSSL_SHA1_C)
1496  unsigned char sha1sum[20];
1497 #endif
1498 
1499  rsa_init( &rsa, RSA_PKCS_V15, 0 );
1500 
1501  rsa.len = KEY_LEN;
1502  mpi_read_string( &rsa.N , 16, RSA_N );
1503  mpi_read_string( &rsa.E , 16, RSA_E );
1504  mpi_read_string( &rsa.D , 16, RSA_D );
1505  mpi_read_string( &rsa.P , 16, RSA_P );
1506  mpi_read_string( &rsa.Q , 16, RSA_Q );
1507  mpi_read_string( &rsa.DP, 16, RSA_DP );
1508  mpi_read_string( &rsa.DQ, 16, RSA_DQ );
1509  mpi_read_string( &rsa.QP, 16, RSA_QP );
1510 
1511  if( verbose != 0 )
1512  polarssl_printf( " RSA key validation: " );
1513 
1514  if( rsa_check_pubkey( &rsa ) != 0 ||
1515  rsa_check_privkey( &rsa ) != 0 )
1516  {
1517  if( verbose != 0 )
1518  polarssl_printf( "failed\n" );
1519 
1520  return( 1 );
1521  }
1522 
1523  if( verbose != 0 )
1524  polarssl_printf( "passed\n PKCS#1 encryption : " );
1525 
1526  memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1527 
1528  if( rsa_pkcs1_encrypt( &rsa, myrand, NULL, RSA_PUBLIC, PT_LEN,
1529  rsa_plaintext, rsa_ciphertext ) != 0 )
1530  {
1531  if( verbose != 0 )
1532  polarssl_printf( "failed\n" );
1533 
1534  return( 1 );
1535  }
1536 
1537  if( verbose != 0 )
1538  polarssl_printf( "passed\n PKCS#1 decryption : " );
1539 
1540  if( rsa_pkcs1_decrypt( &rsa, myrand, NULL, RSA_PRIVATE, &len,
1541  rsa_ciphertext, rsa_decrypted,
1542  sizeof(rsa_decrypted) ) != 0 )
1543  {
1544  if( verbose != 0 )
1545  polarssl_printf( "failed\n" );
1546 
1547  return( 1 );
1548  }
1549 
1550  if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1551  {
1552  if( verbose != 0 )
1553  polarssl_printf( "failed\n" );
1554 
1555  return( 1 );
1556  }
1557 
1558 #if defined(POLARSSL_SHA1_C)
1559  if( verbose != 0 )
1560  polarssl_printf( "passed\n PKCS#1 data sign : " );
1561 
1562  sha1( rsa_plaintext, PT_LEN, sha1sum );
1563 
1564  if( rsa_pkcs1_sign( &rsa, myrand, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1, 0,
1565  sha1sum, rsa_ciphertext ) != 0 )
1566  {
1567  if( verbose != 0 )
1568  polarssl_printf( "failed\n" );
1569 
1570  return( 1 );
1571  }
1572 
1573  if( verbose != 0 )
1574  polarssl_printf( "passed\n PKCS#1 sig. verify: " );
1575 
1576  if( rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC, POLARSSL_MD_SHA1, 0,
1577  sha1sum, rsa_ciphertext ) != 0 )
1578  {
1579  if( verbose != 0 )
1580  polarssl_printf( "failed\n" );
1581 
1582  return( 1 );
1583  }
1584 
1585  if( verbose != 0 )
1586  polarssl_printf( "passed\n\n" );
1587 #endif /* POLARSSL_SHA1_C */
1588 
1589  rsa_free( &rsa );
1590 #else /* POLARSSL_PKCS1_V15 */
1591  ((void) verbose);
1592 #endif /* POLARSSL_PKCS1_V15 */
1593  return( 0 );
1594 }
1595 
1596 #endif
1597 
1598 #endif