Commit | Line | Data |
---|---|---|
80a47a2c TK |
1 | /* |
2 | * The RSA public-key cryptosystem | |
3 | * | |
67932e54 TK |
4 | * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org> |
5 | * All rights reserved. | |
80a47a2c | 6 | * |
67932e54 | 7 | * Joined copyright on original XySSL code with: Christophe Devine |
80a47a2c TK |
8 | * |
9 | * This program is free software; you can redistribute it and/or modify | |
10 | * it under the terms of the GNU General Public License as published by | |
11 | * the Free Software Foundation; either version 2 of the License, or | |
12 | * (at your option) any later version. | |
13 | * | |
14 | * This program is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | * GNU General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU General Public License along | |
20 | * with this program; if not, write to the Free Software Foundation, Inc., | |
21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
22 | */ | |
23 | /* | |
24 | * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman. | |
25 | * | |
26 | * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf | |
27 | * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf | |
28 | */ | |
29 | ||
67932e54 | 30 | /* $Cambridge: exim/src/src/pdkim/rsa.c,v 1.3 2009/12/07 13:05:07 tom Exp $ */ |
80a47a2c TK |
31 | |
32 | #include "rsa.h" | |
33 | #include "base64.h" | |
34 | ||
35 | #include <stdlib.h> | |
36 | #include <string.h> | |
37 | #include <stdio.h> | |
38 | ||
39 | ||
67932e54 | 40 | /* *************** begin copy from x509parse.c ********************/ |
80a47a2c TK |
41 | /* |
42 | * ASN.1 DER decoding routines | |
43 | */ | |
44 | static int asn1_get_len( unsigned char **p, | |
45 | unsigned char *end, | |
46 | int *len ) | |
47 | { | |
48 | if( ( end - *p ) < 1 ) | |
49 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
50 | ||
51 | if( ( **p & 0x80 ) == 0 ) | |
52 | *len = *(*p)++; | |
53 | else | |
54 | { | |
55 | switch( **p & 0x7F ) | |
56 | { | |
57 | case 1: | |
58 | if( ( end - *p ) < 2 ) | |
59 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
60 | ||
61 | *len = (*p)[1]; | |
62 | (*p) += 2; | |
63 | break; | |
64 | ||
65 | case 2: | |
66 | if( ( end - *p ) < 3 ) | |
67 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
68 | ||
69 | *len = ( (*p)[1] << 8 ) | (*p)[2]; | |
70 | (*p) += 3; | |
71 | break; | |
72 | ||
73 | default: | |
74 | return( POLARSSL_ERR_ASN1_INVALID_LENGTH ); | |
75 | break; | |
76 | } | |
77 | } | |
78 | ||
79 | if( *len > (int) ( end - *p ) ) | |
80 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
81 | ||
82 | return( 0 ); | |
83 | } | |
84 | ||
85 | static int asn1_get_tag( unsigned char **p, | |
86 | unsigned char *end, | |
87 | int *len, int tag ) | |
88 | { | |
89 | if( ( end - *p ) < 1 ) | |
90 | return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); | |
91 | ||
92 | if( **p != tag ) | |
93 | return( POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); | |
94 | ||
95 | (*p)++; | |
96 | ||
97 | return( asn1_get_len( p, end, len ) ); | |
98 | } | |
99 | ||
100 | static int asn1_get_int( unsigned char **p, | |
101 | unsigned char *end, | |
102 | int *val ) | |
103 | { | |
104 | int ret, len; | |
105 | ||
106 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_INTEGER ) ) != 0 ) | |
107 | return( ret ); | |
108 | ||
109 | if( len > (int) sizeof( int ) || ( **p & 0x80 ) != 0 ) | |
110 | return( POLARSSL_ERR_ASN1_INVALID_LENGTH ); | |
111 | ||
112 | *val = 0; | |
113 | ||
114 | while( len-- > 0 ) | |
115 | { | |
116 | *val = ( *val << 8 ) | **p; | |
117 | (*p)++; | |
118 | } | |
119 | ||
120 | return( 0 ); | |
121 | } | |
122 | ||
123 | static int asn1_get_mpi( unsigned char **p, | |
124 | unsigned char *end, | |
125 | mpi *X ) | |
126 | { | |
127 | int ret, len; | |
128 | ||
129 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_INTEGER ) ) != 0 ) | |
130 | return( ret ); | |
131 | ||
132 | ret = mpi_read_binary( X, *p, len ); | |
133 | ||
134 | *p += len; | |
135 | ||
136 | return( ret ); | |
137 | } | |
67932e54 TK |
138 | /* *************** end copy from x509parse.c ********************/ |
139 | ||
80a47a2c TK |
140 | |
141 | ||
142 | /* | |
143 | * Initialize an RSA context | |
144 | */ | |
145 | void rsa_init( rsa_context *ctx, | |
146 | int padding, | |
147 | int hash_id, | |
148 | int (*f_rng)(void *), | |
149 | void *p_rng ) | |
150 | { | |
151 | memset( ctx, 0, sizeof( rsa_context ) ); | |
152 | ||
153 | ctx->padding = padding; | |
154 | ctx->hash_id = hash_id; | |
155 | ||
156 | ctx->f_rng = f_rng; | |
157 | ctx->p_rng = p_rng; | |
158 | } | |
159 | ||
160 | ||
161 | /* | |
162 | * Check a public RSA key | |
163 | */ | |
164 | int rsa_check_pubkey( rsa_context *ctx ) | |
165 | { | |
67932e54 TK |
166 | if( !ctx->N.p || !ctx->E.p ) |
167 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
168 | ||
80a47a2c TK |
169 | if( ( ctx->N.p[0] & 1 ) == 0 || |
170 | ( ctx->E.p[0] & 1 ) == 0 ) | |
171 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
172 | ||
173 | if( mpi_msb( &ctx->N ) < 128 || | |
174 | mpi_msb( &ctx->N ) > 4096 ) | |
175 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
176 | ||
177 | if( mpi_msb( &ctx->E ) < 2 || | |
178 | mpi_msb( &ctx->E ) > 64 ) | |
179 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
180 | ||
181 | return( 0 ); | |
182 | } | |
183 | ||
184 | /* | |
185 | * Check a private RSA key | |
186 | */ | |
187 | int rsa_check_privkey( rsa_context *ctx ) | |
188 | { | |
189 | int ret; | |
190 | mpi PQ, DE, P1, Q1, H, I, G; | |
191 | ||
192 | if( ( ret = rsa_check_pubkey( ctx ) ) != 0 ) | |
193 | return( ret ); | |
194 | ||
67932e54 TK |
195 | if( !ctx->P.p || !ctx->Q.p || !ctx->D.p ) |
196 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED ); | |
197 | ||
80a47a2c TK |
198 | mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, NULL ); |
199 | ||
200 | MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) ); | |
201 | MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) ); | |
202 | MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) ); | |
203 | MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) ); | |
204 | MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) ); | |
205 | MPI_CHK( mpi_mod_mpi( &I, &DE, &H ) ); | |
206 | MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) ); | |
207 | ||
208 | if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 && | |
209 | mpi_cmp_int( &I, 1 ) == 0 && | |
210 | mpi_cmp_int( &G, 1 ) == 0 ) | |
211 | { | |
212 | mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL ); | |
213 | return( 0 ); | |
214 | } | |
215 | ||
216 | cleanup: | |
217 | ||
218 | mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL ); | |
219 | return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret ); | |
220 | } | |
221 | ||
222 | /* | |
223 | * Do an RSA public key operation | |
224 | */ | |
225 | int rsa_public( rsa_context *ctx, | |
226 | unsigned char *input, | |
227 | unsigned char *output ) | |
228 | { | |
229 | int ret, olen; | |
230 | mpi T; | |
231 | ||
232 | mpi_init( &T, NULL ); | |
233 | ||
234 | MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); | |
235 | ||
236 | if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) | |
237 | { | |
238 | mpi_free( &T, NULL ); | |
239 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
240 | } | |
241 | ||
242 | olen = ctx->len; | |
243 | MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); | |
244 | MPI_CHK( mpi_write_binary( &T, output, olen ) ); | |
245 | ||
246 | cleanup: | |
247 | ||
248 | mpi_free( &T, NULL ); | |
249 | ||
250 | if( ret != 0 ) | |
251 | return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret ); | |
252 | ||
253 | return( 0 ); | |
254 | } | |
255 | ||
256 | /* | |
257 | * Do an RSA private key operation | |
258 | */ | |
259 | int rsa_private( rsa_context *ctx, | |
260 | unsigned char *input, | |
261 | unsigned char *output ) | |
262 | { | |
263 | int ret, olen; | |
264 | mpi T, T1, T2; | |
265 | ||
266 | mpi_init( &T, &T1, &T2, NULL ); | |
267 | ||
268 | MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); | |
269 | ||
270 | if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) | |
271 | { | |
272 | mpi_free( &T, NULL ); | |
273 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
274 | } | |
275 | ||
276 | #if 0 | |
277 | MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) ); | |
278 | #else | |
279 | /* | |
280 | * faster decryption using the CRT | |
281 | * | |
282 | * T1 = input ^ dP mod P | |
283 | * T2 = input ^ dQ mod Q | |
284 | */ | |
285 | MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) ); | |
286 | MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) ); | |
287 | ||
288 | /* | |
289 | * T = (T1 - T2) * (Q^-1 mod P) mod P | |
290 | */ | |
291 | MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) ); | |
292 | MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) ); | |
293 | MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) ); | |
294 | ||
295 | /* | |
296 | * output = T2 + T * Q | |
297 | */ | |
298 | MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) ); | |
299 | MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) ); | |
300 | #endif | |
301 | ||
302 | olen = ctx->len; | |
303 | MPI_CHK( mpi_write_binary( &T, output, olen ) ); | |
304 | ||
305 | cleanup: | |
306 | ||
307 | mpi_free( &T, &T1, &T2, NULL ); | |
308 | ||
309 | if( ret != 0 ) | |
310 | return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret ); | |
311 | ||
312 | return( 0 ); | |
313 | } | |
314 | ||
315 | /* | |
316 | * Add the message padding, then do an RSA operation | |
317 | */ | |
318 | int rsa_pkcs1_encrypt( rsa_context *ctx, | |
319 | int mode, int ilen, | |
320 | unsigned char *input, | |
321 | unsigned char *output ) | |
322 | { | |
323 | int nb_pad, olen; | |
324 | unsigned char *p = output; | |
325 | ||
326 | olen = ctx->len; | |
327 | ||
328 | switch( ctx->padding ) | |
329 | { | |
330 | case RSA_PKCS_V15: | |
331 | ||
332 | if( ilen < 0 || olen < ilen + 11 ) | |
333 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
334 | ||
335 | nb_pad = olen - 3 - ilen; | |
336 | ||
337 | *p++ = 0; | |
338 | *p++ = RSA_CRYPT; | |
339 | ||
340 | while( nb_pad-- > 0 ) | |
341 | { | |
342 | do { | |
343 | *p = (unsigned char) rand(); | |
344 | } while( *p == 0 ); | |
345 | p++; | |
346 | } | |
347 | *p++ = 0; | |
348 | memcpy( p, input, ilen ); | |
349 | break; | |
350 | ||
351 | default: | |
352 | ||
353 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
354 | } | |
355 | ||
356 | return( ( mode == RSA_PUBLIC ) | |
357 | ? rsa_public( ctx, output, output ) | |
358 | : rsa_private( ctx, output, output ) ); | |
359 | } | |
360 | ||
361 | /* | |
362 | * Do an RSA operation, then remove the message padding | |
363 | */ | |
364 | int rsa_pkcs1_decrypt( rsa_context *ctx, | |
365 | int mode, int *olen, | |
366 | unsigned char *input, | |
367 | unsigned char *output, | |
67932e54 | 368 | int output_max_len) |
80a47a2c TK |
369 | { |
370 | int ret, ilen; | |
371 | unsigned char *p; | |
67932e54 | 372 | unsigned char buf[1024]; |
80a47a2c TK |
373 | |
374 | ilen = ctx->len; | |
375 | ||
376 | if( ilen < 16 || ilen > (int) sizeof( buf ) ) | |
377 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
378 | ||
379 | ret = ( mode == RSA_PUBLIC ) | |
380 | ? rsa_public( ctx, input, buf ) | |
381 | : rsa_private( ctx, input, buf ); | |
382 | ||
383 | if( ret != 0 ) | |
384 | return( ret ); | |
385 | ||
386 | p = buf; | |
387 | ||
388 | switch( ctx->padding ) | |
389 | { | |
390 | case RSA_PKCS_V15: | |
391 | ||
392 | if( *p++ != 0 || *p++ != RSA_CRYPT ) | |
393 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
394 | ||
395 | while( *p != 0 ) | |
396 | { | |
397 | if( p >= buf + ilen - 1 ) | |
398 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
399 | p++; | |
400 | } | |
401 | p++; | |
402 | break; | |
403 | ||
404 | default: | |
405 | ||
406 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
407 | } | |
408 | ||
409 | if (ilen - (int)(p - buf) > output_max_len) | |
67932e54 | 410 | return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE ); |
80a47a2c TK |
411 | |
412 | *olen = ilen - (int)(p - buf); | |
413 | memcpy( output, p, *olen ); | |
414 | ||
415 | return( 0 ); | |
416 | } | |
417 | ||
418 | /* | |
419 | * Do an RSA operation to sign the message digest | |
420 | */ | |
421 | int rsa_pkcs1_sign( rsa_context *ctx, | |
422 | int mode, | |
423 | int hash_id, | |
424 | int hashlen, | |
425 | unsigned char *hash, | |
426 | unsigned char *sig ) | |
427 | { | |
428 | int nb_pad, olen; | |
429 | unsigned char *p = sig; | |
430 | ||
431 | olen = ctx->len; | |
432 | ||
433 | switch( ctx->padding ) | |
434 | { | |
435 | case RSA_PKCS_V15: | |
436 | ||
437 | switch( hash_id ) | |
438 | { | |
67932e54 | 439 | case SIG_RSA_RAW: |
80a47a2c TK |
440 | nb_pad = olen - 3 - hashlen; |
441 | break; | |
442 | ||
67932e54 TK |
443 | case SIG_RSA_MD2: |
444 | case SIG_RSA_MD4: | |
445 | case SIG_RSA_MD5: | |
446 | nb_pad = olen - 3 - 34; | |
80a47a2c TK |
447 | break; |
448 | ||
67932e54 TK |
449 | case SIG_RSA_SHA1: |
450 | nb_pad = olen - 3 - 35; | |
80a47a2c TK |
451 | break; |
452 | ||
67932e54 TK |
453 | case SIG_RSA_SHA224: |
454 | nb_pad = olen - 3 - 47; | |
80a47a2c TK |
455 | break; |
456 | ||
67932e54 TK |
457 | case SIG_RSA_SHA256: |
458 | nb_pad = olen - 3 - 51; | |
459 | break; | |
460 | ||
461 | case SIG_RSA_SHA384: | |
462 | nb_pad = olen - 3 - 67; | |
463 | break; | |
464 | ||
465 | case SIG_RSA_SHA512: | |
466 | nb_pad = olen - 3 - 83; | |
467 | break; | |
468 | ||
469 | ||
80a47a2c TK |
470 | default: |
471 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
472 | } | |
473 | ||
474 | if( nb_pad < 8 ) | |
475 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
476 | ||
477 | *p++ = 0; | |
478 | *p++ = RSA_SIGN; | |
479 | memset( p, 0xFF, nb_pad ); | |
480 | p += nb_pad; | |
481 | *p++ = 0; | |
482 | break; | |
483 | ||
484 | default: | |
485 | ||
486 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
487 | } | |
488 | ||
489 | switch( hash_id ) | |
490 | { | |
67932e54 | 491 | case SIG_RSA_RAW: |
80a47a2c TK |
492 | memcpy( p, hash, hashlen ); |
493 | break; | |
494 | ||
67932e54 | 495 | case SIG_RSA_MD2: |
80a47a2c TK |
496 | memcpy( p, ASN1_HASH_MDX, 18 ); |
497 | memcpy( p + 18, hash, 16 ); | |
498 | p[13] = 2; break; | |
499 | ||
67932e54 | 500 | case SIG_RSA_MD4: |
80a47a2c TK |
501 | memcpy( p, ASN1_HASH_MDX, 18 ); |
502 | memcpy( p + 18, hash, 16 ); | |
503 | p[13] = 4; break; | |
504 | ||
67932e54 | 505 | case SIG_RSA_MD5: |
80a47a2c TK |
506 | memcpy( p, ASN1_HASH_MDX, 18 ); |
507 | memcpy( p + 18, hash, 16 ); | |
508 | p[13] = 5; break; | |
509 | ||
67932e54 | 510 | case SIG_RSA_SHA1: |
80a47a2c TK |
511 | memcpy( p, ASN1_HASH_SHA1, 15 ); |
512 | memcpy( p + 15, hash, 20 ); | |
513 | break; | |
514 | ||
67932e54 TK |
515 | case SIG_RSA_SHA224: |
516 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
517 | memcpy( p + 19, hash, 28 ); | |
518 | p[1] += 28; p[14] = 4; p[18] += 28; break; | |
519 | ||
520 | case SIG_RSA_SHA256: | |
521 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
80a47a2c | 522 | memcpy( p + 19, hash, 32 ); |
67932e54 TK |
523 | p[1] += 32; p[14] = 1; p[18] += 32; break; |
524 | ||
525 | case SIG_RSA_SHA384: | |
526 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
527 | memcpy( p + 19, hash, 48 ); | |
528 | p[1] += 48; p[14] = 2; p[18] += 48; break; | |
529 | ||
530 | case SIG_RSA_SHA512: | |
531 | memcpy( p, ASN1_HASH_SHA2X, 19 ); | |
532 | memcpy( p + 19, hash, 64 ); | |
533 | p[1] += 64; p[14] = 3; p[18] += 64; break; | |
80a47a2c TK |
534 | |
535 | default: | |
536 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
537 | } | |
538 | ||
539 | return( ( mode == RSA_PUBLIC ) | |
540 | ? rsa_public( ctx, sig, sig ) | |
541 | : rsa_private( ctx, sig, sig ) ); | |
542 | } | |
543 | ||
544 | /* | |
545 | * Do an RSA operation and check the message digest | |
546 | */ | |
547 | int rsa_pkcs1_verify( rsa_context *ctx, | |
548 | int mode, | |
549 | int hash_id, | |
550 | int hashlen, | |
551 | unsigned char *hash, | |
552 | unsigned char *sig ) | |
553 | { | |
554 | int ret, len, siglen; | |
555 | unsigned char *p, c; | |
67932e54 | 556 | unsigned char buf[1024]; |
80a47a2c TK |
557 | |
558 | siglen = ctx->len; | |
559 | ||
560 | if( siglen < 16 || siglen > (int) sizeof( buf ) ) | |
561 | return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); | |
562 | ||
563 | ret = ( mode == RSA_PUBLIC ) | |
564 | ? rsa_public( ctx, sig, buf ) | |
565 | : rsa_private( ctx, sig, buf ); | |
566 | ||
567 | if( ret != 0 ) | |
568 | return( ret ); | |
569 | ||
570 | p = buf; | |
571 | ||
572 | switch( ctx->padding ) | |
573 | { | |
574 | case RSA_PKCS_V15: | |
575 | ||
576 | if( *p++ != 0 || *p++ != RSA_SIGN ) | |
577 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
578 | ||
579 | while( *p != 0 ) | |
580 | { | |
581 | if( p >= buf + siglen - 1 || *p != 0xFF ) | |
582 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
583 | p++; | |
584 | } | |
585 | p++; | |
586 | break; | |
587 | ||
588 | default: | |
589 | ||
590 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
591 | } | |
592 | ||
593 | len = siglen - (int)( p - buf ); | |
594 | ||
595 | if( len == 34 ) | |
596 | { | |
597 | c = p[13]; | |
598 | p[13] = 0; | |
599 | ||
600 | if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 ) | |
601 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
602 | ||
67932e54 TK |
603 | if( ( c == 2 && hash_id == SIG_RSA_MD2 ) || |
604 | ( c == 4 && hash_id == SIG_RSA_MD4 ) || | |
605 | ( c == 5 && hash_id == SIG_RSA_MD5 ) ) | |
80a47a2c TK |
606 | { |
607 | if( memcmp( p + 18, hash, 16 ) == 0 ) | |
608 | return( 0 ); | |
609 | else | |
610 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
611 | } | |
612 | } | |
613 | ||
67932e54 | 614 | if( len == 35 && hash_id == SIG_RSA_SHA1 ) |
80a47a2c TK |
615 | { |
616 | if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 && | |
617 | memcmp( p + 15, hash, 20 ) == 0 ) | |
618 | return( 0 ); | |
619 | else | |
620 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
621 | } | |
67932e54 TK |
622 | if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) || |
623 | ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) || | |
624 | ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) || | |
625 | ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) ) | |
80a47a2c | 626 | { |
67932e54 TK |
627 | c = p[1] - 17; |
628 | p[1] = 17; | |
629 | p[14] = 0; | |
630 | ||
631 | if( p[18] == c && | |
632 | memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 && | |
633 | memcmp( p + 19, hash, c ) == 0 ) | |
80a47a2c TK |
634 | return( 0 ); |
635 | else | |
636 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
637 | } | |
638 | ||
67932e54 | 639 | if( len == hashlen && hash_id == SIG_RSA_RAW ) |
80a47a2c TK |
640 | { |
641 | if( memcmp( p, hash, hashlen ) == 0 ) | |
642 | return( 0 ); | |
643 | else | |
644 | return( POLARSSL_ERR_RSA_VERIFY_FAILED ); | |
645 | } | |
646 | ||
647 | return( POLARSSL_ERR_RSA_INVALID_PADDING ); | |
648 | } | |
649 | ||
650 | /* | |
651 | * Free the components of an RSA key | |
652 | */ | |
653 | void rsa_free( rsa_context *ctx ) | |
654 | { | |
655 | mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN, | |
656 | &ctx->QP, &ctx->DQ, &ctx->DP, | |
657 | &ctx->Q, &ctx->P, &ctx->D, | |
658 | &ctx->E, &ctx->N, NULL ); | |
659 | } | |
660 | ||
80a47a2c TK |
661 | /* |
662 | * Parse a public RSA key | |
663 | ||
664 | OpenSSL RSA public key ASN1 container | |
665 | 0:d=0 hl=3 l= 159 cons: SEQUENCE | |
666 | 3:d=1 hl=2 l= 13 cons: SEQUENCE | |
667 | 5:d=2 hl=2 l= 9 prim: OBJECT:rsaEncryption | |
668 | 16:d=2 hl=2 l= 0 prim: NULL | |
669 | 18:d=1 hl=3 l= 141 prim: BIT STRING:RSAPublicKey (below) | |
670 | ||
671 | RSAPublicKey ASN1 container | |
672 | 0:d=0 hl=3 l= 137 cons: SEQUENCE | |
673 | 3:d=1 hl=3 l= 129 prim: INTEGER:Public modulus | |
674 | 135:d=1 hl=2 l= 3 prim: INTEGER:Public exponent | |
675 | */ | |
676 | ||
677 | int rsa_parse_public_key( rsa_context *rsa, unsigned char *buf, int buflen ) | |
678 | { | |
679 | unsigned char *p, *end; | |
680 | int ret, len; | |
681 | ||
682 | p = buf; | |
683 | end = buf+buflen; | |
684 | ||
685 | if( ( ret = asn1_get_tag( &p, end, &len, | |
686 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) { | |
687 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
688 | } | |
689 | ||
690 | if( ( ret = asn1_get_tag( &p, end, &len, | |
691 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) == 0 ) { | |
692 | /* Skip over embedded rsaEncryption Object */ | |
693 | p+=len; | |
694 | ||
695 | /* The RSAPublicKey ASN1 container is wrapped in a BIT STRING */ | |
696 | if( ( ret = asn1_get_tag( &p, end, &len, | |
697 | ASN1_BIT_STRING ) ) != 0 ) { | |
698 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
699 | } | |
700 | ||
701 | /* Limit range to that BIT STRING */ | |
702 | end = p + len; | |
703 | p++; | |
704 | ||
705 | if( ( ret = asn1_get_tag( &p, end, &len, | |
706 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) { | |
707 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
708 | } | |
709 | } | |
710 | ||
711 | if ( ( ( ret = asn1_get_mpi( &p, end, &(rsa->N) ) ) == 0 ) && | |
712 | ( ( ret = asn1_get_mpi( &p, end, &(rsa->E) ) ) == 0 ) ) { | |
713 | rsa->len = mpi_size( &rsa->N ); | |
714 | return 0; | |
715 | } | |
716 | ||
717 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
718 | } | |
719 | ||
720 | /* | |
721 | * Parse a private RSA key | |
722 | */ | |
723 | int rsa_parse_key( rsa_context *rsa, unsigned char *buf, int buflen, | |
724 | unsigned char *pwd, int pwdlen ) | |
725 | { | |
726 | int ret, len, enc; | |
727 | unsigned char *s1, *s2; | |
728 | unsigned char *p, *end; | |
729 | ||
730 | s1 = (unsigned char *) strstr( (char *) buf, | |
731 | "-----BEGIN RSA PRIVATE KEY-----" ); | |
732 | ||
733 | if( s1 != NULL ) | |
734 | { | |
735 | s2 = (unsigned char *) strstr( (char *) buf, | |
736 | "-----END RSA PRIVATE KEY-----" ); | |
737 | ||
738 | if( s2 == NULL || s2 <= s1 ) | |
739 | return( POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
740 | ||
741 | s1 += 31; | |
742 | if( *s1 == '\r' ) s1++; | |
743 | if( *s1 == '\n' ) s1++; | |
744 | else return( POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
745 | ||
746 | enc = 0; | |
747 | ||
748 | if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 ) | |
749 | { | |
750 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); | |
751 | } | |
752 | ||
753 | len = 0; | |
754 | ret = base64_decode( NULL, &len, s1, s2 - s1 ); | |
755 | ||
756 | if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER ) | |
757 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
758 | ||
759 | if( ( buf = (unsigned char *) malloc( len ) ) == NULL ) | |
760 | return( 1 ); | |
761 | ||
762 | if( ( ret = base64_decode( buf, &len, s1, s2 - s1 ) ) != 0 ) | |
763 | { | |
764 | free( buf ); | |
765 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_PEM ); | |
766 | } | |
767 | ||
768 | buflen = len; | |
769 | ||
770 | if( enc != 0 ) | |
771 | { | |
772 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); | |
773 | } | |
774 | } | |
775 | ||
776 | memset( rsa, 0, sizeof( rsa_context ) ); | |
777 | ||
778 | p = buf; | |
779 | end = buf + buflen; | |
780 | ||
781 | /* | |
782 | * RSAPrivateKey ::= SEQUENCE { | |
783 | * version Version, | |
784 | * modulus INTEGER, -- n | |
785 | * publicExponent INTEGER, -- e | |
786 | * privateExponent INTEGER, -- d | |
787 | * prime1 INTEGER, -- p | |
788 | * prime2 INTEGER, -- q | |
789 | * exponent1 INTEGER, -- d mod (p-1) | |
790 | * exponent2 INTEGER, -- d mod (q-1) | |
791 | * coefficient INTEGER, -- (inverse of q) mod p | |
792 | * otherPrimeInfos OtherPrimeInfos OPTIONAL | |
793 | * } | |
794 | */ | |
795 | if( ( ret = asn1_get_tag( &p, end, &len, | |
796 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) | |
797 | { | |
798 | if( s1 != NULL ) | |
799 | free( buf ); | |
800 | ||
801 | rsa_free( rsa ); | |
802 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
803 | } | |
804 | ||
805 | end = p + len; | |
806 | ||
807 | if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 ) | |
808 | { | |
809 | if( s1 != NULL ) | |
810 | free( buf ); | |
811 | ||
812 | rsa_free( rsa ); | |
813 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | ret ); | |
814 | } | |
815 | ||
816 | if( rsa->ver != 0 ) | |
817 | { | |
818 | if( s1 != NULL ) | |
819 | free( buf ); | |
820 | ||
821 | rsa_free( rsa ); | |
822 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_VERSION ); | |
823 | } | |
824 | ||
825 | if( ( ret = asn1_get_mpi( &p, end, &rsa->N ) ) != 0 || | |
826 | ( ret = asn1_get_mpi( &p, end, &rsa->E ) ) != 0 || | |
827 | ( ret = asn1_get_mpi( &p, end, &rsa->D ) ) != 0 || | |
828 | ( ret = asn1_get_mpi( &p, end, &rsa->P ) ) != 0 || | |
829 | ( ret = asn1_get_mpi( &p, end, &rsa->Q ) ) != 0 || | |
830 | ( ret = asn1_get_mpi( &p, end, &rsa->DP ) ) != 0 || | |
831 | ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 || | |
832 | ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 ) | |
833 | { | |
834 | if( s1 != NULL ) | |
835 | free( buf ); | |
836 | ||
837 | rsa_free( rsa ); | |
838 | return( ret | POLARSSL_ERR_X509_KEY_INVALID_FORMAT ); | |
839 | } | |
840 | ||
841 | rsa->len = mpi_size( &rsa->N ); | |
842 | ||
843 | if( p != end ) | |
844 | { | |
845 | if( s1 != NULL ) | |
846 | free( buf ); | |
847 | ||
848 | rsa_free( rsa ); | |
849 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT | | |
850 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); | |
851 | } | |
852 | ||
853 | if( ( ret = rsa_check_privkey( rsa ) ) != 0 ) | |
854 | { | |
855 | if( s1 != NULL ) | |
856 | free( buf ); | |
857 | ||
858 | rsa_free( rsa ); | |
859 | return( ret ); | |
860 | } | |
861 | ||
862 | if( s1 != NULL ) | |
863 | free( buf ); | |
864 | ||
865 | return( 0 ); | |
866 | } |