| 1 | /** |
| 2 | * \file rsa.h |
| 3 | * |
| 4 | * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine |
| 5 | * |
| 6 | * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org> |
| 7 | * |
| 8 | * All rights reserved. |
| 9 | * |
| 10 | * Redistribution and use in source and binary forms, with or without |
| 11 | * modification, are permitted provided that the following conditions |
| 12 | * are met: |
| 13 | * |
| 14 | * * Redistributions of source code must retain the above copyright |
| 15 | * notice, this list of conditions and the following disclaimer. |
| 16 | * * Redistributions in binary form must reproduce the above copyright |
| 17 | * notice, this list of conditions and the following disclaimer in the |
| 18 | * documentation and/or other materials provided with the distribution. |
| 19 | * * Neither the names of PolarSSL or XySSL nor the names of its contributors |
| 20 | * may be used to endorse or promote products derived from this software |
| 21 | * without specific prior written permission. |
| 22 | * |
| 23 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 24 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 25 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
| 26 | * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 27 | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 28 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED |
| 29 | * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| 30 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
| 31 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
| 32 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
| 33 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 34 | */ |
| 35 | #ifndef POLARSSL_RSA_H |
| 36 | #define POLARSSL_RSA_H |
| 37 | |
| 38 | #include "polarssl/bignum.h" |
| 39 | |
| 40 | #define POLARSSL_ERR_RSA_BAD_INPUT_DATA -0x0400 |
| 41 | #define POLARSSL_ERR_RSA_INVALID_PADDING -0x0410 |
| 42 | #define POLARSSL_ERR_RSA_KEY_GEN_FAILED -0x0420 |
| 43 | #define POLARSSL_ERR_RSA_KEY_CHECK_FAILED -0x0430 |
| 44 | #define POLARSSL_ERR_RSA_PUBLIC_FAILED -0x0440 |
| 45 | #define POLARSSL_ERR_RSA_PRIVATE_FAILED -0x0450 |
| 46 | #define POLARSSL_ERR_RSA_VERIFY_FAILED -0x0460 |
| 47 | #define POLARSSL_ERR_RSA_OUTPUT_TO_LARGE -0x0470 |
| 48 | |
| 49 | /* |
| 50 | * PKCS#1 constants |
| 51 | */ |
| 52 | #define RSA_RAW 0 |
| 53 | #define RSA_MD2 2 |
| 54 | #define RSA_MD4 3 |
| 55 | #define RSA_MD5 4 |
| 56 | #define RSA_SHA1 5 |
| 57 | #define RSA_SHA256 6 |
| 58 | |
| 59 | #define RSA_PUBLIC 0 |
| 60 | #define RSA_PRIVATE 1 |
| 61 | |
| 62 | #define RSA_PKCS_V15 0 |
| 63 | #define RSA_PKCS_V21 1 |
| 64 | |
| 65 | #define RSA_SIGN 1 |
| 66 | #define RSA_CRYPT 2 |
| 67 | |
| 68 | /* |
| 69 | * DigestInfo ::= SEQUENCE { |
| 70 | * digestAlgorithm DigestAlgorithmIdentifier, |
| 71 | * digest Digest } |
| 72 | * |
| 73 | * DigestAlgorithmIdentifier ::= AlgorithmIdentifier |
| 74 | * |
| 75 | * Digest ::= OCTET STRING |
| 76 | */ |
| 77 | #define ASN1_HASH_MDX \ |
| 78 | "\x30\x20\x30\x0C\x06\x08\x2A\x86\x48" \ |
| 79 | "\x86\xF7\x0D\x02\x00\x05\x00\x04\x10" |
| 80 | |
| 81 | #define ASN1_HASH_SHA1 \ |
| 82 | "\x30\x21\x30\x09\x06\x05\x2B\x0E\x03" \ |
| 83 | "\x02\x1A\x05\x00\x04\x14" |
| 84 | |
| 85 | /** |
| 86 | * \brief RSA context structure |
| 87 | */ |
| 88 | typedef struct |
| 89 | { |
| 90 | int ver; /*!< always 0 */ |
| 91 | int len; /*!< size(N) in chars */ |
| 92 | |
| 93 | mpi N; /*!< public modulus */ |
| 94 | mpi E; /*!< public exponent */ |
| 95 | |
| 96 | mpi D; /*!< private exponent */ |
| 97 | mpi P; /*!< 1st prime factor */ |
| 98 | mpi Q; /*!< 2nd prime factor */ |
| 99 | mpi DP; /*!< D % (P - 1) */ |
| 100 | mpi DQ; /*!< D % (Q - 1) */ |
| 101 | mpi QP; /*!< 1 / (Q % P) */ |
| 102 | |
| 103 | mpi RN; /*!< cached R^2 mod N */ |
| 104 | mpi RP; /*!< cached R^2 mod P */ |
| 105 | mpi RQ; /*!< cached R^2 mod Q */ |
| 106 | |
| 107 | int padding; /*!< 1.5 or OAEP/PSS */ |
| 108 | int hash_id; /*!< hash identifier */ |
| 109 | int (*f_rng)(void *); /*!< RNG function */ |
| 110 | void *p_rng; /*!< RNG parameter */ |
| 111 | } |
| 112 | rsa_context; |
| 113 | |
| 114 | #ifdef __cplusplus |
| 115 | extern "C" { |
| 116 | #endif |
| 117 | |
| 118 | /** |
| 119 | * \brief Initialize an RSA context |
| 120 | * |
| 121 | * \param ctx RSA context to be initialized |
| 122 | * \param padding RSA_PKCS_V15 or RSA_PKCS_V21 |
| 123 | * \param hash_id RSA_PKCS_V21 hash identifier |
| 124 | * \param f_rng RNG function |
| 125 | * \param p_rng RNG parameter |
| 126 | * |
| 127 | * \note The hash_id parameter is actually ignored |
| 128 | * when using RSA_PKCS_V15 padding. |
| 129 | * |
| 130 | * \note Currently (xyssl-0.8), RSA_PKCS_V21 padding |
| 131 | * is not supported. |
| 132 | */ |
| 133 | void rsa_init( rsa_context *ctx, |
| 134 | int padding, |
| 135 | int hash_id, |
| 136 | int (*f_rng)(void *), |
| 137 | void *p_rng ); |
| 138 | |
| 139 | /** |
| 140 | * \brief Generate an RSA keypair |
| 141 | * |
| 142 | * \param ctx RSA context that will hold the key |
| 143 | * \param nbits size of the public key in bits |
| 144 | * \param exponent public exponent (e.g., 65537) |
| 145 | * |
| 146 | * \note rsa_init() must be called beforehand to setup |
| 147 | * the RSA context (especially f_rng and p_rng). |
| 148 | * |
| 149 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 150 | */ |
| 151 | int rsa_gen_key( rsa_context *ctx, int nbits, int exponent ); |
| 152 | |
| 153 | /** |
| 154 | * \brief Check a public RSA key |
| 155 | * |
| 156 | * \param ctx RSA context to be checked |
| 157 | * |
| 158 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 159 | */ |
| 160 | int rsa_check_pubkey( rsa_context *ctx ); |
| 161 | |
| 162 | /** |
| 163 | * \brief Check a private RSA key |
| 164 | * |
| 165 | * \param ctx RSA context to be checked |
| 166 | * |
| 167 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 168 | */ |
| 169 | int rsa_check_privkey( rsa_context *ctx ); |
| 170 | |
| 171 | /** |
| 172 | * \brief Do an RSA public key operation |
| 173 | * |
| 174 | * \param ctx RSA context |
| 175 | * \param input input buffer |
| 176 | * \param output output buffer |
| 177 | * |
| 178 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 179 | * |
| 180 | * \note This function does NOT take care of message |
| 181 | * padding. Also, be sure to set input[0] = 0. |
| 182 | * |
| 183 | * \note The input and output buffers must be large |
| 184 | * enough (eg. 128 bytes if RSA-1024 is used). |
| 185 | */ |
| 186 | int rsa_public( rsa_context *ctx, |
| 187 | unsigned char *input, |
| 188 | unsigned char *output ); |
| 189 | |
| 190 | /** |
| 191 | * \brief Do an RSA private key operation |
| 192 | * |
| 193 | * \param ctx RSA context |
| 194 | * \param input input buffer |
| 195 | * \param output output buffer |
| 196 | * |
| 197 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 198 | * |
| 199 | * \note The input and output buffers must be large |
| 200 | * enough (eg. 128 bytes if RSA-1024 is used). |
| 201 | */ |
| 202 | int rsa_private( rsa_context *ctx, |
| 203 | unsigned char *input, |
| 204 | unsigned char *output ); |
| 205 | |
| 206 | /** |
| 207 | * \brief Add the message padding, then do an RSA operation |
| 208 | * |
| 209 | * \param ctx RSA context |
| 210 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 211 | * \param ilen contains the the plaintext length |
| 212 | * \param input buffer holding the data to be encrypted |
| 213 | * \param output buffer that will hold the ciphertext |
| 214 | * |
| 215 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 216 | * |
| 217 | * \note The output buffer must be as large as the size |
| 218 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
| 219 | */ |
| 220 | int rsa_pkcs1_encrypt( rsa_context *ctx, |
| 221 | int mode, int ilen, |
| 222 | unsigned char *input, |
| 223 | unsigned char *output ); |
| 224 | |
| 225 | /** |
| 226 | * \brief Do an RSA operation, then remove the message padding |
| 227 | * |
| 228 | * \param ctx RSA context |
| 229 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 230 | * \param input buffer holding the encrypted data |
| 231 | * \param output buffer that will hold the plaintext |
| 232 | * \param olen will contain the plaintext length |
| 233 | * \param output_max_len maximum length of the output buffer |
| 234 | * |
| 235 | * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code |
| 236 | * |
| 237 | * \note The output buffer must be as large as the size |
| 238 | * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise |
| 239 | * an error is thrown. |
| 240 | */ |
| 241 | int rsa_pkcs1_decrypt( rsa_context *ctx, |
| 242 | int mode, int *olen, |
| 243 | unsigned char *input, |
| 244 | unsigned char *output, |
| 245 | int output_max_len); |
| 246 | |
| 247 | /** |
| 248 | * \brief Do a private RSA to sign a message digest |
| 249 | * |
| 250 | * \param ctx RSA context |
| 251 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 252 | * \param hash_id RSA_RAW, RSA_MD{2,4,5} or RSA_SHA{1,256} |
| 253 | * \param hashlen message digest length (for RSA_RAW only) |
| 254 | * \param hash buffer holding the message digest |
| 255 | * \param sig buffer that will hold the ciphertext |
| 256 | * |
| 257 | * \return 0 if the signing operation was successful, |
| 258 | * or an POLARSSL_ERR_RSA_XXX error code |
| 259 | * |
| 260 | * \note The "sig" buffer must be as large as the size |
| 261 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
| 262 | */ |
| 263 | int rsa_pkcs1_sign( rsa_context *ctx, |
| 264 | int mode, |
| 265 | int hash_id, |
| 266 | int hashlen, |
| 267 | unsigned char *hash, |
| 268 | unsigned char *sig ); |
| 269 | |
| 270 | /** |
| 271 | * \brief Do a public RSA and check the message digest |
| 272 | * |
| 273 | * \param ctx points to an RSA public key |
| 274 | * \param mode RSA_PUBLIC or RSA_PRIVATE |
| 275 | * \param hash_id RSA_RAW, RSA_MD{2,4,5} or RSA_SHA{1,256} |
| 276 | * \param hashlen message digest length (for RSA_RAW only) |
| 277 | * \param hash buffer holding the message digest |
| 278 | * \param sig buffer holding the ciphertext |
| 279 | * |
| 280 | * \return 0 if the verify operation was successful, |
| 281 | * or an POLARSSL_ERR_RSA_XXX error code |
| 282 | * |
| 283 | * \note The "sig" buffer must be as large as the size |
| 284 | * of ctx->N (eg. 128 bytes if RSA-1024 is used). |
| 285 | */ |
| 286 | int rsa_pkcs1_verify( rsa_context *ctx, |
| 287 | int mode, |
| 288 | int hash_id, |
| 289 | int hashlen, |
| 290 | unsigned char *hash, |
| 291 | unsigned char *sig ); |
| 292 | |
| 293 | /** |
| 294 | * \brief Free the components of an RSA key |
| 295 | */ |
| 296 | void rsa_free( rsa_context *ctx ); |
| 297 | |
| 298 | /** |
| 299 | * \brief Checkup routine |
| 300 | * |
| 301 | * \return 0 if successful, or 1 if the test failed |
| 302 | */ |
| 303 | int rsa_self_test( int verbose ); |
| 304 | |
| 305 | #ifdef __cplusplus |
| 306 | } |
| 307 | #endif |
| 308 | |
| 309 | #endif /* rsa.h */ |
| 310 | |
