deon/gnuk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

PolarSSL update to 1.2.9 (RSA blinding)

Browse Source
This commit is contained in:
NIIBE Yutaka
2013-10-05 12:30:55 +09:00
parent 7631531609
commit 533ac62846
9 changed files with 407 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ChangeLog
View File

@@ -1,3 +1,15 @@
2013-10-05 Niibe Yutaka <gniibe@fsij.org>
* polarssl/include/polarssl/aes.h: Updated from PolarSSL 1.2.9.
* polarssl/include/polarssl/bignum.h: Ditto.
* polarssl/include/polarssl/config.h: Ditto.
* polarssl/include/polarssl/rsa.h: Ditto.
* polarssl/library/aes.c, polarssl/library/bignum.c: Ditto.
* polarssl/library/rsa.c: Ditto. Fix rsa_free.
* src/call-rsa.c (rsa_sign, modulus_calc, rsa_decrypt)
(rsa_verify): Follow changes of PolarSSL 1.2.9 with RSA blinding.
Better error checking.
2013-10-04 Niibe Yutaka <gniibe@fsij.org>
* src/main.c (gnuk_malloc): Update ->neighbor field of a chunk on

21
polarssl/include/polarssl/aes.h
View File

@@ -3,7 +3,7 @@
*
* \brief AES block cipher
*
* Copyright (C) 2006-2010, Brainspark B.V.
* Copyright (C) 2006-2013, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
@@ -27,6 +27,8 @@
#ifndef POLARSSL_AES_H
#define POLARSSL_AES_H
#include "config.h"
#include <string.h>
#ifdef _MSC_VER
@@ -42,6 +44,10 @@ typedef UINT32 uint32_t;
#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */
#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */
#if !defined(POLARSSL_AES_ALT)
// Regular implementation
//
/**
* \brief AES context structure
*/
@@ -171,6 +177,19 @@ int aes_crypt_ctr( aes_context *ctx,
unsigned char stream_block[16],
const unsigned char *input,
unsigned char *output );
#ifdef __cplusplus
}
#endif
#else /* POLARSSL_AES_ALT */
#include "aes_alt.h"
#endif /* POLARSSL_AES_ALT */
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief Checkup routine
*

6
polarssl/include/polarssl/bignum.h
View File

@@ -3,7 +3,7 @@
*
* \brief Multi-precision integer library
*
* Copyright (C) 2006-2010, Brainspark B.V.
* Copyright (C) 2006-2013, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
@@ -65,6 +65,7 @@ typedef UINT64 uint64_t;
*/
#define POLARSSL_MPI_MAX_LIMBS 10000
#if !defined(POLARSSL_CONFIG_OPTIONS)
/*
* Maximum window size used for modular exponentiation. Default: 6
* Minimum value: 1. Maximum value: 6.
@@ -84,6 +85,9 @@ typedef UINT64 uint64_t;
* of limbs required (POLARSSL_MPI_MAX_LIMBS) is higher.
*/
#define POLARSSL_MPI_MAX_SIZE 256 /**< Maximum number of bytes for usable MPIs. */
#endif /* !POLARSSL_CONFIG_OPTIONS */
#define POLARSSL_MPI_MAX_BITS ( 8 * POLARSSL_MPI_MAX_SIZE ) /**< Maximum number of bits for usable MPIs. */
/*

128
polarssl/include/polarssl/config.h
View File

@@ -3,7 +3,7 @@
*
* \brief Configuration options (set of defines)
*
* Copyright (C) 2006-2012, Brainspark B.V.
* Copyright (C) 2006-2013, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
@@ -105,6 +105,35 @@
* \{
*/
/**
* \def POLARSSL_XXX_ALT
*
* Uncomment a macro to let PolarSSL use your alternate core implementation of
* a symmetric or hash algorithm (e.g. platform specific assembly optimized
* implementations). Keep in mind that the function prototypes should remain
* the same.
*
* Example: In case you uncomment POLARSSL_AES_ALT, PolarSSL will no longer
* provide the "struct aes_context" definition and omit the base function
* declarations and implementations. "aes_alt.h" will be included from
* "aes.h" to include the new function definitions.
*
* Uncomment a macro to enable alternate implementation for core algorithm
* functions
#define POLARSSL_AES_ALT
#define POLARSSL_ARC4_ALT
#define POLARSSL_BLOWFISH_ALT
#define POLARSSL_CAMELLIA_ALT
#define POLARSSL_DES_ALT
#define POLARSSL_XTEA_ALT
#define POLARSSL_MD2_ALT
#define POLARSSL_MD4_ALT
#define POLARSSL_MD5_ALT
#define POLARSSL_SHA1_ALT
#define POLARSSL_SHA2_ALT
#define POLARSSL_SHA4_ALT
*/
/**
* \def POLARSSL_AES_ROM_TABLES
*
@@ -590,14 +619,23 @@
*
* Enable the HAVEGE random generator.
*
* Warning: the HAVEGE random generator is not suitable for virtualized
* environments
*
* Warning: the HAVEGE random generator is dependent on timing and specific
* processor traits. It is therefore not advised to use HAVEGE as
* your applications primary random generator or primary entropy pool
* input. As a secondary input to your entropy pool, it IS able add
* the (limited) extra entropy it provides.
*
* Module: library/havege.c
* Caller:
*
* Requires: POLARSSL_TIMING_C
*
* This module enables the HAVEGE random number generator.
*/
* Uncomment to enable the HAVEGE random generator.
#define POLARSSL_HAVEGE_C
*/
/**
* \def POLARSSL_MD_C
@@ -681,10 +719,11 @@
* \def POLARSSL_PBKDF2_C
*
* Enable PKCS#5 PBKDF2 key derivation function
* DEPRECATED: Use POLARSSL_PKCS5_C instead
*
* Module: library/pbkdf2.c
*
* Requires: POLARSSL_MD_C
* Requires: POLARSSL_PKCS5_C
*
* This module adds support for the PKCS#5 PBKDF2 key derivation function.
#define POLARSSL_PBKDF2_C
@@ -704,6 +743,19 @@
*/
#define POLARSSL_PEM_C
/**
* \def POLARSSL_PKCS5_C
*
* Enable PKCS#5 functions
*
* Module: library/pkcs5.c
*
* Requires: POLARSSL_MD_C
*
* This module adds support for the PKCS#5 functions.
*/
#define POLARSSL_PKCS5_C
/**
* \def POLARSSL_PKCS11_C
*
@@ -720,6 +772,22 @@
#define POLARSSL_PKCS11_C
*/
/**
* \def POLARSSL_PKCS12_C
*
* Enable PKCS#12 PBE functions
* Adds algorithms for parsing PKCS#8 encrypted private keys
*
* Module: library/pkcs12.c
* Caller: library/x509parse.c
*
* Requires: POLARSSL_ASN1_PARSE_C, POLARSSL_CIPHER_C, POLARSSL_MD_C
* Can use: POLARSSL_ARC4_C
*
* This module enables PKCS#12 functions.
*/
#define POLARSSL_PKCS12_C
/**
* \def POLARSSL_RSA_C
*
@@ -897,4 +965,56 @@
#define POLARSSL_XTEA_C
/* \} name */
/**
* \name SECTION: Module configuration options
*
* This section allows for the setting of module specific sizes and
* configuration options. The default values are already present in the
* relevant header files and should suffice for the regular use cases.
* Our advice is to enable POLARSSL_CONFIG_OPTIONS and change values here
* only if you have a good reason and know the consequences.
*
* If POLARSSL_CONFIG_OPTIONS is undefined here the options in the module
* header file take precedence.
*
* Please check the respective header file for documentation on these
* parameters (to prevent duplicate documentation).
*
* Uncomment POLARSSL_CONFIG_OPTIONS to enable using the values defined here.
* \{
*/
//#define POLARSSL_CONFIG_OPTIONS /**< Enable config.h module value configuration */
#if defined(POLARSSL_CONFIG_OPTIONS)
// MPI / BIGNUM options
//
#define POLARSSL_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
#define POLARSSL_MPI_MAX_SIZE 512 /**< Maximum number of bytes for usable MPIs. */
// CTR_DRBG options
//
#define CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default */
#define CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
#define CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
#define CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
#define CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
// Entropy options
//
#define ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
#define ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
// SSL Cache options
//
#define SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
#define SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
// SSL options
//
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
#endif /* POLARSSL_CONFIG_OPTIONS */
/* \} name */
#endif /* config.h */

51
polarssl/include/polarssl/rsa.h
View File

@@ -151,6 +151,11 @@ typedef struct
mpi RP; /*!< cached R^2 mod P */
mpi RQ; /*!< cached R^2 mod Q */
#if !defined(POLARSSL_RSA_NO_CRT)
mpi Vi; /*!< cached blinding value */
mpi Vf; /*!< cached un-blinding value */
#endif
int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
RSA_PKCS_v21 for OAEP/PSS */
int hash_id; /*!< Hash identifier of md_type_t as
@@ -242,6 +247,8 @@ int rsa_public( rsa_context *ctx,
* \brief Do an RSA private key operation
*
* \param ctx RSA context
* \param f_rng RNG function (Needed for blinding)
* \param p_rng RNG parameter
* \param input input buffer
* \param output output buffer
*
@@ -251,6 +258,8 @@ int rsa_public( rsa_context *ctx,
* enough (eg. 128 bytes if RSA-1024 is used).
*/
int rsa_private( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
const unsigned char *input,
unsigned char *output );
@@ -260,7 +269,8 @@ int rsa_private( rsa_context *ctx,
* RSA operation.
*
* \param ctx RSA context
* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
* and RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param ilen contains the plaintext length
@@ -283,7 +293,7 @@ int rsa_pkcs1_encrypt( rsa_context *ctx,
* \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
*
* \param ctx RSA context
* \param f_rng RNG function (Needed for padding)
* \param f_rng RNG function (Needed for padding and RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param ilen contains the plaintext length
@@ -306,7 +316,8 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
* \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
*
* \param ctx RSA context
* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
* and RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param label buffer holding the custom label to use
@@ -335,6 +346,8 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
* the message padding
*
* \param ctx RSA context
* \param f_rng RNG function (Only needed for RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param olen will contain the plaintext length
* \param input buffer holding the encrypted data
@@ -348,6 +361,8 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
* an error is thrown.
*/
int rsa_pkcs1_decrypt( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
@@ -357,6 +372,8 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
* \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
*
* \param ctx RSA context
* \param f_rng RNG function (Only needed for RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param olen will contain the plaintext length
* \param input buffer holding the encrypted data
@@ -370,6 +387,8 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
* an error is thrown.
*/
int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
@@ -379,6 +398,8 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
* \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
*
* \param ctx RSA context
* \param f_rng RNG function (Only needed for RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param label buffer holding the custom label to use
* \param label_len contains the label length
@@ -394,6 +415,8 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
* an error is thrown.
*/
int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
const unsigned char *label, size_t label_len,
size_t *olen,
@@ -407,7 +430,8 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
* a message digest
*
* \param ctx RSA context
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
* RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
@@ -440,6 +464,8 @@ int rsa_pkcs1_sign( rsa_context *ctx,
* \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
*
* \param ctx RSA context
* \param f_rng RNG function (Only needed for RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
* \param hashlen message digest length (for SIG_RSA_RAW only)
@@ -453,6 +479,8 @@ int rsa_pkcs1_sign( rsa_context *ctx,
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
*/
int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
@@ -463,7 +491,8 @@ int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
* \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
*
* \param ctx RSA context
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
* RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
@@ -498,6 +527,8 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
* the message digest
*
* \param ctx points to an RSA public key
* \param f_rng RNG function (Only needed for RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
* \param hashlen message digest length (for SIG_RSA_RAW only)
@@ -517,6 +548,8 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
* keep both hashes the same.
*/
int rsa_pkcs1_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
@@ -527,6 +560,8 @@ int rsa_pkcs1_verify( rsa_context *ctx,
* \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
*
* \param ctx points to an RSA public key
* \param f_rng RNG function (Only needed for RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
* \param hashlen message digest length (for SIG_RSA_RAW only)
@@ -540,6 +575,8 @@ int rsa_pkcs1_verify( rsa_context *ctx,
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
*/
int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
@@ -551,6 +588,8 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
* \brief Do a public RSA and check the message digest
*
* \param ctx points to an RSA public key
* \param f_rng RNG function (Only needed for RSA_PRIVATE)
* \param p_rng RNG parameter
* \param mode RSA_PUBLIC or RSA_PRIVATE
* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
* \param hashlen message digest length (for SIG_RSA_RAW only)
@@ -570,6 +609,8 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
* keep both hashes the same.
*/
int rsa_rsassa_pss_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,

5
polarssl/library/aes.c
View File

@@ -1,7 +1,7 @@
/*
* FIPS-197 compliant AES implementation
*
* Copyright (C) 2006-2010, Brainspark B.V.
* Copyright (C) 2006-2013, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
@@ -38,6 +38,8 @@
#include "polarssl/padlock.h"
#endif
#if !defined(POLARSSL_AES_ALT)
/*
* 32-bit integer manipulation macros (little endian)
*/
@@ -914,6 +916,7 @@ int aes_crypt_ctr( aes_context *ctx,
return( 0 );
}
#endif /* POLARSSL_CIPHER_MODE_CTR */
#endif /* !POLARSSL_AES_ALT */
#if defined(POLARSSL_SELF_TEST)

12
polarssl/library/bignum.c
View File

@@ -934,8 +934,16 @@ int mpi_sub_int( mpi *X, const mpi *A, t_sint b )
/*
* Helper for mpi multiplication
*/
static void mpi_mul_hlp( size_t i, t_uint *s, t_uint *d, t_uint b )
*/
static
#if defined(__APPLE__) && defined(__arm__)
/*
* Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
* appears to need this to prevent bad ARM code generation at -O3.
*/
__attribute__ ((noinline))
#endif
void mpi_mul_hlp( size_t i, t_uint *s, t_uint *d, t_uint b )
{
t_uint c = 0, t = 0;

115
polarssl/library/rsa.c
View File

@@ -252,10 +252,47 @@ cleanup:
return( 0 );
}
#if !defined(POLARSSL_RSA_NO_CRT)
/*
* Generate or update blinding values, see section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
* DSS, and other systems. In : Advances in Cryptology—CRYPTO96. Springer
* Berlin Heidelberg, 1996. p. 104-113.
*/
static int rsa_prepare_blinding( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret;
if( ctx->Vf.p != NULL )
{
/* We already have blinding values, just update them by squaring */
MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
return( 0 );
}
/* Unblinding value: Vf = random number */
MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
/* Blinding value: Vi = Vf^(-e) mod N */
MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
cleanup:
return( ret );
}
#endif
/*
* Do an RSA private key operation
*/
int rsa_private( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
const unsigned char *input,
unsigned char *output )
{
@@ -278,6 +315,17 @@ int rsa_private( rsa_context *ctx,
#if defined(POLARSSL_RSA_NO_CRT)
MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
#else
if( f_rng != NULL )
{
/*
* Blinding
* T = T * Vi mod N
*/
MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
/*
* faster decryption using the CRT
*
@@ -299,6 +347,16 @@ int rsa_private( rsa_context *ctx,
*/
MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
if( f_rng != NULL )
{
/*
* Unblind
* T = T * Vf mod N
*/
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
#endif
olen = ctx->len;
@@ -432,7 +490,7 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
return( ( mode == RSA_PUBLIC )
? rsa_public( ctx, output, output )
: rsa_private( ctx, output, output ) );
: rsa_private( ctx, f_rng, p_rng, output, output ) );
}
#endif /* POLARSSL_PKCS1_V21 */
@@ -494,7 +552,7 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
return( ( mode == RSA_PUBLIC )
? rsa_public( ctx, output, output )
: rsa_private( ctx, output, output ) );
: rsa_private( ctx, f_rng, p_rng, output, output ) );
}
/*
@@ -529,7 +587,9 @@ int rsa_pkcs1_encrypt( rsa_context *ctx,
* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
*/
int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
int mode,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
const unsigned char *label, size_t label_len,
size_t *olen,
const unsigned char *input,
@@ -555,7 +615,7 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
ret = ( mode == RSA_PUBLIC )
? rsa_public( ctx, input, buf )
: rsa_private( ctx, input, buf );
: rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
return( ret );
@@ -620,6 +680,8 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
*/
int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
@@ -641,7 +703,7 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
ret = ( mode == RSA_PUBLIC )
? rsa_public( ctx, input, buf )
: rsa_private( ctx, input, buf );
: rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
return( ret );
@@ -713,6 +775,8 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
* Do an RSA operation, then remove the message padding
*/
int rsa_pkcs1_decrypt( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
@@ -721,13 +785,13 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
switch( ctx->padding )
{
case RSA_PKCS_V15:
return rsa_rsaes_pkcs1_v15_decrypt( ctx, mode, olen, input, output,
output_max_len );
return rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
input, output, output_max_len );
#if defined(POLARSSL_PKCS1_V21)
case RSA_PKCS_V21:
return rsa_rsaes_oaep_decrypt( ctx, mode, NULL, 0, olen, input,
output, output_max_len );
return rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
olen, input, output, output_max_len );
#endif
default:
@@ -850,7 +914,7 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
return( ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, sig )
: rsa_private( ctx, sig, sig ) );
: rsa_private( ctx, f_rng, p_rng, sig, sig ) );
}
#endif /* POLARSSL_PKCS1_V21 */
@@ -861,6 +925,8 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
* Do an RSA operation to sign the message digest
*/
int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
@@ -973,7 +1039,7 @@ int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
return( ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, sig )
: rsa_private( ctx, sig, sig ) );
: rsa_private( ctx, f_rng, p_rng, sig, sig ) );
}
/*
@@ -993,7 +1059,7 @@ int rsa_pkcs1_sign( rsa_context *ctx,
switch( ctx->padding )
{
case RSA_PKCS_V15:
return rsa_rsassa_pkcs1_v15_sign( ctx, mode, hash_id,
return rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, hash_id,
hashlen, hash, sig );
#if defined(POLARSSL_PKCS1_V21)
@@ -1012,6 +1078,8 @@ int rsa_pkcs1_sign( rsa_context *ctx,
* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
*/
int rsa_rsassa_pss_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
@@ -1039,7 +1107,7 @@ int rsa_rsassa_pss_verify( rsa_context *ctx,
ret = ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, buf )
: rsa_private( ctx, sig, buf );
: rsa_private( ctx, f_rng, p_rng, sig, buf );
if( ret != 0 )
return( ret );
@@ -1143,6 +1211,8 @@ int rsa_rsassa_pss_verify( rsa_context *ctx,
* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
*/
int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
@@ -1164,7 +1234,7 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
ret = ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, buf )
: rsa_private( ctx, sig, buf );
: rsa_private( ctx, f_rng, p_rng, sig, buf );
if( ret != 0 )
return( ret );
@@ -1251,6 +1321,8 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
* Do an RSA operation and check the message digest
*/
int rsa_pkcs1_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
@@ -1260,12 +1332,12 @@ int rsa_pkcs1_verify( rsa_context *ctx,
switch( ctx->padding )
{
case RSA_PKCS_V15:
return rsa_rsassa_pkcs1_v15_verify( ctx, mode, hash_id,
hashlen, hash, sig );
return rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode,
hash_id, hashlen, hash, sig );
#if defined(POLARSSL_PKCS1_V21)
case RSA_PKCS_V21:
return rsa_rsassa_pss_verify( ctx, mode, hash_id,
return rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, hash_id,
hashlen, hash, sig );
#endif
@@ -1279,6 +1351,7 @@ int rsa_pkcs1_verify( rsa_context *ctx,
*/
void rsa_free( rsa_context *ctx )
{
mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
@@ -1352,7 +1425,7 @@ static int myrand( void *rng_state, unsigned char *output, size_t len )
for( i = 0; i < len; ++i )
output[i] = rand();
return( 0 );
}
@@ -1411,7 +1484,7 @@ int rsa_self_test( int verbose )
if( verbose != 0 )
printf( "passed\n PKCS#1 decryption : " );
if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
if( rsa_pkcs1_decrypt( &rsa, &myrand, NULL, RSA_PRIVATE, &len,
rsa_ciphertext, rsa_decrypted,
sizeof(rsa_decrypted) ) != 0 )
{
@@ -1435,7 +1508,7 @@ int rsa_self_test( int verbose )
sha1( rsa_plaintext, PT_LEN, sha1sum );
if( rsa_pkcs1_sign( &rsa, NULL, NULL, RSA_PRIVATE, SIG_RSA_SHA1, 20,
if( rsa_pkcs1_sign( &rsa, &myrand, NULL, RSA_PRIVATE, SIG_RSA_SHA1, 20,
sha1sum, rsa_ciphertext ) != 0 )
{
if( verbose != 0 )
@@ -1447,7 +1520,7 @@ int rsa_self_test( int verbose )
if( verbose != 0 )
printf( "passed\n PKCS#1 sig. verify: " );
if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
if( rsa_pkcs1_verify( &rsa, &myrand, NULL, RSA_PUBLIC, SIG_RSA_SHA1, 20,
sha1sum, rsa_ciphertext ) != 0 )
{
if( verbose != 0 )

176
src/call-rsa.c
View File

@@ -43,44 +43,45 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
struct key_data *kd)
{
mpi P1, Q1, H;
int r;
int ret = 0;
unsigned char temp[RSA_SIGNATURE_LENGTH];
mpi_init (&P1);
mpi_init (&Q1);
mpi_init (&H);
uint8_t index = 0;
rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
mpi_init (&P1); mpi_init (&Q1); mpi_init (&H);
rsa_ctx.len = KEY_CONTENT_LEN;
mpi_lset (&rsa_ctx.E, 0x10001);
mpi_read_binary (&rsa_ctx.P, &kd->data[0], rsa_ctx.len / 2);
mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2], rsa_ctx.len / 2);
#if 0 /* Using CRT, we don't use N */
mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q);
#endif
mpi_sub_int (&P1, &rsa_ctx.P, 1);
mpi_sub_int (&Q1, &rsa_ctx.Q, 1);
mpi_mul_mpi (&H, &P1, &Q1);
mpi_inv_mod (&rsa_ctx.D , &rsa_ctx.E, &H);
mpi_mod_mpi (&rsa_ctx.DP, &rsa_ctx.D, &P1);
mpi_mod_mpi (&rsa_ctx.DQ, &rsa_ctx.D, &Q1);
mpi_inv_mod (&rsa_ctx.QP, &rsa_ctx.Q, &rsa_ctx.P);
mpi_free (&P1);
mpi_free (&Q1);
mpi_free (&H);
MPI_CHK( mpi_lset (&rsa_ctx.E, 0x10001) );
MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], rsa_ctx.len / 2) );
MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2],
rsa_ctx.len / 2) );
MPI_CHK( mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q) );
MPI_CHK( mpi_sub_int (&P1, &rsa_ctx.P, 1) );
MPI_CHK( mpi_sub_int (&Q1, &rsa_ctx.Q, 1) );
MPI_CHK( mpi_mul_mpi (&H, &P1, &Q1) );
MPI_CHK( mpi_inv_mod (&rsa_ctx.D , &rsa_ctx.E, &H) );
MPI_CHK( mpi_mod_mpi (&rsa_ctx.DP, &rsa_ctx.D, &P1) );
MPI_CHK( mpi_mod_mpi (&rsa_ctx.DQ, &rsa_ctx.D, &Q1) );
MPI_CHK( mpi_inv_mod (&rsa_ctx.QP, &rsa_ctx.Q, &rsa_ctx.P) );
cleanup:
mpi_free (&P1); mpi_free (&Q1); mpi_free (&H);
if (ret == 0)
{
DEBUG_INFO ("RSA sign...");
DEBUG_INFO ("RSA sign...");
ret = rsa_rsassa_pkcs1_v15_sign (&rsa_ctx, random_gen, &index,
RSA_PRIVATE, SIG_RSA_RAW,
msg_len, raw_message, temp);
memcpy (output, temp, RSA_SIGNATURE_LENGTH);
}
r = rsa_rsassa_pkcs1_v15_sign (&rsa_ctx, RSA_PRIVATE, SIG_RSA_RAW,
msg_len, raw_message, temp);
memcpy (output, temp, RSA_SIGNATURE_LENGTH);
rsa_free (&rsa_ctx);
if (r < 0)
if (ret != 0)
{
DEBUG_INFO ("fail:");
DEBUG_SHORT (r);
return r;
DEBUG_SHORT (ret);
return -1;
}
else
{
@@ -99,23 +100,23 @@ modulus_calc (const uint8_t *p, int len)
{
mpi P, Q, N;
uint8_t *modulus;
int ret;
modulus = malloc (len);
if (modulus == NULL)
return NULL;
mpi_init (&P);
mpi_init (&Q);
mpi_init (&N);
mpi_read_binary (&P, p, len / 2);
mpi_read_binary (&Q, p + len / 2, len / 2);
mpi_mul_mpi (&N, &P, &Q);
mpi_write_binary (&N, modulus, len);
mpi_free (&P);
mpi_free (&Q);
mpi_free (&N);
return modulus;
mpi_init (&P); mpi_init (&Q); mpi_init (&N);
MPI_CHK( mpi_read_binary (&P, p, len / 2) );
MPI_CHK( mpi_read_binary (&Q, p + len / 2, len / 2) );
MPI_CHK( mpi_mul_mpi (&N, &P, &Q) );
MPI_CHK( mpi_write_binary (&N, modulus, len) );
cleanup:
mpi_free (&P); mpi_free (&Q); mpi_free (&N);
if (ret != 0)
return NULL;
else
return modulus;
}
@@ -124,48 +125,47 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
struct key_data *kd)
{
mpi P1, Q1, H;
int r;
int ret;
unsigned int output_len;
uint8_t index = 0;
DEBUG_INFO ("RSA decrypt:");
DEBUG_WORD ((uint32_t)&output_len);
mpi_init (&P1);
mpi_init (&Q1);
mpi_init (&H);
rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
mpi_init (&P1); mpi_init (&Q1); mpi_init (&H);
rsa_ctx.len = msg_len;
DEBUG_WORD (msg_len);
mpi_lset (&rsa_ctx.E, 0x10001);
mpi_read_binary (&rsa_ctx.P, &kd->data[0], KEY_CONTENT_LEN / 2);
mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2],
KEY_CONTENT_LEN / 2);
#if 0 /* Using CRT, we don't use N */
mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q);
#endif
mpi_sub_int (&P1, &rsa_ctx.P, 1);
mpi_sub_int (&Q1, &rsa_ctx.Q, 1);
mpi_mul_mpi (&H, &P1, &Q1);
mpi_inv_mod (&rsa_ctx.D , &rsa_ctx.E, &H);
mpi_mod_mpi (&rsa_ctx.DP, &rsa_ctx.D, &P1);
mpi_mod_mpi (&rsa_ctx.DQ, &rsa_ctx.D, &Q1);
mpi_inv_mod (&rsa_ctx.QP, &rsa_ctx.Q, &rsa_ctx.P);
mpi_free (&P1);
mpi_free (&Q1);
mpi_free (&H);
MPI_CHK( mpi_lset (&rsa_ctx.E, 0x10001) );
MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], KEY_CONTENT_LEN / 2) );
MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2],
KEY_CONTENT_LEN / 2) );
MPI_CHK( mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q) );
MPI_CHK( mpi_sub_int (&P1, &rsa_ctx.P, 1) );
MPI_CHK( mpi_sub_int (&Q1, &rsa_ctx.Q, 1) );
MPI_CHK( mpi_mul_mpi (&H, &P1, &Q1) );
MPI_CHK( mpi_inv_mod (&rsa_ctx.D , &rsa_ctx.E, &H) );
MPI_CHK( mpi_mod_mpi (&rsa_ctx.DP, &rsa_ctx.D, &P1) );
MPI_CHK( mpi_mod_mpi (&rsa_ctx.DQ, &rsa_ctx.D, &Q1) );
MPI_CHK( mpi_inv_mod (&rsa_ctx.QP, &rsa_ctx.Q, &rsa_ctx.P) );
cleanup:
mpi_free (&P1); mpi_free (&Q1); mpi_free (&H);
if (ret == 0)
{
DEBUG_INFO ("RSA decrypt ...");
ret = rsa_rsaes_pkcs1_v15_decrypt (&rsa_ctx, random_gen, &index,
RSA_PRIVATE, &output_len, input,
output, MAX_RES_APDU_DATA_SIZE);
}
DEBUG_INFO ("RSA decrypt ...");
r = rsa_rsaes_pkcs1_v15_decrypt (&rsa_ctx, RSA_PRIVATE, &output_len,
input, output, MAX_RES_APDU_DATA_SIZE);
rsa_free (&rsa_ctx);
if (r < 0)
if (ret != 0)
{
DEBUG_INFO ("fail:");
DEBUG_SHORT (r);
return r;
DEBUG_SHORT (ret);
return -1;
}
else
{
@@ -179,23 +179,26 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
int
rsa_verify (const uint8_t *pubkey, const uint8_t *hash, const uint8_t *sig)
{
int r;
int ret;
uint8_t index = 0;
rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
rsa_ctx.len = KEY_CONTENT_LEN;
mpi_lset (&rsa_ctx.E, 0x10001);
mpi_read_binary (&rsa_ctx.N, pubkey, KEY_CONTENT_LEN);
MPI_CHK( mpi_lset (&rsa_ctx.E, 0x10001) );
MPI_CHK( mpi_read_binary (&rsa_ctx.N, pubkey, KEY_CONTENT_LEN) );
DEBUG_INFO ("RSA verify...");
r = rsa_rsassa_pkcs1_v15_verify (&rsa_ctx, RSA_PUBLIC, SIG_RSA_SHA256, 32, hash, sig);
MPI_CHK( rsa_rsassa_pkcs1_v15_verify (&rsa_ctx, random_gen, &index,
RSA_PUBLIC, SIG_RSA_SHA256, 32,
hash, sig) );
cleanup:
rsa_free (&rsa_ctx);
if (r < 0)
if (ret != 0)
{
DEBUG_INFO ("fail:");
DEBUG_SHORT (r);
return r;
DEBUG_SHORT (ret);
return -1;
}
else
{
@@ -210,7 +213,7 @@ rsa_verify (const uint8_t *pubkey, const uint8_t *hash, const uint8_t *sig)
uint8_t *
rsa_genkey (void)
{
int r;
int ret;
uint8_t index = 0;
uint8_t *p_q_modulus = (uint8_t *)malloc (KEY_CONTENT_LEN*2);
uint8_t *p = p_q_modulus;
@@ -227,19 +230,24 @@ rsa_genkey (void)
prng_seed (random_gen, &index);
rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
r = rsa_gen_key (&rsa_ctx, random_gen, &index,
KEY_CONTENT_LEN * 8, RSA_EXPONENT);
if (r < 0)
MPI_CHK( rsa_gen_key (&rsa_ctx, random_gen, &index,
KEY_CONTENT_LEN * 8, RSA_EXPONENT) );
if (ret != 0)
{
free (p_q_modulus);
rsa_free (&rsa_ctx);
return NULL;
}
mpi_write_binary (&rsa_ctx.P, p, KEY_CONTENT_LEN/2);
mpi_write_binary (&rsa_ctx.Q, q, KEY_CONTENT_LEN/2);
mpi_write_binary (&rsa_ctx.N, modulus, KEY_CONTENT_LEN);
MPI_CHK( mpi_write_binary (&rsa_ctx.P, p, KEY_CONTENT_LEN/2) );
MPI_CHK( mpi_write_binary (&rsa_ctx.Q, q, KEY_CONTENT_LEN/2) );
MPI_CHK( mpi_write_binary (&rsa_ctx.N, modulus, KEY_CONTENT_LEN) );
cleanup:
rsa_free (&rsa_ctx);
return p_q_modulus;
if (ret != 0)
return NULL;
else
return p_q_modulus;
}
#endif