[proxmark3-svn] / common / polarssl / rsa.h

/**
 * \file rsa.h
 *
 * \brief The RSA public-key cryptosystem
 *
 *  Copyright (C) 2006-2010, Brainspark B.V.
 *
 *  This file is part of PolarSSL (http://www.polarssl.org)
 *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
 *
 *  All rights reserved.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#ifndef POLARSSL_RSA_H
#define POLARSSL_RSA_H

#include "bignum.h"

/*
 * RSA Error codes
 */
#define POLARSSL_ERR_RSA_BAD_INPUT_DATA                    -0x4080  /**< Bad input parameters to function. */
#define POLARSSL_ERR_RSA_INVALID_PADDING                   -0x4100  /**< Input data contains invalid padding and is rejected. */
#define POLARSSL_ERR_RSA_KEY_GEN_FAILED                    -0x4180  /**< Something failed during generation of a key. */
#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED                  -0x4200  /**< Key failed to pass the libraries validity check. */
#define POLARSSL_ERR_RSA_PUBLIC_FAILED                     -0x4280  /**< The public key operation failed. */
#define POLARSSL_ERR_RSA_PRIVATE_FAILED                    -0x4300  /**< The private key operation failed. */
#define POLARSSL_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
#define POLARSSL_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */

/*
 * PKCS#1 constants
 */
#define SIG_RSA_RAW     0
#define SIG_RSA_MD2     2
#define SIG_RSA_MD4     3
#define SIG_RSA_MD5     4
#define SIG_RSA_SHA1    5
#define SIG_RSA_SHA224 14
#define SIG_RSA_SHA256 11
#define SIG_RSA_SHA384 12
#define SIG_RSA_SHA512 13

#define RSA_PUBLIC      0
#define RSA_PRIVATE     1

#define RSA_PKCS_V15    0
#define RSA_PKCS_V21    1

#define RSA_SIGN        1
#define RSA_CRYPT       2

#define ASN1_STR_CONSTRUCTED_SEQUENCE   "\x30"
#define ASN1_STR_NULL                   "\x05"
#define ASN1_STR_OID                    "\x06"
#define ASN1_STR_OCTET_STRING           "\x04"

#define OID_DIGEST_ALG_MDX              "\x2A\x86\x48\x86\xF7\x0D\x02\x00"
#define OID_HASH_ALG_SHA1               "\x2b\x0e\x03\x02\x1a"
#define OID_HASH_ALG_SHA2X              "\x60\x86\x48\x01\x65\x03\x04\x02\x00"

#define OID_ISO_MEMBER_BODIES           "\x2a"
#define OID_ISO_IDENTIFIED_ORG          "\x2b"

/*
 * ISO Member bodies OID parts
 */
#define OID_COUNTRY_US                  "\x86\x48"
#define OID_RSA_DATA_SECURITY           "\x86\xf7\x0d"

/*
 * ISO Identified organization OID parts
 */
#define OID_OIW_SECSIG_SHA1             "\x0e\x03\x02\x1a"

/*
 * DigestInfo ::= SEQUENCE {
 *   digestAlgorithm DigestAlgorithmIdentifier,
 *   digest Digest }
 *
 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
 *
 * Digest ::= OCTET STRING
 */
#define ASN1_HASH_MDX                           \
(                                               \
    ASN1_STR_CONSTRUCTED_SEQUENCE "\x20"        \
      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C"      \
        ASN1_STR_OID "\x08"                     \
      OID_DIGEST_ALG_MDX                        \
    ASN1_STR_NULL "\x00"                        \
      ASN1_STR_OCTET_STRING "\x10"              \
)

#define ASN1_HASH_SHA1                          \
    ASN1_STR_CONSTRUCTED_SEQUENCE "\x21"        \
      ASN1_STR_CONSTRUCTED_SEQUENCE "\x09"      \
        ASN1_STR_OID "\x05"                     \
      OID_HASH_ALG_SHA1                         \
        ASN1_STR_NULL "\x00"                    \
      ASN1_STR_OCTET_STRING "\x14"

#define ASN1_HASH_SHA1_ALT                      \
    ASN1_STR_CONSTRUCTED_SEQUENCE "\x1F"        \
      ASN1_STR_CONSTRUCTED_SEQUENCE "\x07"      \
        ASN1_STR_OID "\x05"                     \
      OID_HASH_ALG_SHA1                         \
      ASN1_STR_OCTET_STRING "\x14"

#define ASN1_HASH_SHA2X                         \
    ASN1_STR_CONSTRUCTED_SEQUENCE "\x11"        \
      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d"      \
        ASN1_STR_OID "\x09"                     \
      OID_HASH_ALG_SHA2X                        \
        ASN1_STR_NULL "\x00"                    \
      ASN1_STR_OCTET_STRING "\x00"

/**
 * \brief          RSA context structure
 */
typedef struct
{
    int ver;                    /*!<  always 0          */
    size_t len;                 /*!<  size(N) in chars  */

    mpi N;                      /*!<  public modulus    */
    mpi E;                      /*!<  public exponent   */

    mpi D;                      /*!<  private exponent  */
    mpi P;                      /*!<  1st prime factor  */
    mpi Q;                      /*!<  2nd prime factor  */
    mpi DP;                     /*!<  D % (P - 1)       */
    mpi DQ;                     /*!<  D % (Q - 1)       */
    mpi QP;                     /*!<  1 / (Q % P)       */

    mpi RN;                     /*!<  cached R^2 mod N  */
    mpi RP;                     /*!<  cached R^2 mod P  */
    mpi RQ;                     /*!<  cached R^2 mod Q  */

    int padding;                /*!<  RSA_PKCS_V15 for 1.5 padding and
                                      RSA_PKCS_v21 for OAEP/PSS         */
    int hash_id;                /*!<  Hash identifier of md_type_t as
                                      specified in the md.h header file
                                      for the EME-OAEP and EMSA-PSS
                                      encoding                          */
}
rsa_context;

#ifdef __cplusplus
extern "C" {
#endif

/**
 * \brief          Initialize an RSA context
 *
 *                 Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP
 *                 encryption scheme and the RSASSA-PSS signature scheme.
 *
 * \param ctx      RSA context to be initialized
 * \param padding  RSA_PKCS_V15 or RSA_PKCS_V21
 * \param hash_id  RSA_PKCS_V21 hash identifier
 *
 * \note           The hash_id parameter is actually ignored
 *                 when using RSA_PKCS_V15 padding.
 */
void rsa_init( rsa_context *ctx,
               int padding,
               int hash_id);

/**
 * \brief          Generate an RSA keypair
 *
 * \param ctx      RSA context that will hold the key
 * \param f_rng    RNG function
 * \param p_rng    RNG parameter
 * \param nbits    size of the public key in bits
 * \param exponent public exponent (e.g., 65537)
 *
 * \note           rsa_init() must be called beforehand to setup
 *                 the RSA context.
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 */
int rsa_gen_key( rsa_context *ctx,
                 int (*f_rng)(void *, unsigned char *, size_t),
                 void *p_rng,
                 unsigned int nbits, int exponent );

/**
 * \brief          Check a public RSA key
 *
 * \param ctx      RSA context to be checked
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 */
int rsa_check_pubkey( const rsa_context *ctx );

/**
 * \brief          Check a private RSA key
 *
 * \param ctx      RSA context to be checked
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 */
int rsa_check_privkey( const rsa_context *ctx );

/**
 * \brief          Do an RSA public key operation
 *
 * \param ctx      RSA context
 * \param input    input buffer
 * \param output   output buffer
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           This function does NOT take care of message
 *                 padding. Also, be sure to set input[0] = 0 or assure that
 *                 input is smaller than N.
 *
 * \note           The input and output buffers must be large
 *                 enough (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_public( rsa_context *ctx,
                const unsigned char *input,
                unsigned char *output );

/**
 * \brief          Do an RSA private key operation
 *
 * \param ctx      RSA context
 * \param input    input buffer
 * \param output   output buffer
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The input and output buffers must be large
 *                 enough (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_private( rsa_context *ctx,
                 const unsigned char *input,
                 unsigned char *output );

/**
 * \brief          Generic wrapper to perform a PKCS#1 encryption using the
 *                 mode from the context. Add the message padding, then do an
 *                 RSA operation.
 *
 * \param ctx      RSA context
 * \param f_rng    RNG function (Needed for padding and PKCS#1 v2.1 encoding)
 * \param p_rng    RNG parameter
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param ilen     contains the plaintext length
 * \param input    buffer holding the data to be encrypted
 * \param output   buffer that will hold the ciphertext
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_pkcs1_encrypt( rsa_context *ctx,
                       int (*f_rng)(void *, unsigned char *, size_t),
                       void *p_rng,
                       int mode, size_t ilen,
                       const unsigned char *input,
                       unsigned char *output );

/**
 * \brief          Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
 *
 * \param ctx      RSA context
 * \param f_rng    RNG function (Needed for padding)
 * \param p_rng    RNG parameter
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param ilen     contains the plaintext length
 * \param input    buffer holding the data to be encrypted
 * \param output   buffer that will hold the ciphertext
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
                                 int (*f_rng)(void *, unsigned char *, size_t),
                                 void *p_rng,
                                 int mode, size_t ilen,
                                 const unsigned char *input,
                                 unsigned char *output );

/**
 * \brief          Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
 *
 * \param ctx      RSA context
 * \param f_rng    RNG function (Needed for padding and PKCS#1 v2.1 encoding)
 * \param p_rng    RNG parameter
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param label    buffer holding the custom label to use
 * \param label_len contains the label length
 * \param ilen     contains the plaintext length
 * \param input    buffer holding the data to be encrypted
 * \param output   buffer that will hold the ciphertext
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
                            int (*f_rng)(void *, unsigned char *, size_t),
                            void *p_rng,
                            int mode,
                            const unsigned char *label, size_t label_len,
                            size_t ilen,
                            const unsigned char *input,
                            unsigned char *output );

/**
 * \brief          Generic wrapper to perform a PKCS#1 decryption using the
 *                 mode from the context. Do an RSA operation, then remove
 *                 the message padding
 *
 * \param ctx      RSA context
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param olen     will contain the plaintext length
 * \param input    buffer holding the encrypted data
 * \param output   buffer that will hold the plaintext
 * \param output_max_len    maximum length of the output buffer
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
 *                 an error is thrown.
 */
int rsa_pkcs1_decrypt( rsa_context *ctx,
                       int mode, size_t *olen,
                       const unsigned char *input,
                       unsigned char *output,
                       size_t output_max_len );

/**
 * \brief          Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
 *
 * \param ctx      RSA context
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param olen     will contain the plaintext length
 * \param input    buffer holding the encrypted data
 * \param output   buffer that will hold the plaintext
 * \param output_max_len    maximum length of the output buffer
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
 *                 an error is thrown.
 */
int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
                                 int mode, size_t *olen,
                                 const unsigned char *input,
                                 unsigned char *output,
                                 size_t output_max_len );

/**
 * \brief          Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
 *
 * \param ctx      RSA context
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param label    buffer holding the custom label to use
 * \param label_len contains the label length
 * \param olen     will contain the plaintext length
 * \param input    buffer holding the encrypted data
 * \param output   buffer that will hold the plaintext
 * \param output_max_len    maximum length of the output buffer
 *
 * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
 *                 an error is thrown.
 */
int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
                            int mode,
                            const unsigned char *label, size_t label_len,
                            size_t *olen,
                            const unsigned char *input,
                            unsigned char *output,
                            size_t output_max_len );

/**
 * \brief          Generic wrapper to perform a PKCS#1 signature using the
 *                 mode from the context. Do a private RSA operation to sign
 *                 a message digest
 *
 * \param ctx      RSA context
 * \param f_rng    RNG function (Needed for PKCS#1 v2.1 encoding)
 * \param p_rng    RNG parameter
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer that will hold the ciphertext
 *
 * \return         0 if the signing operation was successful,
 *                 or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 *
 * \note           In case of PKCS#1 v2.1 encoding keep in mind that
 *                 the hash_id in the RSA context is the one used for the
 *                 encoding. hash_id in the function call is the type of hash
 *                 that is encoded. According to RFC 3447 it is advised to
 *                 keep both hashes the same.
 */
int rsa_pkcs1_sign( rsa_context *ctx,
                    int (*f_rng)(void *, unsigned char *, size_t),
                    void *p_rng,
                    int mode,
                    int hash_id,
                    unsigned int hashlen,
                    const unsigned char *hash,
                    unsigned char *sig );

/**
 * \brief          Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
 *
 * \param ctx      RSA context
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer that will hold the ciphertext
 *
 * \return         0 if the signing operation was successful,
 *                 or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
                               int mode,
                               int hash_id,
                               unsigned int hashlen,
                               const unsigned char *hash,
                               unsigned char *sig );

/**
 * \brief          Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
 *
 * \param ctx      RSA context
 * \param f_rng    RNG function (Needed for PKCS#1 v2.1 encoding)
 * \param p_rng    RNG parameter
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer that will hold the ciphertext
 *
 * \return         0 if the signing operation was successful,
 *                 or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 *
 * \note           In case of PKCS#1 v2.1 encoding keep in mind that
 *                 the hash_id in the RSA context is the one used for the
 *                 encoding. hash_id in the function call is the type of hash
 *                 that is encoded. According to RFC 3447 it is advised to
 *                 keep both hashes the same.
 */
int rsa_rsassa_pss_sign( rsa_context *ctx,
                         int (*f_rng)(void *, unsigned char *, size_t),
                         void *p_rng,
                         int mode,
                         int hash_id,
                         unsigned int hashlen,
                         const unsigned char *hash,
                         unsigned char *sig );

/**
 * \brief          Generic wrapper to perform a PKCS#1 verification using the
 *                 mode from the context. Do a public RSA operation and check
 *                 the message digest
 *
 * \param ctx      points to an RSA public key
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer holding the ciphertext
 *
 * \return         0 if the verify operation was successful,
 *                 or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 *
 * \note           In case of PKCS#1 v2.1 encoding keep in mind that
 *                 the hash_id in the RSA context is the one used for the
 *                 verification. hash_id in the function call is the type of hash
 *                 that is verified. According to RFC 3447 it is advised to
 *                 keep both hashes the same.
 */
int rsa_pkcs1_verify( rsa_context *ctx,
                      int mode,
                      int hash_id,
                      unsigned int hashlen,
                      const unsigned char *hash,
                      unsigned char *sig );

/**
 * \brief          Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
 *
 * \param ctx      points to an RSA public key
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer holding the ciphertext
 *
 * \return         0 if the verify operation was successful,
 *                 or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 */
int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
                                 int mode,
                                 int hash_id,
                                 unsigned int hashlen,
                                 const unsigned char *hash,
                                 unsigned char *sig );

/**
 * \brief          Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
 * \brief          Do a public RSA and check the message digest
 *
 * \param ctx      points to an RSA public key
 * \param mode     RSA_PUBLIC or RSA_PRIVATE
 * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
 * \param hashlen  message digest length (for SIG_RSA_RAW only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer holding the ciphertext
 *
 * \return         0 if the verify operation was successful,
 *                 or an POLARSSL_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 *
 * \note           In case of PKCS#1 v2.1 encoding keep in mind that
 *                 the hash_id in the RSA context is the one used for the
 *                 verification. hash_id in the function call is the type of hash
 *                 that is verified. According to RFC 3447 it is advised to
 *                 keep both hashes the same.
 */
int rsa_rsassa_pss_verify( rsa_context *ctx,
                           int mode,
                           int hash_id,
                           unsigned int hashlen,
                           const unsigned char *hash,
                           unsigned char *sig );

/**
 * \brief          Free the components of an RSA key
 *
 * \param ctx      RSA Context to free
 */
void rsa_free( rsa_context *ctx );

/**
 * \brief          Checkup routine
 *
 * \return         0 if successful, or 1 if the test failed
 */
int rsa_self_test( int verbose );

#ifdef __cplusplus
}
#endif

#endif /* rsa.h */
Commit	Line	Data
d03fb293 OM	1	/**
	2	* \file rsa.h
	3	*
	4	* \brief The RSA public-key cryptosystem
	5	*
	6	* Copyright (C) 2006-2010, Brainspark B.V.
	7	*
	8	* This file is part of PolarSSL (http://www.polarssl.org)
	9	* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
	10	*
	11	* All rights reserved.
	12	*
	13	* This program is free software; you can redistribute it and/or modify
	14	* it under the terms of the GNU General Public License as published by
	15	* the Free Software Foundation; either version 2 of the License, or
	16	* (at your option) any later version.
	17	*
	18	* This program is distributed in the hope that it will be useful,
	19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	21	* GNU General Public License for more details.
	22	*
	23	* You should have received a copy of the GNU General Public License along
	24	* with this program; if not, write to the Free Software Foundation, Inc.,
	25	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	26	*/
	27	#ifndef POLARSSL_RSA_H
	28	#define POLARSSL_RSA_H
	29
	30	#include "bignum.h"
	31
	32	/*
	33	* RSA Error codes
	34	*/
	35	#define POLARSSL_ERR_RSA_BAD_INPUT_DATA -0x4080 /*< Bad input parameters to function. /
	36	#define POLARSSL_ERR_RSA_INVALID_PADDING -0x4100 /*< Input data contains invalid padding and is rejected. /
	37	#define POLARSSL_ERR_RSA_KEY_GEN_FAILED -0x4180 /*< Something failed during generation of a key. /
	38	#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED -0x4200 /*< Key failed to pass the libraries validity check. /
	39	#define POLARSSL_ERR_RSA_PUBLIC_FAILED -0x4280 /*< The public key operation failed. /
	40	#define POLARSSL_ERR_RSA_PRIVATE_FAILED -0x4300 /*< The private key operation failed. /
	41	#define POLARSSL_ERR_RSA_VERIFY_FAILED -0x4380 /*< The PKCS#1 verification failed. /
	42	#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /*< The output buffer for decryption is not large enough. /
	43	#define POLARSSL_ERR_RSA_RNG_FAILED -0x4480 /*< The random generator failed to generate non-zeros. /
	44
	45	/*
	46	* PKCS#1 constants
	47	*/
	48	#define SIG_RSA_RAW 0
	49	#define SIG_RSA_MD2 2
	50	#define SIG_RSA_MD4 3
	51	#define SIG_RSA_MD5 4
	52	#define SIG_RSA_SHA1 5
	53	#define SIG_RSA_SHA224 14
	54	#define SIG_RSA_SHA256 11
	55	#define SIG_RSA_SHA384 12
	56	#define SIG_RSA_SHA512 13
	57
	58	#define RSA_PUBLIC 0
	59	#define RSA_PRIVATE 1
	60
	61	#define RSA_PKCS_V15 0
	62	#define RSA_PKCS_V21 1
	63
	64	#define RSA_SIGN 1
65	#define RSA_CRYPT 2
66
67	#define ASN1_STR_CONSTRUCTED_SEQUENCE "\x30"
68	#define ASN1_STR_NULL "\x05"
69	#define ASN1_STR_OID "\x06"
70	#define ASN1_STR_OCTET_STRING "\x04"
71
72	#define OID_DIGEST_ALG_MDX "\x2A\x86\x48\x86\xF7\x0D\x02\x00"
73	#define OID_HASH_ALG_SHA1 "\x2b\x0e\x03\x02\x1a"
74	#define OID_HASH_ALG_SHA2X "\x60\x86\x48\x01\x65\x03\x04\x02\x00"
75
76	#define OID_ISO_MEMBER_BODIES "\x2a"
77	#define OID_ISO_IDENTIFIED_ORG "\x2b"
78
79	/*
80	* ISO Member bodies OID parts
81	*/
82	#define OID_COUNTRY_US "\x86\x48"
83	#define OID_RSA_DATA_SECURITY "\x86\xf7\x0d"
84
85	/*
86	* ISO Identified organization OID parts
87	*/
88	#define OID_OIW_SECSIG_SHA1 "\x0e\x03\x02\x1a"
89
90	/*
91	* DigestInfo ::= SEQUENCE {
92	* digestAlgorithm DigestAlgorithmIdentifier,
93	* digest Digest }
94	*
95	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
96	*
97	* Digest ::= OCTET STRING
98	*/
99	#define ASN1_HASH_MDX \
100	( \
101	ASN1_STR_CONSTRUCTED_SEQUENCE "\x20" \
102	ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C" \
103	ASN1_STR_OID "\x08" \
104	OID_DIGEST_ALG_MDX \
105	ASN1_STR_NULL "\x00" \
106	ASN1_STR_OCTET_STRING "\x10" \
107	)
108
109	#define ASN1_HASH_SHA1 \
110	ASN1_STR_CONSTRUCTED_SEQUENCE "\x21" \
111	ASN1_STR_CONSTRUCTED_SEQUENCE "\x09" \
112	ASN1_STR_OID "\x05" \
113	OID_HASH_ALG_SHA1 \
114	ASN1_STR_NULL "\x00" \
115	ASN1_STR_OCTET_STRING "\x14"
116
117	#define ASN1_HASH_SHA1_ALT \
118	ASN1_STR_CONSTRUCTED_SEQUENCE "\x1F" \
119	ASN1_STR_CONSTRUCTED_SEQUENCE "\x07" \
120	ASN1_STR_OID "\x05" \
121	OID_HASH_ALG_SHA1 \
122	ASN1_STR_OCTET_STRING "\x14"
123
124	#define ASN1_HASH_SHA2X \
125	ASN1_STR_CONSTRUCTED_SEQUENCE "\x11" \
126	ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d" \
127	ASN1_STR_OID "\x09" \
128	OID_HASH_ALG_SHA2X \
129	ASN1_STR_NULL "\x00" \
130	ASN1_STR_OCTET_STRING "\x00"
131
132	/**
133	* \brief RSA context structure
134	*/
135	typedef struct
136	{
137	int ver; /!< always 0 /
138	size_t len; /!< size(N) in chars /
139
140	mpi N; /!< public modulus /
141	mpi E; /!< public exponent /
142
143	mpi D; /!< private exponent /
144	mpi P; /!< 1st prime factor /
145	mpi Q; /!< 2nd prime factor /
146	mpi DP; /!< D % (P - 1) /
147	mpi DQ; /!< D % (Q - 1) /
148	mpi QP; /!< 1 / (Q % P) /
149
150	mpi RN; /!< cached R^2 mod N /
151	mpi RP; /!< cached R^2 mod P /
152	mpi RQ; /!< cached R^2 mod Q /
153
154	int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
155	RSA_PKCS_v21 for OAEP/PSS */
156	int hash_id; /*!< Hash identifier of md_type_t as
157	specified in the md.h header file
158	for the EME-OAEP and EMSA-PSS
159	encoding */
160	}
161	rsa_context;
162
163	#ifdef __cplusplus
164	extern "C" {
165	#endif
166
167	/**
168	* \brief Initialize an RSA context
169	*
170	* Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP
171	* encryption scheme and the RSASSA-PSS signature scheme.
172	*
173	* \param ctx RSA context to be initialized
174	* \param padding RSA_PKCS_V15 or RSA_PKCS_V21
175	* \param hash_id RSA_PKCS_V21 hash identifier
176	*
177	* \note The hash_id parameter is actually ignored
178	* when using RSA_PKCS_V15 padding.
179	*/
180	void rsa_init( rsa_context *ctx,
181	int padding,
182	int hash_id);
183
184	/**
185	* \brief Generate an RSA keypair
186	*
187	* \param ctx RSA context that will hold the key
188	* \param f_rng RNG function
189	* \param p_rng RNG parameter
190	* \param nbits size of the public key in bits
191	* \param exponent public exponent (e.g., 65537)
192	*
193	* \note rsa_init() must be called beforehand to setup
194	* the RSA context.
195	*
196	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
197	*/
198	int rsa_gen_key( rsa_context *ctx,
199	int (f_rng)(void , unsigned char *, size_t),
200	void *p_rng,
201	unsigned int nbits, int exponent );
202
203	/**
204	* \brief Check a public RSA key
205	*
206	* \param ctx RSA context to be checked
207	*
208	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
209	*/
210	int rsa_check_pubkey( const rsa_context *ctx );
211
212	/**
213	* \brief Check a private RSA key
214	*
215	* \param ctx RSA context to be checked
216	*
217	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
218	*/
219	int rsa_check_privkey( const rsa_context *ctx );
220
221	/**
222	* \brief Do an RSA public key operation
223	*
224	* \param ctx RSA context
225	* \param input input buffer
226	* \param output output buffer
227	*
228	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
229	*
230	* \note This function does NOT take care of message
231	* padding. Also, be sure to set input[0] = 0 or assure that
232	* input is smaller than N.
233	*
234	* \note The input and output buffers must be large
235	* enough (eg. 128 bytes if RSA-1024 is used).
236	*/
237	int rsa_public( rsa_context *ctx,
238	const unsigned char *input,
239	unsigned char *output );
240
241	/**
242	* \brief Do an RSA private key operation
243	*
244	* \param ctx RSA context
245	* \param input input buffer
246	* \param output output buffer
247	*
248	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
249	*
250	* \note The input and output buffers must be large
251	* enough (eg. 128 bytes if RSA-1024 is used).
252	*/
253	int rsa_private( rsa_context *ctx,
254	const unsigned char *input,
255	unsigned char *output );
256
257	/**
258	* \brief Generic wrapper to perform a PKCS#1 encryption using the
259	* mode from the context. Add the message padding, then do an
260	* RSA operation.
261	*
262	* \param ctx RSA context
263	* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
264	* \param p_rng RNG parameter
265	* \param mode RSA_PUBLIC or RSA_PRIVATE
266	* \param ilen contains the plaintext length
267	* \param input buffer holding the data to be encrypted
268	* \param output buffer that will hold the ciphertext
269	*
270	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
271	*
272	* \note The output buffer must be as large as the size
273	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
274	*/
275	int rsa_pkcs1_encrypt( rsa_context *ctx,
276	int (f_rng)(void , unsigned char *, size_t),
277	void *p_rng,
278	int mode, size_t ilen,
279	const unsigned char *input,
280	unsigned char *output );
281
282	/**
283	* \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
284	*
285	* \param ctx RSA context
286	* \param f_rng RNG function (Needed for padding)
287	* \param p_rng RNG parameter
288	* \param mode RSA_PUBLIC or RSA_PRIVATE
289	* \param ilen contains the plaintext length
290	* \param input buffer holding the data to be encrypted
291	* \param output buffer that will hold the ciphertext
292	*
293	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
294	*
295	* \note The output buffer must be as large as the size
296	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
297	*/
298	int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
299	int (f_rng)(void , unsigned char *, size_t),
300	void *p_rng,
301	int mode, size_t ilen,
302	const unsigned char *input,
303	unsigned char *output );
304
305	/**
306	* \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
307	*
308	* \param ctx RSA context
309	* \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding)
310	* \param p_rng RNG parameter
311	* \param mode RSA_PUBLIC or RSA_PRIVATE
312	* \param label buffer holding the custom label to use
313	* \param label_len contains the label length
314	* \param ilen contains the plaintext length
315	* \param input buffer holding the data to be encrypted
316	* \param output buffer that will hold the ciphertext
317	*
318	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
319	*
320	* \note The output buffer must be as large as the size
321	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
322	*/
323	int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
324	int (f_rng)(void , unsigned char *, size_t),
325	void *p_rng,
326	int mode,
327	const unsigned char *label, size_t label_len,
328	size_t ilen,
329	const unsigned char *input,
330	unsigned char *output );
331
332	/**
333	* \brief Generic wrapper to perform a PKCS#1 decryption using the
334	* mode from the context. Do an RSA operation, then remove
335	* the message padding
336	*
337	* \param ctx RSA context
338	* \param mode RSA_PUBLIC or RSA_PRIVATE
339	* \param olen will contain the plaintext length
340	* \param input buffer holding the encrypted data
341	* \param output buffer that will hold the plaintext
342	* \param output_max_len maximum length of the output buffer
343	*
344	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
345	*
346	* \note The output buffer must be as large as the size
347	* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
348	* an error is thrown.
349	*/
350	int rsa_pkcs1_decrypt( rsa_context *ctx,
351	int mode, size_t *olen,
352	const unsigned char *input,
353	unsigned char *output,
354	size_t output_max_len );
355
356	/**
357	* \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
358	*
359	* \param ctx RSA context
360	* \param mode RSA_PUBLIC or RSA_PRIVATE
361	* \param olen will contain the plaintext length
362	* \param input buffer holding the encrypted data
363	* \param output buffer that will hold the plaintext
364	* \param output_max_len maximum length of the output buffer
365	*
366	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
367	*
368	* \note The output buffer must be as large as the size
369	* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
370	* an error is thrown.
371	*/
372	int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
373	int mode, size_t *olen,
374	const unsigned char *input,
375	unsigned char *output,
376	size_t output_max_len );
377
378	/**
379	* \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
380	*
381	* \param ctx RSA context
382	* \param mode RSA_PUBLIC or RSA_PRIVATE
383	* \param label buffer holding the custom label to use
384	* \param label_len contains the label length
385	* \param olen will contain the plaintext length
386	* \param input buffer holding the encrypted data
387	* \param output buffer that will hold the plaintext
388	* \param output_max_len maximum length of the output buffer
389	*
390	* \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
391	*
392	* \note The output buffer must be as large as the size
393	* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
394	* an error is thrown.
395	*/
396	int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
397	int mode,
398	const unsigned char *label, size_t label_len,
399	size_t *olen,
400	const unsigned char *input,
401	unsigned char *output,
402	size_t output_max_len );
403
404	/**
405	* \brief Generic wrapper to perform a PKCS#1 signature using the
406	* mode from the context. Do a private RSA operation to sign
407	* a message digest
408	*
409	* \param ctx RSA context
410	* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
411	* \param p_rng RNG parameter
412	* \param mode RSA_PUBLIC or RSA_PRIVATE
413	* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
414	* \param hashlen message digest length (for SIG_RSA_RAW only)
415	* \param hash buffer holding the message digest
416	* \param sig buffer that will hold the ciphertext
417	*
418	* \return 0 if the signing operation was successful,
419	* or an POLARSSL_ERR_RSA_XXX error code
420	*
421	* \note The "sig" buffer must be as large as the size
422	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
423	*
424	* \note In case of PKCS#1 v2.1 encoding keep in mind that
425	* the hash_id in the RSA context is the one used for the
426	* encoding. hash_id in the function call is the type of hash
427	* that is encoded. According to RFC 3447 it is advised to
428	* keep both hashes the same.
429	*/
430	int rsa_pkcs1_sign( rsa_context *ctx,
431	int (f_rng)(void , unsigned char *, size_t),
432	void *p_rng,
433	int mode,
434	int hash_id,
435	unsigned int hashlen,
436	const unsigned char *hash,
437	unsigned char *sig );
438
439	/**
440	* \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
441	*
442	* \param ctx RSA context
443	* \param mode RSA_PUBLIC or RSA_PRIVATE
444	* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
445	* \param hashlen message digest length (for SIG_RSA_RAW only)
446	* \param hash buffer holding the message digest
447	* \param sig buffer that will hold the ciphertext
448	*
449	* \return 0 if the signing operation was successful,
450	* or an POLARSSL_ERR_RSA_XXX error code
451	*
452	* \note The "sig" buffer must be as large as the size
453	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
454	*/
455	int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
456	int mode,
457	int hash_id,
458	unsigned int hashlen,
459	const unsigned char *hash,
460	unsigned char *sig );
461
462	/**
463	* \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
464	*
465	* \param ctx RSA context
466	* \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding)
467	* \param p_rng RNG parameter
468	* \param mode RSA_PUBLIC or RSA_PRIVATE
469	* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
470	* \param hashlen message digest length (for SIG_RSA_RAW only)
471	* \param hash buffer holding the message digest
472	* \param sig buffer that will hold the ciphertext
473	*
474	* \return 0 if the signing operation was successful,
475	* or an POLARSSL_ERR_RSA_XXX error code
476	*
477	* \note The "sig" buffer must be as large as the size
478	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
479	*
480	* \note In case of PKCS#1 v2.1 encoding keep in mind that
481	* the hash_id in the RSA context is the one used for the
482	* encoding. hash_id in the function call is the type of hash
483	* that is encoded. According to RFC 3447 it is advised to
484	* keep both hashes the same.
485	*/
486	int rsa_rsassa_pss_sign( rsa_context *ctx,
487	int (f_rng)(void , unsigned char *, size_t),
488	void *p_rng,
489	int mode,
490	int hash_id,
491	unsigned int hashlen,
492	const unsigned char *hash,
493	unsigned char *sig );
494
495	/**
496	* \brief Generic wrapper to perform a PKCS#1 verification using the
497	* mode from the context. Do a public RSA operation and check
498	* the message digest
499	*
500	* \param ctx points to an RSA public key
501	* \param mode RSA_PUBLIC or RSA_PRIVATE
502	* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
503	* \param hashlen message digest length (for SIG_RSA_RAW only)
504	* \param hash buffer holding the message digest
505	* \param sig buffer holding the ciphertext
506	*
507	* \return 0 if the verify operation was successful,
508	* or an POLARSSL_ERR_RSA_XXX error code
509	*
510	* \note The "sig" buffer must be as large as the size
511	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
512	*
513	* \note In case of PKCS#1 v2.1 encoding keep in mind that
514	* the hash_id in the RSA context is the one used for the
515	* verification. hash_id in the function call is the type of hash
516	* that is verified. According to RFC 3447 it is advised to
517	* keep both hashes the same.
518	*/
519	int rsa_pkcs1_verify( rsa_context *ctx,
520	int mode,
521	int hash_id,
522	unsigned int hashlen,
523	const unsigned char *hash,
524	unsigned char *sig );
525
526	/**
527	* \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
528	*
529	* \param ctx points to an RSA public key
530	* \param mode RSA_PUBLIC or RSA_PRIVATE
531	* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
532	* \param hashlen message digest length (for SIG_RSA_RAW only)
533	* \param hash buffer holding the message digest
534	* \param sig buffer holding the ciphertext
535	*
536	* \return 0 if the verify operation was successful,
537	* or an POLARSSL_ERR_RSA_XXX error code
538	*
539	* \note The "sig" buffer must be as large as the size
540	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
541	*/
542	int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
543	int mode,
544	int hash_id,
545	unsigned int hashlen,
546	const unsigned char *hash,
547	unsigned char *sig );
548
549	/**
550	* \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
551	* \brief Do a public RSA and check the message digest
552	*
553	* \param ctx points to an RSA public key
554	* \param mode RSA_PUBLIC or RSA_PRIVATE
555	* \param hash_id SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
556	* \param hashlen message digest length (for SIG_RSA_RAW only)
557	* \param hash buffer holding the message digest
558	* \param sig buffer holding the ciphertext
559	*
560	* \return 0 if the verify operation was successful,
561	* or an POLARSSL_ERR_RSA_XXX error code
562	*
563	* \note The "sig" buffer must be as large as the size
564	* of ctx->N (eg. 128 bytes if RSA-1024 is used).
565	*
566	* \note In case of PKCS#1 v2.1 encoding keep in mind that
567	* the hash_id in the RSA context is the one used for the
568	* verification. hash_id in the function call is the type of hash
569	* that is verified. According to RFC 3447 it is advised to
570	* keep both hashes the same.
571	*/
572	int rsa_rsassa_pss_verify( rsa_context *ctx,
573	int mode,
574	int hash_id,
575	unsigned int hashlen,
576	const unsigned char *hash,
577	unsigned char *sig );
578
579	/**
580	* \brief Free the components of an RSA key
581	*
582	* \param ctx RSA Context to free
583	*/
584	void rsa_free( rsa_context *ctx );
585
586	/**
587	* \brief Checkup routine
588	*
589	* \return 0 if successful, or 1 if the test failed
590	*/
591	int rsa_self_test( int verbose );
592
593	#ifdef __cplusplus
594	}
595	#endif
596
597	#endif /* rsa.h */