| 1 | /* |
|---|---|
| 2 | * Copyright (c) 2007-2014, Cameron Rich |
| 3 | * |
| 4 | * All rights reserved. |
| 5 | * |
| 6 | * Redistribution and use in source and binary forms, with or without |
| 7 | * modification, are permitted provided that the following conditions are met: |
| 8 | * |
| 9 | * * Redistributions of source code must retain the above copyright notice, |
| 10 | * this list of conditions and the following disclaimer. |
| 11 | * * Redistributions in binary form must reproduce the above copyright notice, |
| 12 | * this list of conditions and the following disclaimer in the documentation |
| 13 | * and/or other materials provided with the distribution. |
| 14 | * * Neither the name of the axTLS project nor the names of its contributors |
| 15 | * may be used to endorse or promote products derived from this software |
| 16 | * without specific prior written permission. |
| 17 | * |
| 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 19 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 20 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 21 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR |
| 22 | * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
| 23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
| 24 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| 25 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
| 26 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
| 27 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
| 28 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 29 | */ |
| 30 | |
| 31 | /** |
| 32 | * Implements the RSA public encryption algorithm. Uses the bigint library to |
| 33 | * perform its calculations. |
| 34 | */ |
| 35 | |
| 36 | #include <stdio.h> |
| 37 | #include <string.h> |
| 38 | #include <time.h> |
| 39 | #include <stdlib.h> |
| 40 | #include "os_port.h" |
| 41 | #include "crypto.h" |
| 42 | |
| 43 | void RSA_priv_key_new(RSA_CTX **ctx, |
| 44 | const uint8_t *modulus, int mod_len, |
| 45 | const uint8_t *pub_exp, int pub_len, |
| 46 | const uint8_t *priv_exp, int priv_len |
| 47 | #if CONFIG_BIGINT_CRT |
| 48 | , const uint8_t *p, int p_len, |
| 49 | const uint8_t *q, int q_len, |
| 50 | const uint8_t *dP, int dP_len, |
| 51 | const uint8_t *dQ, int dQ_len, |
| 52 | const uint8_t *qInv, int qInv_len |
| 53 | #endif |
| 54 | ) |
| 55 | { |
| 56 | RSA_CTX *rsa_ctx; |
| 57 | BI_CTX *bi_ctx; |
| 58 | RSA_pub_key_new(ctx, modulus, mod_len, pub_exp, pub_len); |
| 59 | rsa_ctx = *ctx; |
| 60 | bi_ctx = rsa_ctx->bi_ctx; |
| 61 | rsa_ctx->d = bi_import(bi_ctx, priv_exp, priv_len); |
| 62 | bi_permanent(rsa_ctx->d); |
| 63 | |
| 64 | #ifdef CONFIG_BIGINT_CRT |
| 65 | rsa_ctx->p = bi_import(bi_ctx, p, p_len); |
| 66 | rsa_ctx->q = bi_import(bi_ctx, q, q_len); |
| 67 | rsa_ctx->dP = bi_import(bi_ctx, dP, dP_len); |
| 68 | rsa_ctx->dQ = bi_import(bi_ctx, dQ, dQ_len); |
| 69 | rsa_ctx->qInv = bi_import(bi_ctx, qInv, qInv_len); |
| 70 | bi_permanent(rsa_ctx->dP); |
| 71 | bi_permanent(rsa_ctx->dQ); |
| 72 | bi_permanent(rsa_ctx->qInv); |
| 73 | bi_set_mod(bi_ctx, rsa_ctx->p, BIGINT_P_OFFSET); |
| 74 | bi_set_mod(bi_ctx, rsa_ctx->q, BIGINT_Q_OFFSET); |
| 75 | #endif |
| 76 | } |
| 77 | |
| 78 | void RSA_pub_key_new(RSA_CTX **ctx, |
| 79 | const uint8_t *modulus, int mod_len, |
| 80 | const uint8_t *pub_exp, int pub_len) |
| 81 | { |
| 82 | RSA_CTX *rsa_ctx; |
| 83 | BI_CTX *bi_ctx; |
| 84 | |
| 85 | if (*ctx) /* if we load multiple certs, dump the old one */ |
| 86 | RSA_free(*ctx); |
| 87 | |
| 88 | bi_ctx = bi_initialize(); |
| 89 | *ctx = (RSA_CTX *)calloc(1, sizeof(RSA_CTX)); |
| 90 | rsa_ctx = *ctx; |
| 91 | rsa_ctx->bi_ctx = bi_ctx; |
| 92 | rsa_ctx->num_octets = mod_len; |
| 93 | rsa_ctx->m = bi_import(bi_ctx, modulus, mod_len); |
| 94 | bi_set_mod(bi_ctx, rsa_ctx->m, BIGINT_M_OFFSET); |
| 95 | rsa_ctx->e = bi_import(bi_ctx, pub_exp, pub_len); |
| 96 | bi_permanent(rsa_ctx->e); |
| 97 | } |
| 98 | |
| 99 | /** |
| 100 | * Free up any RSA context resources. |
| 101 | */ |
| 102 | void RSA_free(RSA_CTX *rsa_ctx) |
| 103 | { |
| 104 | BI_CTX *bi_ctx; |
| 105 | if (rsa_ctx == NULL) /* deal with ptrs that are null */ |
| 106 | return; |
| 107 | |
| 108 | bi_ctx = rsa_ctx->bi_ctx; |
| 109 | |
| 110 | bi_depermanent(rsa_ctx->e); |
| 111 | bi_free(bi_ctx, rsa_ctx->e); |
| 112 | bi_free_mod(rsa_ctx->bi_ctx, BIGINT_M_OFFSET); |
| 113 | |
| 114 | if (rsa_ctx->d) |
| 115 | { |
| 116 | bi_depermanent(rsa_ctx->d); |
| 117 | bi_free(bi_ctx, rsa_ctx->d); |
| 118 | #ifdef CONFIG_BIGINT_CRT |
| 119 | bi_depermanent(rsa_ctx->dP); |
| 120 | bi_depermanent(rsa_ctx->dQ); |
| 121 | bi_depermanent(rsa_ctx->qInv); |
| 122 | bi_free(bi_ctx, rsa_ctx->dP); |
| 123 | bi_free(bi_ctx, rsa_ctx->dQ); |
| 124 | bi_free(bi_ctx, rsa_ctx->qInv); |
| 125 | bi_free_mod(rsa_ctx->bi_ctx, BIGINT_P_OFFSET); |
| 126 | bi_free_mod(rsa_ctx->bi_ctx, BIGINT_Q_OFFSET); |
| 127 | #endif |
| 128 | } |
| 129 | |
| 130 | bi_terminate(bi_ctx); |
| 131 | free(rsa_ctx); |
| 132 | } |
| 133 | |
| 134 | /** |
| 135 | * @brief Use PKCS1.5 for decryption/verification. |
| 136 | * @param ctx [in] The context |
| 137 | * @param in_data [in] The data to decrypt (must be < modulus size-11) |
| 138 | * @param out_data [out] The decrypted data. |
| 139 | * @param out_len [int] The size of the decrypted buffer in bytes |
| 140 | * @param is_decryption [in] Decryption or verify operation. |
| 141 | * @return The number of bytes that were originally encrypted. -1 on error. |
| 142 | * @see http://www.rsasecurity.com/rsalabs/node.asp?id=2125 |
| 143 | */ |
| 144 | int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, |
| 145 | uint8_t *out_data, int out_len, int is_decryption) |
| 146 | { |
| 147 | const int byte_size = ctx->num_octets; |
| 148 | int i = 0, size; |
| 149 | bigint *decrypted_bi, *dat_bi; |
| 150 | uint8_t *block = (uint8_t *)alloca(byte_size); |
| 151 | int pad_count = 0; |
| 152 | |
| 153 | if (out_len < byte_size) /* check output has enough size */ |
| 154 | return -1; |
| 155 | |
| 156 | memset(out_data, 0, out_len); /* initialise */ |
| 157 | |
| 158 | /* decrypt */ |
| 159 | dat_bi = bi_import(ctx->bi_ctx, in_data, byte_size); |
| 160 | #ifdef CONFIG_SSL_CERT_VERIFICATION |
| 161 | decrypted_bi = is_decryption ? /* decrypt or verify? */ |
| 162 | RSA_private(ctx, dat_bi) : RSA_public(ctx, dat_bi); |
| 163 | #else /* always a decryption */ |
| 164 | decrypted_bi = RSA_private(ctx, dat_bi); |
| 165 | #endif |
| 166 | |
| 167 | /* convert to a normal block */ |
| 168 | bi_export(ctx->bi_ctx, decrypted_bi, block, byte_size); |
| 169 | |
| 170 | if (block[i++] != 0) /* leading 0? */ |
| 171 | return -1; |
| 172 | |
| 173 | #ifdef CONFIG_SSL_CERT_VERIFICATION |
| 174 | if (is_decryption == 0) /* PKCS1.5 signing pads with "0xff"s */ |
| 175 | { |
| 176 | if (block[i++] != 0x01) /* BT correct? */ |
| 177 | return -1; |
| 178 | |
| 179 | while (block[i++] == 0xff && i < byte_size) |
| 180 | pad_count++; |
| 181 | } |
| 182 | else /* PKCS1.5 encryption padding is random */ |
| 183 | #endif |
| 184 | { |
| 185 | if (block[i++] != 0x02) /* BT correct? */ |
| 186 | return -1; |
| 187 | |
| 188 | while (block[i++] && i < byte_size) |
| 189 | pad_count++; |
| 190 | } |
| 191 | |
| 192 | /* check separator byte 0x00 - and padding must be 8 or more bytes */ |
| 193 | if (i == byte_size || pad_count < 8) |
| 194 | return -1; |
| 195 | |
| 196 | size = byte_size - i; |
| 197 | |
| 198 | /* get only the bit we want */ |
| 199 | memcpy(out_data, &block[i], size); |
| 200 | return size; |
| 201 | } |
| 202 | |
| 203 | /** |
| 204 | * Performs m = c^d mod n |
| 205 | */ |
| 206 | bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg) |
| 207 | { |
| 208 | #ifdef CONFIG_BIGINT_CRT |
| 209 | return bi_crt(c->bi_ctx, bi_msg, c->dP, c->dQ, c->p, c->q, c->qInv); |
| 210 | #else |
| 211 | BI_CTX *ctx = c->bi_ctx; |
| 212 | ctx->mod_offset = BIGINT_M_OFFSET; |
| 213 | return bi_mod_power(ctx, bi_msg, c->d); |
| 214 | #endif |
| 215 | } |
| 216 | |
| 217 | #ifdef CONFIG_SSL_FULL_MODE |
| 218 | /** |
| 219 | * Used for diagnostics. |
| 220 | */ |
| 221 | void RSA_print(const RSA_CTX *rsa_ctx) |
| 222 | { |
| 223 | if (rsa_ctx == NULL) |
| 224 | return; |
| 225 | |
| 226 | printf("----------------- RSA DEBUG ----------------\n"); |
| 227 | printf("Size:\t%d\n", rsa_ctx->num_octets); |
| 228 | bi_print("Modulus", rsa_ctx->m); |
| 229 | bi_print("Public Key", rsa_ctx->e); |
| 230 | bi_print("Private Key", rsa_ctx->d); |
| 231 | } |
| 232 | #endif |
| 233 | |
| 234 | #if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT) || (CONFIG_SSL_ENABLE_CLIENT) |
| 235 | /** |
| 236 | * Performs c = m^e mod n |
| 237 | */ |
| 238 | bigint *RSA_public(const RSA_CTX * c, bigint *bi_msg) |
| 239 | { |
| 240 | c->bi_ctx->mod_offset = BIGINT_M_OFFSET; |
| 241 | return bi_mod_power(c->bi_ctx, bi_msg, c->e); |
| 242 | } |
| 243 | |
| 244 | /** |
| 245 | * Use PKCS1.5 for encryption/signing. |
| 246 | * see http://www.rsasecurity.com/rsalabs/node.asp?id=2125 |
| 247 | */ |
| 248 | int RSA_encrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint16_t in_len, |
| 249 | uint8_t *out_data, int is_signing) |
| 250 | { |
| 251 | int byte_size = ctx->num_octets; |
| 252 | int num_pads_needed = byte_size-in_len-3; |
| 253 | bigint *dat_bi, *encrypt_bi; |
| 254 | |
| 255 | /* note: in_len+11 must be > byte_size */ |
| 256 | out_data[0] = 0; /* ensure encryption block is < modulus */ |
| 257 | |
| 258 | if (is_signing) |
| 259 | { |
| 260 | out_data[1] = 1; /* PKCS1.5 signing pads with "0xff"'s */ |
| 261 | memset(&out_data[2], 0xff, num_pads_needed); |
| 262 | } |
| 263 | else /* randomize the encryption padding with non-zero bytes */ |
| 264 | { |
| 265 | out_data[1] = 2; |
| 266 | if (get_random_NZ(num_pads_needed, &out_data[2]) < 0) |
| 267 | return -1; |
| 268 | } |
| 269 | |
| 270 | out_data[2+num_pads_needed] = 0; |
| 271 | memcpy(&out_data[3+num_pads_needed], in_data, in_len); |
| 272 | |
| 273 | /* now encrypt it */ |
| 274 | dat_bi = bi_import(ctx->bi_ctx, out_data, byte_size); |
| 275 | encrypt_bi = is_signing ? RSA_private(ctx, dat_bi) : |
| 276 | RSA_public(ctx, dat_bi); |
| 277 | bi_export(ctx->bi_ctx, encrypt_bi, out_data, byte_size); |
| 278 | |
| 279 | /* save a few bytes of memory */ |
| 280 | bi_clear_cache(ctx->bi_ctx); |
| 281 | return byte_size; |
| 282 | } |
| 283 | |
| 284 | #endif /* CONFIG_SSL_CERT_VERIFICATION */ |
| 285 |
Generated on 2021-Apr-16 from project MicroPython revision 1.15a
Powered by 
Code Browser 2.1
Generator usage only permitted with license.