3 * Copyright (C) 2006-2012 Sawtooth Consulting Ltd.
5 * This file is part of CyaSSL.
7 * CyaSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * CyaSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
27 #include <cyassl/ctaocrypt/rsa.h>
28 #include <cyassl/ctaocrypt/random.h>
29 #include <cyassl/ctaocrypt/error.h>
30 #include <cyassl/ctaocrypt/logging.h>
38 RSA_PUBLIC_ENCRYPT = 0,
39 RSA_PUBLIC_DECRYPT = 1,
40 RSA_PRIVATE_ENCRYPT = 2,
41 RSA_PRIVATE_DECRYPT = 3,
49 RSA_MIN_PAD_SZ = 11 /* seperator + 0 + pad value + 8 pads */
53 void InitRsaKey(RsaKey* key, void* heap)
55 key->type = -1; /* haven't decided yet */
58 /* TomsFastMath doesn't use memory allocation */
60 key->n.dp = key->e.dp = 0; /* public alloc parts */
62 key->d.dp = key->p.dp = 0; /* private alloc parts */
63 key->q.dp = key->dP.dp = 0;
64 key->u.dp = key->dQ.dp = 0;
69 void FreeRsaKey(RsaKey* key)
72 /* TomsFastMath doesn't use memory allocation */
74 if (key->type == RSA_PRIVATE) {
87 static void RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
88 word32 pkcsBlockLen, byte padValue, RNG* rng)
90 if (inputLen == 0) return;
92 pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
93 pkcsBlock++; pkcsBlockLen--;
94 pkcsBlock[0] = padValue; /* insert padValue */
96 if (padValue == RSA_BLOCK_TYPE_1)
97 /* pad with 0xff bytes */
98 XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
100 /* pad with non-zero random bytes */
101 word32 padLen = pkcsBlockLen - inputLen - 1, i;
102 RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
105 for (i = 1; i < padLen; i++)
106 if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
109 pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
110 XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
114 static word32 RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
115 byte **output, byte padValue)
117 word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0,
122 if (pkcsBlock[0] != 0x0) /* skip past zero */
124 pkcsBlock++; pkcsBlockLen--;
126 /* Require block type padValue */
127 invalid = (pkcsBlock[0] != padValue) || invalid;
129 /* skip past the padding until we find the separator */
130 while (i<pkcsBlockLen && pkcsBlock[i++]) { /* null body */
132 if(!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) {
133 CYASSL_MSG("RsaUnPad error, bad formatting");
137 outputLen = pkcsBlockLen - i;
138 invalid = (outputLen > maxOutputLen) || invalid;
141 CYASSL_MSG("RsaUnPad error, bad formatting");
145 *output = (byte *)(pkcsBlock + i);
150 static int RsaFunction(const byte* in, word32 inLen, byte* out, word32* outLen,
151 int type, RsaKey* key)
153 #define ERROR_OUT(x) { ret = x; goto done;}
159 if (mp_init(&tmp) != MP_OKAY)
162 if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY)
163 ERROR_OUT(MP_READ_E);
165 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
166 #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
167 if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY)
168 ERROR_OUT(MP_EXPTMOD_E);
170 #define INNER_ERROR_OUT(x) { ret = x; goto inner_done; }
174 if (mp_init(&tmpa) != MP_OKAY)
175 ERROR_OUT(MP_INIT_E);
177 if (mp_init(&tmpb) != MP_OKAY) {
179 ERROR_OUT(MP_INIT_E);
182 /* tmpa = tmp^dP mod p */
183 if (mp_exptmod(&tmp, &key->dP, &key->p, &tmpa) != MP_OKAY)
184 INNER_ERROR_OUT(MP_EXPTMOD_E);
186 /* tmpb = tmp^dQ mod q */
187 if (mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb) != MP_OKAY)
188 INNER_ERROR_OUT(MP_EXPTMOD_E);
190 /* tmp = (tmpa - tmpb) * qInv (mod p) */
191 if (mp_sub(&tmpa, &tmpb, &tmp) != MP_OKAY)
192 INNER_ERROR_OUT(MP_SUB_E);
194 if (mp_mulmod(&tmp, &key->u, &key->p, &tmp) != MP_OKAY)
195 INNER_ERROR_OUT(MP_MULMOD_E);
197 /* tmp = tmpb + q * tmp */
198 if (mp_mul(&tmp, &key->q, &tmp) != MP_OKAY)
199 INNER_ERROR_OUT(MP_MUL_E);
201 if (mp_add(&tmp, &tmpb, &tmp) != MP_OKAY)
202 INNER_ERROR_OUT(MP_ADD_E);
208 if (ret != 0) return ret;
210 #endif /* RSA_LOW_MEM */
212 else if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
213 if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY)
214 ERROR_OUT(MP_EXPTMOD_E);
217 ERROR_OUT(RSA_WRONG_TYPE_E);
219 keyLen = mp_unsigned_bin_size(&key->n);
220 if (keyLen > *outLen)
221 ERROR_OUT(RSA_BUFFER_E);
223 len = mp_unsigned_bin_size(&tmp);
225 /* pad front w/ zeros to match key length */
226 while (len < keyLen) {
234 if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY)
243 int RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
244 RsaKey* key, RNG* rng)
246 int sz = mp_unsigned_bin_size(&key->n), ret;
248 if (sz > (int)outLen)
251 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
254 RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_2, rng);
256 if ((ret = RsaFunction(out, sz, out, &outLen, RSA_PUBLIC_ENCRYPT, key)) < 0)
263 int RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
267 if ((ret = RsaFunction(in, inLen, in, &inLen, RSA_PRIVATE_DECRYPT, key))
272 plainLen = RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_2);
278 int RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
285 tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
290 XMEMCPY(tmp, in, inLen);
292 if ((ret = plainLen = RsaPrivateDecryptInline(tmp, inLen, &pad, key))
294 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
297 if (plainLen > (int)outLen)
298 plainLen = BAD_FUNC_ARG;
300 XMEMCPY(out, pad, plainLen);
301 XMEMSET(tmp, 0x00, inLen);
303 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
309 int RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
313 if ((ret = RsaFunction(in, inLen, in, &inLen, RSA_PUBLIC_DECRYPT, key))
318 plainLen = RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_1);
324 int RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
331 tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
336 XMEMCPY(tmp, in, inLen);
338 if ((ret = plainLen = RsaSSL_VerifyInline(tmp, inLen, &pad, key))
340 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
344 if (plainLen > (int)outLen)
345 plainLen = BAD_FUNC_ARG;
347 XMEMCPY(out, pad, plainLen);
348 XMEMSET(tmp, 0x00, inLen);
350 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
356 int RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
357 RsaKey* key, RNG* rng)
359 int sz = mp_unsigned_bin_size(&key->n), ret;
361 if (sz > (int)outLen)
364 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
367 RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_1, rng);
369 if ((ret = RsaFunction(out, sz, out, &outLen, RSA_PRIVATE_ENCRYPT,key)) < 0)
376 int RsaEncryptSize(RsaKey* key)
378 return mp_unsigned_bin_size(&key->n);
382 #ifdef CYASSL_KEY_GEN
384 static const int USE_BBS = 1;
386 static int rand_prime(mp_int* N, int len, RNG* rng, void* heap)
392 if (N == NULL || rng == NULL)
403 /* allow sizes between 2 and 512 bytes for a prime size */
404 if (len < 2 || len > 512) {
408 /* allocate buffer to work with */
409 buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA);
413 XMEMSET(buf, 0, len);
421 RNG_GenerateBlock(rng, buf, len);
424 buf[0] |= 0x80 | 0x40;
425 buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
428 if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) {
429 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
434 if ((err = mp_prime_is_prime(N, 8, &res)) != MP_OKAY) {
435 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
438 } while (res == MP_NO);
440 #ifdef LTC_CLEAN_STACK
441 XMEMSET(buf, 0, len);
444 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
449 /* Make an RSA key for size bits, with e specified, 65537 is a good e */
450 int MakeRsaKey(RsaKey* key, int size, long e, RNG* rng)
452 mp_int p, q, tmp1, tmp2, tmp3;
455 if (key == NULL || rng == NULL)
458 if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE)
461 if (e < 3 || (e & 1) == 0)
464 if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY)
467 err = mp_set_int(&tmp3, e);
470 if (err == MP_OKAY) {
472 err = rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */
475 err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */
478 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(p-1, e) */
479 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divdes p-1 */
483 if (err == MP_OKAY) {
485 err = rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */
488 err = mp_sub_d(&q, 1, &tmp1); /* tmp1 = q-1 */
491 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(q-1, e) */
492 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divdes q-1 */
496 err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
499 err = mp_init_multi(&key->dP, &key->dP, &key->u, NULL, NULL, NULL);
502 err = mp_sub_d(&p, 1, &tmp2); /* tmp2 = p-1 */
505 err = mp_lcm(&tmp1, &tmp2, &tmp1); /* tmp1 = lcm(p-1, q-1),last loop */
509 err = mp_set_int(&key->e, e); /* key->e = e */
511 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
512 err = mp_invmod(&key->e, &tmp1, &key->d);
515 err = mp_mul(&p, &q, &key->n); /* key->n = pq */
518 err = mp_sub_d(&p, 1, &tmp1);
521 err = mp_sub_d(&q, 1, &tmp2);
524 err = mp_mod(&key->d, &tmp1, &key->dP);
527 err = mp_mod(&key->d, &tmp2, &key->dQ);
530 err = mp_invmod(&q, &p, &key->u);
533 err = mp_copy(&p, &key->p);
536 err = mp_copy(&q, &key->q);
539 key->type = RSA_PRIVATE;
547 if (err != MP_OKAY) {
556 #endif /* CYASLS_KEY_GEN */