void
md_ctx_init (md_context_t *ctx, const md_info_t *kt)
{
ASSERT(NULL != ctx && NULL != kt);
CLEAR(*ctx);
ASSERT(0 == md_init_ctx(ctx, kt));
ASSERT(0 == md_starts(ctx));
}
/**
* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
*
* \param dst buffer to mask
* \param dlen length of destination buffer
* \param src source of the mask generation
* \param slen length of the source buffer
* \param md_ctx message digest context to use
*/
static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen,
md_context_t *md_ctx )
{
unsigned char mask[POLARSSL_MD_MAX_SIZE];
unsigned char counter[4];
unsigned char *p;
unsigned int hlen;
size_t i, use_len;
memset( mask, 0, POLARSSL_MD_MAX_SIZE );
memset( counter, 0, 4 );
hlen = md_ctx->md_info->size;
// Generate and apply dbMask
//
p = dst;
while( dlen > 0 )
{
use_len = hlen;
if( dlen < hlen )
use_len = dlen;
md_starts( md_ctx );
md_update( md_ctx, src, slen );
md_update( md_ctx, counter, 4 );
md_finish( md_ctx, mask );
for( i = 0; i < use_len; ++i )
*p++ ^= mask[i];
counter[3]++;
dlen -= use_len;
}
}
int bytes_to_key(const cipher_kt_t *cipher, const digest_type_t *md,
const uint8_t *pass, uint8_t *key, uint8_t *iv)
{
size_t datal;
datal = strlen((const char *)pass);
#if defined(USE_CRYPTO_OPENSSL)
return EVP_BytesToKey(cipher, md, NULL, pass, datal, 1, key, iv);
#elif defined(USE_CRYPTO_POLARSSL)
md_context_t c;
unsigned char md_buf[MAX_MD_SIZE];
int niv;
int nkey;
int addmd;
unsigned int mds;
unsigned int i;
int rv;
nkey = cipher_key_size(cipher);
niv = cipher_iv_size(cipher);
rv = nkey;
if (pass == NULL) {
return nkey;
}
memset(&c, 0, sizeof(md_context_t));
if (md_init_ctx(&c, md)) {
return 0;
}
addmd = 0;
mds = md_get_size(md);
for (;;) {
int error;
do {
error = 1;
if (md_starts(&c)) {
break;
}
if (addmd) {
if (md_update(&c, &(md_buf[0]), mds)) {
break;
}
} else {
addmd = 1;
}
if (md_update(&c, pass, datal)) {
break;
}
if (md_finish(&c, &(md_buf[0]))) {
break;
}
error = 0;
} while (0);
if (error) {
md_free_ctx(&c);
memset(md_buf, 0, MAX_MD_SIZE);
return 0;
}
i = 0;
if (nkey) {
for (;;) {
if (nkey == 0) {
break;
}
if (i == mds) {
break;
}
if (key != NULL) {
*(key++) = md_buf[i];
}
nkey--;
i++;
}
}
if (niv && (i != mds)) {
for (;;) {
if (niv == 0) {
break;
}
if (i == mds) {
break;
}
if (iv != NULL) {
*(iv++) = md_buf[i];
}
niv--;
i++;
}
}
if ((nkey == 0) && (niv == 0)) {
break;
}
}
md_free_ctx(&c);
memset(md_buf, 0, MAX_MD_SIZE);
return rv;
#elif defined(USE_CRYPTO_MBEDTLS)
/*
*
* Generic message digest context.
*
* typedef struct {
* Information about the associated message digest
* const mbedtls_md_info_t *md_info;
*
* Digest-specific context
* void *md_ctx;
*
* HMAC part of the context
* void *hmac_ctx;
* } mbedtls_md_context_t; // mbedtls 2.0.0
*
* typedef struct {
* Information about the associated message digest
* const md_info_t *md_info;
*
* Digest-specific context
* void *md_ctx;
* } md_context_t; //polarssl 1.3
*
*/
// NOTE: different struct body, initialize new param hmac 0 to disable HMAC
mbedtls_md_context_t c;
unsigned char md_buf[MAX_MD_SIZE];
int niv;
int nkey;
int addmd;
unsigned int mds;
unsigned int i;
int rv;
nkey = cipher_key_size(cipher);
niv = cipher_iv_size(cipher);
rv = nkey;
if (pass == NULL) {
return nkey;
}
memset(&c, 0, sizeof(mbedtls_md_context_t));
// XXX: md_init_ctx superseded by mbedtls_md_setup() in 2.0.0
// new param hmac 0 to save some memory if HMAC will not be used,
// non-zero is HMAC is going to be used with this context.
if (mbedtls_md_setup(&c, md, 1)) {
return 0;
}
addmd = 0;
mds = mbedtls_md_get_size(md);
for (;;) {
int error;
do {
error = 1;
if (mbedtls_md_starts(&c)) {
break;
}
if (addmd) {
if (mbedtls_md_update(&c, &(md_buf[0]), mds)) {
break;
}
} else {
addmd = 1;
}
if (mbedtls_md_update(&c, pass, datal)) {
break;
}
if (mbedtls_md_finish(&c, &(md_buf[0]))) {
break;
}
error = 0;
} while (0);
if (error) {
mbedtls_md_free(&c); // md_free_ctx deprecated, Use mbedtls_md_free() instead
memset(md_buf, 0, MAX_MD_SIZE);
return 0;
}
i = 0;
if (nkey) {
for (;;) {
if (nkey == 0) {
break;
}
if (i == mds) {
break;
}
if (key != NULL) {
*(key++) = md_buf[i];
}
nkey--;
i++;
}
}
if (niv && (i != mds)) {
for (;;) {
if (niv == 0) {
break;
}
if (i == mds) {
break;
}
if (iv != NULL) {
*(iv++) = md_buf[i];
}
niv--;
i++;
}
}
if ((nkey == 0) && (niv == 0)) {
break;
}
}
mbedtls_md_free(&c); // NOTE: md_free_ctx deprecated, Use mbedtls_md_free() instead
memset(md_buf, 0, MAX_MD_SIZE);
return rv;
#endif
}
/*
* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
*/
int rsa_rsassa_pss_sign( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig )
{
size_t olen;
unsigned char *p = sig;
unsigned char salt[POLARSSL_MD_MAX_SIZE];
unsigned int slen, hlen, offset = 0;
int ret;
size_t msb;
const md_info_t *md_info;
md_context_t md_ctx;
if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len;
switch( hash_id )
{
case SIG_RSA_MD2:
case SIG_RSA_MD4:
case SIG_RSA_MD5:
hashlen = 16;
break;
case SIG_RSA_SHA1:
hashlen = 20;
break;
case SIG_RSA_SHA224:
hashlen = 28;
break;
case SIG_RSA_SHA256:
hashlen = 32;
break;
case SIG_RSA_SHA384:
hashlen = 48;
break;
case SIG_RSA_SHA512:
hashlen = 64;
break;
default:
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
md_info = md_info_from_type( ctx->hash_id );
if( md_info == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hlen = md_get_size( md_info );
slen = hlen;
if( olen < hlen + slen + 2 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
memset( sig, 0, olen );
msb = mpi_msb( &ctx->N ) - 1;
// Generate salt of length slen
//
if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
// Note: EMSA-PSS encoding is over the length of N - 1 bits
//
msb = mpi_msb( &ctx->N ) - 1;
p += olen - hlen * 2 - 2;
*p++ = 0x01;
memcpy( p, salt, slen );
p += slen;
md_init_ctx( &md_ctx, md_info );
// Generate H = Hash( M' )
//
md_starts( &md_ctx );
md_update( &md_ctx, p, 8 );
md_update( &md_ctx, hash, hashlen );
md_update( &md_ctx, salt, slen );
md_finish( &md_ctx, p );
// Compensate for boundary condition when applying mask
//
if( msb % 8 == 0 )
offset = 1;
// maskedDB: Apply dbMask to DB
//
mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
md_free_ctx( &md_ctx );
msb = mpi_msb( &ctx->N ) - 1;
sig[0] &= 0xFF >> ( olen * 8 - msb );
p += hlen;
*p++ = 0xBC;
return( ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, sig )
: rsa_private( ctx, sig, sig ) );
}
/*
* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
*/
int rsa_rsassa_pss_verify( rsa_context *ctx,
int mode,
int hash_id,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig )
{
int ret;
size_t siglen;
unsigned char *p;
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
unsigned char result[POLARSSL_MD_MAX_SIZE];
unsigned char zeros[8];
unsigned int hlen;
size_t slen, msb;
const md_info_t *md_info;
md_context_t md_ctx;
if( ctx->padding != RSA_PKCS_V21 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
siglen = ctx->len;
if( siglen < 16 || siglen > sizeof( buf ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
ret = ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, buf )
: rsa_private( ctx, sig, buf );
if( ret != 0 )
return( ret );
p = buf;
if( buf[siglen - 1] != 0xBC )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
switch( hash_id )
{
case SIG_RSA_MD2:
case SIG_RSA_MD4:
case SIG_RSA_MD5:
hashlen = 16;
break;
case SIG_RSA_SHA1:
hashlen = 20;
break;
case SIG_RSA_SHA224:
hashlen = 28;
break;
case SIG_RSA_SHA256:
hashlen = 32;
break;
case SIG_RSA_SHA384:
hashlen = 48;
break;
case SIG_RSA_SHA512:
hashlen = 64;
break;
default:
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
md_info = md_info_from_type( ctx->hash_id );
if( md_info == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hlen = md_get_size( md_info );
slen = siglen - hlen - 1;
memset( zeros, 0, 8 );
// Note: EMSA-PSS verification is over the length of N - 1 bits
//
msb = mpi_msb( &ctx->N ) - 1;
// Compensate for boundary condition when applying mask
//
if( msb % 8 == 0 )
{
p++;
siglen -= 1;
}
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
md_init_ctx( &md_ctx, md_info );
mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
buf[0] &= 0xFF >> ( siglen * 8 - msb );
while( *p == 0 && p < buf + siglen )
p++;
if( p == buf + siglen ||
*p++ != 0x01 )
{
md_free_ctx( &md_ctx );
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
slen -= p - buf;
// Generate H = Hash( M' )
//
md_starts( &md_ctx );
md_update( &md_ctx, zeros, 8 );
md_update( &md_ctx, hash, hashlen );
md_update( &md_ctx, p, slen );
md_finish( &md_ctx, result );
md_free_ctx( &md_ctx );
if( memcmp( p + slen, result, hlen ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
}
/*
* Do an RSA operation and check the message digest
*/
int rsa_pkcs1_verify( rsa_context *ctx,
int mode,
int hash_id,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig )
{
int ret;
size_t len, siglen;
unsigned char *p, c;
unsigned char buf[1024];
#if defined(POLARSSL_PKCS1_V21)
unsigned char zeros[8];
unsigned int hlen;
size_t slen, msb;
const md_info_t *md_info;
md_context_t md_ctx;
#endif
siglen = ctx->len;
if( siglen < 16 || siglen > (int) sizeof( buf ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
ret = ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, buf )
: rsa_private( ctx, sig, buf );
if( ret != 0 )
return( ret );
p = buf;
switch( ctx->padding )
{
case RSA_PKCS_V15:
if( *p++ != 0 || *p++ != RSA_SIGN )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
while( *p != 0 )
{
if( p >= buf + siglen - 1 || *p != 0xFF )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
p++;
}
p++;
len = siglen - (int)( p - buf );
if( len == 34 )
{
c = p[13];
p[13] = 0;
if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
( c == 4 && hash_id == SIG_RSA_MD4 ) ||
( c == 5 && hash_id == SIG_RSA_MD5 ) )
{
if( memcmp( p + 18, hash, 16 ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
}
}
if( len == 35 && hash_id == SIG_RSA_SHA1 )
{
if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
memcmp( p + 15, hash, 20 ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
}
if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
{
c = p[1] - 17;
p[1] = 17;
p[14] = 0;
if( p[18] == c &&
memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
memcmp( p + 19, hash, c ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
}
if( len == hashlen && hash_id == SIG_RSA_RAW )
{
if( memcmp( p, hash, hashlen ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
}
break;
#if defined(POLARSSL_PKCS1_V21)
case RSA_PKCS_V21:
if( buf[siglen - 1] != 0xBC )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
switch( hash_id )
{
case SIG_RSA_MD2:
case SIG_RSA_MD4:
case SIG_RSA_MD5:
hashlen = 16;
break;
case SIG_RSA_SHA1:
hashlen = 20;
break;
case SIG_RSA_SHA224:
hashlen = 28;
break;
case SIG_RSA_SHA256:
hashlen = 32;
break;
case SIG_RSA_SHA384:
hashlen = 48;
break;
case SIG_RSA_SHA512:
hashlen = 64;
break;
default:
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
md_info = md_info_from_type( ctx->hash_id );
if( md_info == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hlen = md_get_size( md_info );
slen = siglen - hlen - 1;
memset( &md_ctx, 0, sizeof( md_context_t ) );
memset( zeros, 0, 8 );
md_init_ctx( &md_ctx, md_info );
// Note: EMSA-PSS verification is over the length of N - 1 bits
//
msb = mpi_msb( &ctx->N ) - 1;
// Compensate for boundary condition when applying mask
//
if( msb % 8 == 0 )
{
p++;
siglen -= 1;
}
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
buf[0] &= 0xFF >> ( siglen * 8 - msb );
while( *p == 0 && p < buf + siglen )
p++;
if( p == buf + siglen )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
if( *p++ != 0x01 )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
slen -= p - buf;
// Generate H = Hash( M' )
//
md_starts( &md_ctx );
md_update( &md_ctx, zeros, 8 );
md_update( &md_ctx, hash, hashlen );
md_update( &md_ctx, p, slen );
md_finish( &md_ctx, p );
if( memcmp( p, p + slen, hlen ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
break;
#endif
default:
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
/*
* Do an RSA operation to sign the message digest
*/
int rsa_pkcs1_sign( rsa_context *ctx,
int (*f_rng)(void *),
void *p_rng,
int mode,
int hash_id,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig )
{
size_t nb_pad, olen;
unsigned char *p = sig;
#if defined(POLARSSL_PKCS1_V21)
unsigned char salt[POLARSSL_MD_MAX_SIZE];
unsigned int i, slen, hlen, offset = 0;
size_t msb;
const md_info_t *md_info;
md_context_t md_ctx;
#else
(void) f_rng;
(void) p_rng;
#endif
olen = ctx->len;
switch( ctx->padding )
{
case RSA_PKCS_V15:
switch( hash_id )
{
case SIG_RSA_RAW:
nb_pad = olen - 3 - hashlen;
break;
case SIG_RSA_MD2:
case SIG_RSA_MD4:
case SIG_RSA_MD5:
nb_pad = olen - 3 - 34;
break;
case SIG_RSA_SHA1:
nb_pad = olen - 3 - 35;
break;
case SIG_RSA_SHA224:
nb_pad = olen - 3 - 47;
break;
case SIG_RSA_SHA256:
nb_pad = olen - 3 - 51;
break;
case SIG_RSA_SHA384:
nb_pad = olen - 3 - 67;
break;
case SIG_RSA_SHA512:
nb_pad = olen - 3 - 83;
break;
default:
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
if( nb_pad < 8 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
*p++ = 0;
*p++ = RSA_SIGN;
memset( p, 0xFF, nb_pad );
p += nb_pad;
*p++ = 0;
switch( hash_id )
{
case SIG_RSA_RAW:
memcpy( p, hash, hashlen );
break;
case SIG_RSA_MD2:
memcpy( p, ASN1_HASH_MDX, 18 );
memcpy( p + 18, hash, 16 );
p[13] = 2; break;
case SIG_RSA_MD4:
memcpy( p, ASN1_HASH_MDX, 18 );
memcpy( p + 18, hash, 16 );
p[13] = 4; break;
case SIG_RSA_MD5:
memcpy( p, ASN1_HASH_MDX, 18 );
memcpy( p + 18, hash, 16 );
p[13] = 5; break;
case SIG_RSA_SHA1:
memcpy( p, ASN1_HASH_SHA1, 15 );
memcpy( p + 15, hash, 20 );
break;
case SIG_RSA_SHA224:
memcpy( p, ASN1_HASH_SHA2X, 19 );
memcpy( p + 19, hash, 28 );
p[1] += 28; p[14] = 4; p[18] += 28; break;
case SIG_RSA_SHA256:
memcpy( p, ASN1_HASH_SHA2X, 19 );
memcpy( p + 19, hash, 32 );
p[1] += 32; p[14] = 1; p[18] += 32; break;
case SIG_RSA_SHA384:
memcpy( p, ASN1_HASH_SHA2X, 19 );
memcpy( p + 19, hash, 48 );
p[1] += 48; p[14] = 2; p[18] += 48; break;
case SIG_RSA_SHA512:
memcpy( p, ASN1_HASH_SHA2X, 19 );
memcpy( p + 19, hash, 64 );
p[1] += 64; p[14] = 3; p[18] += 64; break;
default:
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
break;
#if defined(POLARSSL_PKCS1_V21)
case RSA_PKCS_V21:
if( f_rng == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
switch( hash_id )
{
case SIG_RSA_MD2:
case SIG_RSA_MD4:
case SIG_RSA_MD5:
hashlen = 16;
break;
case SIG_RSA_SHA1:
hashlen = 20;
break;
case SIG_RSA_SHA224:
hashlen = 28;
break;
case SIG_RSA_SHA256:
hashlen = 32;
break;
case SIG_RSA_SHA384:
hashlen = 48;
break;
case SIG_RSA_SHA512:
hashlen = 64;
break;
default:
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
md_info = md_info_from_type( ctx->hash_id );
if( md_info == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hlen = md_get_size( md_info );
slen = hlen;
memset( sig, 0, olen );
memset( &md_ctx, 0, sizeof( md_context_t ) );
md_init_ctx( &md_ctx, md_info );
msb = mpi_msb( &ctx->N ) - 1;
// Generate salt of length slen
//
for( i = 0; i < slen; ++i )
salt[i] = (unsigned char) f_rng( p_rng );
// Note: EMSA-PSS encoding is over the length of N - 1 bits
//
msb = mpi_msb( &ctx->N ) - 1;
p += olen - hlen * 2 - 2;
*p++ = 0x01;
memcpy( p, salt, slen );
p += slen;
// Generate H = Hash( M' )
//
md_starts( &md_ctx );
md_update( &md_ctx, p, 8 );
md_update( &md_ctx, hash, hashlen );
md_update( &md_ctx, salt, slen );
md_finish( &md_ctx, p );
// Compensate for boundary condition when applying mask
//
if( msb % 8 == 0 )
offset = 1;
// maskedDB: Apply dbMask to DB
//
mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
msb = mpi_msb( &ctx->N ) - 1;
sig[0] &= 0xFF >> ( olen * 8 - msb );
p += hlen;
*p++ = 0xBC;
break;
#endif
default:
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
return( ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, sig )
: rsa_private( ctx, sig, sig ) );
}
int bytes_to_key(const cipher_kt_t *cipher, const digest_type_t *md, const uint8_t *pass, uint8_t *key, uint8_t *iv)
{
size_t datal;
datal = strlen((const char *) pass);
#if defined(USE_CRYPTO_OPENSSL)
return EVP_BytesToKey(cipher, md, NULL, pass, datal, 1, key, iv);
#elif defined(USE_CRYPTO_POLARSSL)
md_context_t c;
unsigned char md_buf[MAX_MD_SIZE];
int niv;
int nkey;
int addmd;
unsigned int mds;
unsigned int i;
int rv;
nkey = cipher_key_size(cipher);
niv = cipher_iv_size(cipher);
rv = nkey;
if (pass == NULL) {
return nkey;
}
memset(&c, 0, sizeof(md_context_t));
if (md_init_ctx(&c, md)) {
return 0;
}
addmd = 0;
mds = md_get_size(md);
for (;;) {
int error;
do {
error = 1;
if (md_starts(&c)) {
break;
}
if (addmd) {
if (md_update(&c, &(md_buf[0]), mds)) {
break;
}
} else {
addmd = 1;
}
if (md_update(&c, pass, datal))
break;
if (md_finish(&c, &(md_buf[0])))
break;
error = 0;
} while (0);
if (error) {
md_free_ctx(&c);
memset(md_buf, 0, MAX_MD_SIZE);
return 0;
}
i=0;
if (nkey) {
for (;;) {
if (nkey == 0) break;
if (i == mds) break;
if (key != NULL)
*(key++)=md_buf[i];
nkey--;
i++;
}
}
if (niv && (i != mds)) {
for (;;) {
if (niv == 0) break;
if (i == mds) break;
if (iv != NULL)
*(iv++)=md_buf[i];
niv--;
i++;
}
}
if ((nkey == 0) && (niv == 0)) break;
}
md_free_ctx(&c);
memset(md_buf, 0, MAX_MD_SIZE);
return rv;
#endif
}
/*
* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
*/
int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
md_type_t mgf1_hash_id,
int expected_salt_len,
const unsigned char *sig )
{
int ret;
size_t siglen;
unsigned char *p;
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
unsigned char result[POLARSSL_MD_MAX_SIZE];
unsigned char zeros[8];
unsigned int hlen;
size_t slen, msb;
const md_info_t *md_info;
md_context_t md_ctx;
if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
siglen = ctx->len;
if( siglen < 16 || siglen > sizeof( buf ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
ret = ( mode == RSA_PUBLIC )
? rsa_public( ctx, sig, buf )
: rsa_private( ctx, f_rng, p_rng, sig, buf );
if( ret != 0 )
return( ret );
p = buf;
if( buf[siglen - 1] != 0xBC )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
if( md_alg != POLARSSL_MD_NONE )
{
// Gather length of hash to sign
//
md_info = md_info_from_type( md_alg );
if( md_info == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hashlen = md_get_size( md_info );
}
md_info = md_info_from_type( mgf1_hash_id );
if( md_info == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hlen = md_get_size( md_info );
slen = siglen - hlen - 1; /* Currently length of salt + padding */
memset( zeros, 0, 8 );
// Note: EMSA-PSS verification is over the length of N - 1 bits
//
msb = mpi_msb( &ctx->N ) - 1;
// Compensate for boundary condition when applying mask
//
if( msb % 8 == 0 )
{
p++;
siglen -= 1;
}
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
md_init( &md_ctx );
md_init_ctx( &md_ctx, md_info );
mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
buf[0] &= 0xFF >> ( siglen * 8 - msb );
while( p < buf + siglen && *p == 0 )
p++;
if( p == buf + siglen ||
*p++ != 0x01 )
{
md_free( &md_ctx );
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
/* Actual salt len */
slen -= p - buf;
if( expected_salt_len != RSA_SALT_LEN_ANY &&
slen != (size_t) expected_salt_len )
{
md_free( &md_ctx );
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
// Generate H = Hash( M' )
//
md_starts( &md_ctx );
md_update( &md_ctx, zeros, 8 );
md_update( &md_ctx, hash, hashlen );
md_update( &md_ctx, p, slen );
md_finish( &md_ctx, result );
md_free( &md_ctx );
if( memcmp( p + slen, result, hlen ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
}