- fixed gmp initialization bugs
[strongswan.git] / Source / charon / transforms / rsa / rsa_public_key.c
1 /**
2 * @file rsa_public_key.c
3 *
4 * @brief Implementation of rsa_public_key_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <gmp.h>
24
25 #include "rsa_public_key.h"
26
27 #include <daemon.h>
28 #include <utils/allocator.h>
29 #include <transforms/hashers/hasher.h>
30
31 /*
32 * Since we don't have an ASN1 parser/generator,
33 * we use these predefined values for
34 * hash algorithm oids. These also contain
35 * the length of the following hash.
36 * These values are also used in rsa_private_key.c.
37 */
38
39 u_int8_t md2_oid[18] = {
40 0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,
41 0x48,0x86,0xf7,0x0d,0x02,0x02,0x05,0x00,
42 0x04,0x10
43 };
44
45 u_int8_t md5_oid[] = {
46 0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,
47 0x48,0x86,0xf7,0x0d,0x02,0x05,0x05,0x00,
48 0x04,0x10
49 };
50
51 u_int8_t sha1_oid[] = {
52 0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,
53 0x03,0x02,0x1a,0x05,0x00,0x04,0x14
54 };
55
56 u_int8_t sha256_oid[] = {
57 0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,
58 0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,
59 0x00,0x04,0x20
60 };
61
62 u_int8_t sha384_oid[] = {
63 0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,
64 0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,
65 0x00,0x04,0x30
66 };
67
68 u_int8_t sha512_oid[] = {
69 0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,
70 0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,
71 0x00,0x04,0x40
72 };
73
74
75 typedef struct private_rsa_public_key_t private_rsa_public_key_t;
76
77 /**
78 * Private data structure with signing context.
79 */
80 struct private_rsa_public_key_t {
81 /**
82 * Public interface for this signer.
83 */
84 rsa_public_key_t public;
85
86 /**
87 * Is the key already set ?
88 */
89 bool is_key_set;
90
91 /**
92 * Public modulus.
93 */
94 mpz_t n;
95 /**
96 * Public exponent.
97 */
98 mpz_t e;
99
100 /**
101 * Keysize in bytes.
102 */
103 size_t k;
104
105 /**
106 * @brief Implements the RSAEP algorithm specified in PKCS#1.
107 *
108 * @param this calling object
109 * @param data data to process
110 * @return processed data
111 */
112 chunk_t (*rsaep) (private_rsa_public_key_t *this, chunk_t data);
113
114 /**
115 * @brief Implements the RSASVP1 algorithm specified in PKCS#1.
116 *
117 * @param this calling object
118 * @param data data to process
119 * @return processed data
120 */
121 chunk_t (*rsavp1) (private_rsa_public_key_t *this, chunk_t data);
122 };
123
124 /**
125 * Implementation of private_rsa_public_key_t.rsadp and private_rsa_public_key_t.rsavp1
126 */
127 static chunk_t rsaep(private_rsa_public_key_t *this, chunk_t data)
128 {
129 mpz_t m, c;
130 chunk_t encrypted;
131
132 mpz_init(c);
133 mpz_init(m);
134
135 mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
136
137 mpz_powm(c, m, this->e, this->n);
138
139 encrypted.len = this->k;
140 encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
141
142 mpz_clear(c);
143 mpz_clear(m);
144
145 return encrypted;
146 }
147
148 /**
149 * Implementation of rsa_public_key.verify_emsa_signature.
150 */
151 static status_t verify_emsa_pkcs1_signature(private_rsa_public_key_t *this, chunk_t data, chunk_t signature)
152 {
153 hasher_t *hasher = NULL;
154 chunk_t hash;
155 chunk_t em;
156 u_int8_t *pos;
157
158 if(!this->is_key_set)
159 {
160 return INVALID_STATE;
161 }
162
163 if (signature.len > this->k)
164 {
165 return INVALID_ARG;
166 }
167
168 /* unpack signature */
169 em = this->rsavp1(this, signature);
170
171 /* result should look like this:
172 * EM = 0x00 || 0x01 || PS || 0x00 || T.
173 * PS = 0xFF padding, with length to fill em
174 * T = oid || hash
175 */
176
177 /* check magic bytes */
178 if ((*(em.ptr) != 0x00) ||
179 (*(em.ptr+1) != 0x01))
180 {
181 allocator_free(em.ptr);
182 return FAILED;
183 }
184
185 /* find magic 0x00 */
186 pos = em.ptr + 2;
187 while (pos <= em.ptr + em.len)
188 {
189 if (*pos == 0x00)
190 {
191 /* found magic byte, stop */
192 pos++;
193 break;
194 }
195 else if (*pos != 0xFF)
196 {
197 /* bad padding, decryption failed ?!*/
198 allocator_free(em.ptr);
199 return FAILED;
200 }
201 pos++;
202 }
203
204 if (pos + 20 > em.ptr + em.len)
205 {
206 /* not enought room for oid compare */
207 allocator_free(em.ptr);
208 return FAILED;
209 }
210
211 if (memcmp(md2_oid, pos, sizeof(md2_oid)) == 0)
212 {
213 hasher = hasher_create(HASH_MD2);
214 pos += sizeof(md2_oid);
215 }
216 else if (memcmp(md5_oid, pos, sizeof(md5_oid)) == 0)
217 {
218 hasher = hasher_create(HASH_MD5);
219 pos += sizeof(md5_oid);
220 }
221 else if (memcmp(sha1_oid, pos, sizeof(sha1_oid)) == 0)
222 {
223 hasher = hasher_create(HASH_SHA1);
224 pos += sizeof(sha1_oid);
225 }
226 else if (memcmp(sha256_oid, pos, sizeof(sha256_oid)) == 0)
227 {
228 hasher = hasher_create(HASH_SHA256);
229 pos += sizeof(sha256_oid);
230 }
231 else if (memcmp(sha384_oid, pos, sizeof(sha384_oid)) == 0)
232 {
233 hasher = hasher_create(HASH_SHA384);
234 pos += sizeof(sha384_oid);
235 }
236 else if (memcmp(sha512_oid, pos, sizeof(sha512_oid)) == 0)
237 {
238 hasher = hasher_create(HASH_SHA512);
239 pos += sizeof(sha512_oid);
240 }
241
242 if (hasher == NULL)
243 {
244 /* not supported hash algorithm */
245 allocator_free(em.ptr);
246 return NOT_SUPPORTED;
247 }
248
249 if (pos + hasher->get_block_size(hasher) != em.ptr + em.len)
250 {
251 /* bad length */
252 allocator_free(em.ptr);
253 hasher->destroy(hasher);
254 return FAILED;
255 }
256
257 /* build own hash for a compare */
258 hasher->allocate_hash(hasher, data, &hash);
259 hasher->destroy(hasher);
260
261 if (memcmp(hash.ptr, pos, hash.len) != 0)
262 {
263 /* hash does not equal */
264 allocator_free(hash.ptr);
265 allocator_free(em.ptr);
266 return FAILED;
267
268 }
269
270 /* seems good */
271 allocator_free(hash.ptr);
272 allocator_free(em.ptr);
273 return SUCCESS;
274 }
275
276 /**
277 * Implementation of rsa_public_key.set_key.
278 */
279 static status_t set_key(private_rsa_public_key_t *this, chunk_t key)
280 {
281 chunk_t n, e;
282
283 n.len = key.len/2;
284 n.ptr = key.ptr;
285 e.len = n.len;
286 e.ptr = key.ptr + n.len;
287
288 mpz_init(this->n);
289 mpz_init(this->e);
290
291 mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
292 mpz_import(this->e, n.len, 1, 1, 1, 0, e.ptr);
293
294 this->k = n.len;
295
296 this->is_key_set = TRUE;
297
298 return SUCCESS;
299 }
300
301
302 /**
303 * Implementation of rsa_public_key.get_key.
304 */
305 static status_t get_key(private_rsa_public_key_t *this, chunk_t *key)
306 {
307 if (!this->is_key_set)
308 {
309 return INVALID_STATE;
310 }
311
312 chunk_t n, e;
313
314 n.len = this->k;
315 n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
316 e.len = this->k;
317 e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
318
319 key->len = this->k * 2;
320 key->ptr = allocator_alloc(key->len);
321 memcpy(key->ptr, n.ptr, n.len);
322 memcpy(key->ptr + n.len, e.ptr, e.len);
323 allocator_free(n.ptr);
324 allocator_free(e.ptr);
325
326 return SUCCESS;
327 }
328
329 /**
330 * Implementation of rsa_public_key.load_key.
331 */
332 static status_t load_key(private_rsa_public_key_t *this, char *file)
333 {
334 return NOT_SUPPORTED;
335 }
336
337 /**
338 * Implementation of rsa_public_key.save_key.
339 */
340 static status_t save_key(private_rsa_public_key_t *this, char *file)
341 {
342 return NOT_SUPPORTED;
343 }
344
345 /**
346 * Implementation of rsa_public_key.destroy.
347 */
348 static void destroy(private_rsa_public_key_t *this)
349 {
350 if (this->is_key_set)
351 {
352 mpz_clear(this->n);
353 mpz_clear(this->e);
354 }
355 allocator_free(this);
356 }
357
358 /*
359 * Described in header.
360 */
361 rsa_public_key_t *rsa_public_key_create()
362 {
363 private_rsa_public_key_t *this = allocator_alloc_thing(private_rsa_public_key_t);
364
365 /* public functions */
366 this->public.verify_emsa_pkcs1_signature = (status_t (*) (rsa_public_key_t*,chunk_t,chunk_t))verify_emsa_pkcs1_signature;
367 this->public.set_key = (status_t (*) (rsa_public_key_t*,chunk_t))set_key;
368 this->public.get_key = (status_t (*) (rsa_public_key_t*,chunk_t*))get_key;
369 this->public.load_key = (status_t (*) (rsa_public_key_t*,char*))load_key;
370 this->public.save_key = (status_t (*) (rsa_public_key_t*,char*))save_key;
371 this->public.destroy = (void (*) (rsa_public_key_t*))destroy;
372
373 /* private functions */
374 this->rsaep = rsaep;
375 this->rsavp1 = rsaep; /* same algorithm */
376
377 this->is_key_set = FALSE;
378
379 return &(this->public);
380 }