18dbcf02cSchristos /*
28dbcf02cSchristos * PKCS #1 (RSA Encryption)
3*36d97821Schristos * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
48dbcf02cSchristos *
562a52023Schristos * This software may be distributed under the terms of the BSD license.
662a52023Schristos * See README for more details.
78dbcf02cSchristos */
88dbcf02cSchristos
98dbcf02cSchristos #include "includes.h"
108dbcf02cSchristos
118dbcf02cSchristos #include "common.h"
12*36d97821Schristos #include "crypto/crypto.h"
138dbcf02cSchristos #include "rsa.h"
14*36d97821Schristos #include "asn1.h"
158dbcf02cSchristos #include "pkcs1.h"
168dbcf02cSchristos
178dbcf02cSchristos
pkcs1_generate_encryption_block(u8 block_type,size_t modlen,const u8 * in,size_t inlen,u8 * out,size_t * outlen)188dbcf02cSchristos static int pkcs1_generate_encryption_block(u8 block_type, size_t modlen,
198dbcf02cSchristos const u8 *in, size_t inlen,
208dbcf02cSchristos u8 *out, size_t *outlen)
218dbcf02cSchristos {
228dbcf02cSchristos size_t ps_len;
238dbcf02cSchristos u8 *pos;
248dbcf02cSchristos
258dbcf02cSchristos /*
268dbcf02cSchristos * PKCS #1 v1.5, 8.1:
278dbcf02cSchristos *
288dbcf02cSchristos * EB = 00 || BT || PS || 00 || D
298dbcf02cSchristos * BT = 00 or 01 for private-key operation; 02 for public-key operation
308dbcf02cSchristos * PS = k-3-||D||; at least eight octets
318dbcf02cSchristos * (BT=0: PS=0x00, BT=1: PS=0xff, BT=2: PS=pseudorandom non-zero)
328dbcf02cSchristos * k = length of modulus in octets (modlen)
338dbcf02cSchristos */
348dbcf02cSchristos
358dbcf02cSchristos if (modlen < 12 || modlen > *outlen || inlen > modlen - 11) {
368dbcf02cSchristos wpa_printf(MSG_DEBUG, "PKCS #1: %s - Invalid buffer "
378dbcf02cSchristos "lengths (modlen=%lu outlen=%lu inlen=%lu)",
388dbcf02cSchristos __func__, (unsigned long) modlen,
398dbcf02cSchristos (unsigned long) *outlen,
408dbcf02cSchristos (unsigned long) inlen);
418dbcf02cSchristos return -1;
428dbcf02cSchristos }
438dbcf02cSchristos
448dbcf02cSchristos pos = out;
458dbcf02cSchristos *pos++ = 0x00;
468dbcf02cSchristos *pos++ = block_type; /* BT */
478dbcf02cSchristos ps_len = modlen - inlen - 3;
488dbcf02cSchristos switch (block_type) {
498dbcf02cSchristos case 0:
508dbcf02cSchristos os_memset(pos, 0x00, ps_len);
518dbcf02cSchristos pos += ps_len;
528dbcf02cSchristos break;
538dbcf02cSchristos case 1:
548dbcf02cSchristos os_memset(pos, 0xff, ps_len);
558dbcf02cSchristos pos += ps_len;
568dbcf02cSchristos break;
578dbcf02cSchristos case 2:
588dbcf02cSchristos if (os_get_random(pos, ps_len) < 0) {
598dbcf02cSchristos wpa_printf(MSG_DEBUG, "PKCS #1: %s - Failed to get "
608dbcf02cSchristos "random data for PS", __func__);
618dbcf02cSchristos return -1;
628dbcf02cSchristos }
638dbcf02cSchristos while (ps_len--) {
648dbcf02cSchristos if (*pos == 0x00)
658dbcf02cSchristos *pos = 0x01;
668dbcf02cSchristos pos++;
678dbcf02cSchristos }
688dbcf02cSchristos break;
698dbcf02cSchristos default:
708dbcf02cSchristos wpa_printf(MSG_DEBUG, "PKCS #1: %s - Unsupported block type "
718dbcf02cSchristos "%d", __func__, block_type);
728dbcf02cSchristos return -1;
738dbcf02cSchristos }
748dbcf02cSchristos *pos++ = 0x00;
758dbcf02cSchristos os_memcpy(pos, in, inlen); /* D */
768dbcf02cSchristos
778dbcf02cSchristos return 0;
788dbcf02cSchristos }
798dbcf02cSchristos
808dbcf02cSchristos
pkcs1_encrypt(int block_type,struct crypto_rsa_key * key,int use_private,const u8 * in,size_t inlen,u8 * out,size_t * outlen)818dbcf02cSchristos int pkcs1_encrypt(int block_type, struct crypto_rsa_key *key,
828dbcf02cSchristos int use_private, const u8 *in, size_t inlen,
838dbcf02cSchristos u8 *out, size_t *outlen)
848dbcf02cSchristos {
858dbcf02cSchristos size_t modlen;
868dbcf02cSchristos
878dbcf02cSchristos modlen = crypto_rsa_get_modulus_len(key);
888dbcf02cSchristos
898dbcf02cSchristos if (pkcs1_generate_encryption_block(block_type, modlen, in, inlen,
908dbcf02cSchristos out, outlen) < 0)
918dbcf02cSchristos return -1;
928dbcf02cSchristos
938dbcf02cSchristos return crypto_rsa_exptmod(out, modlen, out, outlen, key, use_private);
948dbcf02cSchristos }
958dbcf02cSchristos
968dbcf02cSchristos
pkcs1_v15_private_key_decrypt(struct crypto_rsa_key * key,const u8 * in,size_t inlen,u8 * out,size_t * outlen)978dbcf02cSchristos int pkcs1_v15_private_key_decrypt(struct crypto_rsa_key *key,
988dbcf02cSchristos const u8 *in, size_t inlen,
998dbcf02cSchristos u8 *out, size_t *outlen)
1008dbcf02cSchristos {
1018dbcf02cSchristos int res;
1028dbcf02cSchristos u8 *pos, *end;
1038dbcf02cSchristos
1048dbcf02cSchristos res = crypto_rsa_exptmod(in, inlen, out, outlen, key, 1);
1058dbcf02cSchristos if (res)
1068dbcf02cSchristos return res;
1078dbcf02cSchristos
1088dbcf02cSchristos if (*outlen < 2 || out[0] != 0 || out[1] != 2)
1098dbcf02cSchristos return -1;
1108dbcf02cSchristos
1118dbcf02cSchristos /* Skip PS (pseudorandom non-zero octets) */
1128dbcf02cSchristos pos = out + 2;
1138dbcf02cSchristos end = out + *outlen;
1148dbcf02cSchristos while (*pos && pos < end)
1158dbcf02cSchristos pos++;
1168dbcf02cSchristos if (pos == end)
1178dbcf02cSchristos return -1;
118*36d97821Schristos if (pos - out - 2 < 8) {
119*36d97821Schristos /* PKCS #1 v1.5, 8.1: At least eight octets long PS */
120*36d97821Schristos wpa_printf(MSG_INFO, "LibTomCrypt: Too short padding");
121*36d97821Schristos return -1;
122*36d97821Schristos }
1238dbcf02cSchristos pos++;
1248dbcf02cSchristos
1258dbcf02cSchristos *outlen -= pos - out;
1268dbcf02cSchristos
1278dbcf02cSchristos /* Strip PKCS #1 header */
1288dbcf02cSchristos os_memmove(out, pos, *outlen);
1298dbcf02cSchristos
1308dbcf02cSchristos return 0;
1318dbcf02cSchristos }
1328dbcf02cSchristos
1338dbcf02cSchristos
pkcs1_decrypt_public_key(struct crypto_rsa_key * key,const u8 * crypt,size_t crypt_len,u8 * plain,size_t * plain_len)1348dbcf02cSchristos int pkcs1_decrypt_public_key(struct crypto_rsa_key *key,
1358dbcf02cSchristos const u8 *crypt, size_t crypt_len,
1368dbcf02cSchristos u8 *plain, size_t *plain_len)
1378dbcf02cSchristos {
1388dbcf02cSchristos size_t len;
1398dbcf02cSchristos u8 *pos;
1408dbcf02cSchristos
1418dbcf02cSchristos len = *plain_len;
1428dbcf02cSchristos if (crypto_rsa_exptmod(crypt, crypt_len, plain, &len, key, 0) < 0)
1438dbcf02cSchristos return -1;
1448dbcf02cSchristos
1458dbcf02cSchristos /*
1468dbcf02cSchristos * PKCS #1 v1.5, 8.1:
1478dbcf02cSchristos *
1488dbcf02cSchristos * EB = 00 || BT || PS || 00 || D
1498dbcf02cSchristos * BT = 00 or 01
1508dbcf02cSchristos * PS = k-3-||D|| times (00 if BT=00) or (FF if BT=01)
1518dbcf02cSchristos * k = length of modulus in octets
152*36d97821Schristos *
153*36d97821Schristos * Based on 10.1.3, "The block type shall be 01" for a signature.
1548dbcf02cSchristos */
1558dbcf02cSchristos
1568dbcf02cSchristos if (len < 3 + 8 + 16 /* min hash len */ ||
157*36d97821Schristos plain[0] != 0x00 || plain[1] != 0x01) {
1588dbcf02cSchristos wpa_printf(MSG_INFO, "LibTomCrypt: Invalid signature EB "
1598dbcf02cSchristos "structure");
1608dbcf02cSchristos return -1;
1618dbcf02cSchristos }
1628dbcf02cSchristos
1638dbcf02cSchristos pos = plain + 3;
1648dbcf02cSchristos /* BT = 01 */
1658dbcf02cSchristos if (plain[2] != 0xff) {
1668dbcf02cSchristos wpa_printf(MSG_INFO, "LibTomCrypt: Invalid signature "
1678dbcf02cSchristos "PS (BT=01)");
1688dbcf02cSchristos return -1;
1698dbcf02cSchristos }
1708dbcf02cSchristos while (pos < plain + len && *pos == 0xff)
1718dbcf02cSchristos pos++;
1728dbcf02cSchristos
1738dbcf02cSchristos if (pos - plain - 2 < 8) {
1748dbcf02cSchristos /* PKCS #1 v1.5, 8.1: At least eight octets long PS */
1758dbcf02cSchristos wpa_printf(MSG_INFO, "LibTomCrypt: Too short signature "
1768dbcf02cSchristos "padding");
1778dbcf02cSchristos return -1;
1788dbcf02cSchristos }
1798dbcf02cSchristos
1808dbcf02cSchristos if (pos + 16 /* min hash len */ >= plain + len || *pos != 0x00) {
1818dbcf02cSchristos wpa_printf(MSG_INFO, "LibTomCrypt: Invalid signature EB "
1828dbcf02cSchristos "structure (2)");
1838dbcf02cSchristos return -1;
1848dbcf02cSchristos }
1858dbcf02cSchristos pos++;
1868dbcf02cSchristos len -= pos - plain;
1878dbcf02cSchristos
1888dbcf02cSchristos /* Strip PKCS #1 header */
1898dbcf02cSchristos os_memmove(plain, pos, len);
1908dbcf02cSchristos *plain_len = len;
1918dbcf02cSchristos
1928dbcf02cSchristos return 0;
1938dbcf02cSchristos }
194*36d97821Schristos
195*36d97821Schristos
pkcs1_v15_sig_ver(struct crypto_public_key * pk,const u8 * s,size_t s_len,const struct asn1_oid * hash_alg,const u8 * hash,size_t hash_len)196*36d97821Schristos int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
197*36d97821Schristos const u8 *s, size_t s_len,
198*36d97821Schristos const struct asn1_oid *hash_alg,
199*36d97821Schristos const u8 *hash, size_t hash_len)
200*36d97821Schristos {
201*36d97821Schristos int res;
202*36d97821Schristos u8 *decrypted;
203*36d97821Schristos size_t decrypted_len;
204*36d97821Schristos const u8 *pos, *end, *next, *da_end;
205*36d97821Schristos struct asn1_hdr hdr;
206*36d97821Schristos struct asn1_oid oid;
207*36d97821Schristos
208*36d97821Schristos decrypted = os_malloc(s_len);
209*36d97821Schristos if (decrypted == NULL)
210*36d97821Schristos return -1;
211*36d97821Schristos decrypted_len = s_len;
212*36d97821Schristos res = crypto_public_key_decrypt_pkcs1(pk, s, s_len, decrypted,
213*36d97821Schristos &decrypted_len);
214*36d97821Schristos if (res < 0) {
215*36d97821Schristos wpa_printf(MSG_INFO, "PKCS #1: RSA decrypt failed");
216*36d97821Schristos os_free(decrypted);
217*36d97821Schristos return -1;
218*36d97821Schristos }
219*36d97821Schristos wpa_hexdump(MSG_DEBUG, "Decrypted(S)", decrypted, decrypted_len);
220*36d97821Schristos
221*36d97821Schristos /*
222*36d97821Schristos * PKCS #1 v1.5, 10.1.2:
223*36d97821Schristos *
224*36d97821Schristos * DigestInfo ::= SEQUENCE {
225*36d97821Schristos * digestAlgorithm DigestAlgorithmIdentifier,
226*36d97821Schristos * digest Digest
227*36d97821Schristos * }
228*36d97821Schristos *
229*36d97821Schristos * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
230*36d97821Schristos *
231*36d97821Schristos * Digest ::= OCTET STRING
232*36d97821Schristos *
233*36d97821Schristos */
234*36d97821Schristos if (asn1_get_next(decrypted, decrypted_len, &hdr) < 0 ||
235*36d97821Schristos hdr.class != ASN1_CLASS_UNIVERSAL ||
236*36d97821Schristos hdr.tag != ASN1_TAG_SEQUENCE) {
237*36d97821Schristos wpa_printf(MSG_DEBUG,
238*36d97821Schristos "PKCS #1: Expected SEQUENCE (DigestInfo) - found class %d tag 0x%x",
239*36d97821Schristos hdr.class, hdr.tag);
240*36d97821Schristos os_free(decrypted);
241*36d97821Schristos return -1;
242*36d97821Schristos }
243*36d97821Schristos
244*36d97821Schristos pos = hdr.payload;
245*36d97821Schristos end = pos + hdr.length;
246*36d97821Schristos
247*36d97821Schristos /*
248*36d97821Schristos * X.509:
249*36d97821Schristos * AlgorithmIdentifier ::= SEQUENCE {
250*36d97821Schristos * algorithm OBJECT IDENTIFIER,
251*36d97821Schristos * parameters ANY DEFINED BY algorithm OPTIONAL
252*36d97821Schristos * }
253*36d97821Schristos */
254*36d97821Schristos
255*36d97821Schristos if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
256*36d97821Schristos hdr.class != ASN1_CLASS_UNIVERSAL ||
257*36d97821Schristos hdr.tag != ASN1_TAG_SEQUENCE) {
258*36d97821Schristos wpa_printf(MSG_DEBUG,
259*36d97821Schristos "PKCS #1: Expected SEQUENCE (AlgorithmIdentifier) - found class %d tag 0x%x",
260*36d97821Schristos hdr.class, hdr.tag);
261*36d97821Schristos os_free(decrypted);
262*36d97821Schristos return -1;
263*36d97821Schristos }
264*36d97821Schristos da_end = hdr.payload + hdr.length;
265*36d97821Schristos
266*36d97821Schristos if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
267*36d97821Schristos wpa_printf(MSG_DEBUG,
268*36d97821Schristos "PKCS #1: Failed to parse digestAlgorithm");
269*36d97821Schristos os_free(decrypted);
270*36d97821Schristos return -1;
271*36d97821Schristos }
272*36d97821Schristos
273*36d97821Schristos if (!asn1_oid_equal(&oid, hash_alg)) {
274*36d97821Schristos char txt[100], txt2[100];
275*36d97821Schristos asn1_oid_to_str(&oid, txt, sizeof(txt));
276*36d97821Schristos asn1_oid_to_str(hash_alg, txt2, sizeof(txt2));
277*36d97821Schristos wpa_printf(MSG_DEBUG,
278*36d97821Schristos "PKCS #1: Hash alg OID mismatch: was %s, expected %s",
279*36d97821Schristos txt, txt2);
280*36d97821Schristos os_free(decrypted);
281*36d97821Schristos return -1;
282*36d97821Schristos }
283*36d97821Schristos
284*36d97821Schristos /* Digest ::= OCTET STRING */
285*36d97821Schristos pos = da_end;
286*36d97821Schristos end = decrypted + decrypted_len;
287*36d97821Schristos
288*36d97821Schristos if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
289*36d97821Schristos hdr.class != ASN1_CLASS_UNIVERSAL ||
290*36d97821Schristos hdr.tag != ASN1_TAG_OCTETSTRING) {
291*36d97821Schristos wpa_printf(MSG_DEBUG,
292*36d97821Schristos "PKCS #1: Expected OCTETSTRING (Digest) - found class %d tag 0x%x",
293*36d97821Schristos hdr.class, hdr.tag);
294*36d97821Schristos os_free(decrypted);
295*36d97821Schristos return -1;
296*36d97821Schristos }
297*36d97821Schristos wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Decrypted Digest",
298*36d97821Schristos hdr.payload, hdr.length);
299*36d97821Schristos
300*36d97821Schristos if (hdr.length != hash_len ||
301*36d97821Schristos os_memcmp_const(hdr.payload, hash, hdr.length) != 0) {
302*36d97821Schristos wpa_printf(MSG_INFO, "PKCS #1: Digest value does not match calculated hash");
303*36d97821Schristos os_free(decrypted);
304*36d97821Schristos return -1;
305*36d97821Schristos }
306*36d97821Schristos
307*36d97821Schristos os_free(decrypted);
308*36d97821Schristos
309*36d97821Schristos if (hdr.payload + hdr.length != end) {
310*36d97821Schristos wpa_printf(MSG_INFO,
311*36d97821Schristos "PKCS #1: Extra data after signature - reject");
312*36d97821Schristos
313*36d97821Schristos wpa_hexdump(MSG_DEBUG, "PKCS #1: Extra data",
314*36d97821Schristos hdr.payload + hdr.length,
315*36d97821Schristos end - hdr.payload - hdr.length);
316*36d97821Schristos return -1;
317*36d97821Schristos }
318*36d97821Schristos
319*36d97821Schristos return 0;
320*36d97821Schristos }
321