2 * Copyright (C) 2021 - This file is part of libecc project
27 * related algorithms as per RFC 8017 and ISO/IEC 9796-2 based
44 * against elaborate microarchitectural side-channels and so on). The modular exponentiation
55 * Padding oracles (Bleichenbacher, Manger) in RSA PKCS#1 v1.5 and RSA-OAEP decryption
75 * All-in-all, this piece of code can be useful in some contexts, or risky to
76 * use in other sensitive ones where advanced side-channels or fault attacks
89 ret = nn_init_from_buf(&(pub->n), n, nlen); EG(ret, err); in rsa_import_pub_key()
90 ret = nn_init_from_buf(&(pub->e), e, elen); in rsa_import_pub_key()
112 priv->type = RSA_SIMPLE; in rsa_import_simple_priv_key()
113 ret = nn_init_from_buf(&(priv->key.s.n), n, nlen); EG(ret, err); in rsa_import_simple_priv_key()
114 ret = nn_init_from_buf(&(priv->key.s.d), d, dlen); EG(ret, err); in rsa_import_simple_priv_key()
117 priv->type = RSA_SIMPLE_PQ; in rsa_import_simple_priv_key()
118 ret = nn_init_from_buf(&(priv->key.s_pq.n), n, nlen); EG(ret, err); in rsa_import_simple_priv_key()
119 ret = nn_init_from_buf(&(priv->key.s_pq.d), d, dlen); EG(ret, err); in rsa_import_simple_priv_key()
120 ret = nn_init_from_buf(&(priv->key.s_pq.p), p, plen); EG(ret, err); in rsa_import_simple_priv_key()
121 ret = nn_init_from_buf(&(priv->key.s_pq.q), q, qlen); EG(ret, err); in rsa_import_simple_priv_key()
144 priv->type = RSA_CRT; in rsa_import_crt_priv_key()
146 ret = nn_init_from_buf(&(priv->key.crt.p), p, plen); EG(ret, err); in rsa_import_crt_priv_key()
147 ret = nn_init_from_buf(&(priv->key.crt.q), q, qlen); EG(ret, err); in rsa_import_crt_priv_key()
148 ret = nn_init_from_buf(&(priv->key.crt.dP), dP, dPlen); EG(ret, err); in rsa_import_crt_priv_key()
149 ret = nn_init_from_buf(&(priv->key.crt.dQ), dQ, dQlen); EG(ret, err); in rsa_import_crt_priv_key()
150 ret = nn_init_from_buf(&(priv->key.crt.qInv), qInv, qInvlen); EG(ret, err); in rsa_import_crt_priv_key()
152 priv->key.crt.u = 0; in rsa_import_crt_priv_key()
161 priv->key.crt.u = u; in rsa_import_crt_priv_key()
164 rsa_priv_key_crt_coeffs *cur = &(priv->key.crt.coeffs[(i / 3)]); in rsa_import_crt_priv_key()
166 ret = nn_init_from_buf(&(cur->r), coeffs[i], coeffslens[i]); EG(ret, err); in rsa_import_crt_priv_key()
167 ret = nn_init_from_buf(&(cur->d), coeffs[i + 1], coeffslens[i + 1]); EG(ret, err); in rsa_import_crt_priv_key()
168 ret = nn_init_from_buf(&(cur->t), coeffs[i + 2], coeffslens[i + 2]); EG(ret, err); in rsa_import_crt_priv_key()
179 /* I2OSP - Integer-to-Octet-String primitive
194 /* OS2IP - Octet-String-to-Integer primitive
223 n = &(pub->n); in rsaep()
224 e = &(pub->e); in rsaep()
230 /* Check that m is indeed in [0, n-1], trigger an error if not */ in rsaep()
249 * Blind an exponent with a "small" multiple (of size "bits") of the input mod or (mod-1).
312 ret = nn_copy(&R, &(priv->key.crt.coeffs[0].r)); EG(ret, err); in rsadp_crt_coeffs()
315 r_i_1 = &(priv->key.crt.coeffs[i-1].r); in rsadp_crt_coeffs()
316 r_i = &(priv->key.crt.coeffs[i].r); in rsadp_crt_coeffs()
317 d_i = &(priv->key.crt.coeffs[i].d); in rsadp_crt_coeffs()
318 t_i = &(priv->key.crt.coeffs[i].t); in rsadp_crt_coeffs()
333 /* R = R * r_(i-1) */ in rsadp_crt_coeffs()
335 /* h = (m_i - m) * t_i mod r_i */ in rsadp_crt_coeffs()
371 p = &(priv->key.crt.p); in rsadp_crt()
372 q = &(priv->key.crt.q); in rsadp_crt()
373 dP = &(priv->key.crt.dP); in rsadp_crt()
374 dQ = &(priv->key.crt.dQ); in rsadp_crt()
375 qInv = &(priv->key.crt.qInv); in rsadp_crt()
376 u = priv->key.crt.u; in rsadp_crt()
399 /* h = (m_1 - m_2) * qInv mod p */ in rsadp_crt()
434 if(priv->type == RSA_SIMPLE){ in rsadp_nocrt()
435 n = &(priv->key.s.n); in rsadp_nocrt()
436 d = &(priv->key.s.d); in rsadp_nocrt()
438 else if(priv->type == RSA_SIMPLE_PQ){ in rsadp_nocrt()
439 n = &(priv->key.s_pq.n); in rsadp_nocrt()
440 d = &(priv->key.s_pq.d); in rsadp_nocrt()
443 ret = -1; in rsadp_nocrt()
449 /* Check that c is indeed in [0, n-1], trigger an error if not */ in rsadp_nocrt()
455 * type key in order to be able to compute our Phi(n) = (p-1)(q-1) and perform in rsadp_nocrt()
458 if(priv->type == RSA_SIMPLE_PQ){ in rsadp_nocrt()
459 p = &(priv->key.s_pq.p); in rsadp_nocrt()
460 q = &(priv->key.s_pq.q); in rsadp_nocrt()
470 ret = -1; in rsadp_nocrt()
500 if((priv->type == RSA_SIMPLE) || (priv->type == RSA_SIMPLE_PQ)){ in rsadp()
503 else if(priv->type == RSA_CRT){ in rsadp()
507 ret = -1; in rsadp()
528 n = &(pub->n); in rsadp_hardened()
529 e = &(pub->e); in rsadp_hardened()
539 ret = -1; in rsadp_hardened()
641 0x14 }; in rsa_digestinfo_from_hash()
650 0x14 }; in rsa_digestinfo_from_hash()
713 0x14 }; in rsa_digestinfo_from_hash()
719 /* The following SHA-3 oids have been taken from in rsa_digestinfo_from_hash()
720 * https://www.ietf.org/archive/id/draft-jivsov-openpgp-sha3-01.txt in rsa_digestinfo_from_hash()
722 * The specific case of SHA3-224 is inferred from the OID of SHA3-224 although in rsa_digestinfo_from_hash()
774 ret = -1; in rsa_digestinfo_from_hash()
816 C[2] = (u8)((c >> 8) & 0xff); in _mgf1()
820 if ((masklen % hlen) && (c == (ceil - 1))) { /* need last chunk smaller than hlen */ in _mgf1()
831 /* EMSA-PSS-ENCODE encoding as described in RFC 8017 section 9.1.1
842 u8 zeroes[8]; in emsa_pss_encode()
880 /* emBits at least 8hLen + 8sLen + 9 */ in emsa_pss_encode()
881 MUST_HAVE((embits >= ((8*(u32)hlen) + (8*(u32)saltlen) + 9)), ret, err); in emsa_pss_encode()
910 /* dbMask = MGF(H, emLen - hLen - 1) in emsa_pss_encode()
913 dblen = (emlen - hlen - 1); in emsa_pss_encode()
914 pslen = (dblen - saltlen - 1); /* padding string PS len */ in emsa_pss_encode()
932 dbmask[dblen - saltlen + i] ^= salt[i]; in emsa_pss_encode()
935 /* Set the leftmost 8emLen - emBits bits of the leftmost octet in emsa_pss_encode()
939 for(i = 0; i < (8 - ((8*emlen) - embits)); i++){ in emsa_pss_encode()
945 em[emlen - 1] = 0xbc; in emsa_pss_encode()
952 /* EMSA-PSS-VERIFY verification as described in RFC 8017 section 9.1.2
964 u8 zeroes[8]; in emsa_pss_verify()
998 /* emBits at least 8hLen + 8sLen + 9 */ in emsa_pss_verify()
999 MUST_HAVE((embits >= ((8*(u32)hlen) + (8*(u32)saltlen) + 9)), ret, err); in emsa_pss_verify()
1001 /* Check that emLen == \ceil(emBits/8) */ in emsa_pss_verify()
1002 MUST_HAVE((((embits / 8) + 1) < (u32)((u32)0x1 << 16)), ret, err); in emsa_pss_verify()
1003 _emlen = ((embits % 8) == 0) ? (u16)(embits / 8) : (u16)((embits / 8) + 1); in emsa_pss_verify()
1010 MUST_HAVE((em[emlen - 1] == 0xbc), ret, err); in emsa_pss_verify()
1012 …/* If the leftmost 8emLen - emBits bits of the leftmost octet in maskedDB are not all equal to zer… in emsa_pss_verify()
1017 for(i = 0; i < (8 - ((unsigned int)(8*emlen) - embits)); i++){ in emsa_pss_verify()
1022 /* dbMask = MGF(H, emLen - hLen - 1) */ in emsa_pss_verify()
1023 dblen = (u32)(emlen - hlen - 1); in emsa_pss_verify()
1032 /* Set the leftmost 8emLen - emBits bits of the leftmost octet in DB to zero */ in emsa_pss_verify()
1036 * If the emLen - hLen - sLen - 2 leftmost octets of DB are not in emsa_pss_verify()
1037 * zero or if the octet at position emLen - hLen - sLen - 1 (the in emsa_pss_verify()
1041 for(i = 0; i < (u16)(dblen - saltlen - 1); i++){ in emsa_pss_verify()
1044 MUST_HAVE((db[dblen - saltlen - 1] == 0x01), ret, err); in emsa_pss_verify()
1047 salt = &db[dblen - saltlen]; in emsa_pss_verify()
1068 ret = -1; in emsa_pss_verify()
1075 /* EMSA-PKCS1-v1_5 encoding as described in RFC 8017 section 9.2
1115 ret = rsa_digestinfo_from_hash(gen_hash_type, &em[emlen - tlen], &digestinfo_len); EG(ret, err); in emsa_pkcs1_v1_5_encode()
1116 ret = local_memcpy(&em[emlen - tlen + digestinfo_len], digest, digest_size); EG(ret, err); in emsa_pkcs1_v1_5_encode()
1123 em[emlen - tlen - 1] = 0x00; in emsa_pkcs1_v1_5_encode()
1124 ret = local_memset(&em[2], 0xff, emlen - tlen - 3); in emsa_pkcs1_v1_5_encode()
1132 /* The RSAES-PKCS1-V1_5-ENCRYPT algorithm as described in RFC 8017 section 7.2.1
1152 MUST_HAVE((mlen <= (k - 11)), ret, err); in rsaes_pkcs1_v1_5_encrypt()
1155 /* EME-PKCS1-v1_5 encoding EM = 0x00 || 0x02 || PS || 0x00 || M */ in rsaes_pkcs1_v1_5_encrypt()
1159 for(i = 0; i < (k - mlen - 3); i++){ in rsaes_pkcs1_v1_5_encrypt()
1168 MUST_HAVE((seedlen == (k - mlen - 3)), ret, err); in rsaes_pkcs1_v1_5_encrypt()
1175 em[k - mlen - 1] = 0x00; in rsaes_pkcs1_v1_5_encrypt()
1176 ret = local_memcpy(&em[k - mlen], m, mlen); EG(ret, err); in rsaes_pkcs1_v1_5_encrypt()
1199 /* The RSAES-PKCS1-V1_5-DECRYPT algorithm as described in RFC 8017 section 7.2.2
1235 /* EME-PKCS1-v1_5 decoding: EM = 0x00 || 0x02 || PS || 0x00 || M */ in _rsaes_pkcs1_v1_5_decrypt()
1239 ret = (1 - (!!(em[0] == 0x00) & !!(em[1] == 0x02))); in _rsaes_pkcs1_v1_5_decrypt()
1244 pos = (mask * i) + ((1 - mask) * pos); in _rsaes_pkcs1_v1_5_decrypt()
1246 ret |= !(pos >= (2 + 8)); /* PS length is at least 8 (also implying we found a 0x00) */ in _rsaes_pkcs1_v1_5_decrypt()
1257 pos = (ret) ? ((i % (k - 2)) + 2) : pos; in _rsaes_pkcs1_v1_5_decrypt()
1262 idx = ((i < pos) ? 0x00 : (i - pos)); in _rsaes_pkcs1_v1_5_decrypt()
1267 (*mlen) = (u16)(k - pos); in _rsaes_pkcs1_v1_5_decrypt()
1269 ret = -(!!ret); in _rsaes_pkcs1_v1_5_decrypt()
1296 /* The RSAES-OAEP-ENCRYPT algorithm as described in RFC 8017 section 7.1.1
1336 MUST_HAVE(((mlen ) <= ((u32)k - (2 * (u32)hlen) - 2)), ret, err); in rsaes_oaep_encrypt()
1339 /* EME-OAEP encoding: DB = lHash || PS || 0x01 || M */ in rsaes_oaep_encrypt()
1343 MUST_HAVE(((k - hlen - 1) <= sizeof(db)), ret, err); in rsaes_oaep_encrypt()
1353 * 2.b. Generate a padding string PS consisting of k - mLen - 2hLen - in rsaes_oaep_encrypt()
1358 pslen = (k - mlen - (u32)(2 * hlen) - 2); in rsaes_oaep_encrypt()
1376 /* Let dbMask = MGF(seed, k - hLen - 1)*/ in rsaes_oaep_encrypt()
1377 khlen = (k - hlen - 1); in rsaes_oaep_encrypt()
1415 /* The RSAES-OAEP-DECRYPT algorithm as described in RFC 8017 section 7.1.2
1472 /* EME-OAEP decoding */ in _rsaes_oaep_decrypt()
1486 khlen = (k - hlen - 1); in _rsaes_oaep_decrypt()
1493 /* dbMask = MGF(seed, k - hLen - 1) */ in _rsaes_oaep_decrypt()
1528 pos = (ret) ? ((i % (khlen - hlen)) + hlen) : pos; in _rsaes_oaep_decrypt()
1534 idx = (i < pos) ? 0x00 : (i - pos); in _rsaes_oaep_decrypt()
1539 (*mlen) = (u16)(k - hlen - 1 - pos); in _rsaes_oaep_decrypt()
1541 ret = -(!!ret); in _rsaes_oaep_decrypt()
1574 /* The RSASSA-PKCS1-V1_5-SIGN signature algorithm as described in RFC 8017 section 8.2.1
1596 /* EM = EMSA-PKCS1-V1_5-ENCODE (M, k) */ in _rsassa_pkcs1_v1_5_sign()
1641 /* The RSASSA-PKCS1-V1_5-VERIFY verification algorithm as described in RFC 8017 section 8.2.2
1678 /* EM' = EMSA-PKCS1-V1_5-ENCODE (M, k) */ in rsassa_pkcs1_v1_5_verify()
1685 ret = -1; in rsassa_pkcs1_v1_5_verify()
1694 /* The RSASSA-PSS-SIGN signature algorithm as described in RFC 8017 section 8.1.1
1719 /* EM = EMSA-PSS-ENCODE (M, modBits - 1) */ in _rsassa_pss_sign()
1721 …ret = emsa_pss_encode(m, mlen, em, (modbits - 1), &emsize, gen_hash_type, mgf_hash_type, saltlen, … in _rsassa_pss_sign()
1723 …/* Note that the octet length of EM will be one less than k if modBits - 1 is divisible by 8 and e… in _rsassa_pss_sign()
1724 MUST_HAVE(emsize == BYTECEIL(modbits - 1), ret, err); in _rsassa_pss_sign()
1774 /* The RSASSA-PSS-VERIFY verification algorithm as described in RFC 8017 section 8.1.2
1804 /* emLen = \ceil ((modBits - 1)/8) */ in rsassa_pss_verify()
1805 MUST_HAVE((((modbits - 1) / 8) + 1) < (u32)((u32)0x1 << 16), ret, err); in rsassa_pss_verify()
1806 emlen = (((modbits - 1) % 8) == 0) ? (u16)((modbits - 1) / 8) : (u16)(((modbits - 1) / 8) + 1); in rsassa_pss_verify()
1808 …/* Note that emLen will be one less than k if modBits - 1 is divisible by 8 and equal to k otherwi… in rsassa_pss_verify()
1809 MUST_HAVE(emlen == BYTECEIL(modbits - 1), ret, err); in rsassa_pss_verify()
1814 /* Result = EMSA-PSS-VERIFY (M, EM, modBits - 1) */ in rsassa_pss_verify()
1815 ret = emsa_pss_verify(m, mlen, em, (modbits - 1), emlen, gen_hash_type, mgf_hash_type, saltlen); in rsassa_pss_verify()
1824 /* The RSA signature algorithm using ISO/IEC 9796-2 padding scheme 1.
1829 * (see http://www.crypto-uni.lu/jscoron/publications/iso97962joc.pdf).
1831 * The ISO/IEC 9796-2 is also described in EMV Book 2 in the A.2.1 section:
1863 /* Compute our recoverable and non-recoverable parts */ in _rsa_iso9796_2_sign_recover()
1864 m1len_ = (mlen >= (k - 2 - hlen)) ? (k - 2 - hlen) : mlen; in _rsa_iso9796_2_sign_recover()
1865 m2len_ = (mlen - m1len_); in _rsa_iso9796_2_sign_recover()
1870 ret = gen_hash_final(&hctx, &s[k - 1 - hlen], gen_hash_type); EG(ret, err); in _rsa_iso9796_2_sign_recover()
1883 s[k - 1] = 0xbc; in _rsa_iso9796_2_sign_recover()
1933 /* The RSA verification algorithm using ISO/IEC 9796-2 padding scheme 1.
1938 * (see http://www.crypto-uni.lu/jscoron/publications/iso97962joc.pdf).
1940 * The ISO/IEC 9796-2 is also described in EMV Book 2 in the A.2.1 section:
1978 m1len_ = (u32)(slen - (hlen + 2)); in rsa_iso9796_2_verify_recover()
1994 if((X[0] != 0x6a) || (X[slen - 1] != 0xbc)){ in rsa_iso9796_2_verify_recover()
1995 ret = -1; in rsa_iso9796_2_verify_recover()
2008 ret = -1; in rsa_iso9796_2_verify_recover()
2029 * https://github.com/bdauvergne/python-pkcs1/tree/master/tests/data
2040 * NOTE: the double parentheses are here to handle -Wunreachable-code in main()
2044 ext_printf(" => Please recompile libecc with EXTRA_CFLAGS=\"-DUSER_NN_BIT_LEN=4096\"\n"); in main()
2046 …ext_printf(" Then recompile the current examples with the same EXTRA_CFLAGS=\"-DUSER_NN_BIT_LE… in main()