5 /* nettle, low-level cryptographics library
7 * Copyright (C) 2002 Niels Möller
9 * The nettle library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published by
11 * the Free Software Foundation; either version 2.1 of the License, or (at your
12 * option) any later version.
14 * The nettle library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
17 * License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with the nettle library; see the file COPYING.LIB. If not, write to
21 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
35 /* string.h must be included before gmp.h */
46 #include "rsa-session.h"
49 rsa_session_set_decrypt_key(struct rsa_session *ctx,
50 const struct rsa_session_info *key)
52 const uint8_t *aes_key = SESSION_AES_KEY(key);
53 const uint8_t *iv = SESSION_IV(key);
54 const uint8_t *hmac_key = SESSION_HMAC_KEY(key);
56 aes_set_decrypt_key(&ctx->aes.ctx, AES_KEY_SIZE, aes_key);
57 CBC_SET_IV(&ctx->aes, iv);
58 hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key);
62 read_uint32(FILE *f, uint32_t *n)
65 if (fread(buf, 1, sizeof(buf), f) != sizeof(buf))
68 *n = READ_UINT32(buf);
76 return read_uint32(f, &version) && version == RSA_VERSION;
80 read_bignum(FILE *f, mpz_t x)
83 if (read_uint32(f, &size)
86 uint8_t *p = xalloc(size);
87 if (fread(p, 1, size, f) != size)
93 nettle_mpz_set_str_256_u(x, size, p);
103 struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes;
104 struct hmac_sha1_ctx hmac;
105 struct yarrow256_ctx yarrow;
108 #define BUF_SIZE (100 * AES_BLOCK_SIZE)
110 /* Trailing data that needs special processing */
111 #define BUF_FINAL (AES_BLOCK_SIZE + SHA1_DIGEST_SIZE)
114 process_file(struct rsa_session *ctx,
117 uint8_t buffer[BUF_SIZE + BUF_FINAL];
118 uint8_t digest[SHA1_DIGEST_SIZE];
122 size = fread(buffer, 1, BUF_FINAL, in);
123 if (size < BUF_FINAL || ferror(in))
125 werror("Reading input failed: %s\n", strerror(errno));
131 size = fread(buffer + BUF_FINAL, 1, BUF_SIZE, in);
135 werror("Reading input failed: %s\n", strerror(errno));
139 if (size % AES_BLOCK_SIZE != 0)
141 werror("Unexpected EOF on input.\n");
147 CBC_DECRYPT(&ctx->aes, aes_decrypt, size, buffer, buffer);
148 hmac_sha1_update(&ctx->hmac, size, buffer);
149 if (!write_string(out, size, buffer))
151 werror("Writing output failed: %s\n", strerror(errno));
154 memmove(buffer, buffer + size, BUF_FINAL);
157 while (size == BUF_SIZE);
159 /* Decrypt final block */
160 CBC_DECRYPT(&ctx->aes, aes_decrypt, AES_BLOCK_SIZE, buffer, buffer);
161 padding = buffer[AES_BLOCK_SIZE - 1];
162 if (padding > AES_BLOCK_SIZE)
164 werror("Decryption failed: Invalid padding.\n");
168 if (padding < AES_BLOCK_SIZE)
170 unsigned leftover = AES_BLOCK_SIZE - padding;
171 hmac_sha1_update(&ctx->hmac, leftover, buffer);
172 if (!write_string(out, leftover, buffer))
174 werror("Writing output failed: %s\n", strerror(errno));
178 hmac_sha1_digest(&ctx->hmac, SHA1_DIGEST_SIZE, digest);
179 if (memcmp(digest, buffer + AES_BLOCK_SIZE, SHA1_DIGEST_SIZE) != 0)
181 werror("Decryption failed: Invalid mac.\n");
189 main(int argc, char **argv)
191 struct rsa_private_key key;
192 struct rsa_session ctx;
193 struct rsa_session_info session;
202 werror("Usage: rsa-decrypt PRIVATE-KEY < ciphertext\n");
206 rsa_private_key_init(&key);
208 if (!read_rsa_key(argv[1], NULL, &key))
210 werror("Invalid key\n");
214 if (!read_version(stdin))
216 werror("Bad version number in input file.\n");
220 if (!read_bignum(stdin, x))
222 werror("Bad rsa header in input file.\n");
226 length = sizeof(session.key);
227 if (!rsa_decrypt(&key, &length, session.key, x) || length != sizeof(session.key))
229 werror("Failed to decrypt rsa header in input file.\n");
234 rsa_session_set_decrypt_key(&ctx, &session);
236 if (!process_file(&ctx,
240 rsa_private_key_clear(&key);