/* nettle, low-level cryptographic library
* Copyright (C) 2002 Niels Möller
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
/* string.h must be included before gmp.h */
#include "rsa-session.h"
rsa_session_set_decrypt_key(struct rsa_session *ctx,
const struct rsa_session_info *key)
const uint8_t *aes_key = SESSION_AES_KEY(key);
const uint8_t *iv = SESSION_IV(key);
const uint8_t *hmac_key = SESSION_HMAC_KEY(key);
aes_set_decrypt_key(&ctx->aes.ctx, AES_KEY_SIZE, aes_key);
CBC_SET_IV(&ctx->aes, iv);
hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key);
read_uint32(FILE *f, uint32_t *n)
if (fread(buf, 1, sizeof(buf), f) != sizeof(buf))
*n = READ_UINT32(buf);
return read_uint32(f, &version) && version == RSA_VERSION;
read_bignum(FILE *f, mpz_t x)
if (read_uint32(f, &size)
uint8_t *p = xalloc(size);
if (fread(p, 1, size, f) != size)
nettle_mpz_set_str_256_u(x, size, p);
struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes;
struct hmac_sha1_ctx hmac;
struct yarrow256_ctx yarrow;
#define BUF_SIZE (100 * AES_BLOCK_SIZE)
/* Trailing data that needs special processing */
#define BUF_FINAL (AES_BLOCK_SIZE + SHA1_DIGEST_SIZE)
process_file(struct rsa_session *ctx,
uint8_t buffer[BUF_SIZE + BUF_FINAL];
uint8_t digest[SHA1_DIGEST_SIZE];
size = fread(buffer, 1, BUF_FINAL, in);
if (size < BUF_FINAL || ferror(in))
werror("Reading input failed: %s\n", strerror(errno));
size = fread(buffer + BUF_FINAL, 1, BUF_SIZE, in);
werror("Reading input failed: %s\n", strerror(errno));
if (size % AES_BLOCK_SIZE != 0)
werror("Unexpected EOF on input.\n");
CBC_DECRYPT(&ctx->aes, aes_decrypt, size, buffer, buffer);
hmac_sha1_update(&ctx->hmac, size, buffer);
if (!write_string(out, size, buffer))
werror("Writing output failed: %s\n", strerror(errno));
memmove(buffer, buffer + size, BUF_FINAL);
while (size == BUF_SIZE);
/* Decrypt final block */
CBC_DECRYPT(&ctx->aes, aes_decrypt, AES_BLOCK_SIZE, buffer, buffer);
padding = buffer[AES_BLOCK_SIZE - 1];
if (padding > AES_BLOCK_SIZE)
werror("Decryption failed: Invalid padding.\n");
if (padding < AES_BLOCK_SIZE)
unsigned leftover = AES_BLOCK_SIZE - padding;
hmac_sha1_update(&ctx->hmac, leftover, buffer);
if (!write_string(out, leftover, buffer))
werror("Writing output failed: %s\n", strerror(errno));
hmac_sha1_digest(&ctx->hmac, SHA1_DIGEST_SIZE, digest);
if (memcmp(digest, buffer + AES_BLOCK_SIZE, SHA1_DIGEST_SIZE) != 0)
werror("Decryption failed: Invalid mac.\n");
main(int argc, char **argv)
struct rsa_private_key key;
struct rsa_session ctx;
struct rsa_session_info session;
werror("Usage: rsa-decrypt PRIVATE-KEY < ciphertext\n");
rsa_private_key_init(&key);
if (!read_rsa_key(argv[1], NULL, &key))
werror("Invalid key\n");
if (!read_version(stdin))
werror("Bad version number in input file.\n");
if (!read_bignum(stdin, x))
werror("Bad rsa header in input file.\n");
length = sizeof(session.key);
if (!rsa_decrypt(&key, &length, session.key, x) || length != sizeof(session.key))
werror("Failed to decrypt rsa header in input file.\n");
rsa_session_set_decrypt_key(&ctx, &session);
if (!process_file(&ctx,
rsa_private_key_clear(&key);