Blame - library/rsa.c - mirror/mbed-crypto - TrustedFirmware Git Browser

2009-01-03 21:22:43 +0000

[diff] [blame]

1

/*

2

* The RSA public-key cryptosystem

3

*

Manuel Pégourié-Gonnard

6fb8187

2015-07-27 11:11:48 +0200

[diff] [blame]

4

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

b96f154

2010-07-18 20:36:00 +0000

[diff] [blame]

18

*

Manuel Pégourié-Gonnard

fe44643

2015-03-06 13:17:10 +0000

[diff] [blame]

19

* This file is part of mbed TLS (https://tls.mbed.org)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

20

*/

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

21

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

22

/*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

23

* The following sources were referenced in the design of this implementation

24

* of the RSA algorithm:

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

25

*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

26

* [1] A method for obtaining digital signatures and public-key cryptosystems

27

* R Rivest, A Shamir, and L Adleman

28

* http://people.csail.mit.edu/rivest/pubs.html#RSA78

29

*

30

* [2] Handbook of Applied Cryptography - 1997, Chapter 8

31

* Menezes, van Oorschot and Vanstone

32

*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

33

* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks

34

* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and

35

* Stefan Mangard

36

* https://arxiv.org/abs/1702.08719v2

37

*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

38

*/

39

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

40

#if !defined(MBEDTLS_CONFIG_FILE)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

41

#include "mbedtls/config.h"

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

42

#else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

43

#include MBEDTLS_CONFIG_FILE

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

44

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

45

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

46

#if defined(MBEDTLS_RSA_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

47

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

48

#include "mbedtls/rsa.h"

49

#include "mbedtls/oid.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

50

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

51

#include <string.h>

52

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

53

#if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

54

#include "mbedtls/md.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

55

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

56

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

57

#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

58

#include <stdlib.h>

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

59

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

60

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

61

#if defined(MBEDTLS_PLATFORM_C)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

62

#include "mbedtls/platform.h"

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

63

#else

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

64

#include <stdio.h>

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

65

#define mbedtls_printf printf

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

66

#define mbedtls_calloc calloc

67

#define mbedtls_free free

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

68

#endif

69

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

70

/* Implementation that should never be optimized out by the compiler */

71

static void mbedtls_zeroize( void *v, size_t n ) {

72

volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;

73

}

74

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

75

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

76

* Context-independent RSA helper functions.

77

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

78

* There are two classes of helper functions:

79

* (1) Parameter-generating helpers. These are:

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

80

* - mbedtls_rsa_deduce_primes

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

81

* - mbedtls_rsa_deduce_private_exponent

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

82

* - mbedtls_rsa_deduce_crt

83

* Each of these functions takes a set of core RSA parameters

84

* and generates some other, or CRT related parameters.

85

* (2) Parameter-checking helpers. These are:

86

* - mbedtls_rsa_validate_params

87

* - mbedtls_rsa_validate_crt

88

* They take a set of core or CRT related RSA parameters

89

* and check their validity.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

90

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

91

* The helper functions do not use the RSA context structure

92

* and therefore do not need to be replaced when providing

93

* an alternative RSA implementation.

94

*

95

* Their main purpose is to provide common MPI operations in the context

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

96

* of RSA that can be easily shared across multiple implementations.

97

*/

98

99

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

100

*

101

* Given the modulus N=PQ and a pair of public and private

102

* exponents E and D, respectively, factor N.

103

*

104

* Setting F := lcm(P-1,Q-1), the idea is as follows:

105

*

106

* (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)

107

* is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the

108

* square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four

109

* possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)

110

* or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime

111

* factors of N.

112

*

113

* (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same

114

* construction still applies since (-)^K is the identity on the set of

115

* roots of 1 in Z/NZ.

116

*

117

* The public and private key primitives (-)^E and (-)^D are mutually inverse

118

* bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.

119

* if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.

120

* Splitting L = 2^t * K with K odd, we have

121

*

122

* DE - 1 = FL = (F/2) * (2^(t+1)) * K,

123

*

124

* so (F / 2) * K is among the numbers

125

*

126

* (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord

127

*

128

* where ord is the order of 2 in (DE - 1).

129

* We can therefore iterate through these numbers apply the construction

130

* of (a) and (b) above to attempt to factor N.

131

*

132

*/

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

133

int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

134

mbedtls_mpi const *D, mbedtls_mpi const *E,

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

135

mbedtls_mpi *P, mbedtls_mpi *Q )

136

{

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

137

int ret = 0;

138

139

uint16_t attempt; /* Number of current attempt */

140

uint16_t iter; /* Number of squares computed in the current attempt */

141

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

142

uint16_t order; /* Order of 2 in DE - 1 */

143

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

144

mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */

145

mbedtls_mpi K; /* During factorization attempts, stores a random integer

146

* in the range of [0,..,N] */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

147

Hanno Becker

68b4d58

2017-10-10 16:39:10 +0100

[diff] [blame^]

148

const unsigned int primes[] = { 2,

149

3, 5, 7, 11, 13, 17, 19, 23,

150

29, 31, 37, 41, 43, 47, 53, 59,

151

61, 67, 71, 73, 79, 83, 89, 97,

152

101, 103, 107, 109, 113, 127, 131, 137,

153

139, 149, 151, 157, 163, 167, 173, 179,

154

181, 191, 193, 197, 199, 211, 223, 227,

155

229, 233, 239, 241, 251, 257, 263, 269,

156

271, 277, 281, 283, 293, 307, 311, 313

157

};

158

159

const size_t num_primes = sizeof( primes ) / sizeof( *primes );

160

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

161

if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )

162

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

163

164

if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||

165

mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

166

mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||

167

mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||

168

mbedtls_mpi_cmp_mpi( E, N ) >= 0 )

169

{

170

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

}

/*

* Initializations and temporary changes

175

*/

176

177

mbedtls_mpi_init( &K );

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

178

mbedtls_mpi_init( &T );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

179

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

180

/* T := DE - 1 */

181

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D, E ) );

182

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

183

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

184

if( ( order = mbedtls_mpi_lsb( &T ) ) == 0 )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

185

{

186

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

goto cleanup;

}

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

190

/* After this operation, T holds the largest odd divisor of DE - 1. */

191

MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

192

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

/*

* Actual work

*/

Hanno Becker

2017-10-10 16:39:10 +0100

[diff] [blame^]

197

/* Skip trying 2 if N == 1 mod 8 */

198

attempt = 0;

199

if( N->p[0] % 8 == 1 )

200

attempt = 1;

201

202

for( ; attempt < num_primes; ++attempt )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

203

{

Hanno Becker

68b4d58

2017-10-10 16:39:10 +0100

[diff] [blame^]

204

mbedtls_mpi_lset( &K, primes[attempt] );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

205

206

/* Check if gcd(K,N) = 1 */

207

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

208

if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )

209

continue;

210

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

211

/* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

212

* and check whether they have nontrivial GCD with N. */

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

213

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

214

Q /* temporarily use Q for storing Montgomery

215

* multiplication helper values */ ) );

216

217

for( iter = 1; iter < order; ++iter )

218

{

219

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );

220

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

221

222

if( mbedtls_mpi_cmp_int( P, 1 ) == 1 &&

223

mbedtls_mpi_cmp_mpi( P, N ) == -1 )

224

{

225

/*

226

* Have found a nontrivial divisor P of N.

Hanno Becker

d56d83a

2017-08-25 07:29:35 +0100

[diff] [blame]

227

* Set Q := N / P.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

228

*/

229

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

230

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

235

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );

236

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );

}

}

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

cleanup:

mbedtls_mpi_free( &K );

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

245

mbedtls_mpi_free( &T );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

/*

* Given P, Q and the public exponent E, deduce D.

251

* This is essentially a modular inversion.

252

*/

253

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

254

int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,

255

mbedtls_mpi const *Q,

256

mbedtls_mpi const *E,

257

mbedtls_mpi *D )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

258

{

259

int ret = 0;

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

260

mbedtls_mpi K, L;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

261

262

if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )

263

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

264

265

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

266

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||

267

mbedtls_mpi_cmp_int( E, 0 ) == 0 )

268

{

269

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

270

}

271

272

mbedtls_mpi_init( &K );

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

273

mbedtls_mpi_init( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

274

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

275

/* Temporarily put K := P-1 and L := Q-1 */

276

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

277

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

278

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

279

/* Temporarily put D := gcd(P-1, Q-1) */

280

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

281

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

282

/* K := LCM(P-1, Q-1) */

283

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

284

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );

285

286

/* Compute modular inverse of E in LCM(P-1, Q-1) */

287

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );

288

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

289

cleanup:

290

291

mbedtls_mpi_free( &K );

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

292

mbedtls_mpi_free( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

/*

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

298

* Check that RSA CRT parameters are in accordance with core parameters.

299

*/

300

301

int mbedtls_rsa_validate_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

302

const mbedtls_mpi *D, const mbedtls_mpi *DP,

303

const mbedtls_mpi *DQ, const mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K, L;

mbedtls_mpi_init( &K );

309

mbedtls_mpi_init( &L );

310

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

311

/* Check that DP - D == 0 mod P - 1 */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

if( DP != NULL )

{

if( P == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

321

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );

322

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

323

324

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

325

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

326

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

327

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

331

/* Check that DQ - D == 0 mod Q - 1 */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

if( DQ != NULL )

{

if( Q == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

341

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );

342

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

343

344

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

345

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

346

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

347

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

351

/* Check that QP * Q - 1 == 0 mod P */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

352

if( QP != NULL )

353

{

354

if( P == NULL || Q == NULL )

355

{

356

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );

361

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

362

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );

363

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

364

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

365

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

366

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

cleanup:

/* Wrap MPI error codes by RSA check failure error code */

373

if( ret != 0 &&

374

ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&

375

ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )

376

{

377

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

378

}

379

380

mbedtls_mpi_free( &K );

381

mbedtls_mpi_free( &L );

return( ret );

}

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

387

* Check that core RSA parameters are sane.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

388

*/

389

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

390

int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,

391

const mbedtls_mpi *Q, const mbedtls_mpi *D,

392

const mbedtls_mpi *E,

393

int (*f_rng)(void *, unsigned char *, size_t),

394

void *p_rng )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

395

{

396

int ret = 0;

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

397

mbedtls_mpi K, L;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

398

399

mbedtls_mpi_init( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

400

mbedtls_mpi_init( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

401

402

/*

403

* Step 1: If PRNG provided, check that P and Q are prime

404

*/

405

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

406

#if defined(MBEDTLS_GENPRIME)

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

407

if( f_rng != NULL && P != NULL &&

408

( ret = mbedtls_mpi_is_prime( P, f_rng, p_rng ) ) != 0 )

409

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

410

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

if( f_rng != NULL && Q != NULL &&

415

( ret = mbedtls_mpi_is_prime( Q, f_rng, p_rng ) ) != 0 )

416

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

417

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

418

goto cleanup;

419

}

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

#else

((void) f_rng);

((void) p_rng);

#endif /* MBEDTLS_GENPRIME */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

424

425

/*

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

426

* Step 2: Check that 1 < N = PQ

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

427

*/

428

429

if( P != NULL && Q != NULL && N != NULL )

430

{

431

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

432

if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 ||

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

433

mbedtls_mpi_cmp_mpi( &K, N ) != 0 )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

434

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

435

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

}

/*

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

441

* Step 3: Check and 1 < D, E < N if present.

442

*/

443

444

if( N != NULL && D != NULL && E != NULL )

445

{

446

if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

447

mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||

448

mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||

449

mbedtls_mpi_cmp_mpi( E, N ) >= 0 )

450

{

451

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

goto cleanup;

}

}

/*

* Step 4: Check that D, E are inverse modulo P-1 and Q-1

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

458

*/

459

460

if( P != NULL && Q != NULL && D != NULL && E != NULL )

461

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

462

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

463

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

464

{

465

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

466

goto cleanup;

467

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

468

469

/* Compute DE-1 mod P-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

470

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

471

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

472

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );

473

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

474

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

475

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

476

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

/* Compute DE-1 mod Q-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

481

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

482

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

483

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );

484

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

485

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

486

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

487

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

488

goto cleanup;

489

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

}

cleanup:

mbedtls_mpi_free( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

495

mbedtls_mpi_free( &L );

496

497

/* Wrap MPI error codes by RSA check failure error code */

498

if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )

499

{

500

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

501

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

507

const mbedtls_mpi *D, mbedtls_mpi *DP,

508

mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K;

mbedtls_mpi_init( &K );

513

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

514

/* DP = D mod P-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

515

if( DP != NULL )

516

{

517

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

518

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );

519

}

520

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

521

/* DQ = D mod Q-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

522

if( DQ != NULL )

523

{

524

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

525

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );

526

}

527

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

528

/* QP = Q^{-1} mod P */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

529

if( QP != NULL )

530

{

531

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );

}

cleanup:

mbedtls_mpi_free( &K );

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

540

541

/*

542

* Default RSA interface implementation

543

*/

544

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

545

#if !defined(MBEDTLS_RSA_ALT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

546

547

int mbedtls_rsa_import( mbedtls_rsa_context *ctx,

548

const mbedtls_mpi *N,

549

const mbedtls_mpi *P, const mbedtls_mpi *Q,

550

const mbedtls_mpi *D, const mbedtls_mpi *E )

{

int ret;

if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||

555

( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||

556

( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||

557

( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||

558

( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )

559

{

560

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

if( N != NULL )

ctx->len = mbedtls_mpi_size( &ctx->N );

return( 0 );

}

int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

570

unsigned char const *N, size_t N_len,

571

unsigned char const *P, size_t P_len,

572

unsigned char const *Q, size_t Q_len,

573

unsigned char const *D, size_t D_len,

574

unsigned char const *E, size_t E_len )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

{

int ret;

if( N != NULL )

{

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );

581

ctx->len = mbedtls_mpi_size( &ctx->N );

}

if( P != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );

586

587

if( Q != NULL )

588

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );

589

590

if( D != NULL )

591

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );

592

593

if( E != NULL )

594

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );

cleanup:

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

return( 0 );

}

int mbedtls_rsa_complete( mbedtls_rsa_context *ctx,

605

int (*f_rng)(void *, unsigned char *, size_t),

606

void *p_rng )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

{

int ret = 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

610

const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );

611

const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );

612

const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );

613

const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );

614

const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

615

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

616

/*

617

* Check whether provided parameters are enough

618

* to deduce all others. The following incomplete

619

* parameter sets for private keys are supported:

620

*

621

* (1) P, Q missing.

622

* (2) D and potentially N missing.

623

*

624

*/

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

625

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

626

const int n_missing = have_P && have_Q && have_D && have_E;

627

const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;

628

const int d_missing = have_P && have_Q && !have_D && have_E;

629

const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;

630

631

/* These three alternatives are mutually exclusive */

632

const int is_priv = n_missing || pq_missing || d_missing;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

633

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

634

if( !is_priv && !is_pub )

635

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

636

637

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

638

* Step 1: Deduce N if P, Q are provided.

639

*/

640

641

if( !have_N && have_P && have_Q )

642

{

643

if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,

644

&ctx->Q ) ) != 0 )

645

{

646

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

647

}

648

649

ctx->len = mbedtls_mpi_size( &ctx->N );

}

/*

* Step 2: Deduce and verify all remaining core parameters.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

*/

if( pq_missing )

{

/* This includes sanity checking of core parameters,

659

* so no further checks necessary. */

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

660

ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->D, &ctx->E,

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

f_rng, p_rng,

&ctx->P, &ctx->Q );

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

else if( d_missing )

{

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

669

#if defined(MBEDTLS_GENPRIME)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

670

/* If a PRNG is provided, check if P, Q are prime. */

671

if( f_rng != NULL &&

672

( ( ret = mbedtls_mpi_is_prime( &ctx->P, f_rng, p_rng ) ) != 0 ||

673

( ret = mbedtls_mpi_is_prime( &ctx->Q, f_rng, p_rng ) ) != 0 ) )

674

{

675

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

676

}

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

677

#endif /* MBEDTLS_GENPRIME */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

678

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

679

/* Deduce private exponent. This includes double-checking of the result,

680

* so together with the primality test above all core parameters are

681

* guaranteed to be sane if this call succeeds. */

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

682

if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,

683

&ctx->Q,

684

&ctx->E,

685

&ctx->D ) ) != 0 )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

686

{

687

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

688

}

689

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

690

691

/* In the remaining case of a public key, there's nothing to check for. */

692

693

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

694

* Step 3: Deduce all additional parameters specific

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

695

* to our current RSA implementaiton.

696

*/

697

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

698

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

699

if( is_priv )

700

{

701

ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

702

&ctx->DP, &ctx->DQ, &ctx->QP );

703

if( ret != 0 )

704

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

705

}

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

706

#endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

707

708

/*

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

709

* Step 3: Basic sanity check

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

*/

if( is_priv )

{

if( ( ret = mbedtls_rsa_check_privkey( ctx ) ) != 0 )

return( ret );

}

else

{

if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )

return( ret );

}

return( 0 );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

726

int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,

727

unsigned char *N, size_t N_len,

728

unsigned char *P, size_t P_len,

729

unsigned char *Q, size_t Q_len,

730

unsigned char *D, size_t D_len,

731

unsigned char *E, size_t E_len )

{

int ret = 0;

/* Check if key is private or public */

736

const int is_priv =

737

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

738

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

739

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

740

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

741

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

746

* something must be wrong. */

747

if( P != NULL || Q != NULL || D != NULL )

748

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

if( N != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );

754

755

if( P != NULL )

756

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );

757

758

if( Q != NULL )

759

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );

760

761

if( D != NULL )

762

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );

763

764

if( E != NULL )

765

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

cleanup:

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

772

int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,

773

mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,

774

mbedtls_mpi *D, mbedtls_mpi *E )

{

int ret;

/* Check if key is private or public */

779

int is_priv =

780

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

781

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

782

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

783

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

784

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

789

* something must be wrong. */

790

if( P != NULL || Q != NULL || D != NULL )

791

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

/* Export all requested core parameters. */

796

797

if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||

798

( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||

799

( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||

800

( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||

801

( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )

{

return( ret );

}

return( 0 );

}

/*

* Export CRT parameters

811

* This must also be implemented if CRT is not used, for being able to

812

* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt

813

* can be used in this case.

814

*/

815

int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,

816

mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret;

/* Check if key is private or public */

821

int is_priv =

822

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

823

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

824

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

825

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

826

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

827

828

if( !is_priv )

829

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

830

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

831

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

832

/* Export all requested blinding parameters. */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

833

if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||

834

( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||

835

( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )

836

{

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

837

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

838

}

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

839

#else

840

if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

841

DP, DQ, QP ) ) != 0 )

842

{

843

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

844

}

845

#endif

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

846

847

return( 0 );

848

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

849

850

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

851

* Initialize an RSA context

852

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

853

void mbedtls_rsa_init( mbedtls_rsa_context *ctx,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

854

int padding,

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

855

int hash_id )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

856

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

857

memset( ctx, 0, sizeof( mbedtls_rsa_context ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

858

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

859

mbedtls_rsa_set_padding( ctx, padding, hash_id );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

860

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

861

#if defined(MBEDTLS_THREADING_C)

862

mbedtls_mutex_init( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

863

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

864

}

865

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

866

/*

867

* Set padding for an existing RSA context

868

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

869

void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

870

{

871

ctx->padding = padding;

872

ctx->hash_id = hash_id;

873

}

874

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

875

/*

876

* Get length in bytes of RSA modulus

877

*/

878

879

size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )

880

{

Hanno Becker

2f8f06a

2017-09-29 11:47:26 +0100

[diff] [blame]

881

return( ctx->len );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

882

}

883

884

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

885

#if defined(MBEDTLS_GENPRIME)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

886

887

/*

888

* Generate an RSA keypair

889

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

890

int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

891

int (*f_rng)(void *, unsigned char *, size_t),

892

void *p_rng,

893

unsigned int nbits, int exponent )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

894

{

895

int ret;

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

896

mbedtls_mpi H, G;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

897

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

898

if( f_rng == NULL || nbits < 128 || exponent < 3 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

899

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

900

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

901

if( nbits % 2 )

902

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

903

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

904

mbedtls_mpi_init( &H );

905

mbedtls_mpi_init( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

906

907

/*

908

* find primes P and Q with Q < P so that:

909

* GCD( E, (P-1)*(Q-1) ) == 1

910

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

911

MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

912

913

do

914

{

Janos Follath

10c575b

2016-02-23 14:42:48 +0000

[diff] [blame]

915

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

916

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

917

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

918

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

919

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

920

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

921

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

922

continue;

923

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

924

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

925

if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

926

continue;

927

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

928

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

929

mbedtls_mpi_swap( &ctx->P, &ctx->Q );

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

930

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

931

/* Temporarily replace P,Q by P-1, Q-1 */

932

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );

933

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );

934

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

935

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

936

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

937

while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

938

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

939

/* Restore P,Q */

940

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );

941

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );

942

943

ctx->len = mbedtls_mpi_size( &ctx->N );

944

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

945

/*

946

* D = E^-1 mod ((P-1)*(Q-1))

* DP = D mod (P - 1)

* DQ = D mod (Q - 1)

* QP = Q^-1 mod P

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

951

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

952

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H ) );

953

954

#if !defined(MBEDTLS_RSA_NO_CRT)

955

MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

956

&ctx->DP, &ctx->DQ, &ctx->QP ) );

957

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

958

Hanno Becker

83aad1f

2017-08-23 06:45:10 +0100

[diff] [blame]

959

/* Double-check */

960

MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );

961

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

962

cleanup:

963

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

964

mbedtls_mpi_free( &H );

965

mbedtls_mpi_free( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

966

967

if( ret != 0 )

968

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

969

mbedtls_rsa_free( ctx );

970

return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

971

}

972

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

973

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

974

}

975

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

976

#endif /* MBEDTLS_GENPRIME */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

977

978

/*

979

* Check a public RSA key

980

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

981

int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

982

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

983

if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) == 0 ||

984

mbedtls_mpi_cmp_int( &ctx->E, 0 ) == 0 )

985

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

986

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

987

}

Paul Bakker

37940d9

2009-07-10 22:38:58 +0000

[diff] [blame]

988

Hanno Becker

ba1ba11

2017-09-29 11:48:23 +0100

[diff] [blame]

989

if( ctx->len != mbedtls_mpi_size( &ctx->N ) )

990

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

991

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

992

if( mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 ||

993

mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 )

994

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

995

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

996

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

997

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

998

if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||

999

mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1000

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1001

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1002

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1003

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1004

if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1005

mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1006

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1007

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1008

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

/*

* Check a private RSA key

1015

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1016

int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1017

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1018

if( mbedtls_rsa_check_pubkey( ctx ) != 0 )

1019

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

1020

1021

if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1022

&ctx->D, &ctx->E, NULL, NULL ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1023

{

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1024

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1025

}

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1026

#if !defined(MBEDTLS_RSA_NO_CRT)

1027

else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,

1028

&ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )

1029

{

1030

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

1031

}

1032

#endif

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

1033

1034

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1035

}

1036

1037

/*

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1038

* Check if contexts holding a public and private key match

1039

*/

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1040

int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,

1041

const mbedtls_rsa_context *prv )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1042

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1043

if( mbedtls_rsa_check_pubkey( pub ) != 0 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1044

mbedtls_rsa_check_privkey( prv ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1045

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1046

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1047

}

1048

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1049

if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||

1050

mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1051

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1052

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

}

return( 0 );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1059

* Do an RSA public key operation

1060

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1061

int mbedtls_rsa_public( mbedtls_rsa_context *ctx,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1062

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1063

unsigned char *output )

1064

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1065

int ret;

1066

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1067

mbedtls_mpi T;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1068

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1069

mbedtls_mpi_init( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1070

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1071

#if defined(MBEDTLS_THREADING_C)

1072

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1073

return( ret );

1074

#endif

1075

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1076

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1077

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1078

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1079

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1080

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1081

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1082

}

1083

1084

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1085

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );

1086

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1087

1088

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1089

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1090

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1091

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

88fca3e

2015-03-27 15:06:07 +0100

[diff] [blame]

1092

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1093

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1094

mbedtls_mpi_free( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1095

1096

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1097

return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1102

/*

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1103

* Generate or update blinding values, see section 10 of:

1104

* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,

Manuel Pégourié-Gonnard

998930a

2015-04-03 13:48:06 +0200

[diff] [blame]

1105

* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1106

* Berlin Heidelberg, 1996. p. 104-113.

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1107

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1108

static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1109

int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )

1110

{

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1111

int ret, count = 0;

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1112

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1113

if( ctx->Vf.p != NULL )

1114

{

1115

/* We already have blinding values, just update them by squaring */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1116

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );

1117

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );

1118

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );

1119

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1120

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1121

goto cleanup;

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1122

}

1123

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1124

/* Unblinding value: Vf = random number, invertible mod N */

1125

do {

1126

if( count++ > 10 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1127

return( MBEDTLS_ERR_RSA_RNG_FAILED );

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1128

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1129

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );

1130

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1131

} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1132

1133

/* Blinding value: Vi = Vf^(-e) mod N */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1134

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1135

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1136

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1137

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1138

cleanup:

1139

return( ret );

1140

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1141

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1142

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1143

* Exponent blinding supposed to prevent side-channel attacks using multiple

1144

* traces of measurements to recover the RSA key. The more collisions are there,

1145

* the more bits of the key can be recovered. See [3].

1146

*

1147

* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)

1148

* observations on avarage.

1149

*

1150

* For example with 28 byte blinding to achieve 2 collisions the adversary has

1151

* to make 2^112 observations on avarage.

1152

*

1153

* (With the currently (as of 2017 April) known best algorithms breaking 2048

1154

* bit RSA requires approximately as much time as trying out 2^112 random keys.

1155

* Thus in this sense with 28 byte blinding the security is not reduced by

1156

* side-channel attacks like the one in [3])

1157

*

1158

* This countermeasure does not help if the key recovery is possible with a

1159

* single trace.

1160

*/

1161

#define RSA_EXPONENT_BLINDING 28

1162

1163

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1164

* Do an RSA private key operation

1165

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1166

int mbedtls_rsa_private( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1167

int (*f_rng)(void *, unsigned char *, size_t),

1168

void *p_rng,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1169

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1170

unsigned char *output )

1171

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1172

int ret;

1173

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1174

mbedtls_mpi T, T1, T2;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1175

mbedtls_mpi P1, Q1, R;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1176

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1177

mbedtls_mpi D_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1178

mbedtls_mpi *D = &ctx->D;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1179

#else

1180

mbedtls_mpi DP_blind, DQ_blind;

1181

mbedtls_mpi *DP = &ctx->DP;

1182

mbedtls_mpi *DQ = &ctx->DQ;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1183

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1184

Hanno Becker

45037ce

2017-08-25 11:03:34 +0100

[diff] [blame]

1185

/* Sanity-check that all relevant fields are at least set,

1186

* but don't perform a full keycheck. */

1187

if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) == 0 ||

1188

mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 ||

1189

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) == 0 ||

1190

mbedtls_mpi_cmp_int( &ctx->D, 0 ) == 0 ||

1191

mbedtls_mpi_cmp_int( &ctx->E, 0 ) == 0 )

1192

{

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

1193

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Hanno Becker

45037ce

2017-08-25 11:03:34 +0100

[diff] [blame]

1194

}

1195

#if !defined(MBEDTLS_RSA_NO_CRT)

1196

if( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) == 0 ||

1197

mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) == 0 ||

1198

mbedtls_mpi_cmp_int( &ctx->QP, 0 ) == 0 )

1199

{

1200

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1201

}

1202

#endif /* MBEDTLS_RSA_NO_CRT */

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

1203

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1204

mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1205

mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );

1206

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1207

if( f_rng != NULL )

1208

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1209

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1210

mbedtls_mpi_init( &D_blind );

1211

#else

1212

mbedtls_mpi_init( &DP_blind );

1213

mbedtls_mpi_init( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1214

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1215

}

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1216

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1217

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1218

#if defined(MBEDTLS_THREADING_C)

1219

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1220

return( ret );

1221

#endif

1222

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1223

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

1224

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1225

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1226

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1227

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1228

}

1229

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1230

if( f_rng != NULL )

1231

{

1232

/*

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1233

* Blinding

1234

* T = T * Vi mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1235

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1236

MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );

1237

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1238

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1239

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

/*

* Exponent blinding

*/

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );

1244

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );

1245

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1246

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1247

/*

1248

* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D

1249

*/

1250

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1251

f_rng, p_rng ) );

1252

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );

1253

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );

1254

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );

1255

1256

D = &D_blind;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1257

#else

1258

/*

1259

* DP_blind = ( P - 1 ) * R + DP

1260

*/

1261

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1262

f_rng, p_rng ) );

1263

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );

1264

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,

&ctx->DP ) );

DP = &DP_blind;

/*

* DQ_blind = ( Q - 1 ) * R + DQ

1271

*/

1272

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1273

f_rng, p_rng ) );

1274

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );

1275

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,

1276

&ctx->DQ ) );

1277

1278

DQ = &DQ_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1279

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1280

}

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1281

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1282

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1283

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

e10e06d

2014-11-06 18:15:12 +0100

[diff] [blame]

1284

#else

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1285

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1286

* Faster decryption using the CRT

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1287

*

1288

* T1 = input ^ dP mod P

1289

* T2 = input ^ dQ mod Q

1290

*/

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1291

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );

1292

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1293

1294

/*

1295

* T = (T1 - T2) * (Q^-1 mod P) mod P

1296

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1297

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );

1298

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );

1299

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1300

1301

/*

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1302

* T = T2 + T * Q

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1303

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1304

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );

1305

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );

1306

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1307

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

if( f_rng != NULL )

{

/*

* Unblind

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1312

* T = T * Vf mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1313

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1314

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1315

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1316

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1317

1318

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1319

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1320

1321

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1322

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1323

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1324

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1325

#endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1326

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1327

mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1328

mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );

1329

1330

if( f_rng != NULL )

1331

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1332

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1333

mbedtls_mpi_free( &D_blind );

1334

#else

1335

mbedtls_mpi_free( &DP_blind );

1336

mbedtls_mpi_free( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1337

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1338

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1339

1340

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1341

return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1346

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1347

/**

1348

* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.

1349

*

Paul Bakker

b125ed8

2011-11-10 13:33:51 +0000

[diff] [blame]

1350

* \param dst buffer to mask

1351

* \param dlen length of destination buffer

1352

* \param src source of the mask generation

1353

* \param slen length of the source buffer

1354

* \param md_ctx message digest context to use

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1355

*/

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1356

static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1357

size_t slen, mbedtls_md_context_t *md_ctx )

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1358

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1359

unsigned char mask[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1360

unsigned char counter[4];

1361

unsigned char *p;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1362

unsigned int hlen;

1363

size_t i, use_len;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1364

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1365

memset( mask, 0, MBEDTLS_MD_MAX_SIZE );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1366

memset( counter, 0, 4 );

1367

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1368

hlen = mbedtls_md_get_size( md_ctx->md_info );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1369

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1370

/* Generate and apply dbMask */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

p = dst;

while( dlen > 0 )

{

use_len = hlen;

if( dlen < hlen )

use_len = dlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1379

mbedtls_md_starts( md_ctx );

1380

mbedtls_md_update( md_ctx, src, slen );

1381

mbedtls_md_update( md_ctx, counter, 4 );

1382

mbedtls_md_finish( md_ctx, mask );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1383

1384

for( i = 0; i < use_len; ++i )

*p++ ^= mask[i];

counter[3]++;

dlen -= use_len;

}

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1391

1392

mbedtls_zeroize( mask, sizeof( mask ) );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1393

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1394

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1395

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1396

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1397

/*

1398

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function

1399

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1400

int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1401

int (*f_rng)(void *, unsigned char *, size_t),

1402

void *p_rng,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1403

int mode,

1404

const unsigned char *label, size_t label_len,

1405

size_t ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1406

const unsigned char *input,

1407

unsigned char *output )

{

size_t olen;

int ret;

unsigned char *p = output;

1412

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1413

const mbedtls_md_info_t *md_info;

1414

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1415

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1416

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1417

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1418

1419

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1420

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1421

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1422

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1423

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1424

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1425

1426

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1427

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1428

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1429

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1430

if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1431

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1432

1433

memset( output, 0, olen );

*p++ = 0;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1437

/* Generate a random octet string seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1438

if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1439

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p += hlen;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1443

/* Construct DB */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1444

mbedtls_md( md_info, label, label_len, p );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1445

p += hlen;

1446

p += olen - 2 * hlen - 2 - ilen;

1447

*p++ = 1;

1448

memcpy( p, input, ilen );

1449

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1450

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1451

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1452

{

1453

mbedtls_md_free( &md_ctx );

1454

return( ret );

1455

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1456

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1457

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1458

mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,

1459

&md_ctx );

1460

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1461

/* maskedSeed: Apply seedMask to seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1462

mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,

1463

&md_ctx );

1464

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1465

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1466

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1467

return( ( mode == MBEDTLS_RSA_PUBLIC )

1468

? mbedtls_rsa_public( ctx, output, output )

1469

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1470

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1471

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1472

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1473

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1474

/*

1475

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function

1476

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1477

int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1478

int (*f_rng)(void *, unsigned char *, size_t),

1479

void *p_rng,

1480

int mode, size_t ilen,

1481

const unsigned char *input,

1482

unsigned char *output )

{

size_t nb_pad, olen;

int ret;

unsigned char *p = output;

1487

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1488

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1489

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1490

Janos Follath

1ed9f99

2016-03-18 11:45:44 +0000

[diff] [blame]

1491

// We don't check p_rng because it won't be dereferenced here

1492

if( f_rng == NULL || input == NULL || output == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1493

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1494

1495

olen = ctx->len;

Manuel Pégourié-Gonnard

370717b

2016-02-11 10:35:13 +0100

[diff] [blame]

1496

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1497

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1498

if( ilen + 11 < ilen || olen < ilen + 11 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1499

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1500

1501

nb_pad = olen - 3 - ilen;

1502

1503

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1504

if( mode == MBEDTLS_RSA_PUBLIC )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1505

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1506

*p++ = MBEDTLS_RSA_CRYPT;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1507

1508

while( nb_pad-- > 0 )

{

int rng_dl = 100;

do {

ret = f_rng( p_rng, p, 1 );

1514

} while( *p == 0 && --rng_dl && ret == 0 );

1515

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1516

/* Check if RNG failed to generate data */

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1517

if( rng_dl == 0 || ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1518

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p++;

}

}

else

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1525

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1526

1527

while( nb_pad-- > 0 )

*p++ = 0xFF;

}

*p++ = 0;

memcpy( p, input, ilen );

1533

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1534

return( ( mode == MBEDTLS_RSA_PUBLIC )

1535

? mbedtls_rsa_public( ctx, output, output )

1536

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1537

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1538

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1539

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1540

/*

1541

* Add the message padding, then do an RSA operation

1542

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1543

int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

1544

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

1545

void *p_rng,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1546

int mode, size_t ilen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1547

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1548

unsigned char *output )

1549

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1550

switch( ctx->padding )

1551

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1552

#if defined(MBEDTLS_PKCS1_V15)

1553

case MBEDTLS_RSA_PKCS_V15:

1554

return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1555

input, output );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1556

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1557

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1558

#if defined(MBEDTLS_PKCS1_V21)

1559

case MBEDTLS_RSA_PKCS_V21:

1560

return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1561

ilen, input, output );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1562

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1563

1564

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1565

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1566

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1567

}

1568

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1569

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1570

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1571

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1572

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1573

int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1574

int (*f_rng)(void *, unsigned char *, size_t),

1575

void *p_rng,

1576

int mode,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1577

const unsigned char *label, size_t label_len,

1578

size_t *olen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1579

const unsigned char *input,

1580

unsigned char *output,

1581

size_t output_max_len )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1582

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1583

int ret;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1584

size_t ilen, i, pad_len;

1585

unsigned char *p, bad, pad_done;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1586

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

1587

unsigned char lhash[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1588

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1589

const mbedtls_md_info_t *md_info;

1590

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1591

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1592

/*

1593

* Parameters sanity checks

1594

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1595

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1596

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

ilen = ctx->len;

Paul Bakker

2011-06-09 13:55:13 +0000

[diff] [blame]

1600

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1601

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1602

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1603

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1604

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1605

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1606

Janos Follath

c17cda1

2016-02-11 11:08:18 +0000

[diff] [blame]

1607

hlen = mbedtls_md_get_size( md_info );

1608

1609

// checking for integer underflow

1610

if( 2 * hlen + 2 > ilen )

1611

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1612

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1613

/*

1614

* RSA operation

1615

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1616

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1617

? mbedtls_rsa_public( ctx, input, buf )

1618

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1619

1620

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1621

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1622

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1623

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1624

* Unmask data and generate lHash

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1625

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1626

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1627

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1628

{

1629

mbedtls_md_free( &md_ctx );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1630

goto cleanup;

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1631

}

1632

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1633

1634

/* Generate lHash */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1635

mbedtls_md( md_info, label, label_len, lhash );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1636

1637

/* seed: Apply seedMask to maskedSeed */

1638

mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,

1639

&md_ctx );

1640

1641

/* DB: Apply dbMask to maskedDB */

1642

mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,

1643

&md_ctx );

1644

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1645

mbedtls_md_free( &md_ctx );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1646

1647

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1648

* Check contents, in "constant-time"

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1649

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1650

p = buf;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1651

bad = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1652

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1653

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1654

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1655

p += hlen; /* Skip seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1656

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1657

/* Check lHash */

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1658

for( i = 0; i < hlen; i++ )

1659

bad |= lhash[i] ^ *p++;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1660

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1661

/* Get zero-padding len, but always read till end of buffer

1662

* (minus one, for the 01 byte) */

1663

pad_len = 0;

1664

pad_done = 0;

1665

for( i = 0; i < ilen - 2 * hlen - 2; i++ )

1666

{

1667

pad_done |= p[i];

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1668

pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1669

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1670

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1671

p += pad_len;

1672

bad |= *p++ ^ 0x01;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1673

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1674

/*

1675

* The only information "leaked" is whether the padding was correct or not

1676

* (eg, no data is copied if it was not correct). This meets the

1677

* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between

1678

* the different error conditions.

1679

*/

1680

if( bad != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1681

{

1682

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1683

goto cleanup;

1684

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1685

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1686

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1687

{

1688

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1689

goto cleanup;

1690

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1691

1692

*olen = ilen - (p - buf);

1693

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1694

ret = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1695

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1696

cleanup:

1697

mbedtls_zeroize( buf, sizeof( buf ) );

1698

mbedtls_zeroize( lhash, sizeof( lhash ) );

1699

1700

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1701

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1702

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1703

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1704

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1705

/*

1706

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function

1707

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1708

int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1709

int (*f_rng)(void *, unsigned char *, size_t),

1710

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1711

int mode, size_t *olen,

1712

const unsigned char *input,

1713

unsigned char *output,

1714

size_t output_max_len)

1715

{

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1716

int ret;

1717

size_t ilen, pad_count = 0, i;

1718

unsigned char *p, bad, pad_done = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1719

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1720

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1721

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1722

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

ilen = ctx->len;

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1727

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1728

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1729

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1730

? mbedtls_rsa_public( ctx, input, buf )

1731

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1732

1733

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1734

goto cleanup;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1735

1736

p = buf;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1737

bad = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1738

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1739

/*

1740

* Check and get padding len in "constant-time"

1741

*/

1742

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1743

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1744

/* This test does not depend on secret data */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1745

if( mode == MBEDTLS_RSA_PRIVATE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1746

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1747

bad |= *p++ ^ MBEDTLS_RSA_CRYPT;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1748

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1749

/* Get padding len, but always read till end of buffer

1750

* (minus one, for the 00 byte) */

1751

for( i = 0; i < ilen - 3; i++ )

1752

{

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1753

pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;

1754

pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1755

}

Paul Bakker

e6ee41f

2012-05-19 08:43:48 +0000

[diff] [blame]

1756

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1757

p += pad_count;

1758

bad |= *p++; /* Must be zero */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1759

}

1760

else

1761

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1762

bad |= *p++ ^ MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1763

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1764

/* Get padding len, but always read till end of buffer

1765

* (minus one, for the 00 byte) */

1766

for( i = 0; i < ilen - 3; i++ )

1767

{

Manuel Pégourié-Gonnard

fbf0915

2014-02-03 11:58:55 +0100

[diff] [blame]

1768

pad_done |= ( p[i] != 0xFF );

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1769

pad_count += ( pad_done == 0 );

1770

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1771

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1772

p += pad_count;

1773

bad |= *p++; /* Must be zero */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1774

}

1775

Janos Follath

c69fa50

2016-02-12 13:30:09 +0000

[diff] [blame]

1776

bad |= ( pad_count < 8 );

Janos Follath

b6eb1ca

2016-02-08 13:59:25 +0000

[diff] [blame]

1777

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1778

if( bad )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1779

{

1780

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1781

goto cleanup;

1782

}

Paul Bakker

8804f69

2013-02-28 18:06:26 +0100

[diff] [blame]

1783

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1784

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1785

{

1786

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1787

goto cleanup;

1788

}

Paul Bakker

060c568

2009-01-12 21:48:39 +0000

[diff] [blame]

1789

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

1790

*olen = ilen - (p - buf);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1791

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1792

ret = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1793

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1794

cleanup:

1795

mbedtls_zeroize( buf, sizeof( buf ) );

1796

1797

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1798

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1799

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1800

1801

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1802

* Do an RSA operation, then remove the message padding

1803

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1804

int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1805

int (*f_rng)(void *, unsigned char *, size_t),

1806

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1807

int mode, size_t *olen,

1808

const unsigned char *input,

1809

unsigned char *output,

1810

size_t output_max_len)

1811

{

1812

switch( ctx->padding )

1813

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1814

#if defined(MBEDTLS_PKCS1_V15)

1815

case MBEDTLS_RSA_PKCS_V15:

1816

return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1817

input, output, output_max_len );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1818

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1819

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1820

#if defined(MBEDTLS_PKCS1_V21)

1821

case MBEDTLS_RSA_PKCS_V21:

1822

return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1823

olen, input, output,

1824

output_max_len );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1825

#endif

1826

1827

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1828

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1829

}

1830

}

1831

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1832

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1833

/*

1834

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function

1835

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1836

int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1837

int (*f_rng)(void *, unsigned char *, size_t),

1838

void *p_rng,

1839

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1840

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1841

unsigned int hashlen,

1842

const unsigned char *hash,

unsigned char *sig )

{

size_t olen;

unsigned char *p = sig;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1847

unsigned char salt[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1848

unsigned int slen, hlen, offset = 0;

1849

int ret;

1850

size_t msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1851

const mbedtls_md_info_t *md_info;

1852

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1853

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1854

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1855

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1856

1857

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1858

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1859

1860

olen = ctx->len;

1861

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1862

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1863

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1864

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1865

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1866

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1867

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1868

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1869

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1870

}

1871

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1872

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1873

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1874

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1875

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1876

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1877

slen = hlen;

1878

1879

if( olen < hlen + slen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1880

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1881

1882

memset( sig, 0, olen );

1883

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1884

/* Generate salt of length slen */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1885

if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1886

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1887

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1888

/* Note: EMSA-PSS encoding is over the length of N - 1 bits */

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1889

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1890

p += olen - hlen * 2 - 2;

1891

*p++ = 0x01;

1892

memcpy( p, salt, slen );

1893

p += slen;

1894

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1895

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1896

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1897

{

1898

mbedtls_md_free( &md_ctx );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1899

/* No need to zeroize salt: we didn't use it. */

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1900

return( ret );

1901

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1902

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1903

/* Generate H = Hash( M' ) */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1904

mbedtls_md_starts( &md_ctx );

1905

mbedtls_md_update( &md_ctx, p, 8 );

1906

mbedtls_md_update( &md_ctx, hash, hashlen );

1907

mbedtls_md_update( &md_ctx, salt, slen );

1908

mbedtls_md_finish( &md_ctx, p );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1909

mbedtls_zeroize( salt, sizeof( salt ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1910

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1911

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

offset = 1;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1915

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1916

mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );

1917

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1918

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1919

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1920

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1921

sig[0] &= 0xFF >> ( olen * 8 - msb );

p += hlen;

*p++ = 0xBC;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1926

return( ( mode == MBEDTLS_RSA_PUBLIC )

1927

? mbedtls_rsa_public( ctx, sig, sig )

1928

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1929

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1930

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1931

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1932

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1933

/*

1934

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function

1935

*/

1936

/*

1937

* Do an RSA operation to sign the message digest

1938

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1939

int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1940

int (*f_rng)(void *, unsigned char *, size_t),

1941

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1942

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1943

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1944

unsigned int hashlen,

1945

const unsigned char *hash,

1946

unsigned char *sig )

1947

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1948

size_t nb_pad, olen, oid_size = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1949

unsigned char *p = sig;

Paul Bakker

21e081b

2014-07-24 10:38:01 +0200

[diff] [blame]

1950

const char *oid = NULL;

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1951

unsigned char *sig_try = NULL, *verif = NULL;

1952

size_t i;

1953

unsigned char diff;

1954

volatile unsigned char diff_no_optimize;

1955

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1956

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1957

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1958

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1959

1960

olen = ctx->len;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1961

nb_pad = olen - 3;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1962

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1963

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1964

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1965

const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1966

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1967

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1968

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1969

if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )

1970

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1971

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1972

nb_pad -= 10 + oid_size;

1973

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1974

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1975

}

1976

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1977

nb_pad -= hashlen;

1978

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1979

if( ( nb_pad < 8 ) || ( nb_pad > olen ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1980

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1981

1982

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1983

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1984

memset( p, 0xFF, nb_pad );

1985

p += nb_pad;

1986

*p++ = 0;

1987

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1988

if( md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1989

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1990

memcpy( p, hash, hashlen );

}

else

{

/*

* DigestInfo ::= SEQUENCE {

1996

* digestAlgorithm DigestAlgorithmIdentifier,

1997

* digest Digest }

1998

*

1999

* DigestAlgorithmIdentifier ::= AlgorithmIdentifier

2000

*

2001

* Digest ::= OCTET STRING

2002

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2003

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2004

*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2005

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2006

*p++ = (unsigned char) ( 0x04 + oid_size );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2007

*p++ = MBEDTLS_ASN1_OID;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2008

*p++ = oid_size & 0xFF;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2009

memcpy( p, oid, oid_size );

2010

p += oid_size;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2011

*p++ = MBEDTLS_ASN1_NULL;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2012

*p++ = 0x00;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2013

*p++ = MBEDTLS_ASN1_OCTET_STRING;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2014

*p++ = hashlen;

2015

memcpy( p, hash, hashlen );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2016

}

2017

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2018

if( mode == MBEDTLS_RSA_PUBLIC )

2019

return( mbedtls_rsa_public( ctx, sig, sig ) );

2020

2021

/*

2022

* In order to prevent Lenstra's attack, make the signature in a

2023

* temporary buffer and check it before returning it.

2024

*/

2025

sig_try = mbedtls_calloc( 1, ctx->len );

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2026

if( sig_try == NULL )

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2027

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2028

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2029

verif = mbedtls_calloc( 1, ctx->len );

2030

if( verif == NULL )

2031

{

2032

mbedtls_free( sig_try );

2033

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2034

}

2035

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2036

MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );

2037

MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );

2038

2039

/* Compare in constant time just in case */

2040

for( diff = 0, i = 0; i < ctx->len; i++ )

2041

diff |= verif[i] ^ sig[i];

2042

diff_no_optimize = diff;

2043

2044

if( diff_no_optimize != 0 )

2045

{

2046

ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;

goto cleanup;

}

memcpy( sig, sig_try, ctx->len );

2051

2052

cleanup:

2053

mbedtls_free( sig_try );

2054

mbedtls_free( verif );

2055

2056

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2057

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2058

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2059

2060

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2061

* Do an RSA operation to sign the message digest

2062

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2063

int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2064

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2065

void *p_rng,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2066

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2067

mbedtls_md_type_t md_alg,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2068

unsigned int hashlen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

2069

const unsigned char *hash,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2070

unsigned char *sig )

2071

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2072

switch( ctx->padding )

2073

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2074

#if defined(MBEDTLS_PKCS1_V15)

2075

case MBEDTLS_RSA_PKCS_V15:

2076

return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2077

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2078

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2079

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2080

#if defined(MBEDTLS_PKCS1_V21)

2081

case MBEDTLS_RSA_PKCS_V21:

2082

return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2083

hashlen, hash, sig );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2084

#endif

2085

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2086

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2087

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2088

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2089

}

2090

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2091

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2092

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2093

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2094

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2095

int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2096

int (*f_rng)(void *, unsigned char *, size_t),

2097

void *p_rng,

2098

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2099

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2100

unsigned int hashlen,

2101

const unsigned char *hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2102

mbedtls_md_type_t mgf1_hash_id,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2103

int expected_salt_len,

2104

const unsigned char *sig )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2105

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2106

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2107

size_t siglen;

2108

unsigned char *p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2109

unsigned char result[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2110

unsigned char zeros[8];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2111

unsigned int hlen;

2112

size_t slen, msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2113

const mbedtls_md_info_t *md_info;

2114

mbedtls_md_context_t md_ctx;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2115

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2116

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2117

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

2118

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2119

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2120

siglen = ctx->len;

2121

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

2122

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2123

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2124

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2125

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2126

? mbedtls_rsa_public( ctx, sig, buf )

2127

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2134

if( buf[siglen - 1] != 0xBC )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2135

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2136

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2137

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2138

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2139

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2140

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2141

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2142

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2143

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2144

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2145

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2146

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2147

md_info = mbedtls_md_info_from_type( mgf1_hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2148

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2149

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2150

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2151

hlen = mbedtls_md_get_size( md_info );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2152

slen = siglen - hlen - 1; /* Currently length of salt + padding */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2153

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2154

memset( zeros, 0, 8 );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2155

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2156

/*

2157

* Note: EMSA-PSS verification is over the length of N - 1 bits

2158

*/

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

2159

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2160

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2161

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

{

p++;

siglen -= 1;

}

if( buf[0] >> ( 8 - siglen * 8 + msb ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2168

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2169

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2170

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

2171

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

2172

{

2173

mbedtls_md_free( &md_ctx );

2174

return( ret );

2175

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2176

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2177

mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );

Paul Bakker

02303e8

2013-01-03 11:08:31 +0100

[diff] [blame]

2178

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2179

buf[0] &= 0xFF >> ( siglen * 8 - msb );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2180

Paul Bakker

4de44aa

2013-12-31 11:43:01 +0100

[diff] [blame]

2181

while( p < buf + siglen && *p == 0 )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2182

p++;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2183

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2184

if( p == buf + siglen ||

2185

*p++ != 0x01 )

2186

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2187

mbedtls_md_free( &md_ctx );

2188

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2189

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2190

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2191

/* Actual salt len */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2192

slen -= p - buf;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2193

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2194

if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2195

slen != (size_t) expected_salt_len )

2196

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2197

mbedtls_md_free( &md_ctx );

2198

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2199

}

2200

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2201

/*

2202

* Generate H = Hash( M' )

2203

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2204

mbedtls_md_starts( &md_ctx );

2205

mbedtls_md_update( &md_ctx, zeros, 8 );

2206

mbedtls_md_update( &md_ctx, hash, hashlen );

2207

mbedtls_md_update( &md_ctx, p, slen );

2208

mbedtls_md_finish( &md_ctx, result );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2209

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2210

mbedtls_md_free( &md_ctx );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2211

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2212

if( memcmp( p + slen, result, hlen ) == 0 )

2213

return( 0 );

2214

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2215

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2216

}

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2217

2218

/*

2219

* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function

2220

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2221

int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2222

int (*f_rng)(void *, unsigned char *, size_t),

2223

void *p_rng,

2224

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2225

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2226

unsigned int hashlen,

2227

const unsigned char *hash,

2228

const unsigned char *sig )

2229

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2230

mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )

2231

? (mbedtls_md_type_t) ctx->hash_id

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2232

: md_alg;

2233

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2234

return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2235

md_alg, hashlen, hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2236

mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2237

sig ) );

2238

2239

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2240

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

40628ba

2013-01-03 10:50:31 +0100

[diff] [blame]

2241

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2242

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2243

/*

2244

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function

2245

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2246

int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2247

int (*f_rng)(void *, unsigned char *, size_t),

2248

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2249

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2250

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2251

unsigned int hashlen,

2252

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2253

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2254

{

2255

int ret;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2256

size_t len, siglen, asn1_len;

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2257

unsigned char *p, *p0, *end;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2258

mbedtls_md_type_t msg_md_alg;

2259

const mbedtls_md_info_t *md_info;

2260

mbedtls_asn1_buf oid;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2261

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2262

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2263

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

2264

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

siglen = ctx->len;

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2269

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2270

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2271

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2272

? mbedtls_rsa_public( ctx, sig, buf )

2273

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2280

if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )

2281

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

while( *p != 0 )

{

if( p >= buf + siglen - 1 || *p != 0xFF )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2286

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2287

p++;

2288

}

Manuel Pégourié-Gonnard

c1380de

2017-05-11 12:49:51 +0200

[diff] [blame]

2289

p++; /* skip 00 byte */

2290

2291

/* We've read: 00 01 PS 00 where PS must be at least 8 bytes */

2292

if( p - buf < 11 )

2293

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2294

2295

len = siglen - ( p - buf );

2296

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2297

if( len == hashlen && md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2298

{

2299

if( memcmp( p, hash, hashlen ) == 0 )

2300

return( 0 );

2301

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2302

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2303

}

2304

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2305

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2306

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2307

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

2308

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

end = p + len;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2312

/*

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2313

* Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.

2314

* Insist on 2-byte length tags, to protect against variants of

2315

* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2316

*/

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2317

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2318

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2319

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2320

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2321

if( p != p0 + 2 || asn1_len + 2 != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2322

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2323

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2324

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2325

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2326

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2327

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2328

if( p != p0 + 2 || asn1_len + 6 + hashlen != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2329

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2330

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2331

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2332

if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )

2333

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2334

if( p != p0 + 2 )

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2335

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

oid.p = p;

p += oid.len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2340

if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )

2341

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2342

2343

if( md_alg != msg_md_alg )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2344

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2345

2346

/*

2347

* assume the algorithm parameters must be NULL

2348

*/

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2349

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2350

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )

2351

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2352

if( p != p0 + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2353

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2354

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2355

p0 = p;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2356

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )

2357

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2358

if( p != p0 + 2 || asn1_len != hashlen )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2359

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2360

2361

if( memcmp( p, hash, hashlen ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2362

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

p += hashlen;

if( p != end )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2367

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2368

2369

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2370

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2371

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2372

2373

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2374

* Do an RSA operation and check the message digest

2375

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2376

int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2377

int (*f_rng)(void *, unsigned char *, size_t),

2378

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2379

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2380

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2381

unsigned int hashlen,

2382

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2383

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2384

{

2385

switch( ctx->padding )

2386

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2387

#if defined(MBEDTLS_PKCS1_V15)

2388

case MBEDTLS_RSA_PKCS_V15:

2389

return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2390

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2391

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2392

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2393

#if defined(MBEDTLS_PKCS1_V21)

2394

case MBEDTLS_RSA_PKCS_V21:

2395

return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2396

hashlen, hash, sig );

2397

#endif

2398

2399

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2400

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

}

}

/*

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2405

* Copy the components of an RSA key

2406

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2407

int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

{

int ret;

dst->ver = src->ver;

dst->len = src->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2414

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );

2415

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2416

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2417

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );

2418

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );

2419

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2420

2421

#if !defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2422

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );

2423

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );

2424

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2425

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );

2426

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2427

#endif

2428

2429

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2430

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2431

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );

2432

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

2433

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2434

dst->padding = src->padding;

Manuel Pégourié-Gonnard

fdddac9

2014-03-25 15:58:35 +0100

[diff] [blame]

2435

dst->hash_id = src->hash_id;

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2436

2437

cleanup:

2438

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2439

mbedtls_rsa_free( dst );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

return( ret );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2445

* Free the components of an RSA key

2446

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2447

void mbedtls_rsa_free( mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2448

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2449

mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2450

mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D );

2451

mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2452

mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2453

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2454

#if !defined(MBEDTLS_RSA_NO_CRT)

2455

mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );

2456

mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );

2457

mbedtls_mpi_free( &ctx->DP );

2458

#endif /* MBEDTLS_RSA_NO_CRT */

2459

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2460

#if defined(MBEDTLS_THREADING_C)

2461

mbedtls_mutex_free( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2462

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2463

}

2464

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

2465

#endif /* !MBEDTLS_RSA_ALT */

2466

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2467

#if defined(MBEDTLS_SELF_TEST)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2468

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

2469

#include "mbedtls/sha1.h"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2470

2471

/*

2472

* Example RSA-1024 keypair, for test purposes

*/

#define KEY_LEN 128

#define RSA_N "9292758453063D803DD603D5E777D788" \

2477

"8ED1D5BF35786190FA2F23EBC0848AEA" \

2478

"DDA92CA6C3D80B32C4D109BE0F36D6AE" \

2479

"7130B9CED7ACDF54CFC7555AC14EEBAB" \

2480

"93A89813FBF3C4F8066D2D800F7C38A8" \

2481

"1AE31942917403FF4946B0A83D3D3E05" \

2482

"EE57C6F5F5606FB5D4BC6CD34EE0801A" \

2483

"5E94BB77B07507233A0BC7BAC8F90F79"

2484

2485

#define RSA_E "10001"

2486

2487

#define RSA_D "24BF6185468786FDD303083D25E64EFC" \

2488

"66CA472BC44D253102F8B4A9D3BFA750" \

2489

"91386C0077937FE33FA3252D28855837" \

2490

"AE1B484A8A9A45F7EE8C0C634F99E8CD" \

2491

"DF79C5CE07EE72C7F123142198164234" \

2492

"CABB724CF78B8173B9F880FC86322407" \

2493

"AF1FEDFDDE2BEB674CA15F3E81A1521E" \

2494

"071513A1E85B5DFA031F21ECAE91A34D"

2495

2496

#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \

2497

"2C01CAD19EA484A87EA4377637E75500" \

2498

"FCB2005C5C7DD6EC4AC023CDA285D796" \

2499

"C3D9E75E1EFC42488BB4F1D13AC30A57"

2500

2501

#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \

2502

"E211C2B9E5DB1ED0BF61D0D9899620F4" \

2503

"910E4168387E3C30AA1E00C339A79508" \

2504

"8452DD96A9A5EA5D9DCA68DA636032AF"

2505

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2506

#define PT_LEN 24

2507

#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \

2508

"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"

2509

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2510

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2511

static int myrand( void *rng_state, unsigned char *output, size_t len )

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2512

{

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2513

#if !defined(__OpenBSD__)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2514

size_t i;

2515

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2516

if( rng_state != NULL )

2517

rng_state = NULL;

2518

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2519

for( i = 0; i < len; ++i )

2520

output[i] = rand();

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2521

#else

2522

if( rng_state != NULL )

2523

rng_state = NULL;

2524

2525

arc4random_buf( output, len );

2526

#endif /* !OpenBSD */

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2527

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2528

return( 0 );

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2529

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2530

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2531

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2532

/*

2533

* Checkup routine

2534

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2535

int mbedtls_rsa_self_test( int verbose )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2536

{

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2537

int ret = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2538

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2539

size_t len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2540

mbedtls_rsa_context rsa;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2541

unsigned char rsa_plaintext[PT_LEN];

2542

unsigned char rsa_decrypted[PT_LEN];

2543

unsigned char rsa_ciphertext[KEY_LEN];

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2544

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

5690efc

2011-05-26 13:16:06 +0000

[diff] [blame]

2545

unsigned char sha1sum[20];

2546

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2547

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2548

mbedtls_mpi K;

2549

2550

mbedtls_mpi_init( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2551

mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2552

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2553

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );

2554

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );

2555

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );

2556

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );

2557

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );

2558

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );

2559

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );

2560

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );

2561

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );

2562

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );

2563

2564

MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa, NULL, NULL ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2565

2566

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2567

mbedtls_printf( " RSA key validation: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2568

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2569

if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||

2570

mbedtls_rsa_check_privkey( &rsa ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2571

{

2572

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2573

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2579

mbedtls_printf( "passed\n PKCS#1 encryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2580

2581

memcpy( rsa_plaintext, RSA_PT, PT_LEN );

2582

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2583

if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,

2584

PT_LEN, rsa_plaintext,

2585

rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2586

{

2587

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2588

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2594

mbedtls_printf( "passed\n PKCS#1 decryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2595

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2596

if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,

2597

&len, rsa_ciphertext, rsa_decrypted,

2598

sizeof(rsa_decrypted) ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2599

{

2600

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2601

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )

2607

{

2608

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2609

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2614

if( verbose != 0 )

2615

mbedtls_printf( "passed\n" );

2616

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2617

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2618

if( verbose != 0 )

Brian Murray

930a370

2016-05-18 14:38:02 -0700

[diff] [blame]

2619

mbedtls_printf( " PKCS#1 data sign : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2620

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2621

mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2622

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2623

if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,

2624

MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,

2625

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2626

{

2627

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2628

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2634

mbedtls_printf( "passed\n PKCS#1 sig. verify: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2635

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2636

if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,

2637

MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,

2638

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2639

{

2640

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2641

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2647

mbedtls_printf( "passed\n" );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2648

#endif /* MBEDTLS_SHA1_C */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2649

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2650

if( verbose != 0 )

2651

mbedtls_printf( "\n" );

2652

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2653

cleanup:

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2654

mbedtls_mpi_free( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2655

mbedtls_rsa_free( &rsa );

2656

#else /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3e41fe8

2013-09-15 17:42:50 +0200

[diff] [blame]

2657

((void) verbose);

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2658

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2659

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2660

}

2661

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2662

#endif /* MBEDTLS_SELF_TEST */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2663

Manuel Pégourié-Gonnard