blob: 3c538bf439a2a36c5fe41583e86eb5fc6d6d137c [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * The RSA public-key cryptosystem
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +000018 */
Hanno Becker74716312017-10-02 10:00:37 +010019
Paul Bakker5121ce52009-01-03 21:22:43 +000020/*
Simon Butcherbdae02c2016-01-20 00:44:42 +000021 * The following sources were referenced in the design of this implementation
22 * of the RSA algorithm:
Paul Bakker5121ce52009-01-03 21:22:43 +000023 *
Simon Butcherbdae02c2016-01-20 00:44:42 +000024 * [1] A method for obtaining digital signatures and public-key cryptosystems
25 * R Rivest, A Shamir, and L Adleman
26 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
27 *
28 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
29 * Menezes, van Oorschot and Vanstone
30 *
Janos Follathe81102e2017-03-22 13:38:28 +000031 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
32 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
33 * Stefan Mangard
34 * https://arxiv.org/abs/1702.08719v2
35 *
Paul Bakker5121ce52009-01-03 21:22:43 +000036 */
37
Gilles Peskinedb09ef62020-06-03 01:43:33 +020038#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020040#if defined(MBEDTLS_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000041
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000042#include "mbedtls/rsa.h"
Chris Jones66a4cd42021-03-09 16:04:12 +000043#include "rsa_alt_helpers.h"
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000044#include "mbedtls/oid.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050045#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +000046#include "mbedtls/error.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +020047#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +020048#include "mbedtls/constant_time.h"
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +020049#include "md_psa.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +000050
Rich Evans00ab4702015-02-06 13:43:58 +000051#include <string.h>
52
gufe44c2620da2020-08-03 17:56:50 +020053#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker5121ce52009-01-03 21:22:43 +000054#include <stdlib.h>
Rich Evans00ab4702015-02-06 13:43:58 +000055#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000056
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000057#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +010058
Dave Rodgman19e8cd02023-05-09 11:10:21 +010059
60#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
61
62/** This function performs the unpadding part of a PKCS#1 v1.5 decryption
63 * operation (EME-PKCS1-v1_5 decoding).
64 *
65 * \note The return value from this function is a sensitive value
66 * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen
67 * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING
68 * is often a situation that an attacker can provoke and leaking which
69 * one is the result is precisely the information the attacker wants.
70 *
71 * \param input The input buffer which is the payload inside PKCS#1v1.5
72 * encryption padding, called the "encoded message EM"
73 * by the terminology.
74 * \param ilen The length of the payload in the \p input buffer.
75 * \param output The buffer for the payload, called "message M" by the
76 * PKCS#1 terminology. This must be a writable buffer of
77 * length \p output_max_len bytes.
78 * \param olen The address at which to store the length of
79 * the payload. This must not be \c NULL.
80 * \param output_max_len The length in bytes of the output buffer \p output.
81 *
82 * \return \c 0 on success.
83 * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
84 * The output buffer is too small for the unpadded payload.
85 * \return #MBEDTLS_ERR_RSA_INVALID_PADDING
86 * The input doesn't contain properly formatted padding.
87 */
88static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input,
89 size_t ilen,
90 unsigned char *output,
91 size_t output_max_len,
92 size_t *olen)
93{
94 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
95 size_t i, plaintext_max_size;
96
97 /* The following variables take sensitive values: their value must
98 * not leak into the observable behavior of the function other than
99 * the designated outputs (output, olen, return value). Otherwise
100 * this would open the execution of the function to
101 * side-channel-based variants of the Bleichenbacher padding oracle
102 * attack. Potential side channels include overall timing, memory
103 * access patterns (especially visible to an adversary who has access
104 * to a shared memory cache), and branches (especially visible to
105 * an adversary who has access to a shared code cache or to a shared
106 * branch predictor). */
107 size_t pad_count = 0;
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100108 mbedtls_ct_condition_t bad;
109 mbedtls_ct_condition_t pad_done;
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100110 size_t plaintext_size = 0;
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100111 mbedtls_ct_condition_t output_too_large;
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100112
113 plaintext_max_size = (output_max_len > ilen - 11) ? ilen - 11
114 : output_max_len;
115
116 /* Check and get padding length in constant time and constant
117 * memory trace. The first byte must be 0. */
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100118 bad = mbedtls_ct_bool(input[0]);
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100119
120
121 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
122 * where PS must be at least 8 nonzero bytes. */
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100123 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(input[1], MBEDTLS_RSA_CRYPT));
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100124
125 /* Read the whole buffer. Set pad_done to nonzero if we find
126 * the 0x00 byte and remember the padding length in pad_count. */
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100127 pad_done = MBEDTLS_CT_FALSE;
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100128 for (i = 2; i < ilen; i++) {
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100129 mbedtls_ct_condition_t found = mbedtls_ct_uint_eq(input[i], 0);
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100130 pad_done = mbedtls_ct_bool_or(pad_done, found);
Dave Rodgman98ddc012023-08-10 12:11:31 +0100131 pad_count += mbedtls_ct_uint_if_else_0(mbedtls_ct_bool_not(pad_done), 1);
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100132 }
133
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100134 /* If pad_done is still zero, there's no data, only unfinished padding. */
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100135 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_not(pad_done));
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100136
137 /* There must be at least 8 bytes of padding. */
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100138 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_gt(8, pad_count));
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100139
140 /* If the padding is valid, set plaintext_size to the number of
141 * remaining bytes after stripping the padding. If the padding
142 * is invalid, avoid leaking this fact through the size of the
143 * output: use the maximum message size that fits in the output
144 * buffer. Do it without branches to avoid leaking the padding
145 * validity through timing. RSA keys are small enough that all the
146 * size_t values involved fit in unsigned int. */
Dave Rodgman2b4486a2023-05-17 15:51:59 +0100147 plaintext_size = mbedtls_ct_uint_if(
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100148 bad, (unsigned) plaintext_max_size,
149 (unsigned) (ilen - pad_count - 3));
150
151 /* Set output_too_large to 0 if the plaintext fits in the output
152 * buffer and to 1 otherwise. */
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100153 output_too_large = mbedtls_ct_uint_gt(plaintext_size,
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100154 plaintext_max_size);
155
156 /* Set ret without branches to avoid timing attacks. Return:
157 * - INVALID_PADDING if the padding is bad (bad != 0).
158 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
159 * plaintext does not fit in the output buffer.
160 * - 0 if the padding is correct. */
Dave Rodgmand03f4832023-09-22 09:52:15 +0100161 ret = mbedtls_ct_error_if(
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100162 bad,
Dave Rodgmand03f4832023-09-22 09:52:15 +0100163 MBEDTLS_ERR_RSA_INVALID_PADDING,
164 mbedtls_ct_error_if_else_0(output_too_large, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE)
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100165 );
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100166
167 /* If the padding is bad or the plaintext is too large, zero the
168 * data that we're about to copy to the output buffer.
169 * We need to copy the same amount of data
170 * from the same buffer whether the padding is good or not to
171 * avoid leaking the padding validity through overall timing or
172 * through memory or cache access patterns. */
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100173 mbedtls_ct_zeroize_if(mbedtls_ct_bool_or(bad, output_too_large), input + 11, ilen - 11);
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100174
175 /* If the plaintext is too large, truncate it to the buffer size.
176 * Copy anyway to avoid revealing the length through timing, because
177 * revealing the length is as bad as revealing the padding validity
178 * for a Bleichenbacher attack. */
Dave Rodgman2b4486a2023-05-17 15:51:59 +0100179 plaintext_size = mbedtls_ct_uint_if(output_too_large,
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100180 (unsigned) plaintext_max_size,
181 (unsigned) plaintext_size);
182
183 /* Move the plaintext to the leftmost position where it can start in
184 * the working buffer, i.e. make it start plaintext_max_size from
185 * the end of the buffer. Do this with a memory access trace that
186 * does not depend on the plaintext size. After this move, the
187 * starting location of the plaintext is no longer sensitive
188 * information. */
Dave Rodgman9f9c3b82023-05-17 12:28:51 +0100189 mbedtls_ct_memmove_left(input + ilen - plaintext_max_size,
190 plaintext_max_size,
191 plaintext_max_size - plaintext_size);
Dave Rodgman19e8cd02023-05-09 11:10:21 +0100192
193 /* Finally copy the decrypted plaintext plus trailing zeros into the output
194 * buffer. If output_max_len is 0, then output may be an invalid pointer
195 * and the result of memcpy() would be undefined; prevent undefined
196 * behavior making sure to depend only on output_max_len (the size of the
197 * user-provided output buffer), which is independent from plaintext
198 * length, validity of padding, success of the decryption, and other
199 * secrets. */
200 if (output_max_len != 0) {
201 memcpy(output, input + ilen - plaintext_max_size, plaintext_max_size);
202 }
203
204 /* Report the amount of data we copied to the output buffer. In case
205 * of errors (bad padding or output too large), the value of *olen
206 * when this function returns is not specified. Making it equivalent
207 * to the good case limits the risks of leaking the padding validity. */
208 *olen = plaintext_size;
209
210 return ret;
211}
212
213#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
214
Hanno Beckera565f542017-10-11 11:00:19 +0100215#if !defined(MBEDTLS_RSA_ALT)
216
Gilles Peskine449bd832023-01-11 14:50:10 +0100217int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
218 const mbedtls_mpi *N,
219 const mbedtls_mpi *P, const mbedtls_mpi *Q,
220 const mbedtls_mpi *D, const mbedtls_mpi *E)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100221{
Janos Follath24eed8d2019-11-22 13:21:35 +0000222 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100223
Gilles Peskine449bd832023-01-11 14:50:10 +0100224 if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
225 (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
226 (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
227 (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
228 (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
229 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100230 }
231
Gilles Peskine449bd832023-01-11 14:50:10 +0100232 if (N != NULL) {
233 ctx->len = mbedtls_mpi_size(&ctx->N);
234 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100235
Gilles Peskine449bd832023-01-11 14:50:10 +0100236 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100237}
238
Gilles Peskine449bd832023-01-11 14:50:10 +0100239int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
240 unsigned char const *N, size_t N_len,
241 unsigned char const *P, size_t P_len,
242 unsigned char const *Q, size_t Q_len,
243 unsigned char const *D, size_t D_len,
244 unsigned char const *E, size_t E_len)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100245{
Hanno Beckerd4d60572018-01-10 07:12:01 +0000246 int ret = 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100247
Gilles Peskine449bd832023-01-11 14:50:10 +0100248 if (N != NULL) {
249 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
250 ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100251 }
252
Gilles Peskine449bd832023-01-11 14:50:10 +0100253 if (P != NULL) {
254 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
255 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100256
Gilles Peskine449bd832023-01-11 14:50:10 +0100257 if (Q != NULL) {
258 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
259 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100260
Gilles Peskine449bd832023-01-11 14:50:10 +0100261 if (D != NULL) {
262 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
263 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100264
Gilles Peskine449bd832023-01-11 14:50:10 +0100265 if (E != NULL) {
266 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
267 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100268
269cleanup:
270
Gilles Peskine449bd832023-01-11 14:50:10 +0100271 if (ret != 0) {
272 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
273 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100274
Gilles Peskine449bd832023-01-11 14:50:10 +0100275 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100276}
277
Hanno Becker705fc682017-10-10 17:57:02 +0100278/*
279 * Checks whether the context fields are set in such a way
280 * that the RSA primitives will be able to execute without error.
281 * It does *not* make guarantees for consistency of the parameters.
282 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100283static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
284 int blinding_needed)
Hanno Becker705fc682017-10-10 17:57:02 +0100285{
Hanno Beckerebd2c022017-10-12 10:54:53 +0100286#if !defined(MBEDTLS_RSA_NO_CRT)
287 /* blinding_needed is only used for NO_CRT to decide whether
288 * P,Q need to be present or not. */
289 ((void) blinding_needed);
290#endif
291
Gilles Peskine449bd832023-01-11 14:50:10 +0100292 if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
293 ctx->len > MBEDTLS_MPI_MAX_SIZE) {
294 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker3a760a12018-01-05 08:14:49 +0000295 }
Hanno Becker705fc682017-10-10 17:57:02 +0100296
297 /*
298 * 1. Modular exponentiation needs positive, odd moduli.
299 */
300
301 /* Modular exponentiation wrt. N is always used for
302 * RSA public key operations. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100303 if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
304 mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
305 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100306 }
307
308#if !defined(MBEDTLS_RSA_NO_CRT)
309 /* Modular exponentiation for P and Q is only
310 * used for private key operations and if CRT
311 * is used. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100312 if (is_priv &&
313 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
314 mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
315 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
316 mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
317 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100318 }
319#endif /* !MBEDTLS_RSA_NO_CRT */
320
321 /*
322 * 2. Exponents must be positive
323 */
324
325 /* Always need E for public key operations */
Gilles Peskine449bd832023-01-11 14:50:10 +0100326 if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
327 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
328 }
Hanno Becker705fc682017-10-10 17:57:02 +0100329
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100330#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker705fc682017-10-10 17:57:02 +0100331 /* For private key operations, use D or DP & DQ
332 * as (unblinded) exponents. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100333 if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
334 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
335 }
Hanno Becker705fc682017-10-10 17:57:02 +0100336#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100337 if (is_priv &&
338 (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
339 mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
340 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100341 }
342#endif /* MBEDTLS_RSA_NO_CRT */
343
344 /* Blinding shouldn't make exponents negative either,
345 * so check that P, Q >= 1 if that hasn't yet been
346 * done as part of 1. */
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100347#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100348 if (is_priv && blinding_needed &&
349 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
350 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
351 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100352 }
353#endif
354
355 /* It wouldn't lead to an error if it wasn't satisfied,
Hanno Beckerf8c028a2017-10-17 09:20:57 +0100356 * but check for QP >= 1 nonetheless. */
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100357#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100358 if (is_priv &&
359 mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
360 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100361 }
362#endif
363
Gilles Peskine449bd832023-01-11 14:50:10 +0100364 return 0;
Hanno Becker705fc682017-10-10 17:57:02 +0100365}
366
Gilles Peskine449bd832023-01-11 14:50:10 +0100367int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100368{
369 int ret = 0;
Jack Lloyd8c2631b2020-01-23 17:23:52 -0500370 int have_N, have_P, have_Q, have_D, have_E;
371#if !defined(MBEDTLS_RSA_NO_CRT)
372 int have_DP, have_DQ, have_QP;
373#endif
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500374 int n_missing, pq_missing, d_missing, is_pub, is_priv;
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100375
Gilles Peskine449bd832023-01-11 14:50:10 +0100376 have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
377 have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
378 have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
379 have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
380 have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
Jack Lloyd8c2631b2020-01-23 17:23:52 -0500381
382#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100383 have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
384 have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
385 have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
Jack Lloyd8c2631b2020-01-23 17:23:52 -0500386#endif
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100387
Hanno Becker617c1ae2017-08-23 14:11:24 +0100388 /*
389 * Check whether provided parameters are enough
390 * to deduce all others. The following incomplete
391 * parameter sets for private keys are supported:
392 *
393 * (1) P, Q missing.
394 * (2) D and potentially N missing.
395 *
396 */
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100397
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500398 n_missing = have_P && have_Q && have_D && have_E;
399 pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
400 d_missing = have_P && have_Q && !have_D && have_E;
401 is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
Hanno Becker2cca6f32017-09-29 11:46:40 +0100402
403 /* These three alternatives are mutually exclusive */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500404 is_priv = n_missing || pq_missing || d_missing;
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100405
Gilles Peskine449bd832023-01-11 14:50:10 +0100406 if (!is_priv && !is_pub) {
407 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
408 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100409
410 /*
Hanno Becker2cca6f32017-09-29 11:46:40 +0100411 * Step 1: Deduce N if P, Q are provided.
412 */
413
Gilles Peskine449bd832023-01-11 14:50:10 +0100414 if (!have_N && have_P && have_Q) {
415 if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
416 &ctx->Q)) != 0) {
417 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker2cca6f32017-09-29 11:46:40 +0100418 }
419
Gilles Peskine449bd832023-01-11 14:50:10 +0100420 ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Becker2cca6f32017-09-29 11:46:40 +0100421 }
422
423 /*
424 * Step 2: Deduce and verify all remaining core parameters.
Hanno Becker617c1ae2017-08-23 14:11:24 +0100425 */
426
Gilles Peskine449bd832023-01-11 14:50:10 +0100427 if (pq_missing) {
428 ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
429 &ctx->P, &ctx->Q);
430 if (ret != 0) {
431 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
432 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100433
Gilles Peskine449bd832023-01-11 14:50:10 +0100434 } else if (d_missing) {
435 if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
436 &ctx->Q,
437 &ctx->E,
438 &ctx->D)) != 0) {
439 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100440 }
441 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100442
Hanno Becker617c1ae2017-08-23 14:11:24 +0100443 /*
Hanno Becker2cca6f32017-09-29 11:46:40 +0100444 * Step 3: Deduce all additional parameters specific
Hanno Beckere8674892017-10-10 17:56:14 +0100445 * to our current RSA implementation.
Hanno Becker617c1ae2017-08-23 14:11:24 +0100446 */
447
Hanno Becker23344b52017-08-23 07:43:27 +0100448#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100449 if (is_priv && !(have_DP && have_DQ && have_QP)) {
450 ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
451 &ctx->DP, &ctx->DQ, &ctx->QP);
452 if (ret != 0) {
453 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
454 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100455 }
Hanno Becker23344b52017-08-23 07:43:27 +0100456#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker617c1ae2017-08-23 14:11:24 +0100457
458 /*
Hanno Becker705fc682017-10-10 17:57:02 +0100459 * Step 3: Basic sanity checks
Hanno Becker617c1ae2017-08-23 14:11:24 +0100460 */
461
Gilles Peskine449bd832023-01-11 14:50:10 +0100462 return rsa_check_context(ctx, is_priv, 1);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100463}
464
Gilles Peskine449bd832023-01-11 14:50:10 +0100465int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
466 unsigned char *N, size_t N_len,
467 unsigned char *P, size_t P_len,
468 unsigned char *Q, size_t Q_len,
469 unsigned char *D, size_t D_len,
470 unsigned char *E, size_t E_len)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100471{
472 int ret = 0;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500473 int is_priv;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100474
475 /* Check if key is private or public */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500476 is_priv =
Gilles Peskine449bd832023-01-11 14:50:10 +0100477 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
478 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
479 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
480 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
481 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100482
Gilles Peskine449bd832023-01-11 14:50:10 +0100483 if (!is_priv) {
Hanno Becker617c1ae2017-08-23 14:11:24 +0100484 /* If we're trying to export private parameters for a public key,
485 * something must be wrong. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100486 if (P != NULL || Q != NULL || D != NULL) {
487 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
488 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100489
490 }
491
Gilles Peskine449bd832023-01-11 14:50:10 +0100492 if (N != NULL) {
493 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
494 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100495
Gilles Peskine449bd832023-01-11 14:50:10 +0100496 if (P != NULL) {
497 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
498 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100499
Gilles Peskine449bd832023-01-11 14:50:10 +0100500 if (Q != NULL) {
501 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
502 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100503
Gilles Peskine449bd832023-01-11 14:50:10 +0100504 if (D != NULL) {
505 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
506 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100507
Gilles Peskine449bd832023-01-11 14:50:10 +0100508 if (E != NULL) {
509 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
510 }
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100511
512cleanup:
513
Gilles Peskine449bd832023-01-11 14:50:10 +0100514 return ret;
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100515}
516
Gilles Peskine449bd832023-01-11 14:50:10 +0100517int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
518 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
519 mbedtls_mpi *D, mbedtls_mpi *E)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100520{
Janos Follath24eed8d2019-11-22 13:21:35 +0000521 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500522 int is_priv;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100523
524 /* Check if key is private or public */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500525 is_priv =
Gilles Peskine449bd832023-01-11 14:50:10 +0100526 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
527 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
528 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
529 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
530 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100531
Gilles Peskine449bd832023-01-11 14:50:10 +0100532 if (!is_priv) {
Hanno Becker617c1ae2017-08-23 14:11:24 +0100533 /* If we're trying to export private parameters for a public key,
534 * something must be wrong. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100535 if (P != NULL || Q != NULL || D != NULL) {
536 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
537 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100538
539 }
540
541 /* Export all requested core parameters. */
542
Gilles Peskine449bd832023-01-11 14:50:10 +0100543 if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
544 (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
545 (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
546 (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
547 (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
548 return ret;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100549 }
550
Gilles Peskine449bd832023-01-11 14:50:10 +0100551 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100552}
553
554/*
555 * Export CRT parameters
556 * This must also be implemented if CRT is not used, for being able to
557 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
558 * can be used in this case.
559 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100560int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
561 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100562{
Janos Follath24eed8d2019-11-22 13:21:35 +0000563 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500564 int is_priv;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100565
566 /* Check if key is private or public */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500567 is_priv =
Gilles Peskine449bd832023-01-11 14:50:10 +0100568 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
569 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
570 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
571 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
572 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100573
Gilles Peskine449bd832023-01-11 14:50:10 +0100574 if (!is_priv) {
575 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
576 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100577
Hanno Beckerdc95c892017-08-23 06:57:02 +0100578#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100579 /* Export all requested blinding parameters. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100580 if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
581 (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
582 (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
583 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100584 }
Hanno Beckerdc95c892017-08-23 06:57:02 +0100585#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100586 if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
587 DP, DQ, QP)) != 0) {
588 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Beckerdc95c892017-08-23 06:57:02 +0100589 }
590#endif
Hanno Becker617c1ae2017-08-23 14:11:24 +0100591
Gilles Peskine449bd832023-01-11 14:50:10 +0100592 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100593}
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100594
Paul Bakker5121ce52009-01-03 21:22:43 +0000595/*
596 * Initialize an RSA context
597 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100598void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +0000599{
Gilles Peskine449bd832023-01-11 14:50:10 +0100600 memset(ctx, 0, sizeof(mbedtls_rsa_context));
Paul Bakker5121ce52009-01-03 21:22:43 +0000601
Ronald Cronc1905a12021-06-05 11:11:14 +0200602 ctx->padding = MBEDTLS_RSA_PKCS_V15;
603 ctx->hash_id = MBEDTLS_MD_NONE;
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200604
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200605#if defined(MBEDTLS_THREADING_C)
Gilles Peskineeb940592021-02-01 17:57:41 +0100606 /* Set ctx->ver to nonzero to indicate that the mutex has been
607 * initialized and will need to be freed. */
608 ctx->ver = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100609 mbedtls_mutex_init(&ctx->mutex);
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200610#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000611}
612
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100613/*
614 * Set padding for an existing RSA context
615 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100616int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
617 mbedtls_md_type_t hash_id)
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100618{
Gilles Peskine449bd832023-01-11 14:50:10 +0100619 switch (padding) {
Ronald Cron3a0375f2021-06-08 10:22:28 +0200620#if defined(MBEDTLS_PKCS1_V15)
621 case MBEDTLS_RSA_PKCS_V15:
622 break;
623#endif
624
625#if defined(MBEDTLS_PKCS1_V21)
626 case MBEDTLS_RSA_PKCS_V21:
627 break;
628#endif
629 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100630 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Ronald Cron3a0375f2021-06-08 10:22:28 +0200631 }
Ronald Cronea7631b2021-06-03 18:51:59 +0200632
Manuel Pégourié-Gonnard3356b892022-07-05 10:25:06 +0200633#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine449bd832023-01-11 14:50:10 +0100634 if ((padding == MBEDTLS_RSA_PKCS_V21) &&
635 (hash_id != MBEDTLS_MD_NONE)) {
Manuel Pégourié-Gonnardfaa3b4e2022-07-15 13:18:15 +0200636 /* Just make sure this hash is supported in this build. */
Manuel Pégourié-Gonnard28f504e2023-03-30 09:42:10 +0200637 if (mbedtls_md_info_from_type(hash_id) == NULL) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100638 return MBEDTLS_ERR_RSA_INVALID_PADDING;
639 }
Ronald Cronea7631b2021-06-03 18:51:59 +0200640 }
Manuel Pégourié-Gonnard3356b892022-07-05 10:25:06 +0200641#endif /* MBEDTLS_PKCS1_V21 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500642
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100643 ctx->padding = padding;
644 ctx->hash_id = hash_id;
Ronald Cronea7631b2021-06-03 18:51:59 +0200645
Gilles Peskine449bd832023-01-11 14:50:10 +0100646 return 0;
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100647}
648
Hanno Becker617c1ae2017-08-23 14:11:24 +0100649/*
Yanray Wang83548b52023-03-15 16:46:34 +0800650 * Get padding mode of initialized RSA context
Yanray Wanga730df62023-03-01 10:18:19 +0800651 */
652int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx)
653{
Yanray Wang644b9012023-03-15 16:50:31 +0800654 return ctx->padding;
Yanray Wanga730df62023-03-01 10:18:19 +0800655}
656
657/*
Yanray Wang12cb3962023-03-01 10:20:02 +0800658 * Get hash identifier of mbedtls_md_type_t type
659 */
Yanray Wangd41684e2023-03-17 18:54:22 +0800660int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx)
Yanray Wang12cb3962023-03-01 10:20:02 +0800661{
Yanray Wang644b9012023-03-15 16:50:31 +0800662 return ctx->hash_id;
Yanray Wang12cb3962023-03-01 10:20:02 +0800663}
664
665/*
Hanno Becker617c1ae2017-08-23 14:11:24 +0100666 * Get length in bytes of RSA modulus
667 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100668size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100669{
Gilles Peskine449bd832023-01-11 14:50:10 +0100670 return ctx->len;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100671}
672
673
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200674#if defined(MBEDTLS_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000675
676/*
677 * Generate an RSA keypair
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800678 *
679 * This generation method follows the RSA key pair generation procedure of
680 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
Paul Bakker5121ce52009-01-03 21:22:43 +0000681 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100682int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
683 int (*f_rng)(void *, unsigned char *, size_t),
684 void *p_rng,
685 unsigned int nbits, int exponent)
Paul Bakker5121ce52009-01-03 21:22:43 +0000686{
Janos Follath24eed8d2019-11-22 13:21:35 +0000687 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jethro Beekman97f95c92018-02-13 15:50:36 -0800688 mbedtls_mpi H, G, L;
Janos Follathb8fc1b02018-09-03 15:37:01 +0100689 int prime_quality = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000690
Janos Follathb8fc1b02018-09-03 15:37:01 +0100691 /*
692 * If the modulus is 1024 bit long or shorter, then the security strength of
693 * the RSA algorithm is less than or equal to 80 bits and therefore an error
694 * rate of 2^-80 is sufficient.
695 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100696 if (nbits > 1024) {
Janos Follathb8fc1b02018-09-03 15:37:01 +0100697 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
Gilles Peskine449bd832023-01-11 14:50:10 +0100698 }
Janos Follathb8fc1b02018-09-03 15:37:01 +0100699
Gilles Peskine449bd832023-01-11 14:50:10 +0100700 mbedtls_mpi_init(&H);
701 mbedtls_mpi_init(&G);
702 mbedtls_mpi_init(&L);
Paul Bakker5121ce52009-01-03 21:22:43 +0000703
Waleed Elmelegyd7bdbbe2023-07-20 16:26:58 +0000704 if (exponent < 3 || nbits % 2 != 0) {
Gilles Peskine5e40a7c2021-02-02 21:06:10 +0100705 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
706 goto cleanup;
707 }
708
Waleed Elmelegyd7bdbbe2023-07-20 16:26:58 +0000709 if (nbits < MBEDTLS_RSA_GEN_KEY_MIN_BITS) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000710 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
711 goto cleanup;
712 }
713
714 /*
715 * find primes P and Q with Q < P so that:
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800716 * 1. |P-Q| > 2^( nbits / 2 - 100 )
717 * 2. GCD( E, (P-1)*(Q-1) ) == 1
718 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000719 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100720 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
Paul Bakker5121ce52009-01-03 21:22:43 +0000721
Gilles Peskine449bd832023-01-11 14:50:10 +0100722 do {
723 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
724 prime_quality, f_rng, p_rng));
Paul Bakker5121ce52009-01-03 21:22:43 +0000725
Gilles Peskine449bd832023-01-11 14:50:10 +0100726 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
727 prime_quality, f_rng, p_rng));
Paul Bakker5121ce52009-01-03 21:22:43 +0000728
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800729 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100730 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
731 if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000732 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100733 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000734
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800735 /* not required by any standards, but some users rely on the fact that P > Q */
Gilles Peskine449bd832023-01-11 14:50:10 +0100736 if (H.s < 0) {
737 mbedtls_mpi_swap(&ctx->P, &ctx->Q);
738 }
Janos Follathef441782016-09-21 13:18:12 +0100739
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100740 /* Temporarily replace P,Q by P-1, Q-1 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100741 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
742 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
743 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
Jethro Beekman97f95c92018-02-13 15:50:36 -0800744
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800745 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100746 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
747 if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
Jethro Beekman97f95c92018-02-13 15:50:36 -0800748 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100749 }
Jethro Beekman97f95c92018-02-13 15:50:36 -0800750
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800751 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100752 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
753 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
754 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
Jethro Beekman97f95c92018-02-13 15:50:36 -0800755
Gilles Peskine449bd832023-01-11 14:50:10 +0100756 if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
Jethro Beekman97f95c92018-02-13 15:50:36 -0800757 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100758 }
Jethro Beekman97f95c92018-02-13 15:50:36 -0800759
760 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100761 } while (1);
Paul Bakker5121ce52009-01-03 21:22:43 +0000762
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100763 /* Restore P,Q */
Gilles Peskine449bd832023-01-11 14:50:10 +0100764 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
765 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100766
Gilles Peskine449bd832023-01-11 14:50:10 +0100767 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800768
Gilles Peskine449bd832023-01-11 14:50:10 +0100769 ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100770
Jethro Beekman97f95c92018-02-13 15:50:36 -0800771#if !defined(MBEDTLS_RSA_NO_CRT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000772 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000773 * DP = D mod (P - 1)
774 * DQ = D mod (Q - 1)
775 * QP = Q^-1 mod P
776 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100777 MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
778 &ctx->DP, &ctx->DQ, &ctx->QP));
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100779#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000780
Hanno Becker83aad1f2017-08-23 06:45:10 +0100781 /* Double-check */
Gilles Peskine449bd832023-01-11 14:50:10 +0100782 MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
Paul Bakker5121ce52009-01-03 21:22:43 +0000783
784cleanup:
785
Gilles Peskine449bd832023-01-11 14:50:10 +0100786 mbedtls_mpi_free(&H);
787 mbedtls_mpi_free(&G);
788 mbedtls_mpi_free(&L);
Paul Bakker5121ce52009-01-03 21:22:43 +0000789
Gilles Peskine449bd832023-01-11 14:50:10 +0100790 if (ret != 0) {
791 mbedtls_rsa_free(ctx);
Chris Jones74392092021-04-01 16:00:01 +0100792
Gilles Peskine449bd832023-01-11 14:50:10 +0100793 if ((-ret & ~0x7f) == 0) {
794 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
795 }
796 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000797 }
798
Gilles Peskine449bd832023-01-11 14:50:10 +0100799 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000800}
801
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200802#endif /* MBEDTLS_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000803
804/*
805 * Check a public RSA key
806 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100807int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +0000808{
Gilles Peskine449bd832023-01-11 14:50:10 +0100809 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
810 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Becker98838b02017-10-02 13:16:10 +0100811 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000812
Gilles Peskine449bd832023-01-11 14:50:10 +0100813 if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
814 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Becker98838b02017-10-02 13:16:10 +0100815 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000816
Gilles Peskine449bd832023-01-11 14:50:10 +0100817 if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
818 mbedtls_mpi_bitlen(&ctx->E) < 2 ||
819 mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
820 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
821 }
822
823 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000824}
825
826/*
Hanno Becker705fc682017-10-10 17:57:02 +0100827 * Check for the consistency of all fields in an RSA private key context
Paul Bakker5121ce52009-01-03 21:22:43 +0000828 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100829int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +0000830{
Gilles Peskine449bd832023-01-11 14:50:10 +0100831 if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
832 rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
833 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000834 }
Paul Bakker48377d92013-08-30 12:06:24 +0200835
Gilles Peskine449bd832023-01-11 14:50:10 +0100836 if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
837 &ctx->D, &ctx->E, NULL, NULL) != 0) {
838 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000839 }
Paul Bakker6c591fa2011-05-05 11:49:20 +0000840
Hanno Beckerb269a852017-08-25 08:03:21 +0100841#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100842 else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
843 &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
844 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Beckerb269a852017-08-25 08:03:21 +0100845 }
846#endif
Paul Bakker6c591fa2011-05-05 11:49:20 +0000847
Gilles Peskine449bd832023-01-11 14:50:10 +0100848 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000849}
850
851/*
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100852 * Check if contexts holding a public and private key match
853 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100854int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
855 const mbedtls_rsa_context *prv)
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100856{
Gilles Peskine449bd832023-01-11 14:50:10 +0100857 if (mbedtls_rsa_check_pubkey(pub) != 0 ||
858 mbedtls_rsa_check_privkey(prv) != 0) {
859 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100860 }
861
Gilles Peskine449bd832023-01-11 14:50:10 +0100862 if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
863 mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
864 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100865 }
866
Gilles Peskine449bd832023-01-11 14:50:10 +0100867 return 0;
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100868}
869
870/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000871 * Do an RSA public key operation
872 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100873int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
874 const unsigned char *input,
875 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000876{
Janos Follath24eed8d2019-11-22 13:21:35 +0000877 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000878 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200879 mbedtls_mpi T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000880
Gilles Peskine449bd832023-01-11 14:50:10 +0100881 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
882 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
883 }
Hanno Becker705fc682017-10-10 17:57:02 +0100884
Gilles Peskine449bd832023-01-11 14:50:10 +0100885 mbedtls_mpi_init(&T);
Paul Bakker5121ce52009-01-03 21:22:43 +0000886
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200887#if defined(MBEDTLS_THREADING_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100888 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
889 return ret;
890 }
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200891#endif
892
Gilles Peskine449bd832023-01-11 14:50:10 +0100893 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
Paul Bakker5121ce52009-01-03 21:22:43 +0000894
Gilles Peskine449bd832023-01-11 14:50:10 +0100895 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +0200896 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
897 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000898 }
899
900 olen = ctx->len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100901 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
902 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
Paul Bakker5121ce52009-01-03 21:22:43 +0000903
904cleanup:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200905#if defined(MBEDTLS_THREADING_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100906 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
907 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
908 }
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100909#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000910
Gilles Peskine449bd832023-01-11 14:50:10 +0100911 mbedtls_mpi_free(&T);
Paul Bakker5121ce52009-01-03 21:22:43 +0000912
Gilles Peskine449bd832023-01-11 14:50:10 +0100913 if (ret != 0) {
914 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
915 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000916
Gilles Peskine449bd832023-01-11 14:50:10 +0100917 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000918}
919
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200920/*
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200921 * Generate or update blinding values, see section 10 of:
922 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard998930a2015-04-03 13:48:06 +0200923 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200924 * Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200925 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100926static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
927 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200928{
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200929 int ret, count = 0;
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200930 mbedtls_mpi R;
931
Gilles Peskine449bd832023-01-11 14:50:10 +0100932 mbedtls_mpi_init(&R);
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200933
Gilles Peskine449bd832023-01-11 14:50:10 +0100934 if (ctx->Vf.p != NULL) {
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200935 /* We already have blinding values, just update them by squaring */
Gilles Peskine449bd832023-01-11 14:50:10 +0100936 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
937 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
938 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
939 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200940
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200941 goto cleanup;
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200942 }
943
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200944 /* Unblinding value: Vf = random number, invertible mod N */
945 do {
Gilles Peskine449bd832023-01-11 14:50:10 +0100946 if (count++ > 10) {
Manuel Pégourié-Gonnarde288ec02020-07-16 09:23:30 +0200947 ret = MBEDTLS_ERR_RSA_RNG_FAILED;
948 goto cleanup;
949 }
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200950
Gilles Peskine449bd832023-01-11 14:50:10 +0100951 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200952
Manuel Pégourié-Gonnard78683962020-07-16 09:48:54 +0200953 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100954 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
955 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
956 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200957
Manuel Pégourié-Gonnard78683962020-07-16 09:48:54 +0200958 /* At this point, Vi is invertible mod N if and only if both Vf and R
959 * are invertible mod N. If one of them isn't, we don't need to know
960 * which one, we just loop and choose new values for both of them.
961 * (Each iteration succeeds with overwhelming probability.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100962 ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
963 if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Manuel Pégourié-Gonnardb3e3d792020-06-26 11:03:19 +0200964 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100965 }
Manuel Pégourié-Gonnardb3e3d792020-06-26 11:03:19 +0200966
Gilles Peskine449bd832023-01-11 14:50:10 +0100967 } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
Peter Kolbusca8b8e72020-09-24 11:11:50 -0500968
969 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100970 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
971 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200972
Manuel Pégourié-Gonnard78683962020-07-16 09:48:54 +0200973 /* Blinding value: Vi = Vf^(-e) mod N
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200974 * (Vi already contains Vf^-1 at this point) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100975 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200976
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200977
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200978cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100979 mbedtls_mpi_free(&R);
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200980
Gilles Peskine449bd832023-01-11 14:50:10 +0100981 return ret;
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200982}
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200983
Paul Bakker5121ce52009-01-03 21:22:43 +0000984/*
Janos Follathe81102e2017-03-22 13:38:28 +0000985 * Exponent blinding supposed to prevent side-channel attacks using multiple
986 * traces of measurements to recover the RSA key. The more collisions are there,
987 * the more bits of the key can be recovered. See [3].
988 *
989 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800990 * observations on average.
Janos Follathe81102e2017-03-22 13:38:28 +0000991 *
992 * For example with 28 byte blinding to achieve 2 collisions the adversary has
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800993 * to make 2^112 observations on average.
Janos Follathe81102e2017-03-22 13:38:28 +0000994 *
995 * (With the currently (as of 2017 April) known best algorithms breaking 2048
996 * bit RSA requires approximately as much time as trying out 2^112 random keys.
997 * Thus in this sense with 28 byte blinding the security is not reduced by
998 * side-channel attacks like the one in [3])
999 *
1000 * This countermeasure does not help if the key recovery is possible with a
1001 * single trace.
1002 */
1003#define RSA_EXPONENT_BLINDING 28
1004
1005/*
Paul Bakker5121ce52009-01-03 21:22:43 +00001006 * Do an RSA private key operation
1007 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001008int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
1009 int (*f_rng)(void *, unsigned char *, size_t),
1010 void *p_rng,
1011 const unsigned char *input,
1012 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +00001013{
Janos Follath24eed8d2019-11-22 13:21:35 +00001014 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +00001015 size_t olen;
Hanno Becker06811ce2017-05-03 15:10:34 +01001016
1017 /* Temporary holding the result */
1018 mbedtls_mpi T;
1019
1020 /* Temporaries holding P-1, Q-1 and the
1021 * exponent blinding factor, respectively. */
Janos Follathf9203b42017-03-22 15:13:15 +00001022 mbedtls_mpi P1, Q1, R;
Hanno Becker06811ce2017-05-03 15:10:34 +01001023
1024#if !defined(MBEDTLS_RSA_NO_CRT)
1025 /* Temporaries holding the results mod p resp. mod q. */
1026 mbedtls_mpi TP, TQ;
1027
1028 /* Temporaries holding the blinded exponents for
1029 * the mod p resp. mod q computation (if used). */
Janos Follathf9203b42017-03-22 15:13:15 +00001030 mbedtls_mpi DP_blind, DQ_blind;
Hanno Becker06811ce2017-05-03 15:10:34 +01001031
1032 /* Pointers to actual exponents to be used - either the unblinded
1033 * or the blinded ones, depending on the presence of a PRNG. */
Janos Follathf9203b42017-03-22 15:13:15 +00001034 mbedtls_mpi *DP = &ctx->DP;
1035 mbedtls_mpi *DQ = &ctx->DQ;
Hanno Becker06811ce2017-05-03 15:10:34 +01001036#else
1037 /* Temporary holding the blinded exponent (if used). */
1038 mbedtls_mpi D_blind;
1039
1040 /* Pointer to actual exponent to be used - either the unblinded
1041 * or the blinded one, depending on the presence of a PRNG. */
1042 mbedtls_mpi *D = &ctx->D;
Hanno Becker43f94722017-08-25 11:50:00 +01001043#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker06811ce2017-05-03 15:10:34 +01001044
Hanno Beckerc6075cc2017-08-25 11:45:35 +01001045 /* Temporaries holding the initial input and the double
1046 * checked result; should be the same in the end. */
1047 mbedtls_mpi I, C;
Paul Bakker5121ce52009-01-03 21:22:43 +00001048
Gilles Peskine449bd832023-01-11 14:50:10 +01001049 if (f_rng == NULL) {
1050 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1051 }
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001052
Gilles Peskine449bd832023-01-11 14:50:10 +01001053 if (rsa_check_context(ctx, 1 /* private key checks */,
1054 1 /* blinding on */) != 0) {
1055 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Beckerebd2c022017-10-12 10:54:53 +01001056 }
Manuel Pégourié-Gonnardfb84d382015-10-30 10:56:25 +01001057
Hanno Becker06811ce2017-05-03 15:10:34 +01001058#if defined(MBEDTLS_THREADING_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001059 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
1060 return ret;
1061 }
Hanno Becker06811ce2017-05-03 15:10:34 +01001062#endif
Janos Follathf9203b42017-03-22 15:13:15 +00001063
Hanno Becker06811ce2017-05-03 15:10:34 +01001064 /* MPI Initialization */
Gilles Peskine449bd832023-01-11 14:50:10 +01001065 mbedtls_mpi_init(&T);
Hanno Becker06811ce2017-05-03 15:10:34 +01001066
Gilles Peskine449bd832023-01-11 14:50:10 +01001067 mbedtls_mpi_init(&P1);
1068 mbedtls_mpi_init(&Q1);
1069 mbedtls_mpi_init(&R);
Janos Follathf9203b42017-03-22 15:13:15 +00001070
Janos Follathe81102e2017-03-22 13:38:28 +00001071#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +01001072 mbedtls_mpi_init(&D_blind);
Janos Follathf9203b42017-03-22 15:13:15 +00001073#else
Gilles Peskine449bd832023-01-11 14:50:10 +01001074 mbedtls_mpi_init(&DP_blind);
1075 mbedtls_mpi_init(&DQ_blind);
Janos Follathe81102e2017-03-22 13:38:28 +00001076#endif
1077
Hanno Becker06811ce2017-05-03 15:10:34 +01001078#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +01001079 mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +02001080#endif
1081
Gilles Peskine449bd832023-01-11 14:50:10 +01001082 mbedtls_mpi_init(&I);
1083 mbedtls_mpi_init(&C);
Hanno Becker06811ce2017-05-03 15:10:34 +01001084
1085 /* End of MPI initialization */
1086
Gilles Peskine449bd832023-01-11 14:50:10 +01001087 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
1088 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +02001089 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
1090 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00001091 }
1092
Gilles Peskine449bd832023-01-11 14:50:10 +01001093 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
Hanno Becker06811ce2017-05-03 15:10:34 +01001094
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001095 /*
1096 * Blinding
1097 * T = T * Vi mod N
1098 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001099 MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
1100 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
1101 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
Janos Follathe81102e2017-03-22 13:38:28 +00001102
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001103 /*
1104 * Exponent blinding
1105 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001106 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
1107 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
Janos Follathe81102e2017-03-22 13:38:28 +00001108
Janos Follathf9203b42017-03-22 15:13:15 +00001109#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001110 /*
1111 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
1112 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001113 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
1114 f_rng, p_rng));
1115 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
1116 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
1117 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
Janos Follathe81102e2017-03-22 13:38:28 +00001118
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001119 D = &D_blind;
Janos Follathf9203b42017-03-22 15:13:15 +00001120#else
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001121 /*
1122 * DP_blind = ( P - 1 ) * R + DP
1123 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001124 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
1125 f_rng, p_rng));
1126 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
1127 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
1128 &ctx->DP));
Janos Follathf9203b42017-03-22 15:13:15 +00001129
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001130 DP = &DP_blind;
Janos Follathf9203b42017-03-22 15:13:15 +00001131
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001132 /*
1133 * DQ_blind = ( Q - 1 ) * R + DQ
1134 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001135 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
1136 f_rng, p_rng));
1137 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
1138 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
1139 &ctx->DQ));
Janos Follathf9203b42017-03-22 15:13:15 +00001140
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001141 DQ = &DQ_blind;
Janos Follathe81102e2017-03-22 13:38:28 +00001142#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakkeraab30c12013-08-30 11:00:25 +02001143
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001144#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +01001145 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +01001146#else
Paul Bakkeraab30c12013-08-30 11:00:25 +02001147 /*
Janos Follathe81102e2017-03-22 13:38:28 +00001148 * Faster decryption using the CRT
Paul Bakker5121ce52009-01-03 21:22:43 +00001149 *
Hanno Becker06811ce2017-05-03 15:10:34 +01001150 * TP = input ^ dP mod P
1151 * TQ = input ^ dQ mod Q
Paul Bakker5121ce52009-01-03 21:22:43 +00001152 */
Hanno Becker06811ce2017-05-03 15:10:34 +01001153
Gilles Peskine449bd832023-01-11 14:50:10 +01001154 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
1155 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
Paul Bakker5121ce52009-01-03 21:22:43 +00001156
1157 /*
Hanno Becker06811ce2017-05-03 15:10:34 +01001158 * T = (TP - TQ) * (Q^-1 mod P) mod P
Paul Bakker5121ce52009-01-03 21:22:43 +00001159 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001160 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
1161 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
1162 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
Paul Bakker5121ce52009-01-03 21:22:43 +00001163
1164 /*
Hanno Becker06811ce2017-05-03 15:10:34 +01001165 * T = TQ + T * Q
Paul Bakker5121ce52009-01-03 21:22:43 +00001166 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001167 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
1168 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001169#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakkeraab30c12013-08-30 11:00:25 +02001170
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +02001171 /*
1172 * Unblind
1173 * T = T * Vf mod N
1174 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001175 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));
1176 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
Paul Bakker5121ce52009-01-03 21:22:43 +00001177
Hanno Becker2dec5e82017-10-03 07:49:52 +01001178 /* Verify the result to prevent glitching attacks. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001179 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
1180 &ctx->N, &ctx->RN));
1181 if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {
Hanno Becker06811ce2017-05-03 15:10:34 +01001182 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1183 goto cleanup;
1184 }
Hanno Becker06811ce2017-05-03 15:10:34 +01001185
Paul Bakker5121ce52009-01-03 21:22:43 +00001186 olen = ctx->len;
Gilles Peskine449bd832023-01-11 14:50:10 +01001187 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
Paul Bakker5121ce52009-01-03 21:22:43 +00001188
1189cleanup:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001190#if defined(MBEDTLS_THREADING_C)
Gilles Peskine449bd832023-01-11 14:50:10 +01001191 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
1192 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1193 }
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +02001194#endif
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +02001195
Gilles Peskine449bd832023-01-11 14:50:10 +01001196 mbedtls_mpi_free(&P1);
1197 mbedtls_mpi_free(&Q1);
1198 mbedtls_mpi_free(&R);
Janos Follathf9203b42017-03-22 15:13:15 +00001199
Janos Follathe81102e2017-03-22 13:38:28 +00001200#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +01001201 mbedtls_mpi_free(&D_blind);
Janos Follathf9203b42017-03-22 15:13:15 +00001202#else
Gilles Peskine449bd832023-01-11 14:50:10 +01001203 mbedtls_mpi_free(&DP_blind);
1204 mbedtls_mpi_free(&DQ_blind);
Janos Follathe81102e2017-03-22 13:38:28 +00001205#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001206
Gilles Peskine449bd832023-01-11 14:50:10 +01001207 mbedtls_mpi_free(&T);
Hanno Becker06811ce2017-05-03 15:10:34 +01001208
1209#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +01001210 mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
Hanno Becker06811ce2017-05-03 15:10:34 +01001211#endif
1212
Gilles Peskine449bd832023-01-11 14:50:10 +01001213 mbedtls_mpi_free(&C);
1214 mbedtls_mpi_free(&I);
Hanno Becker06811ce2017-05-03 15:10:34 +01001215
Gilles Peskine449bd832023-01-11 14:50:10 +01001216 if (ret != 0 && ret >= -0x007f) {
1217 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
1218 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001219
Gilles Peskine449bd832023-01-11 14:50:10 +01001220 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00001221}
1222
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001223#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker9dcc3222011-03-08 14:16:06 +00001224/**
1225 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1226 *
Paul Bakkerb125ed82011-11-10 13:33:51 +00001227 * \param dst buffer to mask
1228 * \param dlen length of destination buffer
1229 * \param src source of the mask generation
1230 * \param slen length of the source buffer
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +02001231 * \param md_alg message digest to use
Paul Bakker9dcc3222011-03-08 14:16:06 +00001232 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001233static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
1234 size_t slen, mbedtls_md_type_t md_alg)
Paul Bakker9dcc3222011-03-08 14:16:06 +00001235{
Paul Bakker9dcc3222011-03-08 14:16:06 +00001236 unsigned char counter[4];
1237 unsigned char *p;
Paul Bakker23986e52011-04-24 08:57:21 +00001238 unsigned int hlen;
1239 size_t i, use_len;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +02001240 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
Andres Amaya Garcia94682d12017-07-20 14:26:37 +01001241 int ret = 0;
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +02001242 const mbedtls_md_info_t *md_info;
1243 mbedtls_md_context_t md_ctx;
Paul Bakker9dcc3222011-03-08 14:16:06 +00001244
Gilles Peskine449bd832023-01-11 14:50:10 +01001245 mbedtls_md_init(&md_ctx);
1246 md_info = mbedtls_md_info_from_type(md_alg);
1247 if (md_info == NULL) {
1248 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1249 }
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +02001250
Gilles Peskine449bd832023-01-11 14:50:10 +01001251 mbedtls_md_init(&md_ctx);
1252 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +02001253 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001254 }
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +02001255
Gilles Peskine449bd832023-01-11 14:50:10 +01001256 hlen = mbedtls_md_get_size(md_info);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +02001257
Gilles Peskine449bd832023-01-11 14:50:10 +01001258 memset(mask, 0, sizeof(mask));
1259 memset(counter, 0, 4);
Paul Bakker9dcc3222011-03-08 14:16:06 +00001260
Simon Butcher02037452016-03-01 21:19:12 +00001261 /* Generate and apply dbMask */
Paul Bakker9dcc3222011-03-08 14:16:06 +00001262 p = dst;
1263
Gilles Peskine449bd832023-01-11 14:50:10 +01001264 while (dlen > 0) {
Paul Bakker9dcc3222011-03-08 14:16:06 +00001265 use_len = hlen;
Gilles Peskine449bd832023-01-11 14:50:10 +01001266 if (dlen < hlen) {
Paul Bakker9dcc3222011-03-08 14:16:06 +00001267 use_len = dlen;
Gilles Peskine449bd832023-01-11 14:50:10 +01001268 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00001269
Gilles Peskine449bd832023-01-11 14:50:10 +01001270 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001271 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001272 }
1273 if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001274 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001275 }
1276 if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001277 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001278 }
1279 if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001280 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001281 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00001282
Gilles Peskine449bd832023-01-11 14:50:10 +01001283 for (i = 0; i < use_len; ++i) {
Paul Bakker9dcc3222011-03-08 14:16:06 +00001284 *p++ ^= mask[i];
Gilles Peskine449bd832023-01-11 14:50:10 +01001285 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00001286
1287 counter[3]++;
1288
1289 dlen -= use_len;
1290 }
Gilles Peskine18ac7162017-05-05 19:24:06 +02001291
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001292exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001293 mbedtls_platform_zeroize(mask, sizeof(mask));
Gilles Peskine449bd832023-01-11 14:50:10 +01001294 mbedtls_md_free(&md_ctx);
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001295
Gilles Peskine449bd832023-01-11 14:50:10 +01001296 return ret;
Paul Bakker9dcc3222011-03-08 14:16:06 +00001297}
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001298
1299/**
1300 * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
1301 *
1302 * \param hash the input hash
1303 * \param hlen length of the input hash
1304 * \param salt the input salt
1305 * \param slen length of the input salt
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +02001306 * \param out the output buffer - must be large enough for \p md_alg
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001307 * \param md_alg message digest to use
1308 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001309static int hash_mprime(const unsigned char *hash, size_t hlen,
1310 const unsigned char *salt, size_t slen,
1311 unsigned char *out, mbedtls_md_type_t md_alg)
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001312{
1313 const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +02001314
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001315 mbedtls_md_context_t md_ctx;
Przemek Stekielf98b57f2022-07-29 11:27:46 +02001316 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001317
Gilles Peskine449bd832023-01-11 14:50:10 +01001318 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
1319 if (md_info == NULL) {
1320 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1321 }
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001322
Gilles Peskine449bd832023-01-11 14:50:10 +01001323 mbedtls_md_init(&md_ctx);
1324 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001325 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001326 }
1327 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001328 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001329 }
1330 if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001331 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001332 }
1333 if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001334 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001335 }
1336 if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001337 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001338 }
1339 if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001340 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +01001341 }
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001342
1343exit:
Gilles Peskine449bd832023-01-11 14:50:10 +01001344 mbedtls_md_free(&md_ctx);
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001345
Gilles Peskine449bd832023-01-11 14:50:10 +01001346 return ret;
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001347}
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +02001348
1349/**
1350 * Compute a hash.
1351 *
1352 * \param md_alg algorithm to use
1353 * \param input input message to hash
1354 * \param ilen input length
1355 * \param output the output buffer - must be large enough for \p md_alg
1356 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001357static int compute_hash(mbedtls_md_type_t md_alg,
1358 const unsigned char *input, size_t ilen,
1359 unsigned char *output)
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +02001360{
1361 const mbedtls_md_info_t *md_info;
1362
Gilles Peskine449bd832023-01-11 14:50:10 +01001363 md_info = mbedtls_md_info_from_type(md_alg);
1364 if (md_info == NULL) {
1365 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1366 }
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +02001367
Gilles Peskine449bd832023-01-11 14:50:10 +01001368 return mbedtls_md(md_info, input, ilen, output);
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +02001369}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001370#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker9dcc3222011-03-08 14:16:06 +00001371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001372#if defined(MBEDTLS_PKCS1_V21)
Paul Bakkerb3869132013-02-28 17:21:01 +01001373/*
1374 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1375 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001376int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
1377 int (*f_rng)(void *, unsigned char *, size_t),
1378 void *p_rng,
1379 const unsigned char *label, size_t label_len,
1380 size_t ilen,
1381 const unsigned char *input,
1382 unsigned char *output)
Paul Bakkerb3869132013-02-28 17:21:01 +01001383{
1384 size_t olen;
Janos Follath24eed8d2019-11-22 13:21:35 +00001385 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +01001386 unsigned char *p = output;
1387 unsigned int hlen;
Paul Bakkerb3869132013-02-28 17:21:01 +01001388
Gilles Peskine449bd832023-01-11 14:50:10 +01001389 if (f_rng == NULL) {
1390 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1391 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001392
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +02001393 hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001394 if (hlen == 0) {
1395 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1396 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001397
1398 olen = ctx->len;
Paul Bakkerb3869132013-02-28 17:21:01 +01001399
Simon Butcher02037452016-03-01 21:19:12 +00001400 /* first comparison checks for overflow */
Gilles Peskine449bd832023-01-11 14:50:10 +01001401 if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
1402 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1403 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001404
Gilles Peskine449bd832023-01-11 14:50:10 +01001405 memset(output, 0, olen);
Paul Bakkerb3869132013-02-28 17:21:01 +01001406
1407 *p++ = 0;
1408
Simon Butcher02037452016-03-01 21:19:12 +00001409 /* Generate a random octet string seed */
Gilles Peskine449bd832023-01-11 14:50:10 +01001410 if ((ret = f_rng(p_rng, p, hlen)) != 0) {
1411 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1412 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001413
1414 p += hlen;
1415
Simon Butcher02037452016-03-01 21:19:12 +00001416 /* Construct DB */
Gilles Peskine449bd832023-01-11 14:50:10 +01001417 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
1418 if (ret != 0) {
1419 return ret;
1420 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001421 p += hlen;
1422 p += olen - 2 * hlen - 2 - ilen;
1423 *p++ = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01001424 if (ilen != 0) {
1425 memcpy(p, input, ilen);
1426 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001427
Simon Butcher02037452016-03-01 21:19:12 +00001428 /* maskedDB: Apply dbMask to DB */
Gilles Peskine449bd832023-01-11 14:50:10 +01001429 if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
Agathiyan Bragadeesh01ed84a2023-07-13 11:42:41 +01001430 (mbedtls_md_type_t) ctx->hash_id)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +01001431 return ret;
1432 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001433
Simon Butcher02037452016-03-01 21:19:12 +00001434 /* maskedSeed: Apply seedMask to seed */
Gilles Peskine449bd832023-01-11 14:50:10 +01001435 if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
Agathiyan Bragadeesh01ed84a2023-07-13 11:42:41 +01001436 (mbedtls_md_type_t) ctx->hash_id)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +01001437 return ret;
1438 }
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001439
Gilles Peskine449bd832023-01-11 14:50:10 +01001440 return mbedtls_rsa_public(ctx, output, output);
Paul Bakkerb3869132013-02-28 17:21:01 +01001441}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001442#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001443
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001444#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +01001445/*
1446 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1447 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001448int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
1449 int (*f_rng)(void *, unsigned char *, size_t),
1450 void *p_rng, size_t ilen,
1451 const unsigned char *input,
1452 unsigned char *output)
Paul Bakkerb3869132013-02-28 17:21:01 +01001453{
1454 size_t nb_pad, olen;
Janos Follath24eed8d2019-11-22 13:21:35 +00001455 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +01001456 unsigned char *p = output;
1457
Paul Bakkerb3869132013-02-28 17:21:01 +01001458 olen = ctx->len;
Manuel Pégourié-Gonnard370717b2016-02-11 10:35:13 +01001459
Simon Butcher02037452016-03-01 21:19:12 +00001460 /* first comparison checks for overflow */
Gilles Peskine449bd832023-01-11 14:50:10 +01001461 if (ilen + 11 < ilen || olen < ilen + 11) {
1462 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1463 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001464
1465 nb_pad = olen - 3 - ilen;
1466
1467 *p++ = 0;
Thomas Daubney53e4ac62021-05-13 18:26:49 +01001468
Gilles Peskine449bd832023-01-11 14:50:10 +01001469 if (f_rng == NULL) {
1470 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1471 }
Thomas Daubney53e4ac62021-05-13 18:26:49 +01001472
1473 *p++ = MBEDTLS_RSA_CRYPT;
1474
Gilles Peskine449bd832023-01-11 14:50:10 +01001475 while (nb_pad-- > 0) {
Thomas Daubney53e4ac62021-05-13 18:26:49 +01001476 int rng_dl = 100;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05001477
Thomas Daubney53e4ac62021-05-13 18:26:49 +01001478 do {
Gilles Peskine449bd832023-01-11 14:50:10 +01001479 ret = f_rng(p_rng, p, 1);
1480 } while (*p == 0 && --rng_dl && ret == 0);
Paul Bakkerb3869132013-02-28 17:21:01 +01001481
Thomas Daubney53e4ac62021-05-13 18:26:49 +01001482 /* Check if RNG failed to generate data */
Gilles Peskine449bd832023-01-11 14:50:10 +01001483 if (rng_dl == 0 || ret != 0) {
1484 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1485 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001486
Thomas Daubney53e4ac62021-05-13 18:26:49 +01001487 p++;
Paul Bakkerb3869132013-02-28 17:21:01 +01001488 }
1489
1490 *p++ = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +01001491 if (ilen != 0) {
1492 memcpy(p, input, ilen);
1493 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001494
Gilles Peskine449bd832023-01-11 14:50:10 +01001495 return mbedtls_rsa_public(ctx, output, output);
Paul Bakkerb3869132013-02-28 17:21:01 +01001496}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001497#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001498
Paul Bakker5121ce52009-01-03 21:22:43 +00001499/*
1500 * Add the message padding, then do an RSA operation
1501 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001502int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
1503 int (*f_rng)(void *, unsigned char *, size_t),
1504 void *p_rng,
1505 size_t ilen,
1506 const unsigned char *input,
1507 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +00001508{
Gilles Peskine449bd832023-01-11 14:50:10 +01001509 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001510#if defined(MBEDTLS_PKCS1_V15)
1511 case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine449bd832023-01-11 14:50:10 +01001512 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
1513 ilen, input, output);
Paul Bakker48377d92013-08-30 12:06:24 +02001514#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001516#if defined(MBEDTLS_PKCS1_V21)
1517 case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine449bd832023-01-11 14:50:10 +01001518 return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
1519 ilen, input, output);
Paul Bakker9dcc3222011-03-08 14:16:06 +00001520#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001521
1522 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01001523 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker5121ce52009-01-03 21:22:43 +00001524 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001525}
1526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001527#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +00001528/*
Paul Bakkerb3869132013-02-28 17:21:01 +01001529 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker5121ce52009-01-03 21:22:43 +00001530 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001531int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
1532 int (*f_rng)(void *, unsigned char *, size_t),
1533 void *p_rng,
1534 const unsigned char *label, size_t label_len,
1535 size_t *olen,
1536 const unsigned char *input,
1537 unsigned char *output,
1538 size_t output_max_len)
Paul Bakker5121ce52009-01-03 21:22:43 +00001539{
Janos Follath24eed8d2019-11-22 13:21:35 +00001540 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001541 size_t ilen, i, pad_len;
Dave Rodgmanb4e6b412023-09-18 18:46:19 +01001542 unsigned char *p;
Dave Rodgmanc62f7fc2023-09-20 19:06:02 +01001543 mbedtls_ct_condition_t bad, in_padding;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001544 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +02001545 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +00001546 unsigned int hlen;
Paul Bakkerb3869132013-02-28 17:21:01 +01001547
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001548 /*
1549 * Parameters sanity checks
1550 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001551 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1552 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1553 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001554
1555 ilen = ctx->len;
1556
Gilles Peskine449bd832023-01-11 14:50:10 +01001557 if (ilen < 16 || ilen > sizeof(buf)) {
1558 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1559 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001560
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +02001561 hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001562 if (hlen == 0) {
1563 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1564 }
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001565
Janos Follathc17cda12016-02-11 11:08:18 +00001566 // checking for integer underflow
Gilles Peskine449bd832023-01-11 14:50:10 +01001567 if (2 * hlen + 2 > ilen) {
1568 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1569 }
Janos Follathc17cda12016-02-11 11:08:18 +00001570
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001571 /*
1572 * RSA operation
1573 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001574 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
Paul Bakker5121ce52009-01-03 21:22:43 +00001575
Gilles Peskine449bd832023-01-11 14:50:10 +01001576 if (ret != 0) {
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001577 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +01001578 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001579
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001580 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001581 * Unmask data and generate lHash
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001582 */
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001583 /* seed: Apply seedMask to maskedSeed */
Gilles Peskine449bd832023-01-11 14:50:10 +01001584 if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
Agathiyan Bragadeesh01ed84a2023-07-13 11:42:41 +01001585 (mbedtls_md_type_t) ctx->hash_id)) != 0 ||
Gilles Peskine449bd832023-01-11 14:50:10 +01001586 /* DB: Apply dbMask to maskedDB */
1587 (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
Agathiyan Bragadeesh01ed84a2023-07-13 11:42:41 +01001588 (mbedtls_md_type_t) ctx->hash_id)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001589 goto cleanup;
1590 }
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001591
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001592 /* Generate lHash */
Gilles Peskine449bd832023-01-11 14:50:10 +01001593 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
1594 label, label_len, lhash);
1595 if (ret != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001596 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +01001597 }
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001598
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001599 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001600 * Check contents, in "constant-time"
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001601 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001602 p = buf;
1603
Dave Rodgmanb4e6b412023-09-18 18:46:19 +01001604 bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001605
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001606 p += hlen; /* Skip seed */
Paul Bakkerb3869132013-02-28 17:21:01 +01001607
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001608 /* Check lHash */
Dave Rodgmanb4e6b412023-09-18 18:46:19 +01001609 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen)));
Dave Rodgman66d6ac92023-09-18 18:35:03 +01001610 p += hlen;
Paul Bakkerb3869132013-02-28 17:21:01 +01001611
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001612 /* Get zero-padding len, but always read till end of buffer
1613 * (minus one, for the 01 byte) */
1614 pad_len = 0;
Dave Rodgmanc62f7fc2023-09-20 19:06:02 +01001615 in_padding = MBEDTLS_CT_TRUE;
Gilles Peskine449bd832023-01-11 14:50:10 +01001616 for (i = 0; i < ilen - 2 * hlen - 2; i++) {
Dave Rodgmanc62f7fc2023-09-20 19:06:02 +01001617 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_uint_eq(p[i], 0));
1618 pad_len += mbedtls_ct_uint_if_else_0(in_padding, 1);
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001619 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001620
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001621 p += pad_len;
Dave Rodgmanb4e6b412023-09-18 18:46:19 +01001622 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01));
Paul Bakkerb3869132013-02-28 17:21:01 +01001623
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001624 /*
1625 * The only information "leaked" is whether the padding was correct or not
1626 * (eg, no data is copied if it was not correct). This meets the
1627 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1628 * the different error conditions.
1629 */
Dave Rodgmanb4e6b412023-09-18 18:46:19 +01001630 if (bad != MBEDTLS_CT_FALSE) {
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001631 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1632 goto cleanup;
1633 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001634
Gilles Peskine449bd832023-01-11 14:50:10 +01001635 if (ilen - (p - buf) > output_max_len) {
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001636 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1637 goto cleanup;
1638 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001639
1640 *olen = ilen - (p - buf);
Gilles Peskine449bd832023-01-11 14:50:10 +01001641 if (*olen != 0) {
1642 memcpy(output, p, *olen);
1643 }
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001644 ret = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +01001645
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001646cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +01001647 mbedtls_platform_zeroize(buf, sizeof(buf));
1648 mbedtls_platform_zeroize(lhash, sizeof(lhash));
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001649
Gilles Peskine449bd832023-01-11 14:50:10 +01001650 return ret;
Paul Bakkerb3869132013-02-28 17:21:01 +01001651}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001652#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001654#if defined(MBEDTLS_PKCS1_V15)
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001655/*
1656 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1657 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001658int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
1659 int (*f_rng)(void *, unsigned char *, size_t),
1660 void *p_rng,
1661 size_t *olen,
1662 const unsigned char *input,
1663 unsigned char *output,
1664 size_t output_max_len)
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001665{
1666 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1667 size_t ilen;
1668 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1669
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001670 ilen = ctx->len;
1671
Gilles Peskine449bd832023-01-11 14:50:10 +01001672 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1673 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1674 }
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001675
Gilles Peskine449bd832023-01-11 14:50:10 +01001676 if (ilen < 16 || ilen > sizeof(buf)) {
1677 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1678 }
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001679
Gilles Peskine449bd832023-01-11 14:50:10 +01001680 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001681
Gilles Peskine449bd832023-01-11 14:50:10 +01001682 if (ret != 0) {
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001683 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +01001684 }
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001685
Gilles Peskine449bd832023-01-11 14:50:10 +01001686 ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
1687 output, output_max_len, olen);
gabor-mezei-armbef600f2021-09-26 15:20:48 +02001688
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001689cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +01001690 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001691
Gilles Peskine449bd832023-01-11 14:50:10 +01001692 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00001693}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001694#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001695
1696/*
Paul Bakkerb3869132013-02-28 17:21:01 +01001697 * Do an RSA operation, then remove the message padding
1698 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001699int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
1700 int (*f_rng)(void *, unsigned char *, size_t),
1701 void *p_rng,
1702 size_t *olen,
1703 const unsigned char *input,
1704 unsigned char *output,
1705 size_t output_max_len)
Paul Bakkerb3869132013-02-28 17:21:01 +01001706{
Gilles Peskine449bd832023-01-11 14:50:10 +01001707 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001708#if defined(MBEDTLS_PKCS1_V15)
1709 case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine449bd832023-01-11 14:50:10 +01001710 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
1711 input, output, output_max_len);
Paul Bakker48377d92013-08-30 12:06:24 +02001712#endif
Paul Bakkerb3869132013-02-28 17:21:01 +01001713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001714#if defined(MBEDTLS_PKCS1_V21)
1715 case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine449bd832023-01-11 14:50:10 +01001716 return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
1717 olen, input, output,
1718 output_max_len);
Paul Bakkerb3869132013-02-28 17:21:01 +01001719#endif
1720
1721 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01001722 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakkerb3869132013-02-28 17:21:01 +01001723 }
1724}
1725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001726#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine449bd832023-01-11 14:50:10 +01001727static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1728 int (*f_rng)(void *, unsigned char *, size_t),
1729 void *p_rng,
1730 mbedtls_md_type_t md_alg,
1731 unsigned int hashlen,
1732 const unsigned char *hash,
1733 int saltlen,
1734 unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +01001735{
1736 size_t olen;
1737 unsigned char *p = sig;
Cédric Meuter668a78d2020-04-30 11:57:04 +02001738 unsigned char *salt = NULL;
Jaeden Amero3725bb22018-09-07 19:12:36 +01001739 size_t slen, min_slen, hlen, offset = 0;
Janos Follath24eed8d2019-11-22 13:21:35 +00001740 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +01001741 size_t msb;
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +02001742
Gilles Peskine449bd832023-01-11 14:50:10 +01001743 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +01001744 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +01001745 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001746
Gilles Peskine449bd832023-01-11 14:50:10 +01001747 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1748 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1749 }
Thomas Daubneyd58ed582021-05-21 11:50:39 +01001750
Gilles Peskine449bd832023-01-11 14:50:10 +01001751 if (f_rng == NULL) {
1752 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1753 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001754
1755 olen = ctx->len;
1756
Gilles Peskine449bd832023-01-11 14:50:10 +01001757 if (md_alg != MBEDTLS_MD_NONE) {
Simon Butcher02037452016-03-01 21:19:12 +00001758 /* Gather length of hash to sign */
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +02001759 size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +01001760 if (exp_hashlen == 0) {
1761 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1762 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02001763
Gilles Peskine449bd832023-01-11 14:50:10 +01001764 if (hashlen != exp_hashlen) {
1765 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1766 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001767 }
1768
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +02001769 hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001770 if (hlen == 0) {
1771 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1772 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001773
Gilles Peskine449bd832023-01-11 14:50:10 +01001774 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
1775 /* Calculate the largest possible salt length, up to the hash size.
1776 * Normally this is the hash length, which is the maximum salt length
1777 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
1778 * enough room, use the maximum salt length that fits. The constraint is
1779 * that the hash length plus the salt length plus 2 bytes must be at most
1780 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
1781 * (PKCS#1 v2.2) §9.1.1 step 3. */
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001782 min_slen = hlen - 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01001783 if (olen < hlen + min_slen + 2) {
1784 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1785 } else if (olen >= hlen + hlen + 2) {
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001786 slen = hlen;
Gilles Peskine449bd832023-01-11 14:50:10 +01001787 } else {
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001788 slen = olen - hlen - 2;
Gilles Peskine449bd832023-01-11 14:50:10 +01001789 }
1790 } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
1791 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1792 } else {
Cédric Meuter010ddc22020-04-25 09:24:11 +02001793 slen = (size_t) saltlen;
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001794 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001795
Gilles Peskine449bd832023-01-11 14:50:10 +01001796 memset(sig, 0, olen);
Paul Bakkerb3869132013-02-28 17:21:01 +01001797
Simon Butcher02037452016-03-01 21:19:12 +00001798 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
Gilles Peskine449bd832023-01-11 14:50:10 +01001799 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
Jaeden Amero3725bb22018-09-07 19:12:36 +01001800 p += olen - hlen - slen - 2;
Paul Bakkerb3869132013-02-28 17:21:01 +01001801 *p++ = 0x01;
Cédric Meuter668a78d2020-04-30 11:57:04 +02001802
1803 /* Generate salt of length slen in place in the encoded message */
1804 salt = p;
Gilles Peskine449bd832023-01-11 14:50:10 +01001805 if ((ret = f_rng(p_rng, salt, slen)) != 0) {
1806 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1807 }
Cédric Meuter668a78d2020-04-30 11:57:04 +02001808
Paul Bakkerb3869132013-02-28 17:21:01 +01001809 p += slen;
1810
Simon Butcher02037452016-03-01 21:19:12 +00001811 /* Generate H = Hash( M' ) */
Agathiyan Bragadeesh01ed84a2023-07-13 11:42:41 +01001812 ret = hash_mprime(hash, hashlen, salt, slen, p, (mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001813 if (ret != 0) {
1814 return ret;
1815 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001816
Simon Butcher02037452016-03-01 21:19:12 +00001817 /* Compensate for boundary condition when applying mask */
Gilles Peskine449bd832023-01-11 14:50:10 +01001818 if (msb % 8 == 0) {
Paul Bakkerb3869132013-02-28 17:21:01 +01001819 offset = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +01001820 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001821
Simon Butcher02037452016-03-01 21:19:12 +00001822 /* maskedDB: Apply dbMask to DB */
Gilles Peskine449bd832023-01-11 14:50:10 +01001823 ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,
Agathiyan Bragadeesh01ed84a2023-07-13 11:42:41 +01001824 (mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01001825 if (ret != 0) {
1826 return ret;
1827 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001828
Gilles Peskine449bd832023-01-11 14:50:10 +01001829 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
1830 sig[0] &= 0xFF >> (olen * 8 - msb);
Paul Bakkerb3869132013-02-28 17:21:01 +01001831
1832 p += hlen;
1833 *p++ = 0xBC;
1834
Gilles Peskine449bd832023-01-11 14:50:10 +01001835 return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
Paul Bakkerb3869132013-02-28 17:21:01 +01001836}
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001837
1838/*
Cédric Meuterf3fab332020-04-25 11:30:45 +02001839 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
1840 * the option to pass in the salt length.
1841 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001842int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
1843 int (*f_rng)(void *, unsigned char *, size_t),
1844 void *p_rng,
1845 mbedtls_md_type_t md_alg,
1846 unsigned int hashlen,
1847 const unsigned char *hash,
1848 int saltlen,
1849 unsigned char *sig)
Cédric Meuterf3fab332020-04-25 11:30:45 +02001850{
Gilles Peskine449bd832023-01-11 14:50:10 +01001851 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
1852 hashlen, hash, saltlen, sig);
Cédric Meuterf3fab332020-04-25 11:30:45 +02001853}
1854
1855
1856/*
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001857 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1858 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001859int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1860 int (*f_rng)(void *, unsigned char *, size_t),
1861 void *p_rng,
1862 mbedtls_md_type_t md_alg,
1863 unsigned int hashlen,
1864 const unsigned char *hash,
1865 unsigned char *sig)
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001866{
Gilles Peskine449bd832023-01-11 14:50:10 +01001867 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
1868 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
Cedric Meuter8aa4d752020-04-21 12:49:11 +02001869}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001870#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001871
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001872#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +01001873/*
1874 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1875 */
Hanno Beckerfdf38032017-09-06 12:35:55 +01001876
1877/* Construct a PKCS v1.5 encoding of a hashed message
1878 *
1879 * This is used both for signature generation and verification.
1880 *
1881 * Parameters:
1882 * - md_alg: Identifies the hash algorithm used to generate the given hash;
Hanno Beckere58d38c2017-09-27 17:09:00 +01001883 * MBEDTLS_MD_NONE if raw data is signed.
Gilles Peskine6e3187b2021-06-22 18:39:53 +02001884 * - hashlen: Length of hash. Must match md_alg if that's not NONE.
Hanno Beckere58d38c2017-09-27 17:09:00 +01001885 * - hash: Buffer containing the hashed message or the raw data.
1886 * - dst_len: Length of the encoded message.
Hanno Beckerfdf38032017-09-06 12:35:55 +01001887 * - dst: Buffer to hold the encoded message.
1888 *
1889 * Assumptions:
Gilles Peskine6e3187b2021-06-22 18:39:53 +02001890 * - hash has size hashlen.
Hanno Beckere58d38c2017-09-27 17:09:00 +01001891 * - dst points to a buffer of size at least dst_len.
Hanno Beckerfdf38032017-09-06 12:35:55 +01001892 *
1893 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001894static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
1895 unsigned int hashlen,
1896 const unsigned char *hash,
1897 size_t dst_len,
1898 unsigned char *dst)
Hanno Beckerfdf38032017-09-06 12:35:55 +01001899{
1900 size_t oid_size = 0;
Hanno Beckere58d38c2017-09-27 17:09:00 +01001901 size_t nb_pad = dst_len;
Hanno Beckerfdf38032017-09-06 12:35:55 +01001902 unsigned char *p = dst;
1903 const char *oid = NULL;
1904
1905 /* Are we signing hashed or raw data? */
Gilles Peskine449bd832023-01-11 14:50:10 +01001906 if (md_alg != MBEDTLS_MD_NONE) {
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +02001907 unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +01001908 if (md_size == 0) {
1909 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1910 }
Hanno Beckerfdf38032017-09-06 12:35:55 +01001911
Gilles Peskine449bd832023-01-11 14:50:10 +01001912 if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
1913 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1914 }
Hanno Beckerfdf38032017-09-06 12:35:55 +01001915
Gilles Peskine449bd832023-01-11 14:50:10 +01001916 if (hashlen != md_size) {
1917 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1918 }
Hanno Beckerfdf38032017-09-06 12:35:55 +01001919
1920 /* Double-check that 8 + hashlen + oid_size can be used as a
1921 * 1-byte ASN.1 length encoding and that there's no overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +01001922 if (8 + hashlen + oid_size >= 0x80 ||
Hanno Beckerfdf38032017-09-06 12:35:55 +01001923 10 + hashlen < hashlen ||
Gilles Peskine449bd832023-01-11 14:50:10 +01001924 10 + hashlen + oid_size < 10 + hashlen) {
1925 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1926 }
Hanno Beckerfdf38032017-09-06 12:35:55 +01001927
1928 /*
1929 * Static bounds check:
1930 * - Need 10 bytes for five tag-length pairs.
1931 * (Insist on 1-byte length encodings to protect against variants of
1932 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1933 * - Need hashlen bytes for hash
1934 * - Need oid_size bytes for hash alg OID.
1935 */
Gilles Peskine449bd832023-01-11 14:50:10 +01001936 if (nb_pad < 10 + hashlen + oid_size) {
1937 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1938 }
Hanno Beckerfdf38032017-09-06 12:35:55 +01001939 nb_pad -= 10 + hashlen + oid_size;
Gilles Peskine449bd832023-01-11 14:50:10 +01001940 } else {
1941 if (nb_pad < hashlen) {
1942 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1943 }
Hanno Beckerfdf38032017-09-06 12:35:55 +01001944
1945 nb_pad -= hashlen;
1946 }
1947
Hanno Becker2b2f8982017-09-27 17:10:03 +01001948 /* Need space for signature header and padding delimiter (3 bytes),
1949 * and 8 bytes for the minimal padding */
Gilles Peskine449bd832023-01-11 14:50:10 +01001950 if (nb_pad < 3 + 8) {
1951 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1952 }
Hanno Beckerfdf38032017-09-06 12:35:55 +01001953 nb_pad -= 3;
1954
1955 /* Now nb_pad is the amount of memory to be filled
Hanno Becker2b2f8982017-09-27 17:10:03 +01001956 * with padding, and at least 8 bytes long. */
Hanno Beckerfdf38032017-09-06 12:35:55 +01001957
1958 /* Write signature header and padding */
1959 *p++ = 0;
1960 *p++ = MBEDTLS_RSA_SIGN;
Gilles Peskine449bd832023-01-11 14:50:10 +01001961 memset(p, 0xFF, nb_pad);
Hanno Beckerfdf38032017-09-06 12:35:55 +01001962 p += nb_pad;
1963 *p++ = 0;
1964
1965 /* Are we signing raw data? */
Gilles Peskine449bd832023-01-11 14:50:10 +01001966 if (md_alg == MBEDTLS_MD_NONE) {
1967 memcpy(p, hash, hashlen);
1968 return 0;
Hanno Beckerfdf38032017-09-06 12:35:55 +01001969 }
1970
1971 /* Signing hashed data, add corresponding ASN.1 structure
1972 *
1973 * DigestInfo ::= SEQUENCE {
1974 * digestAlgorithm DigestAlgorithmIdentifier,
1975 * digest Digest }
1976 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1977 * Digest ::= OCTET STRING
1978 *
1979 * Schematic:
1980 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1981 * TAG-NULL + LEN [ NULL ] ]
1982 * TAG-OCTET + LEN [ HASH ] ]
1983 */
1984 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
Gilles Peskine449bd832023-01-11 14:50:10 +01001985 *p++ = (unsigned char) (0x08 + oid_size + hashlen);
Hanno Beckerfdf38032017-09-06 12:35:55 +01001986 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
Gilles Peskine449bd832023-01-11 14:50:10 +01001987 *p++ = (unsigned char) (0x04 + oid_size);
Hanno Beckerfdf38032017-09-06 12:35:55 +01001988 *p++ = MBEDTLS_ASN1_OID;
Hanno Becker87ae1972018-01-15 15:27:56 +00001989 *p++ = (unsigned char) oid_size;
Gilles Peskine449bd832023-01-11 14:50:10 +01001990 memcpy(p, oid, oid_size);
Hanno Beckerfdf38032017-09-06 12:35:55 +01001991 p += oid_size;
1992 *p++ = MBEDTLS_ASN1_NULL;
1993 *p++ = 0x00;
1994 *p++ = MBEDTLS_ASN1_OCTET_STRING;
Hanno Becker87ae1972018-01-15 15:27:56 +00001995 *p++ = (unsigned char) hashlen;
Gilles Peskine449bd832023-01-11 14:50:10 +01001996 memcpy(p, hash, hashlen);
Hanno Beckerfdf38032017-09-06 12:35:55 +01001997 p += hashlen;
1998
1999 /* Just a sanity-check, should be automatic
2000 * after the initial bounds check. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002001 if (p != dst + dst_len) {
2002 mbedtls_platform_zeroize(dst, dst_len);
2003 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Beckerfdf38032017-09-06 12:35:55 +01002004 }
2005
Gilles Peskine449bd832023-01-11 14:50:10 +01002006 return 0;
Hanno Beckerfdf38032017-09-06 12:35:55 +01002007}
2008
Paul Bakkerb3869132013-02-28 17:21:01 +01002009/*
2010 * Do an RSA operation to sign the message digest
2011 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002012int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
2013 int (*f_rng)(void *, unsigned char *, size_t),
2014 void *p_rng,
2015 mbedtls_md_type_t md_alg,
2016 unsigned int hashlen,
2017 const unsigned char *hash,
2018 unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +01002019{
Janos Follath24eed8d2019-11-22 13:21:35 +00002020 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerfdf38032017-09-06 12:35:55 +01002021 unsigned char *sig_try = NULL, *verif = NULL;
Paul Bakkerb3869132013-02-28 17:21:01 +01002022
Gilles Peskine449bd832023-01-11 14:50:10 +01002023 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +01002024 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +01002025 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002026
Gilles Peskine449bd832023-01-11 14:50:10 +01002027 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
2028 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2029 }
Thomas Daubneyd58ed582021-05-21 11:50:39 +01002030
Hanno Beckerfdf38032017-09-06 12:35:55 +01002031 /*
2032 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
2033 */
Paul Bakkerb3869132013-02-28 17:21:01 +01002034
Gilles Peskine449bd832023-01-11 14:50:10 +01002035 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
2036 ctx->len, sig)) != 0) {
2037 return ret;
2038 }
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02002039
Hanno Beckerfdf38032017-09-06 12:35:55 +01002040 /* Private key operation
2041 *
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02002042 * In order to prevent Lenstra's attack, make the signature in a
2043 * temporary buffer and check it before returning it.
2044 */
Hanno Beckerfdf38032017-09-06 12:35:55 +01002045
Gilles Peskine449bd832023-01-11 14:50:10 +01002046 sig_try = mbedtls_calloc(1, ctx->len);
2047 if (sig_try == NULL) {
2048 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
Simon Butcher1285ab52016-01-01 21:42:47 +00002049 }
2050
Gilles Peskine449bd832023-01-11 14:50:10 +01002051 verif = mbedtls_calloc(1, ctx->len);
2052 if (verif == NULL) {
2053 mbedtls_free(sig_try);
2054 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
2055 }
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02002056
Gilles Peskine449bd832023-01-11 14:50:10 +01002057 MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
2058 MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
2059
2060 if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02002061 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
2062 goto cleanup;
2063 }
2064
Gilles Peskine449bd832023-01-11 14:50:10 +01002065 memcpy(sig, sig_try, ctx->len);
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02002066
2067cleanup:
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01002068 mbedtls_zeroize_and_free(sig_try, ctx->len);
2069 mbedtls_zeroize_and_free(verif, ctx->len);
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02002070
Gilles Peskine449bd832023-01-11 14:50:10 +01002071 if (ret != 0) {
2072 memset(sig, '!', ctx->len);
2073 }
2074 return ret;
Paul Bakkerb3869132013-02-28 17:21:01 +01002075}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002076#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +01002077
2078/*
Paul Bakker5121ce52009-01-03 21:22:43 +00002079 * Do an RSA operation to sign the message digest
2080 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002081int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
2082 int (*f_rng)(void *, unsigned char *, size_t),
2083 void *p_rng,
2084 mbedtls_md_type_t md_alg,
2085 unsigned int hashlen,
2086 const unsigned char *hash,
2087 unsigned char *sig)
Paul Bakker5121ce52009-01-03 21:22:43 +00002088{
Gilles Peskine449bd832023-01-11 14:50:10 +01002089 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +01002090 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +01002091 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002092
Gilles Peskine449bd832023-01-11 14:50:10 +01002093 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002094#if defined(MBEDTLS_PKCS1_V15)
2095 case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine449bd832023-01-11 14:50:10 +01002096 return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
2097 md_alg, hashlen, hash, sig);
Paul Bakker48377d92013-08-30 12:06:24 +02002098#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002100#if defined(MBEDTLS_PKCS1_V21)
2101 case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine449bd832023-01-11 14:50:10 +01002102 return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
2103 hashlen, hash, sig);
Paul Bakker9dcc3222011-03-08 14:16:06 +00002104#endif
2105
Paul Bakker5121ce52009-01-03 21:22:43 +00002106 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01002107 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002108 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002109}
2110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002111#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +00002112/*
Paul Bakkerb3869132013-02-28 17:21:01 +01002113 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker5121ce52009-01-03 21:22:43 +00002114 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002115int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
2116 mbedtls_md_type_t md_alg,
2117 unsigned int hashlen,
2118 const unsigned char *hash,
2119 mbedtls_md_type_t mgf1_hash_id,
2120 int expected_salt_len,
2121 const unsigned char *sig)
Paul Bakker5121ce52009-01-03 21:22:43 +00002122{
Janos Follath24eed8d2019-11-22 13:21:35 +00002123 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +01002124 size_t siglen;
2125 unsigned char *p;
Gilles Peskine6a54b022017-10-17 19:02:13 +02002126 unsigned char *hash_start;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +02002127 unsigned char result[MBEDTLS_MD_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +00002128 unsigned int hlen;
Gilles Peskine6a54b022017-10-17 19:02:13 +02002129 size_t observed_salt_len, msb;
Gilles Peskine449bd832023-01-11 14:50:10 +01002130 unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
Paul Bakkerb3869132013-02-28 17:21:01 +01002131
Gilles Peskine449bd832023-01-11 14:50:10 +01002132 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +01002133 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +01002134 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002135
Paul Bakker5121ce52009-01-03 21:22:43 +00002136 siglen = ctx->len;
2137
Gilles Peskine449bd832023-01-11 14:50:10 +01002138 if (siglen < 16 || siglen > sizeof(buf)) {
2139 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2140 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002141
Gilles Peskine449bd832023-01-11 14:50:10 +01002142 ret = mbedtls_rsa_public(ctx, sig, buf);
Paul Bakker5121ce52009-01-03 21:22:43 +00002143
Gilles Peskine449bd832023-01-11 14:50:10 +01002144 if (ret != 0) {
2145 return ret;
2146 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002147
2148 p = buf;
2149
Gilles Peskine449bd832023-01-11 14:50:10 +01002150 if (buf[siglen - 1] != 0xBC) {
2151 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakkerb3869132013-02-28 17:21:01 +01002152 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002153
Gilles Peskine449bd832023-01-11 14:50:10 +01002154 if (md_alg != MBEDTLS_MD_NONE) {
2155 /* Gather length of hash to sign */
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +02002156 size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +01002157 if (exp_hashlen == 0) {
2158 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2159 }
2160
2161 if (hashlen != exp_hashlen) {
2162 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2163 }
2164 }
2165
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +02002166 hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
Gilles Peskine449bd832023-01-11 14:50:10 +01002167 if (hlen == 0) {
2168 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2169 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002170
Simon Butcher02037452016-03-01 21:19:12 +00002171 /*
2172 * Note: EMSA-PSS verification is over the length of N - 1 bits
2173 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002174 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
Paul Bakker9dcc3222011-03-08 14:16:06 +00002175
Gilles Peskine449bd832023-01-11 14:50:10 +01002176 if (buf[0] >> (8 - siglen * 8 + msb)) {
2177 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2178 }
Gilles Peskineb00b0da2017-10-19 15:23:49 +02002179
Simon Butcher02037452016-03-01 21:19:12 +00002180 /* Compensate for boundary condition when applying mask */
Gilles Peskine449bd832023-01-11 14:50:10 +01002181 if (msb % 8 == 0) {
Paul Bakkerb3869132013-02-28 17:21:01 +01002182 p++;
2183 siglen -= 1;
2184 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002185
Gilles Peskine449bd832023-01-11 14:50:10 +01002186 if (siglen < hlen + 2) {
2187 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2188 }
Gilles Peskine139108a2017-10-18 19:03:42 +02002189 hash_start = p + siglen - hlen - 1;
2190
Gilles Peskine449bd832023-01-11 14:50:10 +01002191 ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
2192 if (ret != 0) {
2193 return ret;
2194 }
Paul Bakker02303e82013-01-03 11:08:31 +01002195
Gilles Peskine449bd832023-01-11 14:50:10 +01002196 buf[0] &= 0xFF >> (siglen * 8 - msb);
Paul Bakker9dcc3222011-03-08 14:16:06 +00002197
Gilles Peskine449bd832023-01-11 14:50:10 +01002198 while (p < hash_start - 1 && *p == 0) {
Paul Bakkerb3869132013-02-28 17:21:01 +01002199 p++;
Gilles Peskine449bd832023-01-11 14:50:10 +01002200 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002201
Gilles Peskine449bd832023-01-11 14:50:10 +01002202 if (*p++ != 0x01) {
2203 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2204 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002205
Gilles Peskine6a54b022017-10-17 19:02:13 +02002206 observed_salt_len = hash_start - p;
Paul Bakker9dcc3222011-03-08 14:16:06 +00002207
Gilles Peskine449bd832023-01-11 14:50:10 +01002208 if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
2209 observed_salt_len != (size_t) expected_salt_len) {
2210 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002211 }
2212
Simon Butcher02037452016-03-01 21:19:12 +00002213 /*
2214 * Generate H = Hash( M' )
2215 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002216 ret = hash_mprime(hash, hashlen, p, observed_salt_len,
2217 result, mgf1_hash_id);
2218 if (ret != 0) {
2219 return ret;
2220 }
Paul Bakker53019ae2011-03-25 13:58:48 +00002221
Gilles Peskine449bd832023-01-11 14:50:10 +01002222 if (memcmp(hash_start, result, hlen) != 0) {
2223 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
2224 }
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002225
Gilles Peskine449bd832023-01-11 14:50:10 +01002226 return 0;
Paul Bakkerb3869132013-02-28 17:21:01 +01002227}
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002228
2229/*
2230 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2231 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002232int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
2233 mbedtls_md_type_t md_alg,
2234 unsigned int hashlen,
2235 const unsigned char *hash,
2236 const unsigned char *sig)
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002237{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002238 mbedtls_md_type_t mgf1_hash_id;
Gilles Peskine449bd832023-01-11 14:50:10 +01002239 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +01002240 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +01002241 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002242
Gilles Peskine449bd832023-01-11 14:50:10 +01002243 mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002244 ? (mbedtls_md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002245 : md_alg;
2246
Gilles Peskine449bd832023-01-11 14:50:10 +01002247 return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
2248 md_alg, hashlen, hash,
2249 mgf1_hash_id,
2250 MBEDTLS_RSA_SALT_LEN_ANY,
2251 sig);
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002252
2253}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002254#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker40628ba2013-01-03 10:50:31 +01002255
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002256#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +01002257/*
2258 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2259 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002260int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
2261 mbedtls_md_type_t md_alg,
2262 unsigned int hashlen,
2263 const unsigned char *hash,
2264 const unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +01002265{
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002266 int ret = 0;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002267 size_t sig_len;
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002268 unsigned char *encoded = NULL, *encoded_expected = NULL;
Paul Bakkerb3869132013-02-28 17:21:01 +01002269
Gilles Peskine449bd832023-01-11 14:50:10 +01002270 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +01002271 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +01002272 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002273
2274 sig_len = ctx->len;
2275
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002276 /*
2277 * Prepare expected PKCS1 v1.5 encoding of hash.
2278 */
Paul Bakkerb3869132013-02-28 17:21:01 +01002279
Gilles Peskine449bd832023-01-11 14:50:10 +01002280 if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
2281 (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002282 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2283 goto cleanup;
2284 }
2285
Gilles Peskine449bd832023-01-11 14:50:10 +01002286 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
2287 encoded_expected)) != 0) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002288 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +01002289 }
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002290
2291 /*
2292 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2293 */
Paul Bakkerb3869132013-02-28 17:21:01 +01002294
Gilles Peskine449bd832023-01-11 14:50:10 +01002295 ret = mbedtls_rsa_public(ctx, sig, encoded);
2296 if (ret != 0) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002297 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +01002298 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002299
Simon Butcher02037452016-03-01 21:19:12 +00002300 /*
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002301 * Compare
Simon Butcher02037452016-03-01 21:19:12 +00002302 */
Paul Bakkerc70b9822013-04-07 22:00:46 +02002303
Gilles Peskine449bd832023-01-11 14:50:10 +01002304 if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
2305 sig_len)) != 0) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002306 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2307 goto cleanup;
2308 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002309
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002310cleanup:
Paul Bakkerc70b9822013-04-07 22:00:46 +02002311
Gilles Peskine449bd832023-01-11 14:50:10 +01002312 if (encoded != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01002313 mbedtls_zeroize_and_free(encoded, sig_len);
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002314 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002315
Gilles Peskine449bd832023-01-11 14:50:10 +01002316 if (encoded_expected != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +01002317 mbedtls_zeroize_and_free(encoded_expected, sig_len);
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002318 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002319
Gilles Peskine449bd832023-01-11 14:50:10 +01002320 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00002321}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002322#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002323
2324/*
Paul Bakkerb3869132013-02-28 17:21:01 +01002325 * Do an RSA operation and check the message digest
2326 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002327int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
2328 mbedtls_md_type_t md_alg,
2329 unsigned int hashlen,
2330 const unsigned char *hash,
2331 const unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +01002332{
Gilles Peskine449bd832023-01-11 14:50:10 +01002333 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +01002334 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +01002335 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002336
Gilles Peskine449bd832023-01-11 14:50:10 +01002337 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002338#if defined(MBEDTLS_PKCS1_V15)
2339 case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine449bd832023-01-11 14:50:10 +01002340 return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
2341 hashlen, hash, sig);
Paul Bakker48377d92013-08-30 12:06:24 +02002342#endif
Paul Bakkerb3869132013-02-28 17:21:01 +01002343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002344#if defined(MBEDTLS_PKCS1_V21)
2345 case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine449bd832023-01-11 14:50:10 +01002346 return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
2347 hashlen, hash, sig);
Paul Bakkerb3869132013-02-28 17:21:01 +01002348#endif
2349
2350 default:
Gilles Peskine449bd832023-01-11 14:50:10 +01002351 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakkerb3869132013-02-28 17:21:01 +01002352 }
2353}
2354
2355/*
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002356 * Copy the components of an RSA key
2357 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002358int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002359{
Janos Follath24eed8d2019-11-22 13:21:35 +00002360 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002361
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002362 dst->len = src->len;
2363
Gilles Peskine449bd832023-01-11 14:50:10 +01002364 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
2365 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002366
Gilles Peskine449bd832023-01-11 14:50:10 +01002367 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
2368 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
2369 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
Hanno Becker33c30a02017-08-23 07:00:22 +01002370
2371#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +01002372 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
2373 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
2374 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
2375 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
2376 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
Hanno Becker33c30a02017-08-23 07:00:22 +01002377#endif
2378
Gilles Peskine449bd832023-01-11 14:50:10 +01002379 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002380
Gilles Peskine449bd832023-01-11 14:50:10 +01002381 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
2382 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +02002383
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002384 dst->padding = src->padding;
Manuel Pégourié-Gonnardfdddac92014-03-25 15:58:35 +01002385 dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002386
2387cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +01002388 if (ret != 0) {
2389 mbedtls_rsa_free(dst);
2390 }
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002391
Gilles Peskine449bd832023-01-11 14:50:10 +01002392 return ret;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002393}
2394
2395/*
Paul Bakker5121ce52009-01-03 21:22:43 +00002396 * Free the components of an RSA key
2397 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002398void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +00002399{
Gilles Peskine449bd832023-01-11 14:50:10 +01002400 if (ctx == NULL) {
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002401 return;
Gilles Peskine449bd832023-01-11 14:50:10 +01002402 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002403
Gilles Peskine449bd832023-01-11 14:50:10 +01002404 mbedtls_mpi_free(&ctx->Vi);
2405 mbedtls_mpi_free(&ctx->Vf);
2406 mbedtls_mpi_free(&ctx->RN);
2407 mbedtls_mpi_free(&ctx->D);
2408 mbedtls_mpi_free(&ctx->Q);
2409 mbedtls_mpi_free(&ctx->P);
2410 mbedtls_mpi_free(&ctx->E);
2411 mbedtls_mpi_free(&ctx->N);
Paul Bakkerc9965dc2013-09-29 14:58:17 +02002412
Hanno Becker33c30a02017-08-23 07:00:22 +01002413#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine449bd832023-01-11 14:50:10 +01002414 mbedtls_mpi_free(&ctx->RQ);
2415 mbedtls_mpi_free(&ctx->RP);
2416 mbedtls_mpi_free(&ctx->QP);
2417 mbedtls_mpi_free(&ctx->DQ);
2418 mbedtls_mpi_free(&ctx->DP);
Hanno Becker33c30a02017-08-23 07:00:22 +01002419#endif /* MBEDTLS_RSA_NO_CRT */
2420
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002421#if defined(MBEDTLS_THREADING_C)
Gilles Peskineeb940592021-02-01 17:57:41 +01002422 /* Free the mutex, but only if it hasn't been freed already. */
Gilles Peskine449bd832023-01-11 14:50:10 +01002423 if (ctx->ver != 0) {
2424 mbedtls_mutex_free(&ctx->mutex);
Gilles Peskineeb940592021-02-01 17:57:41 +01002425 ctx->ver = 0;
2426 }
Paul Bakkerc9965dc2013-09-29 14:58:17 +02002427#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002428}
2429
Hanno Beckerab377312017-08-23 16:24:51 +01002430#endif /* !MBEDTLS_RSA_ALT */
2431
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002432#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +00002433
Manuel Pégourié-Gonnardb33ef742023-03-07 00:04:16 +01002434#include "mbedtls/md.h"
Paul Bakker5121ce52009-01-03 21:22:43 +00002435
2436/*
2437 * Example RSA-1024 keypair, for test purposes
2438 */
2439#define KEY_LEN 128
2440
2441#define RSA_N "9292758453063D803DD603D5E777D788" \
2442 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2443 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2444 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2445 "93A89813FBF3C4F8066D2D800F7C38A8" \
2446 "1AE31942917403FF4946B0A83D3D3E05" \
2447 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2448 "5E94BB77B07507233A0BC7BAC8F90F79"
2449
2450#define RSA_E "10001"
2451
2452#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2453 "66CA472BC44D253102F8B4A9D3BFA750" \
2454 "91386C0077937FE33FA3252D28855837" \
2455 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2456 "DF79C5CE07EE72C7F123142198164234" \
2457 "CABB724CF78B8173B9F880FC86322407" \
2458 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2459 "071513A1E85B5DFA031F21ECAE91A34D"
2460
2461#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2462 "2C01CAD19EA484A87EA4377637E75500" \
2463 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2464 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2465
2466#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2467 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2468 "910E4168387E3C30AA1E00C339A79508" \
2469 "8452DD96A9A5EA5D9DCA68DA636032AF"
2470
Paul Bakker5121ce52009-01-03 21:22:43 +00002471#define PT_LEN 24
2472#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2473 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2474
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002475#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine449bd832023-01-11 14:50:10 +01002476static int myrand(void *rng_state, unsigned char *output, size_t len)
Paul Bakker545570e2010-07-18 09:00:25 +00002477{
gufe44c2620da2020-08-03 17:56:50 +02002478#if !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakkera3d195c2011-11-27 21:07:34 +00002479 size_t i;
2480
Gilles Peskine449bd832023-01-11 14:50:10 +01002481 if (rng_state != NULL) {
Paul Bakker545570e2010-07-18 09:00:25 +00002482 rng_state = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01002483 }
Paul Bakker545570e2010-07-18 09:00:25 +00002484
Gilles Peskine449bd832023-01-11 14:50:10 +01002485 for (i = 0; i < len; ++i) {
Paul Bakkera3d195c2011-11-27 21:07:34 +00002486 output[i] = rand();
Gilles Peskine449bd832023-01-11 14:50:10 +01002487 }
Paul Bakkerf96f7b62014-04-30 16:02:38 +02002488#else
Gilles Peskine449bd832023-01-11 14:50:10 +01002489 if (rng_state != NULL) {
Paul Bakkerf96f7b62014-04-30 16:02:38 +02002490 rng_state = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +01002491 }
Paul Bakkerf96f7b62014-04-30 16:02:38 +02002492
Gilles Peskine449bd832023-01-11 14:50:10 +01002493 arc4random_buf(output, len);
gufe44c2620da2020-08-03 17:56:50 +02002494#endif /* !OpenBSD && !NetBSD */
Paul Bakker48377d92013-08-30 12:06:24 +02002495
Gilles Peskine449bd832023-01-11 14:50:10 +01002496 return 0;
Paul Bakker545570e2010-07-18 09:00:25 +00002497}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002498#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker545570e2010-07-18 09:00:25 +00002499
Paul Bakker5121ce52009-01-03 21:22:43 +00002500/*
2501 * Checkup routine
2502 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002503int mbedtls_rsa_self_test(int verbose)
Paul Bakker5121ce52009-01-03 21:22:43 +00002504{
Paul Bakker3d8fb632014-04-17 12:42:41 +02002505 int ret = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002506#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker23986e52011-04-24 08:57:21 +00002507 size_t len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002508 mbedtls_rsa_context rsa;
Paul Bakker5121ce52009-01-03 21:22:43 +00002509 unsigned char rsa_plaintext[PT_LEN];
2510 unsigned char rsa_decrypted[PT_LEN];
2511 unsigned char rsa_ciphertext[KEY_LEN];
Manuel Pégourié-Gonnardc1f10442023-03-16 10:58:19 +01002512#if defined(MBEDTLS_MD_CAN_SHA1)
Paul Bakker5690efc2011-05-26 13:16:06 +00002513 unsigned char sha1sum[20];
2514#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002515
Hanno Becker3a701162017-08-22 13:52:43 +01002516 mbedtls_mpi K;
2517
Gilles Peskine449bd832023-01-11 14:50:10 +01002518 mbedtls_mpi_init(&K);
2519 mbedtls_rsa_init(&rsa);
Paul Bakker5121ce52009-01-03 21:22:43 +00002520
Gilles Peskine449bd832023-01-11 14:50:10 +01002521 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
2522 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
2523 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
2524 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
2525 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
2526 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
2527 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
2528 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
2529 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
2530 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
Hanno Becker3a701162017-08-22 13:52:43 +01002531
Gilles Peskine449bd832023-01-11 14:50:10 +01002532 MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
Paul Bakker5121ce52009-01-03 21:22:43 +00002533
Gilles Peskine449bd832023-01-11 14:50:10 +01002534 if (verbose != 0) {
2535 mbedtls_printf(" RSA key validation: ");
2536 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002537
Gilles Peskine449bd832023-01-11 14:50:10 +01002538 if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
2539 mbedtls_rsa_check_privkey(&rsa) != 0) {
2540 if (verbose != 0) {
2541 mbedtls_printf("failed\n");
2542 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002543
Hanno Becker5bc87292017-05-03 15:09:31 +01002544 ret = 1;
2545 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002546 }
2547
Gilles Peskine449bd832023-01-11 14:50:10 +01002548 if (verbose != 0) {
2549 mbedtls_printf("passed\n PKCS#1 encryption : ");
2550 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002551
Gilles Peskine449bd832023-01-11 14:50:10 +01002552 memcpy(rsa_plaintext, RSA_PT, PT_LEN);
Paul Bakker5121ce52009-01-03 21:22:43 +00002553
Gilles Peskine449bd832023-01-11 14:50:10 +01002554 if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
2555 PT_LEN, rsa_plaintext,
2556 rsa_ciphertext) != 0) {
2557 if (verbose != 0) {
2558 mbedtls_printf("failed\n");
2559 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002560
Hanno Becker5bc87292017-05-03 15:09:31 +01002561 ret = 1;
2562 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002563 }
2564
Gilles Peskine449bd832023-01-11 14:50:10 +01002565 if (verbose != 0) {
2566 mbedtls_printf("passed\n PKCS#1 decryption : ");
2567 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002568
Gilles Peskine449bd832023-01-11 14:50:10 +01002569 if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
2570 &len, rsa_ciphertext, rsa_decrypted,
2571 sizeof(rsa_decrypted)) != 0) {
2572 if (verbose != 0) {
2573 mbedtls_printf("failed\n");
2574 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002575
Hanno Becker5bc87292017-05-03 15:09:31 +01002576 ret = 1;
2577 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002578 }
2579
Gilles Peskine449bd832023-01-11 14:50:10 +01002580 if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
2581 if (verbose != 0) {
2582 mbedtls_printf("failed\n");
2583 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002584
Hanno Becker5bc87292017-05-03 15:09:31 +01002585 ret = 1;
2586 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002587 }
2588
Gilles Peskine449bd832023-01-11 14:50:10 +01002589 if (verbose != 0) {
2590 mbedtls_printf("passed\n");
2591 }
Manuel Pégourié-Gonnardd1004f02015-08-07 10:46:54 +02002592
Manuel Pégourié-Gonnardc1f10442023-03-16 10:58:19 +01002593#if defined(MBEDTLS_MD_CAN_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +01002594 if (verbose != 0) {
2595 mbedtls_printf(" PKCS#1 data sign : ");
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002596 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002597
Manuel Pégourié-Gonnardb33ef742023-03-07 00:04:16 +01002598 if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
2599 rsa_plaintext, PT_LEN, sha1sum) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +01002600 if (verbose != 0) {
2601 mbedtls_printf("failed\n");
2602 }
2603
2604 return 1;
2605 }
2606
2607 if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
2608 MBEDTLS_MD_SHA1, 20,
2609 sha1sum, rsa_ciphertext) != 0) {
2610 if (verbose != 0) {
2611 mbedtls_printf("failed\n");
2612 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002613
Hanno Becker5bc87292017-05-03 15:09:31 +01002614 ret = 1;
2615 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002616 }
2617
Gilles Peskine449bd832023-01-11 14:50:10 +01002618 if (verbose != 0) {
2619 mbedtls_printf("passed\n PKCS#1 sig. verify: ");
2620 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002621
Gilles Peskine449bd832023-01-11 14:50:10 +01002622 if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
2623 sha1sum, rsa_ciphertext) != 0) {
2624 if (verbose != 0) {
2625 mbedtls_printf("failed\n");
2626 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002627
Hanno Becker5bc87292017-05-03 15:09:31 +01002628 ret = 1;
2629 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002630 }
2631
Gilles Peskine449bd832023-01-11 14:50:10 +01002632 if (verbose != 0) {
2633 mbedtls_printf("passed\n");
2634 }
Manuel Pégourié-Gonnardc1f10442023-03-16 10:58:19 +01002635#endif /* MBEDTLS_MD_CAN_SHA1 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002636
Gilles Peskine449bd832023-01-11 14:50:10 +01002637 if (verbose != 0) {
2638 mbedtls_printf("\n");
2639 }
Manuel Pégourié-Gonnardd1004f02015-08-07 10:46:54 +02002640
Paul Bakker3d8fb632014-04-17 12:42:41 +02002641cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +01002642 mbedtls_mpi_free(&K);
2643 mbedtls_rsa_free(&rsa);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002644#else /* MBEDTLS_PKCS1_V15 */
Paul Bakker3e41fe82013-09-15 17:42:50 +02002645 ((void) verbose);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002646#endif /* MBEDTLS_PKCS1_V15 */
Gilles Peskine449bd832023-01-11 14:50:10 +01002647 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00002648}
2649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002650#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +00002651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002652#endif /* MBEDTLS_RSA_C */