Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

2009-01-03 21:22:43 +0000

[diff] [blame]

1

/*

2

* The RSA public-key cryptosystem

3

*

Manuel Pégourié-Gonnard

6fb8187

2015-07-27 11:11:48 +0200

[diff] [blame]

4

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

b96f154

2010-07-18 20:36:00 +0000

[diff] [blame]

18

*

Manuel Pégourié-Gonnard

fe44643

2015-03-06 13:17:10 +0000

[diff] [blame]

19

* This file is part of mbed TLS (https://tls.mbed.org)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

20

*/

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

21

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

22

/*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

23

* The following sources were referenced in the design of this implementation

24

* of the RSA algorithm:

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

25

*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

26

* [1] A method for obtaining digital signatures and public-key cryptosystems

27

* R Rivest, A Shamir, and L Adleman

28

* http://people.csail.mit.edu/rivest/pubs.html#RSA78

29

*

30

* [2] Handbook of Applied Cryptography - 1997, Chapter 8

31

* Menezes, van Oorschot and Vanstone

32

*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

33

* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks

34

* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and

35

* Stefan Mangard

36

* https://arxiv.org/abs/1702.08719v2

37

*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

38

*/

39

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

40

#if !defined(MBEDTLS_CONFIG_FILE)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

41

#include "mbedtls/config.h"

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

42

#else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

43

#include MBEDTLS_CONFIG_FILE

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

44

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

45

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

46

#if defined(MBEDTLS_RSA_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

47

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

48

#include "mbedtls/rsa.h"

49

#include "mbedtls/oid.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

50

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

51

#include <string.h>

52

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

53

#if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

54

#include "mbedtls/md.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

55

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

56

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

57

#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

58

#include <stdlib.h>

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

59

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

60

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

61

#if defined(MBEDTLS_PLATFORM_C)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

62

#include "mbedtls/platform.h"

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

63

#else

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

64

#include <stdio.h>

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

65

#define mbedtls_printf printf

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

66

#define mbedtls_calloc calloc

67

#define mbedtls_free free

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

68

#endif

69

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

70

/* Implementation that should never be optimized out by the compiler */

71

static void mbedtls_zeroize( void *v, size_t n ) {

72

volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;

73

}

74

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

75

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

76

* Context-independent RSA helper functions.

77

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

78

* There are two classes of helper functions:

79

* (1) Parameter-generating helpers. These are:

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

80

* - mbedtls_rsa_deduce_primes

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

81

* - mbedtls_rsa_deduce_private_exponent

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

82

* - mbedtls_rsa_deduce_crt

83

* Each of these functions takes a set of core RSA parameters

84

* and generates some other, or CRT related parameters.

85

* (2) Parameter-checking helpers. These are:

86

* - mbedtls_rsa_validate_params

87

* - mbedtls_rsa_validate_crt

88

* They take a set of core or CRT related RSA parameters

89

* and check their validity.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

90

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

91

* The helper functions do not use the RSA context structure

92

* and therefore do not need to be replaced when providing

93

* an alternative RSA implementation.

94

*

95

* Their main purpose is to provide common MPI operations in the context

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

96

* of RSA that can be easily shared across multiple implementations.

97

*/

98

99

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

100

*

101

* Given the modulus N=PQ and a pair of public and private

102

* exponents E and D, respectively, factor N.

103

*

104

* Setting F := lcm(P-1,Q-1), the idea is as follows:

105

*

106

* (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)

107

* is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the

108

* square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four

109

* possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)

110

* or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime

111

* factors of N.

112

*

113

* (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same

114

* construction still applies since (-)^K is the identity on the set of

115

* roots of 1 in Z/NZ.

116

*

117

* The public and private key primitives (-)^E and (-)^D are mutually inverse

118

* bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.

119

* if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.

120

* Splitting L = 2^t * K with K odd, we have

121

*

122

* DE - 1 = FL = (F/2) * (2^(t+1)) * K,

123

*

124

* so (F / 2) * K is among the numbers

125

*

126

* (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord

127

*

128

* where ord is the order of 2 in (DE - 1).

129

* We can therefore iterate through these numbers apply the construction

130

* of (a) and (b) above to attempt to factor N.

131

*

132

*/

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

133

int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

134

mbedtls_mpi const *D, mbedtls_mpi const *E,

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

135

mbedtls_mpi *P, mbedtls_mpi *Q )

136

{

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

137

int ret = 0;

138

139

uint16_t attempt; /* Number of current attempt */

140

uint16_t iter; /* Number of squares computed in the current attempt */

141

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

142

uint16_t order; /* Order of 2 in DE - 1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

143

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

144

mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */

145

mbedtls_mpi K; /* During factorization attempts, stores a random integer

146

* in the range of [0,..,N] */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

147

Hanno Becker

68b4d58

2017-10-10 16:39:10 +0100

[diff] [blame]

148

const unsigned int primes[] = { 2,

149

3, 5, 7, 11, 13, 17, 19, 23,

150

29, 31, 37, 41, 43, 47, 53, 59,

151

61, 67, 71, 73, 79, 83, 89, 97,

152

101, 103, 107, 109, 113, 127, 131, 137,

153

139, 149, 151, 157, 163, 167, 173, 179,

154

181, 191, 193, 197, 199, 211, 223, 227,

155

229, 233, 239, 241, 251, 257, 263, 269,

156

271, 277, 281, 283, 293, 307, 311, 313

157

};

158

159

const size_t num_primes = sizeof( primes ) / sizeof( *primes );

160

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

161

if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )

162

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

163

164

if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||

165

mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

166

mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||

167

mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||

168

mbedtls_mpi_cmp_mpi( E, N ) >= 0 )

169

{

170

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

}

/*

* Initializations and temporary changes

175

*/

176

177

mbedtls_mpi_init( &K );

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

178

mbedtls_mpi_init( &T );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

179

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

180

/* T := DE - 1 */

181

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D, E ) );

182

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

183

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

184

if( ( order = mbedtls_mpi_lsb( &T ) ) == 0 )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

185

{

186

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

goto cleanup;

}

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

190

/* After this operation, T holds the largest odd divisor of DE - 1. */

191

MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

192

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

/*

* Actual work

*/

Hanno Becker

2017-10-10 16:39:10 +0100

[diff] [blame]

197

/* Skip trying 2 if N == 1 mod 8 */

198

attempt = 0;

199

if( N->p[0] % 8 == 1 )

200

attempt = 1;

201

202

for( ; attempt < num_primes; ++attempt )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

203

{

Hanno Becker

68b4d58

2017-10-10 16:39:10 +0100

[diff] [blame]

204

mbedtls_mpi_lset( &K, primes[attempt] );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

205

206

/* Check if gcd(K,N) = 1 */

207

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

208

if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )

209

continue;

210

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

211

/* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

212

* and check whether they have nontrivial GCD with N. */

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

213

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

214

Q /* temporarily use Q for storing Montgomery

215

* multiplication helper values */ ) );

216

217

for( iter = 1; iter < order; ++iter )

218

{

219

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );

220

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

221

222

if( mbedtls_mpi_cmp_int( P, 1 ) == 1 &&

223

mbedtls_mpi_cmp_mpi( P, N ) == -1 )

224

{

225

/*

226

* Have found a nontrivial divisor P of N.

Hanno Becker

d56d83a

2017-08-25 07:29:35 +0100

[diff] [blame]

227

* Set Q := N / P.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

228

*/

229

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

230

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

235

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );

236

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );

}

}

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

cleanup:

mbedtls_mpi_free( &K );

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

245

mbedtls_mpi_free( &T );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

/*

* Given P, Q and the public exponent E, deduce D.

251

* This is essentially a modular inversion.

252

*/

253

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

254

int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,

255

mbedtls_mpi const *Q,

256

mbedtls_mpi const *E,

257

mbedtls_mpi *D )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

258

{

259

int ret = 0;

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

260

mbedtls_mpi K, L;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

261

262

if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )

263

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

264

265

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

266

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||

267

mbedtls_mpi_cmp_int( E, 0 ) == 0 )

268

{

269

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

270

}

271

272

mbedtls_mpi_init( &K );

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

273

mbedtls_mpi_init( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

274

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

275

/* Temporarily put K := P-1 and L := Q-1 */

276

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

277

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

278

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

279

/* Temporarily put D := gcd(P-1, Q-1) */

280

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

281

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

282

/* K := LCM(P-1, Q-1) */

283

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

284

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );

285

286

/* Compute modular inverse of E in LCM(P-1, Q-1) */

287

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );

288

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

289

cleanup:

290

291

mbedtls_mpi_free( &K );

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

292

mbedtls_mpi_free( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

/*

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

298

* Check that RSA CRT parameters are in accordance with core parameters.

299

*/

300

301

int mbedtls_rsa_validate_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

302

const mbedtls_mpi *D, const mbedtls_mpi *DP,

303

const mbedtls_mpi *DQ, const mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K, L;

mbedtls_mpi_init( &K );

309

mbedtls_mpi_init( &L );

310

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

311

/* Check that DP - D == 0 mod P - 1 */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

if( DP != NULL )

{

if( P == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

321

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );

322

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

323

324

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

325

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

326

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

327

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

331

/* Check that DQ - D == 0 mod Q - 1 */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

if( DQ != NULL )

{

if( Q == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

341

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );

342

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

343

344

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

345

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

346

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

347

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

351

/* Check that QP * Q - 1 == 0 mod P */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

352

if( QP != NULL )

353

{

354

if( P == NULL || Q == NULL )

355

{

356

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );

361

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

362

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );

363

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

364

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

365

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

366

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

cleanup:

/* Wrap MPI error codes by RSA check failure error code */

373

if( ret != 0 &&

374

ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&

375

ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )

376

{

377

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

378

}

379

380

mbedtls_mpi_free( &K );

381

mbedtls_mpi_free( &L );

return( ret );

}

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

387

* Check that core RSA parameters are sane.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

388

*/

389

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

390

int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,

391

const mbedtls_mpi *Q, const mbedtls_mpi *D,

392

const mbedtls_mpi *E,

393

int (*f_rng)(void *, unsigned char *, size_t),

394

void *p_rng )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

395

{

396

int ret = 0;

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

397

mbedtls_mpi K, L;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

398

399

mbedtls_mpi_init( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

400

mbedtls_mpi_init( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

401

402

/*

403

* Step 1: If PRNG provided, check that P and Q are prime

404

*/

405

Hanno Becker

fb81c0e

2017-08-24 06:55:11 +0100

[diff] [blame]

406

#if defined(MBEDTLS_GENPRIME)

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

407

if( f_rng != NULL && P != NULL &&

408

( ret = mbedtls_mpi_is_prime( P, f_rng, p_rng ) ) != 0 )

409

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

410

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

if( f_rng != NULL && Q != NULL &&

415

( ret = mbedtls_mpi_is_prime( Q, f_rng, p_rng ) ) != 0 )

416

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

417

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

418

goto cleanup;

419

}

Hanno Becker

fb81c0e

2017-08-24 06:55:11 +0100

[diff] [blame]

#else

((void) f_rng);

((void) p_rng);

#endif /* MBEDTLS_GENPRIME */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

424

425

/*

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

426

* Step 2: Check that 1 < N = PQ

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

427

*/

428

429

if( P != NULL && Q != NULL && N != NULL )

430

{

431

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

432

if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 ||

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

433

mbedtls_mpi_cmp_mpi( &K, N ) != 0 )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

434

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

435

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

}

/*

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

441

* Step 3: Check and 1 < D, E < N if present.

442

*/

443

444

if( N != NULL && D != NULL && E != NULL )

445

{

446

if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

447

mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||

448

mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||

449

mbedtls_mpi_cmp_mpi( E, N ) >= 0 )

450

{

451

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

goto cleanup;

}

}

/*

* Step 4: Check that D, E are inverse modulo P-1 and Q-1

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

458

*/

459

460

if( P != NULL && Q != NULL && D != NULL && E != NULL )

461

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

462

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

463

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

464

{

465

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

466

goto cleanup;

467

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

468

469

/* Compute DE-1 mod P-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

470

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

471

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

472

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );

473

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

474

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

475

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

476

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

/* Compute DE-1 mod Q-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

481

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

482

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

483

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );

484

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

485

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

486

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

487

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

488

goto cleanup;

489

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

}

cleanup:

mbedtls_mpi_free( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

495

mbedtls_mpi_free( &L );

496

497

/* Wrap MPI error codes by RSA check failure error code */

498

if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )

499

{

500

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

501

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

507

const mbedtls_mpi *D, mbedtls_mpi *DP,

508

mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K;

mbedtls_mpi_init( &K );

513

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

514

/* DP = D mod P-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

515

if( DP != NULL )

516

{

517

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

518

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );

519

}

520

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

521

/* DQ = D mod Q-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

522

if( DQ != NULL )

523

{

524

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

525

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );

526

}

527

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

528

/* QP = Q^{-1} mod P */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

529

if( QP != NULL )

530

{

531

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );

}

cleanup:

mbedtls_mpi_free( &K );

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

540

541

/*

542

* Default RSA interface implementation

543

*/

544

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

545

#if !defined(MBEDTLS_RSA_ALT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

546

547

int mbedtls_rsa_import( mbedtls_rsa_context *ctx,

548

const mbedtls_mpi *N,

549

const mbedtls_mpi *P, const mbedtls_mpi *Q,

550

const mbedtls_mpi *D, const mbedtls_mpi *E )

{

int ret;

if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||

555

( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||

556

( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||

557

( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||

558

( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )

559

{

560

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

if( N != NULL )

ctx->len = mbedtls_mpi_size( &ctx->N );

return( 0 );

}

int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

570

unsigned char const *N, size_t N_len,

571

unsigned char const *P, size_t P_len,

572

unsigned char const *Q, size_t Q_len,

573

unsigned char const *D, size_t D_len,

574

unsigned char const *E, size_t E_len )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

{

int ret;

if( N != NULL )

{

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );

581

ctx->len = mbedtls_mpi_size( &ctx->N );

}

if( P != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );

586

587

if( Q != NULL )

588

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );

589

590

if( D != NULL )

591

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );

592

593

if( E != NULL )

594

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );

cleanup:

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

return( 0 );

}

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

604

/*

605

* Checks whether the context fields are set in such a way

606

* that the RSA primitives will be able to execute without error.

607

* It does *not* make guarantees for consistency of the parameters.

608

*/

609

static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv )

610

{

611

if( ctx->len != mbedtls_mpi_size( &ctx->N ) )

612

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

613

614

/*

615

* 1. Modular exponentiation needs positive, odd moduli.

616

*/

617

618

/* Modular exponentiation wrt. N is always used for

619

* RSA public key operations. */

620

if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||

621

mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )

622

{

623

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

624

}

625

626

#if !defined(MBEDTLS_RSA_NO_CRT)

627

/* Modular exponentiation for P and Q is only

628

* used for private key operations and if CRT

629

* is used. */

630

if( is_priv &&

631

( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||

632

mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||

633

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||

634

mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )

635

{

636

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

637

}

638

#endif /* !MBEDTLS_RSA_NO_CRT */

639

640

/*

641

* 2. Exponents must be positive

642

*/

643

644

/* Always need E for public key operations */

645

if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )

646

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

647

648

#if !defined(MBEDTLS_NO_CRT)

649

/* For private key operations, use D or DP & DQ

650

* as (unblinded) exponents. */

651

if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )

652

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

653

#else

654

if( is_priv &&

655

( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||

656

mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )

657

{

658

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

659

}

660

#endif /* MBEDTLS_RSA_NO_CRT */

661

662

/* Blinding shouldn't make exponents negative either,

663

* so check that P, Q >= 1 if that hasn't yet been

664

* done as part of 1. */

665

#if defined(MBEDTLS_NO_CRT)

666

if( is_priv &&

667

( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||

668

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )

669

{

670

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

#endif

/* It wouldn't lead to an error if it wasn't satisfied,

675

* but check for PQ >= 1 nonetheless. */

676

#if !defined(MBEDTLS_NO_CRT)

677

if( is_priv &&

678

mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )

679

{

680

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

#endif

return( 0 );

}

Hanno Becker

2017-10-10 16:49:26 +0100

[diff] [blame]

687

int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

{

int ret = 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

691

const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );

692

const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );

693

const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );

694

const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );

695

const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

696

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

697

/*

698

* Check whether provided parameters are enough

699

* to deduce all others. The following incomplete

700

* parameter sets for private keys are supported:

701

*

702

* (1) P, Q missing.

703

* (2) D and potentially N missing.

704

*

705

*/

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

706

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

707

const int n_missing = have_P && have_Q && have_D && have_E;

708

const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;

709

const int d_missing = have_P && have_Q && !have_D && have_E;

710

const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;

711

712

/* These three alternatives are mutually exclusive */

713

const int is_priv = n_missing || pq_missing || d_missing;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

714

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

715

if( !is_priv && !is_pub )

716

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

717

718

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

719

* Step 1: Deduce N if P, Q are provided.

720

*/

721

722

if( !have_N && have_P && have_Q )

723

{

724

if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,

725

&ctx->Q ) ) != 0 )

726

{

727

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

728

}

729

730

ctx->len = mbedtls_mpi_size( &ctx->N );

}

/*

* Step 2: Deduce and verify all remaining core parameters.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

*/

if( pq_missing )

{

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

739

ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->D, &ctx->E,

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

740

&ctx->P, &ctx->Q );

741

if( ret != 0 )

742

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

else if( d_missing )

{

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

747

if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,

748

&ctx->Q,

749

&ctx->E,

750

&ctx->D ) ) != 0 )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

751

{

752

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

753

}

754

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

755

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

756

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

757

* Step 3: Deduce all additional parameters specific

Hanno Becker

e867489

2017-10-10 17:56:14 +0100

[diff] [blame]

758

* to our current RSA implementation.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

759

*/

760

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

761

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

762

if( is_priv )

763

{

764

ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

765

&ctx->DP, &ctx->DQ, &ctx->QP );

766

if( ret != 0 )

767

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

768

}

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

769

#endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

770

771

/*

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

772

* Step 3: Basic sanity checks

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

773

*/

774

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

775

return( rsa_check_context( ctx, is_priv ) );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

776

}

777

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

778

int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,

779

unsigned char *N, size_t N_len,

780

unsigned char *P, size_t P_len,

781

unsigned char *Q, size_t Q_len,

782

unsigned char *D, size_t D_len,

783

unsigned char *E, size_t E_len )

{

int ret = 0;

/* Check if key is private or public */

788

const int is_priv =

789

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

790

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

791

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

792

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

793

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

798

* something must be wrong. */

799

if( P != NULL || Q != NULL || D != NULL )

800

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

if( N != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );

806

807

if( P != NULL )

808

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );

809

810

if( Q != NULL )

811

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );

812

813

if( D != NULL )

814

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );

815

816

if( E != NULL )

817

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

cleanup:

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

824

int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,

825

mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,

826

mbedtls_mpi *D, mbedtls_mpi *E )

{

int ret;

/* Check if key is private or public */

831

int is_priv =

832

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

833

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

834

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

835

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

836

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

841

* something must be wrong. */

842

if( P != NULL || Q != NULL || D != NULL )

843

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

/* Export all requested core parameters. */

848

849

if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||

850

( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||

851

( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||

852

( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||

853

( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )

{

return( ret );

}

return( 0 );

}

/*

* Export CRT parameters

863

* This must also be implemented if CRT is not used, for being able to

864

* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt

865

* can be used in this case.

866

*/

867

int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,

868

mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret;

/* Check if key is private or public */

873

int is_priv =

874

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

875

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

876

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

877

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

878

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

879

880

if( !is_priv )

881

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

882

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

883

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

884

/* Export all requested blinding parameters. */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

885

if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||

886

( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||

887

( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )

888

{

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

889

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

890

}

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

891

#else

892

if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

893

DP, DQ, QP ) ) != 0 )

894

{

895

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

896

}

897

#endif

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

898

899

return( 0 );

900

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

901

902

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

903

* Initialize an RSA context

904

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

905

void mbedtls_rsa_init( mbedtls_rsa_context *ctx,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

906

int padding,

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

907

int hash_id )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

908

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

909

memset( ctx, 0, sizeof( mbedtls_rsa_context ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

910

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

911

mbedtls_rsa_set_padding( ctx, padding, hash_id );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

912

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

913

#if defined(MBEDTLS_THREADING_C)

914

mbedtls_mutex_init( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

915

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

916

}

917

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

918

/*

919

* Set padding for an existing RSA context

920

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

921

void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

922

{

923

ctx->padding = padding;

924

ctx->hash_id = hash_id;

925

}

926

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

927

/*

928

* Get length in bytes of RSA modulus

929

*/

930

931

size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )

932

{

Hanno Becker

2f8f06a

2017-09-29 11:47:26 +0100

[diff] [blame]

933

return( ctx->len );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

934

}

935

936

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

937

#if defined(MBEDTLS_GENPRIME)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

938

939

/*

940

* Generate an RSA keypair

941

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

942

int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

943

int (*f_rng)(void *, unsigned char *, size_t),

944

void *p_rng,

945

unsigned int nbits, int exponent )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

946

{

947

int ret;

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

948

mbedtls_mpi H, G;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

949

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

950

if( f_rng == NULL || nbits < 128 || exponent < 3 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

951

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

952

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

953

if( nbits % 2 )

954

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

955

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

956

mbedtls_mpi_init( &H );

957

mbedtls_mpi_init( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

958

959

/*

960

* find primes P and Q with Q < P so that:

961

* GCD( E, (P-1)*(Q-1) ) == 1

962

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

963

MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

964

965

do

966

{

Janos Follath

10c575b

2016-02-23 14:42:48 +0000

[diff] [blame]

967

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

968

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

969

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

970

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

971

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

972

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

973

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

974

continue;

975

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

976

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

977

if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

978

continue;

979

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

980

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

981

mbedtls_mpi_swap( &ctx->P, &ctx->Q );

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

982

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

983

/* Temporarily replace P,Q by P-1, Q-1 */

984

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );

985

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );

986

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

987

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

988

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

989

while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

990

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

991

/* Restore P,Q */

992

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );

993

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );

994

995

ctx->len = mbedtls_mpi_size( &ctx->N );

996

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

997

/*

998

* D = E^-1 mod ((P-1)*(Q-1))

* DP = D mod (P - 1)

* DQ = D mod (Q - 1)

* QP = Q^-1 mod P

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1003

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

1004

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H ) );

1005

1006

#if !defined(MBEDTLS_RSA_NO_CRT)

1007

MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

1008

&ctx->DP, &ctx->DQ, &ctx->QP ) );

1009

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1010

Hanno Becker

83aad1f

2017-08-23 06:45:10 +0100

[diff] [blame]

1011

/* Double-check */

1012

MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );

1013

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1014

cleanup:

1015

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

1016

mbedtls_mpi_free( &H );

1017

mbedtls_mpi_free( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1018

1019

if( ret != 0 )

1020

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1021

mbedtls_rsa_free( ctx );

1022

return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1023

}

1024

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1025

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1026

}

1027

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1028

#endif /* MBEDTLS_GENPRIME */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1029

1030

/*

1031

* Check a public RSA key

1032

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1033

int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1034

{

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1035

if( rsa_check_context( ctx, 0 /* public */ ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1036

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1037

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1038

if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||

1039

mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1040

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1041

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1042

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1043

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1044

if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||

1045

mbedtls_mpi_bitlen( &ctx->E ) < 2 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1046

mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1047

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1048

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1049

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

/*

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1055

* Check for the consistency of all fields in an RSA private key context

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1056

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1057

int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1058

{

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1059

if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||

1060

rsa_check_context( ctx, 1 /* private */ ) != 0 )

1061

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1062

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1063

}

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1064

1065

if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1066

&ctx->D, &ctx->E, NULL, NULL ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1067

{

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1068

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1069

}

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1070

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1071

#if !defined(MBEDTLS_RSA_NO_CRT)

1072

else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,

1073

&ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )

1074

{

1075

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

1076

}

1077

#endif

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

1078

1079

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1080

}

1081

1082

/*

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1083

* Check if contexts holding a public and private key match

1084

*/

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1085

int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,

1086

const mbedtls_rsa_context *prv )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1087

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1088

if( mbedtls_rsa_check_pubkey( pub ) != 0 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1089

mbedtls_rsa_check_privkey( prv ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1090

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1091

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1092

}

1093

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1094

if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||

1095

mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1096

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1097

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

}

return( 0 );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1104

* Do an RSA public key operation

1105

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1106

int mbedtls_rsa_public( mbedtls_rsa_context *ctx,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1107

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1108

unsigned char *output )

1109

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1110

int ret;

1111

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1112

mbedtls_mpi T;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1113

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1114

if( rsa_check_context( ctx, 0 /* public */ ) )

1115

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1116

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1117

mbedtls_mpi_init( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1118

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1119

#if defined(MBEDTLS_THREADING_C)

1120

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1121

return( ret );

1122

#endif

1123

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1124

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1125

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1126

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1127

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1128

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1129

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1130

}

1131

1132

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1133

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );

1134

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1135

1136

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1137

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1138

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1139

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

88fca3e

2015-03-27 15:06:07 +0100

[diff] [blame]

1140

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1141

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1142

mbedtls_mpi_free( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1143

1144

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1145

return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1150

/*

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1151

* Generate or update blinding values, see section 10 of:

1152

* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,

Manuel Pégourié-Gonnard

998930a

2015-04-03 13:48:06 +0200

[diff] [blame]

1153

* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1154

* Berlin Heidelberg, 1996. p. 104-113.

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1155

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1156

static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1157

int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )

1158

{

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1159

int ret, count = 0;

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1160

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1161

if( ctx->Vf.p != NULL )

1162

{

1163

/* We already have blinding values, just update them by squaring */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1164

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );

1165

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );

1166

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );

1167

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1168

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1169

goto cleanup;

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1170

}

1171

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1172

/* Unblinding value: Vf = random number, invertible mod N */

1173

do {

1174

if( count++ > 10 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1175

return( MBEDTLS_ERR_RSA_RNG_FAILED );

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1176

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1177

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );

1178

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1179

} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1180

1181

/* Blinding value: Vi = Vf^(-e) mod N */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1182

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1183

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1184

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1185

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1186

cleanup:

1187

return( ret );

1188

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1189

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1190

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1191

* Exponent blinding supposed to prevent side-channel attacks using multiple

1192

* traces of measurements to recover the RSA key. The more collisions are there,

1193

* the more bits of the key can be recovered. See [3].

1194

*

1195

* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)

1196

* observations on avarage.

1197

*

1198

* For example with 28 byte blinding to achieve 2 collisions the adversary has

1199

* to make 2^112 observations on avarage.

1200

*

1201

* (With the currently (as of 2017 April) known best algorithms breaking 2048

1202

* bit RSA requires approximately as much time as trying out 2^112 random keys.

1203

* Thus in this sense with 28 byte blinding the security is not reduced by

1204

* side-channel attacks like the one in [3])

1205

*

1206

* This countermeasure does not help if the key recovery is possible with a

1207

* single trace.

1208

*/

1209

#define RSA_EXPONENT_BLINDING 28

1210

1211

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1212

* Do an RSA private key operation

1213

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1214

int mbedtls_rsa_private( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1215

int (*f_rng)(void *, unsigned char *, size_t),

1216

void *p_rng,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1217

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1218

unsigned char *output )

1219

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1220

int ret;

1221

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1222

mbedtls_mpi T, T1, T2;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1223

mbedtls_mpi P1, Q1, R;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1224

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1225

mbedtls_mpi D_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1226

mbedtls_mpi *D = &ctx->D;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1227

#else

1228

mbedtls_mpi DP_blind, DQ_blind;

1229

mbedtls_mpi *DP = &ctx->DP;

1230

mbedtls_mpi *DQ = &ctx->DQ;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1231

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1232

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame^]

1233

if( rsa_check_context( ctx, 1 /* private */ ) != 0 )

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

1234

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1235

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1236

mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1237

mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );

1238

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1239

if( f_rng != NULL )

1240

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1241

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1242

mbedtls_mpi_init( &D_blind );

1243

#else

1244

mbedtls_mpi_init( &DP_blind );

1245

mbedtls_mpi_init( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1246

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1247

}

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1248

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1249

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1250

#if defined(MBEDTLS_THREADING_C)

1251

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1252

return( ret );

1253

#endif

1254

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1255

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

1256

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1257

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1258

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1259

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1260

}

1261

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1262

if( f_rng != NULL )

1263

{

1264

/*

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1265

* Blinding

1266

* T = T * Vi mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1267

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1268

MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );

1269

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1270

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1271

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

/*

* Exponent blinding

*/

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );

1276

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );

1277

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1278

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1279

/*

1280

* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D

1281

*/

1282

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1283

f_rng, p_rng ) );

1284

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );

1285

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );

1286

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );

1287

1288

D = &D_blind;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1289

#else

1290

/*

1291

* DP_blind = ( P - 1 ) * R + DP

1292

*/

1293

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1294

f_rng, p_rng ) );

1295

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );

1296

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,

&ctx->DP ) );

DP = &DP_blind;

/*

* DQ_blind = ( Q - 1 ) * R + DQ

1303

*/

1304

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1305

f_rng, p_rng ) );

1306

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );

1307

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,

1308

&ctx->DQ ) );

1309

1310

DQ = &DQ_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1311

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1312

}

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1313

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1314

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1315

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

e10e06d

2014-11-06 18:15:12 +0100

[diff] [blame]

1316

#else

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1317

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1318

* Faster decryption using the CRT

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1319

*

1320

* T1 = input ^ dP mod P

1321

* T2 = input ^ dQ mod Q

1322

*/

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1323

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );

1324

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1325

1326

/*

1327

* T = (T1 - T2) * (Q^-1 mod P) mod P

1328

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1329

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );

1330

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );

1331

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1332

1333

/*

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1334

* T = T2 + T * Q

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1335

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1336

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );

1337

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );

1338

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1339

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

if( f_rng != NULL )

{

/*

* Unblind

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1344

* T = T * Vf mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1345

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1346

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1347

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1348

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1349

1350

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1351

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1352

1353

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1354

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1355

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1356

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1357

#endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1358

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1359

mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1360

mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );

1361

1362

if( f_rng != NULL )

1363

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1364

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1365

mbedtls_mpi_free( &D_blind );

1366

#else

1367

mbedtls_mpi_free( &DP_blind );

1368

mbedtls_mpi_free( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1369

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1370

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1371

1372

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1373

return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1378

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1379

/**

1380

* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.

1381

*

Paul Bakker

b125ed8

2011-11-10 13:33:51 +0000

[diff] [blame]

1382

* \param dst buffer to mask

1383

* \param dlen length of destination buffer

1384

* \param src source of the mask generation

1385

* \param slen length of the source buffer

1386

* \param md_ctx message digest context to use

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1387

*/

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1388

static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1389

size_t slen, mbedtls_md_context_t *md_ctx )

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1390

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1391

unsigned char mask[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1392

unsigned char counter[4];

1393

unsigned char *p;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1394

unsigned int hlen;

1395

size_t i, use_len;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1396

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1397

memset( mask, 0, MBEDTLS_MD_MAX_SIZE );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1398

memset( counter, 0, 4 );

1399

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1400

hlen = mbedtls_md_get_size( md_ctx->md_info );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1401

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1402

/* Generate and apply dbMask */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

p = dst;

while( dlen > 0 )

{

use_len = hlen;

if( dlen < hlen )

use_len = dlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1411

mbedtls_md_starts( md_ctx );

1412

mbedtls_md_update( md_ctx, src, slen );

1413

mbedtls_md_update( md_ctx, counter, 4 );

1414

mbedtls_md_finish( md_ctx, mask );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1415

1416

for( i = 0; i < use_len; ++i )

*p++ ^= mask[i];

counter[3]++;

dlen -= use_len;

}

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1423

1424

mbedtls_zeroize( mask, sizeof( mask ) );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1425

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1426

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1427

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1428

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1429

/*

1430

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function

1431

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1432

int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1433

int (*f_rng)(void *, unsigned char *, size_t),

1434

void *p_rng,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1435

int mode,

1436

const unsigned char *label, size_t label_len,

1437

size_t ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1438

const unsigned char *input,

1439

unsigned char *output )

{

size_t olen;

int ret;

unsigned char *p = output;

1444

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1445

const mbedtls_md_info_t *md_info;

1446

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1447

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1448

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1449

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1450

1451

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1452

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1453

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1454

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1455

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1456

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1457

1458

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1459

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1460

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1461

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1462

if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1463

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1464

1465

memset( output, 0, olen );

*p++ = 0;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1469

/* Generate a random octet string seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1470

if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1471

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p += hlen;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1475

/* Construct DB */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1476

mbedtls_md( md_info, label, label_len, p );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1477

p += hlen;

1478

p += olen - 2 * hlen - 2 - ilen;

1479

*p++ = 1;

1480

memcpy( p, input, ilen );

1481

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1482

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1483

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1484

{

1485

mbedtls_md_free( &md_ctx );

1486

return( ret );

1487

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1488

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1489

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1490

mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,

1491

&md_ctx );

1492

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1493

/* maskedSeed: Apply seedMask to seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1494

mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,

1495

&md_ctx );

1496

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1497

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1498

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1499

return( ( mode == MBEDTLS_RSA_PUBLIC )

1500

? mbedtls_rsa_public( ctx, output, output )

1501

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1502

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1503

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1504

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1505

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1506

/*

1507

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function

1508

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1509

int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1510

int (*f_rng)(void *, unsigned char *, size_t),

1511

void *p_rng,

1512

int mode, size_t ilen,

1513

const unsigned char *input,

1514

unsigned char *output )

{

size_t nb_pad, olen;

int ret;

unsigned char *p = output;

1519

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1520

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1521

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1522

Janos Follath

1ed9f99

2016-03-18 11:45:44 +0000

[diff] [blame]

1523

// We don't check p_rng because it won't be dereferenced here

1524

if( f_rng == NULL || input == NULL || output == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1525

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1526

1527

olen = ctx->len;

Manuel Pégourié-Gonnard

370717b

2016-02-11 10:35:13 +0100

[diff] [blame]

1528

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1529

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1530

if( ilen + 11 < ilen || olen < ilen + 11 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1531

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1532

1533

nb_pad = olen - 3 - ilen;

1534

1535

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1536

if( mode == MBEDTLS_RSA_PUBLIC )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1537

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1538

*p++ = MBEDTLS_RSA_CRYPT;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1539

1540

while( nb_pad-- > 0 )

{

int rng_dl = 100;

do {

ret = f_rng( p_rng, p, 1 );

1546

} while( *p == 0 && --rng_dl && ret == 0 );

1547

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1548

/* Check if RNG failed to generate data */

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1549

if( rng_dl == 0 || ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1550

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p++;

}

}

else

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1557

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1558

1559

while( nb_pad-- > 0 )

*p++ = 0xFF;

}

*p++ = 0;

memcpy( p, input, ilen );

1565

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1566

return( ( mode == MBEDTLS_RSA_PUBLIC )

1567

? mbedtls_rsa_public( ctx, output, output )

1568

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1569

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1570

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1571

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1572

/*

1573

* Add the message padding, then do an RSA operation

1574

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1575

int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

1576

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

1577

void *p_rng,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1578

int mode, size_t ilen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1579

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1580

unsigned char *output )

1581

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1582

switch( ctx->padding )

1583

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1584

#if defined(MBEDTLS_PKCS1_V15)

1585

case MBEDTLS_RSA_PKCS_V15:

1586

return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1587

input, output );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1588

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1589

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1590

#if defined(MBEDTLS_PKCS1_V21)

1591

case MBEDTLS_RSA_PKCS_V21:

1592

return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1593

ilen, input, output );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1594

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1595

1596

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1597

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1598

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1599

}

1600

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1601

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1602

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1603

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1604

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1605

int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1606

int (*f_rng)(void *, unsigned char *, size_t),

1607

void *p_rng,

1608

int mode,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1609

const unsigned char *label, size_t label_len,

1610

size_t *olen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1611

const unsigned char *input,

1612

unsigned char *output,

1613

size_t output_max_len )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1614

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1615

int ret;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1616

size_t ilen, i, pad_len;

1617

unsigned char *p, bad, pad_done;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1618

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

1619

unsigned char lhash[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1620

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1621

const mbedtls_md_info_t *md_info;

1622

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1623

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1624

/*

1625

* Parameters sanity checks

1626

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1627

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1628

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

ilen = ctx->len;

Paul Bakker

2011-06-09 13:55:13 +0000

[diff] [blame]

1632

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1633

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1634

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1635

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1636

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1637

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1638

Janos Follath

c17cda1

2016-02-11 11:08:18 +0000

[diff] [blame]

1639

hlen = mbedtls_md_get_size( md_info );

1640

1641

// checking for integer underflow

1642

if( 2 * hlen + 2 > ilen )

1643

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1644

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1645

/*

1646

* RSA operation

1647

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1648

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1649

? mbedtls_rsa_public( ctx, input, buf )

1650

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1651

1652

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1653

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1654

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1655

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1656

* Unmask data and generate lHash

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1657

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1658

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1659

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1660

{

1661

mbedtls_md_free( &md_ctx );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1662

goto cleanup;

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1663

}

1664

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1665

1666

/* Generate lHash */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1667

mbedtls_md( md_info, label, label_len, lhash );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1668

1669

/* seed: Apply seedMask to maskedSeed */

1670

mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,

1671

&md_ctx );

1672

1673

/* DB: Apply dbMask to maskedDB */

1674

mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,

1675

&md_ctx );

1676

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1677

mbedtls_md_free( &md_ctx );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1678

1679

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1680

* Check contents, in "constant-time"

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1681

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1682

p = buf;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1683

bad = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1684

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1685

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1686

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1687

p += hlen; /* Skip seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1688

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1689

/* Check lHash */

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1690

for( i = 0; i < hlen; i++ )

1691

bad |= lhash[i] ^ *p++;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1692

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1693

/* Get zero-padding len, but always read till end of buffer

1694

* (minus one, for the 01 byte) */

1695

pad_len = 0;

1696

pad_done = 0;

1697

for( i = 0; i < ilen - 2 * hlen - 2; i++ )

1698

{

1699

pad_done |= p[i];

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1700

pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1701

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1702

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1703

p += pad_len;

1704

bad |= *p++ ^ 0x01;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1705

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1706

/*

1707

* The only information "leaked" is whether the padding was correct or not

1708

* (eg, no data is copied if it was not correct). This meets the

1709

* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between

1710

* the different error conditions.

1711

*/

1712

if( bad != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1713

{

1714

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1715

goto cleanup;

1716

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1717

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1718

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1719

{

1720

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1721

goto cleanup;

1722

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1723

1724

*olen = ilen - (p - buf);

1725

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1726

ret = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1727

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1728

cleanup:

1729

mbedtls_zeroize( buf, sizeof( buf ) );

1730

mbedtls_zeroize( lhash, sizeof( lhash ) );

1731

1732

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1733

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1734

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1735

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1736

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1737

/*

1738

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function

1739

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1740

int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1741

int (*f_rng)(void *, unsigned char *, size_t),

1742

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1743

int mode, size_t *olen,

1744

const unsigned char *input,

1745

unsigned char *output,

1746

size_t output_max_len)

1747

{

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1748

int ret;

1749

size_t ilen, pad_count = 0, i;

1750

unsigned char *p, bad, pad_done = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1751

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1752

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1753

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1754

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

ilen = ctx->len;

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1759

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1760

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1761

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1762

? mbedtls_rsa_public( ctx, input, buf )

1763

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1764

1765

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1766

goto cleanup;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1767

1768

p = buf;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1769

bad = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1770

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1771

/*

1772

* Check and get padding len in "constant-time"

1773

*/

1774

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1775

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1776

/* This test does not depend on secret data */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1777

if( mode == MBEDTLS_RSA_PRIVATE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1778

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1779

bad |= *p++ ^ MBEDTLS_RSA_CRYPT;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1780

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1781

/* Get padding len, but always read till end of buffer

1782

* (minus one, for the 00 byte) */

1783

for( i = 0; i < ilen - 3; i++ )

1784

{

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1785

pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;

1786

pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1787

}

Paul Bakker

e6ee41f

2012-05-19 08:43:48 +0000

[diff] [blame]

1788

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1789

p += pad_count;

1790

bad |= *p++; /* Must be zero */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1791

}

1792

else

1793

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1794

bad |= *p++ ^ MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1795

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1796

/* Get padding len, but always read till end of buffer

1797

* (minus one, for the 00 byte) */

1798

for( i = 0; i < ilen - 3; i++ )

1799

{

Manuel Pégourié-Gonnard

fbf0915

2014-02-03 11:58:55 +0100

[diff] [blame]

1800

pad_done |= ( p[i] != 0xFF );

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1801

pad_count += ( pad_done == 0 );

1802

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1803

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1804

p += pad_count;

1805

bad |= *p++; /* Must be zero */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1806

}

1807

Janos Follath

c69fa50

2016-02-12 13:30:09 +0000

[diff] [blame]

1808

bad |= ( pad_count < 8 );

Janos Follath

b6eb1ca

2016-02-08 13:59:25 +0000

[diff] [blame]

1809

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1810

if( bad )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1811

{

1812

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1813

goto cleanup;

1814

}

Paul Bakker

8804f69

2013-02-28 18:06:26 +0100

[diff] [blame]

1815

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1816

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1817

{

1818

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1819

goto cleanup;

1820

}

Paul Bakker

060c568

2009-01-12 21:48:39 +0000

[diff] [blame]

1821

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

1822

*olen = ilen - (p - buf);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1823

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1824

ret = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1825

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1826

cleanup:

1827

mbedtls_zeroize( buf, sizeof( buf ) );

1828

1829

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1830

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1831

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1832

1833

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1834

* Do an RSA operation, then remove the message padding

1835

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1836

int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1837

int (*f_rng)(void *, unsigned char *, size_t),

1838

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1839

int mode, size_t *olen,

1840

const unsigned char *input,

1841

unsigned char *output,

1842

size_t output_max_len)

1843

{

1844

switch( ctx->padding )

1845

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1846

#if defined(MBEDTLS_PKCS1_V15)

1847

case MBEDTLS_RSA_PKCS_V15:

1848

return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1849

input, output, output_max_len );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1850

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1851

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1852

#if defined(MBEDTLS_PKCS1_V21)

1853

case MBEDTLS_RSA_PKCS_V21:

1854

return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1855

olen, input, output,

1856

output_max_len );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1857

#endif

1858

1859

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1860

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1861

}

1862

}

1863

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1864

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1865

/*

1866

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function

1867

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1868

int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1869

int (*f_rng)(void *, unsigned char *, size_t),

1870

void *p_rng,

1871

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1872

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1873

unsigned int hashlen,

1874

const unsigned char *hash,

unsigned char *sig )

{

size_t olen;

unsigned char *p = sig;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1879

unsigned char salt[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1880

unsigned int slen, hlen, offset = 0;

1881

int ret;

1882

size_t msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1883

const mbedtls_md_info_t *md_info;

1884

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1885

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1886

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1887

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1888

1889

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1890

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1891

1892

olen = ctx->len;

1893

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1894

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1895

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1896

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1897

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1898

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1899

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1900

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1901

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1902

}

1903

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1904

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1905

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1906

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1907

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1908

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1909

slen = hlen;

1910

1911

if( olen < hlen + slen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1912

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1913

1914

memset( sig, 0, olen );

1915

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1916

/* Generate salt of length slen */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1917

if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1918

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1919

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1920

/* Note: EMSA-PSS encoding is over the length of N - 1 bits */

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1921

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1922

p += olen - hlen * 2 - 2;

1923

*p++ = 0x01;

1924

memcpy( p, salt, slen );

1925

p += slen;

1926

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1927

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1928

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1929

{

1930

mbedtls_md_free( &md_ctx );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1931

/* No need to zeroize salt: we didn't use it. */

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1932

return( ret );

1933

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1934

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1935

/* Generate H = Hash( M' ) */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1936

mbedtls_md_starts( &md_ctx );

1937

mbedtls_md_update( &md_ctx, p, 8 );

1938

mbedtls_md_update( &md_ctx, hash, hashlen );

1939

mbedtls_md_update( &md_ctx, salt, slen );

1940

mbedtls_md_finish( &md_ctx, p );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1941

mbedtls_zeroize( salt, sizeof( salt ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1942

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1943

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

offset = 1;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1947

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1948

mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );

1949

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1950

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1951

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1952

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1953

sig[0] &= 0xFF >> ( olen * 8 - msb );

p += hlen;

*p++ = 0xBC;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1958

return( ( mode == MBEDTLS_RSA_PUBLIC )

1959

? mbedtls_rsa_public( ctx, sig, sig )

1960

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1961

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1962

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1963

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1964

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1965

/*

1966

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function

1967

*/

1968

/*

1969

* Do an RSA operation to sign the message digest

1970

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1971

int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1972

int (*f_rng)(void *, unsigned char *, size_t),

1973

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1974

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1975

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1976

unsigned int hashlen,

1977

const unsigned char *hash,

1978

unsigned char *sig )

1979

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1980

size_t nb_pad, olen, oid_size = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1981

unsigned char *p = sig;

Paul Bakker

21e081b

2014-07-24 10:38:01 +0200

[diff] [blame]

1982

const char *oid = NULL;

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1983

unsigned char *sig_try = NULL, *verif = NULL;

1984

size_t i;

1985

unsigned char diff;

1986

volatile unsigned char diff_no_optimize;

1987

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1988

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1989

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1990

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1991

1992

olen = ctx->len;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1993

nb_pad = olen - 3;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1994

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1995

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1996

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1997

const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1998

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1999

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2000

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2001

if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )

2002

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2003

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2004

nb_pad -= 10 + oid_size;

2005

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2006

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2007

}

2008

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2009

nb_pad -= hashlen;

2010

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2011

if( ( nb_pad < 8 ) || ( nb_pad > olen ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2012

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2013

2014

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2015

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2016

memset( p, 0xFF, nb_pad );

2017

p += nb_pad;

2018

*p++ = 0;

2019

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2020

if( md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2021

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2022

memcpy( p, hash, hashlen );

}

else

{

/*

* DigestInfo ::= SEQUENCE {

2028

* digestAlgorithm DigestAlgorithmIdentifier,

2029

* digest Digest }

2030

*

2031

* DigestAlgorithmIdentifier ::= AlgorithmIdentifier

2032

*

2033

* Digest ::= OCTET STRING

2034

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2035

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2036

*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2037

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2038

*p++ = (unsigned char) ( 0x04 + oid_size );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2039

*p++ = MBEDTLS_ASN1_OID;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2040

*p++ = oid_size & 0xFF;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2041

memcpy( p, oid, oid_size );

2042

p += oid_size;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2043

*p++ = MBEDTLS_ASN1_NULL;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2044

*p++ = 0x00;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2045

*p++ = MBEDTLS_ASN1_OCTET_STRING;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2046

*p++ = hashlen;

2047

memcpy( p, hash, hashlen );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2048

}

2049

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2050

if( mode == MBEDTLS_RSA_PUBLIC )

2051

return( mbedtls_rsa_public( ctx, sig, sig ) );

2052

2053

/*

2054

* In order to prevent Lenstra's attack, make the signature in a

2055

* temporary buffer and check it before returning it.

2056

*/

2057

sig_try = mbedtls_calloc( 1, ctx->len );

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2058

if( sig_try == NULL )

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2059

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2060

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2061

verif = mbedtls_calloc( 1, ctx->len );

2062

if( verif == NULL )

2063

{

2064

mbedtls_free( sig_try );

2065

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2066

}

2067

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2068

MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );

2069

MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );

2070

2071

/* Compare in constant time just in case */

2072

for( diff = 0, i = 0; i < ctx->len; i++ )

2073

diff |= verif[i] ^ sig[i];

2074

diff_no_optimize = diff;

2075

2076

if( diff_no_optimize != 0 )

2077

{

2078

ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;

goto cleanup;

}

memcpy( sig, sig_try, ctx->len );

2083

2084

cleanup:

2085

mbedtls_free( sig_try );

2086

mbedtls_free( verif );

2087

2088

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2089

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2090

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2091

2092

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2093

* Do an RSA operation to sign the message digest

2094

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2095

int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2096

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2097

void *p_rng,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2098

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2099

mbedtls_md_type_t md_alg,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2100

unsigned int hashlen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

2101

const unsigned char *hash,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2102

unsigned char *sig )

2103

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2104

switch( ctx->padding )

2105

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2106

#if defined(MBEDTLS_PKCS1_V15)

2107

case MBEDTLS_RSA_PKCS_V15:

2108

return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2109

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2110

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2111

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2112

#if defined(MBEDTLS_PKCS1_V21)

2113

case MBEDTLS_RSA_PKCS_V21:

2114

return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2115

hashlen, hash, sig );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2116

#endif

2117

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2118

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2119

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2120

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2121

}

2122

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2123

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2124

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2125

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2126

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2127

int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2128

int (*f_rng)(void *, unsigned char *, size_t),

2129

void *p_rng,

2130

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2131

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2132

unsigned int hashlen,

2133

const unsigned char *hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2134

mbedtls_md_type_t mgf1_hash_id,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2135

int expected_salt_len,

2136

const unsigned char *sig )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2137

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2138

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2139

size_t siglen;

2140

unsigned char *p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2141

unsigned char result[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2142

unsigned char zeros[8];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2143

unsigned int hlen;

2144

size_t slen, msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2145

const mbedtls_md_info_t *md_info;

2146

mbedtls_md_context_t md_ctx;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2147

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2148

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2149

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

2150

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2151

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2152

siglen = ctx->len;

2153

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

2154

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2155

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2156

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2157

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2158

? mbedtls_rsa_public( ctx, sig, buf )

2159

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2166

if( buf[siglen - 1] != 0xBC )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2167

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2168

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2169

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2170

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2171

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2172

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2173

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2174

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2175

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2176

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2177

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2178

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2179

md_info = mbedtls_md_info_from_type( mgf1_hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2180

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2181

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2182

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2183

hlen = mbedtls_md_get_size( md_info );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2184

slen = siglen - hlen - 1; /* Currently length of salt + padding */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2185

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2186

memset( zeros, 0, 8 );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2187

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2188

/*

2189

* Note: EMSA-PSS verification is over the length of N - 1 bits

2190

*/

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

2191

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2192

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2193

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

{

p++;

siglen -= 1;

}

if( buf[0] >> ( 8 - siglen * 8 + msb ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2200

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2201

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2202

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

2203

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

2204

{

2205

mbedtls_md_free( &md_ctx );

2206

return( ret );

2207

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2208

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2209

mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );

Paul Bakker

02303e8

2013-01-03 11:08:31 +0100

[diff] [blame]

2210

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2211

buf[0] &= 0xFF >> ( siglen * 8 - msb );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2212

Paul Bakker

4de44aa

2013-12-31 11:43:01 +0100

[diff] [blame]

2213

while( p < buf + siglen && *p == 0 )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2214

p++;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2215

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2216

if( p == buf + siglen ||

2217

*p++ != 0x01 )

2218

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2219

mbedtls_md_free( &md_ctx );

2220

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2221

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2222

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2223

/* Actual salt len */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2224

slen -= p - buf;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2225

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2226

if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2227

slen != (size_t) expected_salt_len )

2228

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2229

mbedtls_md_free( &md_ctx );

2230

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2231

}

2232

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2233

/*

2234

* Generate H = Hash( M' )

2235

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2236

mbedtls_md_starts( &md_ctx );

2237

mbedtls_md_update( &md_ctx, zeros, 8 );

2238

mbedtls_md_update( &md_ctx, hash, hashlen );

2239

mbedtls_md_update( &md_ctx, p, slen );

2240

mbedtls_md_finish( &md_ctx, result );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2241

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2242

mbedtls_md_free( &md_ctx );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2243

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2244

if( memcmp( p + slen, result, hlen ) == 0 )

2245

return( 0 );

2246

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2247

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2248

}

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2249

2250

/*

2251

* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function

2252

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2253

int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2254

int (*f_rng)(void *, unsigned char *, size_t),

2255

void *p_rng,

2256

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2257

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2258

unsigned int hashlen,

2259

const unsigned char *hash,

2260

const unsigned char *sig )

2261

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2262

mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )

2263

? (mbedtls_md_type_t) ctx->hash_id

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2264

: md_alg;

2265

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2266

return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2267

md_alg, hashlen, hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2268

mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2269

sig ) );

2270

2271

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2272

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

40628ba

2013-01-03 10:50:31 +0100

[diff] [blame]

2273

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2274

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2275

/*

2276

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function

2277

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2278

int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2279

int (*f_rng)(void *, unsigned char *, size_t),

2280

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2281

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2282

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2283

unsigned int hashlen,

2284

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2285

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2286

{

2287

int ret;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2288

size_t len, siglen, asn1_len;

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2289

unsigned char *p, *p0, *end;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2290

mbedtls_md_type_t msg_md_alg;

2291

const mbedtls_md_info_t *md_info;

2292

mbedtls_asn1_buf oid;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2293

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2294

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2295

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

2296

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

siglen = ctx->len;

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2301

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2302

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2303

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2304

? mbedtls_rsa_public( ctx, sig, buf )

2305

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2312

if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )

2313

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

while( *p != 0 )

{

if( p >= buf + siglen - 1 || *p != 0xFF )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2318

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2319

p++;

2320

}

Manuel Pégourié-Gonnard

c1380de

2017-05-11 12:49:51 +0200

[diff] [blame]

2321

p++; /* skip 00 byte */

2322

2323

/* We've read: 00 01 PS 00 where PS must be at least 8 bytes */

2324

if( p - buf < 11 )

2325

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2326

2327

len = siglen - ( p - buf );

2328

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2329

if( len == hashlen && md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2330

{

2331

if( memcmp( p, hash, hashlen ) == 0 )

2332

return( 0 );

2333

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2334

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2335

}

2336

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2337

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2338

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2339

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

2340

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

end = p + len;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2344

/*

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2345

* Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.

2346

* Insist on 2-byte length tags, to protect against variants of

2347

* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2348

*/

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2349

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2350

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2351

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2352

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2353

if( p != p0 + 2 || asn1_len + 2 != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2354

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2355

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2356

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2357

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2358

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2359

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2360

if( p != p0 + 2 || asn1_len + 6 + hashlen != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2361

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2362

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2363

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2364

if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )

2365

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2366

if( p != p0 + 2 )

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2367

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

oid.p = p;

p += oid.len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2372

if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )

2373

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2374

2375

if( md_alg != msg_md_alg )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2376

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2377

2378

/*

2379

* assume the algorithm parameters must be NULL

2380

*/

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2381

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2382

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )

2383

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2384

if( p != p0 + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2385

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2386

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2387

p0 = p;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2388

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )

2389

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2390

if( p != p0 + 2 || asn1_len != hashlen )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2391

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2392

2393

if( memcmp( p, hash, hashlen ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2394

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

p += hashlen;

if( p != end )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2399

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2400

2401

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2402

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2403

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2404

2405

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2406

* Do an RSA operation and check the message digest

2407

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2408

int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2409

int (*f_rng)(void *, unsigned char *, size_t),

2410

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2411

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2412

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2413

unsigned int hashlen,

2414

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2415

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2416

{

2417

switch( ctx->padding )

2418

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2419

#if defined(MBEDTLS_PKCS1_V15)

2420

case MBEDTLS_RSA_PKCS_V15:

2421

return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2422

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2423

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2424

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2425

#if defined(MBEDTLS_PKCS1_V21)

2426

case MBEDTLS_RSA_PKCS_V21:

2427

return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2428

hashlen, hash, sig );

2429

#endif

2430

2431

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2432

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

}

}

/*

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2437

* Copy the components of an RSA key

2438

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2439

int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

{

int ret;

dst->ver = src->ver;

dst->len = src->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2446

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );

2447

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2448

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2449

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );

2450

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );

2451

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2452

2453

#if !defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2454

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );

2455

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );

2456

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2457

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );

2458

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2459

#endif

2460

2461

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2462

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2463

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );

2464

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

2465

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2466

dst->padding = src->padding;

Manuel Pégourié-Gonnard

fdddac9

2014-03-25 15:58:35 +0100

[diff] [blame]

2467

dst->hash_id = src->hash_id;

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2468

2469

cleanup:

2470

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2471

mbedtls_rsa_free( dst );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

return( ret );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2477

* Free the components of an RSA key

2478

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2479

void mbedtls_rsa_free( mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2480

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2481

mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2482

mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D );

2483

mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2484

mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2485

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2486

#if !defined(MBEDTLS_RSA_NO_CRT)

2487

mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );

2488

mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );

2489

mbedtls_mpi_free( &ctx->DP );

2490

#endif /* MBEDTLS_RSA_NO_CRT */

2491

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2492

#if defined(MBEDTLS_THREADING_C)

2493

mbedtls_mutex_free( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2494

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2495

}

2496

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

2497

#endif /* !MBEDTLS_RSA_ALT */

2498

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2499

#if defined(MBEDTLS_SELF_TEST)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2500

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

2501

#include "mbedtls/sha1.h"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2502

2503

/*

2504

* Example RSA-1024 keypair, for test purposes

*/

#define KEY_LEN 128

#define RSA_N "9292758453063D803DD603D5E777D788" \

2509

"8ED1D5BF35786190FA2F23EBC0848AEA" \

2510

"DDA92CA6C3D80B32C4D109BE0F36D6AE" \

2511

"7130B9CED7ACDF54CFC7555AC14EEBAB" \

2512

"93A89813FBF3C4F8066D2D800F7C38A8" \

2513

"1AE31942917403FF4946B0A83D3D3E05" \

2514

"EE57C6F5F5606FB5D4BC6CD34EE0801A" \

2515

"5E94BB77B07507233A0BC7BAC8F90F79"

2516

2517

#define RSA_E "10001"

2518

2519

#define RSA_D "24BF6185468786FDD303083D25E64EFC" \

2520

"66CA472BC44D253102F8B4A9D3BFA750" \

2521

"91386C0077937FE33FA3252D28855837" \

2522

"AE1B484A8A9A45F7EE8C0C634F99E8CD" \

2523

"DF79C5CE07EE72C7F123142198164234" \

2524

"CABB724CF78B8173B9F880FC86322407" \

2525

"AF1FEDFDDE2BEB674CA15F3E81A1521E" \

2526

"071513A1E85B5DFA031F21ECAE91A34D"

2527

2528

#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \

2529

"2C01CAD19EA484A87EA4377637E75500" \

2530

"FCB2005C5C7DD6EC4AC023CDA285D796" \

2531

"C3D9E75E1EFC42488BB4F1D13AC30A57"

2532

2533

#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \

2534

"E211C2B9E5DB1ED0BF61D0D9899620F4" \

2535

"910E4168387E3C30AA1E00C339A79508" \

2536

"8452DD96A9A5EA5D9DCA68DA636032AF"

2537

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2538

#define PT_LEN 24

2539

#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \

2540

"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"

2541

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2542

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2543

static int myrand( void *rng_state, unsigned char *output, size_t len )

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2544

{

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2545

#if !defined(__OpenBSD__)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2546

size_t i;

2547

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2548

if( rng_state != NULL )

2549

rng_state = NULL;

2550

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2551

for( i = 0; i < len; ++i )

2552

output[i] = rand();

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2553

#else

2554

if( rng_state != NULL )

2555

rng_state = NULL;

2556

2557

arc4random_buf( output, len );

2558

#endif /* !OpenBSD */

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2559

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2560

return( 0 );

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2561

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2562

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2563

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2564

/*

2565

* Checkup routine

2566

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2567

int mbedtls_rsa_self_test( int verbose )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2568

{

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2569

int ret = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2570

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2571

size_t len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2572

mbedtls_rsa_context rsa;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2573

unsigned char rsa_plaintext[PT_LEN];

2574

unsigned char rsa_decrypted[PT_LEN];

2575

unsigned char rsa_ciphertext[KEY_LEN];

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2576

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

5690efc

2011-05-26 13:16:06 +0000

[diff] [blame]

2577

unsigned char sha1sum[20];

2578

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2579

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2580

mbedtls_mpi K;

2581

2582

mbedtls_mpi_init( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2583

mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2584

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2585

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );

2586

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );

2587

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );

2588

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );

2589

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );

2590

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );

2591

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );

2592

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );

2593

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );

2594

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );

2595

Hanno Becker

7f25f85

2017-10-10 16:56:22 +0100

[diff] [blame]

2596

MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2597

2598

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2599

mbedtls_printf( " RSA key validation: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2600

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2601

if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||

2602

mbedtls_rsa_check_privkey( &rsa ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2603

{

2604

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2605

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2611

mbedtls_printf( "passed\n PKCS#1 encryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2612

2613

memcpy( rsa_plaintext, RSA_PT, PT_LEN );

2614

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2615

if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,

2616

PT_LEN, rsa_plaintext,

2617

rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2618

{

2619

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2620

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2626

mbedtls_printf( "passed\n PKCS#1 decryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2627

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2628

if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,

2629

&len, rsa_ciphertext, rsa_decrypted,

2630

sizeof(rsa_decrypted) ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2631

{

2632

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2633

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )

2639

{

2640

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2641

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2646

if( verbose != 0 )

2647

mbedtls_printf( "passed\n" );

2648

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2649

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2650

if( verbose != 0 )

Brian Murray

930a370

2016-05-18 14:38:02 -0700

[diff] [blame]

2651

mbedtls_printf( " PKCS#1 data sign : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2652

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2653

mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2654

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2655

if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,

2656

MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,

2657

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2658

{

2659

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2660

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2666

mbedtls_printf( "passed\n PKCS#1 sig. verify: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2667

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2668

if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,

2669

MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,

2670

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2671

{

2672

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2673

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2679

mbedtls_printf( "passed\n" );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2680

#endif /* MBEDTLS_SHA1_C */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2681

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2682

if( verbose != 0 )

2683

mbedtls_printf( "\n" );

2684

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2685

cleanup:

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2686

mbedtls_mpi_free( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2687

mbedtls_rsa_free( &rsa );

2688

#else /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3e41fe8

2013-09-15 17:42:50 +0200

[diff] [blame]

2689

((void) verbose);

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2690

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2691

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2692

}

2693

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2694

#endif /* MBEDTLS_SELF_TEST */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2695

Manuel Pégourié-Gonnard