Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

2009-01-03 21:22:43 +0000

[diff] [blame]

1

/*

2

* The RSA public-key cryptosystem

3

*

Manuel Pégourié-Gonnard

6fb8187

2015-07-27 11:11:48 +0200

[diff] [blame]

4

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

b96f154

2010-07-18 20:36:00 +0000

[diff] [blame]

18

*

Manuel Pégourié-Gonnard

fe44643

2015-03-06 13:17:10 +0000

[diff] [blame]

19

* This file is part of mbed TLS (https://tls.mbed.org)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

20

*/

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

21

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

22

/*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

23

* The following sources were referenced in the design of this implementation

24

* of the RSA algorithm:

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

25

*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

26

* [1] A method for obtaining digital signatures and public-key cryptosystems

27

* R Rivest, A Shamir, and L Adleman

28

* http://people.csail.mit.edu/rivest/pubs.html#RSA78

29

*

30

* [2] Handbook of Applied Cryptography - 1997, Chapter 8

31

* Menezes, van Oorschot and Vanstone

32

*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

33

* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks

34

* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and

35

* Stefan Mangard

36

* https://arxiv.org/abs/1702.08719v2

37

*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

38

*/

39

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

40

#if !defined(MBEDTLS_CONFIG_FILE)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

41

#include "mbedtls/config.h"

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

42

#else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

43

#include MBEDTLS_CONFIG_FILE

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

44

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

45

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

46

#if defined(MBEDTLS_RSA_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

47

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

48

#include "mbedtls/rsa.h"

49

#include "mbedtls/oid.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

50

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

51

#include <string.h>

52

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

53

#if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

54

#include "mbedtls/md.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

55

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

56

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

57

#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

58

#include <stdlib.h>

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

59

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

60

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

61

#if defined(MBEDTLS_PLATFORM_C)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

62

#include "mbedtls/platform.h"

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

63

#else

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

64

#include <stdio.h>

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

65

#define mbedtls_printf printf

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

66

#define mbedtls_calloc calloc

67

#define mbedtls_free free

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

68

#endif

69

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

70

/* Implementation that should never be optimized out by the compiler */

71

static void mbedtls_zeroize( void *v, size_t n ) {

72

volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;

73

}

74

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

75

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

76

* Context-independent RSA helper functions.

77

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

78

* There are two classes of helper functions:

79

* (1) Parameter-generating helpers. These are:

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

80

* - mbedtls_rsa_deduce_primes

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

81

* - mbedtls_rsa_deduce_private_exponent

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

82

* - mbedtls_rsa_deduce_crt

83

* Each of these functions takes a set of core RSA parameters

84

* and generates some other, or CRT related parameters.

85

* (2) Parameter-checking helpers. These are:

86

* - mbedtls_rsa_validate_params

87

* - mbedtls_rsa_validate_crt

88

* They take a set of core or CRT related RSA parameters

89

* and check their validity.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

90

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

91

* The helper functions do not use the RSA context structure

92

* and therefore do not need to be replaced when providing

93

* an alternative RSA implementation.

94

*

95

* Their main purpose is to provide common MPI operations in the context

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

96

* of RSA that can be easily shared across multiple implementations.

97

*/

98

99

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

100

*

101

* Given the modulus N=PQ and a pair of public and private

102

* exponents E and D, respectively, factor N.

103

*

104

* Setting F := lcm(P-1,Q-1), the idea is as follows:

105

*

106

* (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)

107

* is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the

108

* square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four

109

* possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)

110

* or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime

111

* factors of N.

112

*

113

* (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same

114

* construction still applies since (-)^K is the identity on the set of

115

* roots of 1 in Z/NZ.

116

*

117

* The public and private key primitives (-)^E and (-)^D are mutually inverse

118

* bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.

119

* if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.

120

* Splitting L = 2^t * K with K odd, we have

121

*

122

* DE - 1 = FL = (F/2) * (2^(t+1)) * K,

123

*

124

* so (F / 2) * K is among the numbers

125

*

126

* (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord

127

*

128

* where ord is the order of 2 in (DE - 1).

129

* We can therefore iterate through these numbers apply the construction

130

* of (a) and (b) above to attempt to factor N.

131

*

132

*/

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

133

int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

134

mbedtls_mpi const *D, mbedtls_mpi const *E,

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

135

mbedtls_mpi *P, mbedtls_mpi *Q )

136

{

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

137

int ret = 0;

138

139

uint16_t attempt; /* Number of current attempt */

140

uint16_t iter; /* Number of squares computed in the current attempt */

141

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

142

uint16_t order; /* Order of 2 in DE - 1 */

143

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

144

mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */

145

mbedtls_mpi K; /* During factorization attempts, stores a random integer

146

* in the range of [0,..,N] */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

147

Hanno Becker

68b4d58

2017-10-10 16:39:10 +0100

[diff] [blame]

148

const unsigned int primes[] = { 2,

149

3, 5, 7, 11, 13, 17, 19, 23,

150

29, 31, 37, 41, 43, 47, 53, 59,

151

61, 67, 71, 73, 79, 83, 89, 97,

152

101, 103, 107, 109, 113, 127, 131, 137,

153

139, 149, 151, 157, 163, 167, 173, 179,

154

181, 191, 193, 197, 199, 211, 223, 227,

155

229, 233, 239, 241, 251, 257, 263, 269,

156

271, 277, 281, 283, 293, 307, 311, 313

157

};

158

159

const size_t num_primes = sizeof( primes ) / sizeof( *primes );

160

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

161

if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )

162

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

163

164

if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||

165

mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

166

mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||

167

mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||

168

mbedtls_mpi_cmp_mpi( E, N ) >= 0 )

169

{

170

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

}

/*

* Initializations and temporary changes

175

*/

176

177

mbedtls_mpi_init( &K );

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

178

mbedtls_mpi_init( &T );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

179

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

180

/* T := DE - 1 */

181

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D, E ) );

182

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

183

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

184

if( ( order = mbedtls_mpi_lsb( &T ) ) == 0 )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

185

{

186

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

goto cleanup;

}

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

190

/* After this operation, T holds the largest odd divisor of DE - 1. */

191

MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

192

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

/*

* Actual work

*/

Hanno Becker

2017-10-10 16:39:10 +0100

[diff] [blame]

197

/* Skip trying 2 if N == 1 mod 8 */

198

attempt = 0;

199

if( N->p[0] % 8 == 1 )

200

attempt = 1;

201

202

for( ; attempt < num_primes; ++attempt )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

203

{

Hanno Becker

68b4d58

2017-10-10 16:39:10 +0100

[diff] [blame]

204

mbedtls_mpi_lset( &K, primes[attempt] );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

205

206

/* Check if gcd(K,N) = 1 */

207

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

208

if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )

209

continue;

210

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

211

/* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

212

* and check whether they have nontrivial GCD with N. */

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

213

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

214

Q /* temporarily use Q for storing Montgomery

215

* multiplication helper values */ ) );

216

217

for( iter = 1; iter < order; ++iter )

218

{

219

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );

220

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

221

222

if( mbedtls_mpi_cmp_int( P, 1 ) == 1 &&

223

mbedtls_mpi_cmp_mpi( P, N ) == -1 )

224

{

225

/*

226

* Have found a nontrivial divisor P of N.

Hanno Becker

d56d83a

2017-08-25 07:29:35 +0100

[diff] [blame]

227

* Set Q := N / P.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

228

*/

229

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

230

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

235

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );

236

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );

}

}

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

cleanup:

mbedtls_mpi_free( &K );

Hanno Becker

2017-10-02 09:55:49 +0100

[diff] [blame]

245

mbedtls_mpi_free( &T );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

/*

* Given P, Q and the public exponent E, deduce D.

251

* This is essentially a modular inversion.

252

*/

253

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

254

int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,

255

mbedtls_mpi const *Q,

256

mbedtls_mpi const *E,

257

mbedtls_mpi *D )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

258

{

259

int ret = 0;

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

260

mbedtls_mpi K, L;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

261

262

if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )

263

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

264

265

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

266

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||

267

mbedtls_mpi_cmp_int( E, 0 ) == 0 )

268

{

269

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

270

}

271

272

mbedtls_mpi_init( &K );

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

273

mbedtls_mpi_init( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

274

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

275

/* Temporarily put K := P-1 and L := Q-1 */

276

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

277

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

278

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

279

/* Temporarily put D := gcd(P-1, Q-1) */

280

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

281

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

282

/* K := LCM(P-1, Q-1) */

283

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

284

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );

285

286

/* Compute modular inverse of E in LCM(P-1, Q-1) */

287

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );

288

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

289

cleanup:

290

291

mbedtls_mpi_free( &K );

Hanno Becker

2017-10-02 09:57:50 +0100

[diff] [blame]

292

mbedtls_mpi_free( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

/*

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

298

* Check that RSA CRT parameters are in accordance with core parameters.

299

*/

300

301

int mbedtls_rsa_validate_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

302

const mbedtls_mpi *D, const mbedtls_mpi *DP,

303

const mbedtls_mpi *DQ, const mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K, L;

mbedtls_mpi_init( &K );

309

mbedtls_mpi_init( &L );

310

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

311

/* Check that DP - D == 0 mod P - 1 */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

if( DP != NULL )

{

if( P == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

321

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );

322

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

323

324

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

325

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

326

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

327

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

331

/* Check that DQ - D == 0 mod Q - 1 */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

if( DQ != NULL )

{

if( Q == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

341

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );

342

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

343

344

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

345

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

346

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

347

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

351

/* Check that QP * Q - 1 == 0 mod P */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

352

if( QP != NULL )

353

{

354

if( P == NULL || Q == NULL )

355

{

356

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );

361

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

362

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );

363

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

364

{

Hanno Becker

45a0ef3

2017-10-03 14:32:56 +0100

[diff] [blame]

365

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

366

goto cleanup;

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

}

}

cleanup:

/* Wrap MPI error codes by RSA check failure error code */

373

if( ret != 0 &&

374

ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&

375

ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )

376

{

377

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

378

}

379

380

mbedtls_mpi_free( &K );

381

mbedtls_mpi_free( &L );

return( ret );

}

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

387

* Check that core RSA parameters are sane.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

388

*/

389

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

390

int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,

391

const mbedtls_mpi *Q, const mbedtls_mpi *D,

392

const mbedtls_mpi *E,

393

int (*f_rng)(void *, unsigned char *, size_t),

394

void *p_rng )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

395

{

396

int ret = 0;

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

397

mbedtls_mpi K, L;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

398

399

mbedtls_mpi_init( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

400

mbedtls_mpi_init( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

401

402

/*

403

* Step 1: If PRNG provided, check that P and Q are prime

404

*/

405

Hanno Becker

fb81c0e

2017-08-24 06:55:11 +0100

[diff] [blame]

406

#if defined(MBEDTLS_GENPRIME)

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

407

if( f_rng != NULL && P != NULL &&

408

( ret = mbedtls_mpi_is_prime( P, f_rng, p_rng ) ) != 0 )

409

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

410

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

if( f_rng != NULL && Q != NULL &&

415

( ret = mbedtls_mpi_is_prime( Q, f_rng, p_rng ) ) != 0 )

416

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

417

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

418

goto cleanup;

419

}

Hanno Becker

fb81c0e

2017-08-24 06:55:11 +0100

[diff] [blame]

#else

((void) f_rng);

((void) p_rng);

#endif /* MBEDTLS_GENPRIME */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

424

425

/*

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

426

* Step 2: Check that 1 < N = PQ

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

427

*/

428

429

if( P != NULL && Q != NULL && N != NULL )

430

{

431

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

432

if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 ||

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

433

mbedtls_mpi_cmp_mpi( &K, N ) != 0 )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

434

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

435

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

}

/*

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

441

* Step 3: Check and 1 < D, E < N if present.

442

*/

443

444

if( N != NULL && D != NULL && E != NULL )

445

{

446

if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

447

mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||

448

mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||

449

mbedtls_mpi_cmp_mpi( E, N ) >= 0 )

450

{

451

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

goto cleanup;

}

}

/*

* Step 4: Check that D, E are inverse modulo P-1 and Q-1

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

458

*/

459

460

if( P != NULL && Q != NULL && D != NULL && E != NULL )

461

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

462

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

Hanno Becker

2017-10-02 13:01:43 +0100

[diff] [blame]

463

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

464

{

465

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

466

goto cleanup;

467

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

468

469

/* Compute DE-1 mod P-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

470

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

471

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

472

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );

473

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

474

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

475

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

476

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

/* Compute DE-1 mod Q-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

481

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

482

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

483

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );

484

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

485

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

486

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

487

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

488

goto cleanup;

489

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

}

cleanup:

mbedtls_mpi_free( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

495

mbedtls_mpi_free( &L );

496

497

/* Wrap MPI error codes by RSA check failure error code */

498

if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )

499

{

500

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

501

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

507

const mbedtls_mpi *D, mbedtls_mpi *DP,

508

mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K;

mbedtls_mpi_init( &K );

513

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

514

/* DP = D mod P-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

515

if( DP != NULL )

516

{

517

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

518

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );

519

}

520

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

521

/* DQ = D mod Q-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

522

if( DQ != NULL )

523

{

524

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

525

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );

526

}

527

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame]

528

/* QP = Q^{-1} mod P */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

529

if( QP != NULL )

530

{

531

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );

}

cleanup:

mbedtls_mpi_free( &K );

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

540

541

/*

542

* Default RSA interface implementation

543

*/

544

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

545

#if !defined(MBEDTLS_RSA_ALT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

546

547

int mbedtls_rsa_import( mbedtls_rsa_context *ctx,

548

const mbedtls_mpi *N,

549

const mbedtls_mpi *P, const mbedtls_mpi *Q,

550

const mbedtls_mpi *D, const mbedtls_mpi *E )

{

int ret;

if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||

555

( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||

556

( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||

557

( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||

558

( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )

559

{

560

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

if( N != NULL )

ctx->len = mbedtls_mpi_size( &ctx->N );

return( 0 );

}

int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

570

unsigned char const *N, size_t N_len,

571

unsigned char const *P, size_t P_len,

572

unsigned char const *Q, size_t Q_len,

573

unsigned char const *D, size_t D_len,

574

unsigned char const *E, size_t E_len )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

{

int ret;

if( N != NULL )

{

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );

581

ctx->len = mbedtls_mpi_size( &ctx->N );

}

if( P != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );

586

587

if( Q != NULL )

588

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );

589

590

if( D != NULL )

591

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );

592

593

if( E != NULL )

594

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );

cleanup:

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

return( 0 );

}

Hanno Becker

2017-10-10 16:49:26 +0100

[diff] [blame]

604

int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

{

int ret = 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

608

const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );

609

const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );

610

const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );

611

const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );

612

const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

613

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

614

/*

615

* Check whether provided parameters are enough

616

* to deduce all others. The following incomplete

617

* parameter sets for private keys are supported:

618

*

619

* (1) P, Q missing.

620

* (2) D and potentially N missing.

621

*

622

*/

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

623

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

624

const int n_missing = have_P && have_Q && have_D && have_E;

625

const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;

626

const int d_missing = have_P && have_Q && !have_D && have_E;

627

const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;

628

629

/* These three alternatives are mutually exclusive */

630

const int is_priv = n_missing || pq_missing || d_missing;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

631

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

632

if( !is_priv && !is_pub )

633

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

634

635

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

636

* Step 1: Deduce N if P, Q are provided.

637

*/

638

639

if( !have_N && have_P && have_Q )

640

{

641

if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,

642

&ctx->Q ) ) != 0 )

643

{

644

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

645

}

646

647

ctx->len = mbedtls_mpi_size( &ctx->N );

}

/*

* Step 2: Deduce and verify all remaining core parameters.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

*/

if( pq_missing )

{

/* This includes sanity checking of core parameters,

657

* so no further checks necessary. */

Hanno Becker

0f65e0c

2017-10-03 14:39:16 +0100

[diff] [blame]

658

ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->D, &ctx->E,

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

659

&ctx->P, &ctx->Q );

660

if( ret != 0 )

661

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

else if( d_missing )

{

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

666

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

667

/* Deduce private exponent. This includes double-checking of the result,

668

* so together with the primality test above all core parameters are

669

* guaranteed to be sane if this call succeeds. */

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

670

if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,

671

&ctx->Q,

672

&ctx->E,

673

&ctx->D ) ) != 0 )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

674

{

675

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

676

}

677

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

678

679

/* In the remaining case of a public key, there's nothing to check for. */

680

681

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

682

* Step 3: Deduce all additional parameters specific

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

683

* to our current RSA implementaiton.

684

*/

685

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

686

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

687

if( is_priv )

688

{

689

ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

690

&ctx->DP, &ctx->DQ, &ctx->QP );

691

if( ret != 0 )

692

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

693

}

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

694

#endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

695

696

/*

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

697

* Step 3: Basic sanity check

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

*/

if( is_priv )

{

if( ( ret = mbedtls_rsa_check_privkey( ctx ) ) != 0 )

return( ret );

}

else

{

if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )

return( ret );

}

return( 0 );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

714

int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,

715

unsigned char *N, size_t N_len,

716

unsigned char *P, size_t P_len,

717

unsigned char *Q, size_t Q_len,

718

unsigned char *D, size_t D_len,

719

unsigned char *E, size_t E_len )

{

int ret = 0;

/* Check if key is private or public */

724

const int is_priv =

725

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

726

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

727

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

728

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

729

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

734

* something must be wrong. */

735

if( P != NULL || Q != NULL || D != NULL )

736

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

if( N != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );

742

743

if( P != NULL )

744

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );

745

746

if( Q != NULL )

747

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );

748

749

if( D != NULL )

750

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );

751

752

if( E != NULL )

753

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

cleanup:

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

760

int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,

761

mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,

762

mbedtls_mpi *D, mbedtls_mpi *E )

{

int ret;

/* Check if key is private or public */

767

int is_priv =

768

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

769

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

770

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

771

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

772

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

777

* something must be wrong. */

778

if( P != NULL || Q != NULL || D != NULL )

779

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

/* Export all requested core parameters. */

784

785

if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||

786

( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||

787

( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||

788

( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||

789

( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )

{

return( ret );

}

return( 0 );

}

/*

* Export CRT parameters

799

* This must also be implemented if CRT is not used, for being able to

800

* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt

801

* can be used in this case.

802

*/

803

int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,

804

mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret;

/* Check if key is private or public */

809

int is_priv =

810

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

811

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

812

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

813

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

814

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

815

816

if( !is_priv )

817

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

818

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

819

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

820

/* Export all requested blinding parameters. */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

821

if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||

822

( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||

823

( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )

824

{

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

825

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

826

}

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

827

#else

828

if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

829

DP, DQ, QP ) ) != 0 )

830

{

831

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

832

}

833

#endif

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

834

835

return( 0 );

836

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

837

838

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

839

* Initialize an RSA context

840

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

841

void mbedtls_rsa_init( mbedtls_rsa_context *ctx,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

842

int padding,

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

843

int hash_id )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

844

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

845

memset( ctx, 0, sizeof( mbedtls_rsa_context ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

846

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

847

mbedtls_rsa_set_padding( ctx, padding, hash_id );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

848

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

849

#if defined(MBEDTLS_THREADING_C)

850

mbedtls_mutex_init( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

851

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

852

}

853

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

854

/*

855

* Set padding for an existing RSA context

856

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

857

void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

858

{

859

ctx->padding = padding;

860

ctx->hash_id = hash_id;

861

}

862

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

863

/*

864

* Get length in bytes of RSA modulus

865

*/

866

867

size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )

868

{

Hanno Becker

2f8f06a

2017-09-29 11:47:26 +0100

[diff] [blame]

869

return( ctx->len );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

870

}

871

872

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

873

#if defined(MBEDTLS_GENPRIME)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

874

875

/*

876

* Generate an RSA keypair

877

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

878

int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

879

int (*f_rng)(void *, unsigned char *, size_t),

880

void *p_rng,

881

unsigned int nbits, int exponent )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

882

{

883

int ret;

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

884

mbedtls_mpi H, G;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

885

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

886

if( f_rng == NULL || nbits < 128 || exponent < 3 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

887

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

888

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

889

if( nbits % 2 )

890

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

891

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

892

mbedtls_mpi_init( &H );

893

mbedtls_mpi_init( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

894

895

/*

896

* find primes P and Q with Q < P so that:

897

* GCD( E, (P-1)*(Q-1) ) == 1

898

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

899

MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

900

901

do

902

{

Janos Follath

10c575b

2016-02-23 14:42:48 +0000

[diff] [blame]

903

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

904

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

905

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

906

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

907

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

908

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

909

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

910

continue;

911

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

912

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

913

if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

914

continue;

915

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

916

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

917

mbedtls_mpi_swap( &ctx->P, &ctx->Q );

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

918

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

919

/* Temporarily replace P,Q by P-1, Q-1 */

920

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );

921

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );

922

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

923

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

924

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

925

while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

926

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

927

/* Restore P,Q */

928

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );

929

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );

930

931

ctx->len = mbedtls_mpi_size( &ctx->N );

932

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

933

/*

934

* D = E^-1 mod ((P-1)*(Q-1))

* DP = D mod (P - 1)

* DQ = D mod (Q - 1)

* QP = Q^-1 mod P

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

939

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

940

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H ) );

941

942

#if !defined(MBEDTLS_RSA_NO_CRT)

943

MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

944

&ctx->DP, &ctx->DQ, &ctx->QP ) );

945

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

946

Hanno Becker

83aad1f

2017-08-23 06:45:10 +0100

[diff] [blame]

947

/* Double-check */

948

MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );

949

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

950

cleanup:

951

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

952

mbedtls_mpi_free( &H );

953

mbedtls_mpi_free( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

954

955

if( ret != 0 )

956

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

957

mbedtls_rsa_free( ctx );

958

return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

959

}

960

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

961

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

962

}

963

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

964

#endif /* MBEDTLS_GENPRIME */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

965

966

/*

967

* Check a public RSA key

968

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

969

int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

970

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

971

if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) == 0 ||

972

mbedtls_mpi_cmp_int( &ctx->E, 0 ) == 0 )

973

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

974

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

975

}

Paul Bakker

37940d9f

2009-07-10 22:38:58 +0000

[diff] [blame]

976

Hanno Becker

ba1ba11

2017-09-29 11:48:23 +0100

[diff] [blame]

977

if( ctx->len != mbedtls_mpi_size( &ctx->N ) )

978

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

979

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

980

if( mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 ||

981

mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 )

982

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

983

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

984

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

985

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

986

if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||

987

mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

988

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

989

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

990

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

991

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

992

if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

993

mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

994

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

995

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

996

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

/*

* Check a private RSA key

1003

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1004

int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1005

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1006

if( mbedtls_rsa_check_pubkey( ctx ) != 0 )

1007

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

1008

1009

if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1010

&ctx->D, &ctx->E, NULL, NULL ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1011

{

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1012

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1013

}

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

1014

#if !defined(MBEDTLS_RSA_NO_CRT)

1015

else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,

1016

&ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )

1017

{

1018

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

1019

}

1020

#endif

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

1021

1022

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1023

}

1024

1025

/*

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1026

* Check if contexts holding a public and private key match

1027

*/

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1028

int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,

1029

const mbedtls_rsa_context *prv )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1030

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

1031

if( mbedtls_rsa_check_pubkey( pub ) != 0 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1032

mbedtls_rsa_check_privkey( prv ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1033

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1034

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1035

}

1036

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1037

if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||

1038

mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1039

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1040

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

}

return( 0 );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1047

* Do an RSA public key operation

1048

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1049

int mbedtls_rsa_public( mbedtls_rsa_context *ctx,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1050

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1051

unsigned char *output )

1052

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1053

int ret;

1054

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1055

mbedtls_mpi T;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1056

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1057

mbedtls_mpi_init( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1058

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1059

#if defined(MBEDTLS_THREADING_C)

1060

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1061

return( ret );

1062

#endif

1063

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1064

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1065

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1066

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1067

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1068

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1069

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1070

}

1071

1072

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1073

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );

1074

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1075

1076

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1077

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1078

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1079

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

88fca3e

2015-03-27 15:06:07 +0100

[diff] [blame]

1080

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1081

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1082

mbedtls_mpi_free( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1083

1084

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1085

return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1090

/*

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1091

* Generate or update blinding values, see section 10 of:

1092

* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,

Manuel Pégourié-Gonnard

998930a

2015-04-03 13:48:06 +0200

[diff] [blame]

1093

* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1094

* Berlin Heidelberg, 1996. p. 104-113.

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1095

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1096

static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1097

int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )

1098

{

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1099

int ret, count = 0;

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1100

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1101

if( ctx->Vf.p != NULL )

1102

{

1103

/* We already have blinding values, just update them by squaring */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1104

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );

1105

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );

1106

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );

1107

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1108

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1109

goto cleanup;

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1110

}

1111

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1112

/* Unblinding value: Vf = random number, invertible mod N */

1113

do {

1114

if( count++ > 10 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1115

return( MBEDTLS_ERR_RSA_RNG_FAILED );

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1116

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1117

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );

1118

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1119

} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1120

1121

/* Blinding value: Vi = Vf^(-e) mod N */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1122

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1123

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1124

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1125

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1126

cleanup:

1127

return( ret );

1128

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1129

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1130

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1131

* Exponent blinding supposed to prevent side-channel attacks using multiple

1132

* traces of measurements to recover the RSA key. The more collisions are there,

1133

* the more bits of the key can be recovered. See [3].

1134

*

1135

* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)

1136

* observations on avarage.

1137

*

1138

* For example with 28 byte blinding to achieve 2 collisions the adversary has

1139

* to make 2^112 observations on avarage.

1140

*

1141

* (With the currently (as of 2017 April) known best algorithms breaking 2048

1142

* bit RSA requires approximately as much time as trying out 2^112 random keys.

1143

* Thus in this sense with 28 byte blinding the security is not reduced by

1144

* side-channel attacks like the one in [3])

1145

*

1146

* This countermeasure does not help if the key recovery is possible with a

1147

* single trace.

1148

*/

1149

#define RSA_EXPONENT_BLINDING 28

1150

1151

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1152

* Do an RSA private key operation

1153

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1154

int mbedtls_rsa_private( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1155

int (*f_rng)(void *, unsigned char *, size_t),

1156

void *p_rng,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1157

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1158

unsigned char *output )

1159

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1160

int ret;

1161

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1162

mbedtls_mpi T, T1, T2;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1163

mbedtls_mpi P1, Q1, R;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1164

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1165

mbedtls_mpi D_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1166

mbedtls_mpi *D = &ctx->D;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1167

#else

1168

mbedtls_mpi DP_blind, DQ_blind;

1169

mbedtls_mpi *DP = &ctx->DP;

1170

mbedtls_mpi *DQ = &ctx->DQ;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1171

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1172

Hanno Becker

45037ce

2017-08-25 11:03:34 +0100

[diff] [blame]

1173

/* Sanity-check that all relevant fields are at least set,

1174

* but don't perform a full keycheck. */

1175

if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) == 0 ||

1176

mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 ||

1177

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) == 0 ||

1178

mbedtls_mpi_cmp_int( &ctx->D, 0 ) == 0 ||

1179

mbedtls_mpi_cmp_int( &ctx->E, 0 ) == 0 )

1180

{

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

1181

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Hanno Becker

45037ce

2017-08-25 11:03:34 +0100

[diff] [blame]

1182

}

1183

#if !defined(MBEDTLS_RSA_NO_CRT)

1184

if( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) == 0 ||

1185

mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) == 0 ||

1186

mbedtls_mpi_cmp_int( &ctx->QP, 0 ) == 0 )

1187

{

1188

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1189

}

1190

#endif /* MBEDTLS_RSA_NO_CRT */

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

1191

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1192

mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1193

mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );

1194

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1195

if( f_rng != NULL )

1196

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1197

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1198

mbedtls_mpi_init( &D_blind );

1199

#else

1200

mbedtls_mpi_init( &DP_blind );

1201

mbedtls_mpi_init( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1202

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1203

}

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1204

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1205

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1206

#if defined(MBEDTLS_THREADING_C)

1207

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1208

return( ret );

1209

#endif

1210

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1211

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

1212

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1213

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1214

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1215

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1216

}

1217

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1218

if( f_rng != NULL )

1219

{

1220

/*

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1221

* Blinding

1222

* T = T * Vi mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1223

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1224

MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );

1225

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1226

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1227

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

/*

* Exponent blinding

*/

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );

1232

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );

1233

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1234

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1235

/*

1236

* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D

1237

*/

1238

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1239

f_rng, p_rng ) );

1240

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );

1241

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );

1242

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );

1243

1244

D = &D_blind;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1245

#else

1246

/*

1247

* DP_blind = ( P - 1 ) * R + DP

1248

*/

1249

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1250

f_rng, p_rng ) );

1251

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );

1252

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,

&ctx->DP ) );

DP = &DP_blind;

/*

* DQ_blind = ( Q - 1 ) * R + DQ

1259

*/

1260

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1261

f_rng, p_rng ) );

1262

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );

1263

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,

1264

&ctx->DQ ) );

1265

1266

DQ = &DQ_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1267

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1268

}

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1269

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1270

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1271

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

e10e06d

2014-11-06 18:15:12 +0100

[diff] [blame]

1272

#else

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1273

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1274

* Faster decryption using the CRT

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1275

*

1276

* T1 = input ^ dP mod P

1277

* T2 = input ^ dQ mod Q

1278

*/

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1279

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );

1280

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1281

1282

/*

1283

* T = (T1 - T2) * (Q^-1 mod P) mod P

1284

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1285

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );

1286

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );

1287

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1288

1289

/*

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1290

* T = T2 + T * Q

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1291

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1292

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );

1293

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );

1294

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1295

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

if( f_rng != NULL )

{

/*

* Unblind

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1300

* T = T * Vf mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1301

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1302

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1303

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1304

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1305

1306

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1307

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1308

1309

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1310

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1311

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1312

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1313

#endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1314

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1315

mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1316

mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );

1317

1318

if( f_rng != NULL )

1319

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1320

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1321

mbedtls_mpi_free( &D_blind );

1322

#else

1323

mbedtls_mpi_free( &DP_blind );

1324

mbedtls_mpi_free( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1325

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1326

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1327

1328

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1329

return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1334

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1335

/**

1336

* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.

1337

*

Paul Bakker

b125ed8

2011-11-10 13:33:51 +0000

[diff] [blame]

1338

* \param dst buffer to mask

1339

* \param dlen length of destination buffer

1340

* \param src source of the mask generation

1341

* \param slen length of the source buffer

1342

* \param md_ctx message digest context to use

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1343

*/

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1344

static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1345

size_t slen, mbedtls_md_context_t *md_ctx )

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1346

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1347

unsigned char mask[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1348

unsigned char counter[4];

1349

unsigned char *p;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1350

unsigned int hlen;

1351

size_t i, use_len;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1352

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1353

memset( mask, 0, MBEDTLS_MD_MAX_SIZE );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1354

memset( counter, 0, 4 );

1355

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1356

hlen = mbedtls_md_get_size( md_ctx->md_info );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1357

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1358

/* Generate and apply dbMask */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

p = dst;

while( dlen > 0 )

{

use_len = hlen;

if( dlen < hlen )

use_len = dlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1367

mbedtls_md_starts( md_ctx );

1368

mbedtls_md_update( md_ctx, src, slen );

1369

mbedtls_md_update( md_ctx, counter, 4 );

1370

mbedtls_md_finish( md_ctx, mask );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1371

1372

for( i = 0; i < use_len; ++i )

*p++ ^= mask[i];

counter[3]++;

dlen -= use_len;

}

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1379

1380

mbedtls_zeroize( mask, sizeof( mask ) );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1381

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1382

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1383

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1384

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1385

/*

1386

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function

1387

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1388

int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1389

int (*f_rng)(void *, unsigned char *, size_t),

1390

void *p_rng,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1391

int mode,

1392

const unsigned char *label, size_t label_len,

1393

size_t ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1394

const unsigned char *input,

1395

unsigned char *output )

{

size_t olen;

int ret;

unsigned char *p = output;

1400

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1401

const mbedtls_md_info_t *md_info;

1402

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1403

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1404

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1405

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1406

1407

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1408

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1409

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1410

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1411

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1412

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1413

1414

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1415

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1416

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1417

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1418

if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1419

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1420

1421

memset( output, 0, olen );

*p++ = 0;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1425

/* Generate a random octet string seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1426

if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1427

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p += hlen;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1431

/* Construct DB */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1432

mbedtls_md( md_info, label, label_len, p );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1433

p += hlen;

1434

p += olen - 2 * hlen - 2 - ilen;

1435

*p++ = 1;

1436

memcpy( p, input, ilen );

1437

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1438

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1439

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1440

{

1441

mbedtls_md_free( &md_ctx );

1442

return( ret );

1443

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1444

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1445

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1446

mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,

1447

&md_ctx );

1448

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1449

/* maskedSeed: Apply seedMask to seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1450

mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,

1451

&md_ctx );

1452

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1453

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1454

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1455

return( ( mode == MBEDTLS_RSA_PUBLIC )

1456

? mbedtls_rsa_public( ctx, output, output )

1457

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1458

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1459

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1460

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1461

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1462

/*

1463

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function

1464

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1465

int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1466

int (*f_rng)(void *, unsigned char *, size_t),

1467

void *p_rng,

1468

int mode, size_t ilen,

1469

const unsigned char *input,

1470

unsigned char *output )

{

size_t nb_pad, olen;

int ret;

unsigned char *p = output;

1475

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1476

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1477

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1478

Janos Follath

1ed9f99

2016-03-18 11:45:44 +0000

[diff] [blame]

1479

// We don't check p_rng because it won't be dereferenced here

1480

if( f_rng == NULL || input == NULL || output == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1481

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1482

1483

olen = ctx->len;

Manuel Pégourié-Gonnard

370717b

2016-02-11 10:35:13 +0100

[diff] [blame]

1484

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1485

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1486

if( ilen + 11 < ilen || olen < ilen + 11 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1487

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1488

1489

nb_pad = olen - 3 - ilen;

1490

1491

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1492

if( mode == MBEDTLS_RSA_PUBLIC )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1493

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1494

*p++ = MBEDTLS_RSA_CRYPT;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1495

1496

while( nb_pad-- > 0 )

{

int rng_dl = 100;

do {

ret = f_rng( p_rng, p, 1 );

1502

} while( *p == 0 && --rng_dl && ret == 0 );

1503

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1504

/* Check if RNG failed to generate data */

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1505

if( rng_dl == 0 || ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1506

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p++;

}

}

else

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1513

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1514

1515

while( nb_pad-- > 0 )

*p++ = 0xFF;

}

*p++ = 0;

memcpy( p, input, ilen );

1521

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1522

return( ( mode == MBEDTLS_RSA_PUBLIC )

1523

? mbedtls_rsa_public( ctx, output, output )

1524

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1525

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1526

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1527

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1528

/*

1529

* Add the message padding, then do an RSA operation

1530

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1531

int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

1532

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

1533

void *p_rng,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1534

int mode, size_t ilen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1535

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1536

unsigned char *output )

1537

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1538

switch( ctx->padding )

1539

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1540

#if defined(MBEDTLS_PKCS1_V15)

1541

case MBEDTLS_RSA_PKCS_V15:

1542

return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1543

input, output );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1544

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1545

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1546

#if defined(MBEDTLS_PKCS1_V21)

1547

case MBEDTLS_RSA_PKCS_V21:

1548

return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1549

ilen, input, output );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1550

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1551

1552

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1553

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1554

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1555

}

1556

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1557

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1558

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1559

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1560

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1561

int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1562

int (*f_rng)(void *, unsigned char *, size_t),

1563

void *p_rng,

1564

int mode,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1565

const unsigned char *label, size_t label_len,

1566

size_t *olen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1567

const unsigned char *input,

1568

unsigned char *output,

1569

size_t output_max_len )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1570

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1571

int ret;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1572

size_t ilen, i, pad_len;

1573

unsigned char *p, bad, pad_done;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1574

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

1575

unsigned char lhash[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1576

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1577

const mbedtls_md_info_t *md_info;

1578

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1579

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1580

/*

1581

* Parameters sanity checks

1582

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1583

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1584

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

ilen = ctx->len;

Paul Bakker

2011-06-09 13:55:13 +0000

[diff] [blame]

1588

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1589

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1590

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1591

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1592

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1593

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1594

Janos Follath

c17cda1

2016-02-11 11:08:18 +0000

[diff] [blame]

1595

hlen = mbedtls_md_get_size( md_info );

1596

1597

// checking for integer underflow

1598

if( 2 * hlen + 2 > ilen )

1599

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1600

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1601

/*

1602

* RSA operation

1603

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1604

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1605

? mbedtls_rsa_public( ctx, input, buf )

1606

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1607

1608

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1609

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1610

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1611

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1612

* Unmask data and generate lHash

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1613

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1614

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1615

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1616

{

1617

mbedtls_md_free( &md_ctx );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1618

goto cleanup;

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1619

}

1620

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1621

1622

/* Generate lHash */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1623

mbedtls_md( md_info, label, label_len, lhash );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1624

1625

/* seed: Apply seedMask to maskedSeed */

1626

mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,

1627

&md_ctx );

1628

1629

/* DB: Apply dbMask to maskedDB */

1630

mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,

1631

&md_ctx );

1632

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1633

mbedtls_md_free( &md_ctx );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1634

1635

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1636

* Check contents, in "constant-time"

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1637

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1638

p = buf;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1639

bad = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1640

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1641

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1642

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1643

p += hlen; /* Skip seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1644

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1645

/* Check lHash */

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1646

for( i = 0; i < hlen; i++ )

1647

bad |= lhash[i] ^ *p++;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1648

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1649

/* Get zero-padding len, but always read till end of buffer

1650

* (minus one, for the 01 byte) */

1651

pad_len = 0;

1652

pad_done = 0;

1653

for( i = 0; i < ilen - 2 * hlen - 2; i++ )

1654

{

1655

pad_done |= p[i];

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1656

pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1657

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1658

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1659

p += pad_len;

1660

bad |= *p++ ^ 0x01;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1661

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1662

/*

1663

* The only information "leaked" is whether the padding was correct or not

1664

* (eg, no data is copied if it was not correct). This meets the

1665

* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between

1666

* the different error conditions.

1667

*/

1668

if( bad != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1669

{

1670

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1671

goto cleanup;

1672

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1673

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1674

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1675

{

1676

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1677

goto cleanup;

1678

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1679

1680

*olen = ilen - (p - buf);

1681

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1682

ret = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1683

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1684

cleanup:

1685

mbedtls_zeroize( buf, sizeof( buf ) );

1686

mbedtls_zeroize( lhash, sizeof( lhash ) );

1687

1688

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1689

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1690

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1691

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1692

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1693

/*

1694

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function

1695

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1696

int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1697

int (*f_rng)(void *, unsigned char *, size_t),

1698

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1699

int mode, size_t *olen,

1700

const unsigned char *input,

1701

unsigned char *output,

1702

size_t output_max_len)

1703

{

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1704

int ret;

1705

size_t ilen, pad_count = 0, i;

1706

unsigned char *p, bad, pad_done = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1707

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1708

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1709

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1710

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

ilen = ctx->len;

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1715

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1716

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1717

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1718

? mbedtls_rsa_public( ctx, input, buf )

1719

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1720

1721

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1722

goto cleanup;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1723

1724

p = buf;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1725

bad = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1726

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1727

/*

1728

* Check and get padding len in "constant-time"

1729

*/

1730

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1731

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1732

/* This test does not depend on secret data */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1733

if( mode == MBEDTLS_RSA_PRIVATE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1734

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1735

bad |= *p++ ^ MBEDTLS_RSA_CRYPT;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1736

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1737

/* Get padding len, but always read till end of buffer

1738

* (minus one, for the 00 byte) */

1739

for( i = 0; i < ilen - 3; i++ )

1740

{

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1741

pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;

1742

pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1743

}

Paul Bakker

e6ee41f

2012-05-19 08:43:48 +0000

[diff] [blame]

1744

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1745

p += pad_count;

1746

bad |= *p++; /* Must be zero */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1747

}

1748

else

1749

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1750

bad |= *p++ ^ MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1751

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1752

/* Get padding len, but always read till end of buffer

1753

* (minus one, for the 00 byte) */

1754

for( i = 0; i < ilen - 3; i++ )

1755

{

Manuel Pégourié-Gonnard

fbf0915

2014-02-03 11:58:55 +0100

[diff] [blame]

1756

pad_done |= ( p[i] != 0xFF );

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1757

pad_count += ( pad_done == 0 );

1758

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1759

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1760

p += pad_count;

1761

bad |= *p++; /* Must be zero */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1762

}

1763

Janos Follath

c69fa50

2016-02-12 13:30:09 +0000

[diff] [blame]

1764

bad |= ( pad_count < 8 );

Janos Follath

b6eb1ca

2016-02-08 13:59:25 +0000

[diff] [blame]

1765

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1766

if( bad )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1767

{

1768

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1769

goto cleanup;

1770

}

Paul Bakker

8804f69

2013-02-28 18:06:26 +0100

[diff] [blame]

1771

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1772

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1773

{

1774

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1775

goto cleanup;

1776

}

Paul Bakker

060c568

2009-01-12 21:48:39 +0000

[diff] [blame]

1777

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

1778

*olen = ilen - (p - buf);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1779

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1780

ret = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1781

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1782

cleanup:

1783

mbedtls_zeroize( buf, sizeof( buf ) );

1784

1785

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1786

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1787

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1788

1789

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1790

* Do an RSA operation, then remove the message padding

1791

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1792

int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1793

int (*f_rng)(void *, unsigned char *, size_t),

1794

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1795

int mode, size_t *olen,

1796

const unsigned char *input,

1797

unsigned char *output,

1798

size_t output_max_len)

1799

{

1800

switch( ctx->padding )

1801

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1802

#if defined(MBEDTLS_PKCS1_V15)

1803

case MBEDTLS_RSA_PKCS_V15:

1804

return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1805

input, output, output_max_len );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1806

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1807

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1808

#if defined(MBEDTLS_PKCS1_V21)

1809

case MBEDTLS_RSA_PKCS_V21:

1810

return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1811

olen, input, output,

1812

output_max_len );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1813

#endif

1814

1815

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1816

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1817

}

1818

}

1819

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1820

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1821

/*

1822

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function

1823

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1824

int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1825

int (*f_rng)(void *, unsigned char *, size_t),

1826

void *p_rng,

1827

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1828

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1829

unsigned int hashlen,

1830

const unsigned char *hash,

unsigned char *sig )

{

size_t olen;

unsigned char *p = sig;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1835

unsigned char salt[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1836

unsigned int slen, hlen, offset = 0;

1837

int ret;

1838

size_t msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1839

const mbedtls_md_info_t *md_info;

1840

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1841

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1842

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1843

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1844

1845

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1846

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1847

1848

olen = ctx->len;

1849

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1850

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1851

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1852

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1853

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1854

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1855

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1856

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1857

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1858

}

1859

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1860

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1861

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1862

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1863

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1864

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1865

slen = hlen;

1866

1867

if( olen < hlen + slen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1868

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1869

1870

memset( sig, 0, olen );

1871

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1872

/* Generate salt of length slen */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1873

if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1874

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1875

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1876

/* Note: EMSA-PSS encoding is over the length of N - 1 bits */

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1877

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1878

p += olen - hlen * 2 - 2;

1879

*p++ = 0x01;

1880

memcpy( p, salt, slen );

1881

p += slen;

1882

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1883

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1884

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1885

{

1886

mbedtls_md_free( &md_ctx );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1887

/* No need to zeroize salt: we didn't use it. */

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1888

return( ret );

1889

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1890

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1891

/* Generate H = Hash( M' ) */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1892

mbedtls_md_starts( &md_ctx );

1893

mbedtls_md_update( &md_ctx, p, 8 );

1894

mbedtls_md_update( &md_ctx, hash, hashlen );

1895

mbedtls_md_update( &md_ctx, salt, slen );

1896

mbedtls_md_finish( &md_ctx, p );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1897

mbedtls_zeroize( salt, sizeof( salt ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1898

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1899

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

offset = 1;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1903

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1904

mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );

1905

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1906

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1907

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1908

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1909

sig[0] &= 0xFF >> ( olen * 8 - msb );

p += hlen;

*p++ = 0xBC;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1914

return( ( mode == MBEDTLS_RSA_PUBLIC )

1915

? mbedtls_rsa_public( ctx, sig, sig )

1916

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1917

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1918

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1919

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1920

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1921

/*

1922

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function

1923

*/

1924

/*

1925

* Do an RSA operation to sign the message digest

1926

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1927

int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1928

int (*f_rng)(void *, unsigned char *, size_t),

1929

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1930

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1931

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1932

unsigned int hashlen,

1933

const unsigned char *hash,

1934

unsigned char *sig )

1935

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1936

size_t nb_pad, olen, oid_size = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1937

unsigned char *p = sig;

Paul Bakker

21e081b

2014-07-24 10:38:01 +0200

[diff] [blame]

1938

const char *oid = NULL;

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1939

unsigned char *sig_try = NULL, *verif = NULL;

1940

size_t i;

1941

unsigned char diff;

1942

volatile unsigned char diff_no_optimize;

1943

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1944

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1945

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1946

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1947

1948

olen = ctx->len;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1949

nb_pad = olen - 3;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1950

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1951

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1952

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1953

const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1954

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1955

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1956

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1957

if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )

1958

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1959

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1960

nb_pad -= 10 + oid_size;

1961

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1962

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1963

}

1964

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1965

nb_pad -= hashlen;

1966

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1967

if( ( nb_pad < 8 ) || ( nb_pad > olen ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1968

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1969

1970

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1971

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1972

memset( p, 0xFF, nb_pad );

1973

p += nb_pad;

1974

*p++ = 0;

1975

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1976

if( md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1977

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1978

memcpy( p, hash, hashlen );

}

else

{

/*

* DigestInfo ::= SEQUENCE {

1984

* digestAlgorithm DigestAlgorithmIdentifier,

1985

* digest Digest }

1986

*

1987

* DigestAlgorithmIdentifier ::= AlgorithmIdentifier

1988

*

1989

* Digest ::= OCTET STRING

1990

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1991

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

1992

*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1993

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

1994

*p++ = (unsigned char) ( 0x04 + oid_size );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1995

*p++ = MBEDTLS_ASN1_OID;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

1996

*p++ = oid_size & 0xFF;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1997

memcpy( p, oid, oid_size );

1998

p += oid_size;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1999

*p++ = MBEDTLS_ASN1_NULL;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2000

*p++ = 0x00;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2001

*p++ = MBEDTLS_ASN1_OCTET_STRING;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2002

*p++ = hashlen;

2003

memcpy( p, hash, hashlen );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2004

}

2005

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2006

if( mode == MBEDTLS_RSA_PUBLIC )

2007

return( mbedtls_rsa_public( ctx, sig, sig ) );

2008

2009

/*

2010

* In order to prevent Lenstra's attack, make the signature in a

2011

* temporary buffer and check it before returning it.

2012

*/

2013

sig_try = mbedtls_calloc( 1, ctx->len );

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2014

if( sig_try == NULL )

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2015

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2016

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2017

verif = mbedtls_calloc( 1, ctx->len );

2018

if( verif == NULL )

2019

{

2020

mbedtls_free( sig_try );

2021

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2022

}

2023

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2024

MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );

2025

MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );

2026

2027

/* Compare in constant time just in case */

2028

for( diff = 0, i = 0; i < ctx->len; i++ )

2029

diff |= verif[i] ^ sig[i];

2030

diff_no_optimize = diff;

2031

2032

if( diff_no_optimize != 0 )

2033

{

2034

ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;

goto cleanup;

}

memcpy( sig, sig_try, ctx->len );

2039

2040

cleanup:

2041

mbedtls_free( sig_try );

2042

mbedtls_free( verif );

2043

2044

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2045

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2046

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2047

2048

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2049

* Do an RSA operation to sign the message digest

2050

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2051

int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2052

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2053

void *p_rng,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2054

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2055

mbedtls_md_type_t md_alg,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2056

unsigned int hashlen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

2057

const unsigned char *hash,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2058

unsigned char *sig )

2059

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2060

switch( ctx->padding )

2061

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2062

#if defined(MBEDTLS_PKCS1_V15)

2063

case MBEDTLS_RSA_PKCS_V15:

2064

return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2065

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2066

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2067

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2068

#if defined(MBEDTLS_PKCS1_V21)

2069

case MBEDTLS_RSA_PKCS_V21:

2070

return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2071

hashlen, hash, sig );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2072

#endif

2073

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2074

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2075

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2076

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2077

}

2078

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2079

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2080

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2081

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2082

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2083

int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2084

int (*f_rng)(void *, unsigned char *, size_t),

2085

void *p_rng,

2086

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2087

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2088

unsigned int hashlen,

2089

const unsigned char *hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2090

mbedtls_md_type_t mgf1_hash_id,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2091

int expected_salt_len,

2092

const unsigned char *sig )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2093

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2094

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2095

size_t siglen;

2096

unsigned char *p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2097

unsigned char result[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2098

unsigned char zeros[8];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2099

unsigned int hlen;

2100

size_t slen, msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2101

const mbedtls_md_info_t *md_info;

2102

mbedtls_md_context_t md_ctx;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2103

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2104

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2105

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

2106

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2107

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2108

siglen = ctx->len;

2109

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

2110

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2111

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2112

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2113

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2114

? mbedtls_rsa_public( ctx, sig, buf )

2115

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2122

if( buf[siglen - 1] != 0xBC )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2123

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2124

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2125

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2126

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2127

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2128

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2129

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2130

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2131

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2132

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2133

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2134

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2135

md_info = mbedtls_md_info_from_type( mgf1_hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2136

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2137

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2138

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2139

hlen = mbedtls_md_get_size( md_info );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2140

slen = siglen - hlen - 1; /* Currently length of salt + padding */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2141

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2142

memset( zeros, 0, 8 );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2143

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2144

/*

2145

* Note: EMSA-PSS verification is over the length of N - 1 bits

2146

*/

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

2147

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2148

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2149

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

{

p++;

siglen -= 1;

}

if( buf[0] >> ( 8 - siglen * 8 + msb ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2156

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2157

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2158

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

2159

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

2160

{

2161

mbedtls_md_free( &md_ctx );

2162

return( ret );

2163

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2164

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2165

mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );

Paul Bakker

02303e8

2013-01-03 11:08:31 +0100

[diff] [blame]

2166

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2167

buf[0] &= 0xFF >> ( siglen * 8 - msb );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2168

Paul Bakker

4de44aa

2013-12-31 11:43:01 +0100

[diff] [blame]

2169

while( p < buf + siglen && *p == 0 )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2170

p++;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2171

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2172

if( p == buf + siglen ||

2173

*p++ != 0x01 )

2174

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2175

mbedtls_md_free( &md_ctx );

2176

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2177

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2178

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2179

/* Actual salt len */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2180

slen -= p - buf;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2181

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2182

if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2183

slen != (size_t) expected_salt_len )

2184

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2185

mbedtls_md_free( &md_ctx );

2186

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2187

}

2188

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2189

/*

2190

* Generate H = Hash( M' )

2191

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2192

mbedtls_md_starts( &md_ctx );

2193

mbedtls_md_update( &md_ctx, zeros, 8 );

2194

mbedtls_md_update( &md_ctx, hash, hashlen );

2195

mbedtls_md_update( &md_ctx, p, slen );

2196

mbedtls_md_finish( &md_ctx, result );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2197

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2198

mbedtls_md_free( &md_ctx );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2199

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2200

if( memcmp( p + slen, result, hlen ) == 0 )

2201

return( 0 );

2202

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2203

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2204

}

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2205

2206

/*

2207

* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function

2208

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2209

int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2210

int (*f_rng)(void *, unsigned char *, size_t),

2211

void *p_rng,

2212

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2213

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2214

unsigned int hashlen,

2215

const unsigned char *hash,

2216

const unsigned char *sig )

2217

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2218

mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )

2219

? (mbedtls_md_type_t) ctx->hash_id

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2220

: md_alg;

2221

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2222

return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2223

md_alg, hashlen, hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2224

mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2225

sig ) );

2226

2227

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2228

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

40628ba

2013-01-03 10:50:31 +0100

[diff] [blame]

2229

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2230

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2231

/*

2232

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function

2233

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2234

int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2235

int (*f_rng)(void *, unsigned char *, size_t),

2236

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2237

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2238

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2239

unsigned int hashlen,

2240

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2241

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2242

{

2243

int ret;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2244

size_t len, siglen, asn1_len;

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2245

unsigned char *p, *p0, *end;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2246

mbedtls_md_type_t msg_md_alg;

2247

const mbedtls_md_info_t *md_info;

2248

mbedtls_asn1_buf oid;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2249

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2250

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2251

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

2252

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

siglen = ctx->len;

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2257

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2258

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2259

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2260

? mbedtls_rsa_public( ctx, sig, buf )

2261

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2268

if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )

2269

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

while( *p != 0 )

{

if( p >= buf + siglen - 1 || *p != 0xFF )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2274

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2275

p++;

2276

}

Manuel Pégourié-Gonnard

c1380de

2017-05-11 12:49:51 +0200

[diff] [blame]

2277

p++; /* skip 00 byte */

2278

2279

/* We've read: 00 01 PS 00 where PS must be at least 8 bytes */

2280

if( p - buf < 11 )

2281

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2282

2283

len = siglen - ( p - buf );

2284

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2285

if( len == hashlen && md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2286

{

2287

if( memcmp( p, hash, hashlen ) == 0 )

2288

return( 0 );

2289

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2290

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2291

}

2292

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2293

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2294

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2295

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

2296

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

end = p + len;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2300

/*

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2301

* Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.

2302

* Insist on 2-byte length tags, to protect against variants of

2303

* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2304

*/

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2305

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2306

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2307

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2308

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2309

if( p != p0 + 2 || asn1_len + 2 != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2310

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2311

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2312

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2313

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2314

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2315

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2316

if( p != p0 + 2 || asn1_len + 6 + hashlen != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2317

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2318

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2319

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2320

if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )

2321

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2322

if( p != p0 + 2 )

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2323

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

oid.p = p;

p += oid.len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2328

if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )

2329

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2330

2331

if( md_alg != msg_md_alg )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2332

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2333

2334

/*

2335

* assume the algorithm parameters must be NULL

2336

*/

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2337

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2338

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )

2339

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2340

if( p != p0 + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2341

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2342

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2343

p0 = p;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2344

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )

2345

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2346

if( p != p0 + 2 || asn1_len != hashlen )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2347

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2348

2349

if( memcmp( p, hash, hashlen ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2350

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

p += hashlen;

if( p != end )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2355

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2356

2357

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2358

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2359

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2360

2361

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2362

* Do an RSA operation and check the message digest

2363

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2364

int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2365

int (*f_rng)(void *, unsigned char *, size_t),

2366

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2367

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2368

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2369

unsigned int hashlen,

2370

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2371

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2372

{

2373

switch( ctx->padding )

2374

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2375

#if defined(MBEDTLS_PKCS1_V15)

2376

case MBEDTLS_RSA_PKCS_V15:

2377

return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2378

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2379

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2380

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2381

#if defined(MBEDTLS_PKCS1_V21)

2382

case MBEDTLS_RSA_PKCS_V21:

2383

return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2384

hashlen, hash, sig );

2385

#endif

2386

2387

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2388

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

}

}

/*

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2393

* Copy the components of an RSA key

2394

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2395

int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

{

int ret;

dst->ver = src->ver;

dst->len = src->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2402

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );

2403

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2404

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2405

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );

2406

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );

2407

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2408

2409

#if !defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2410

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );

2411

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );

2412

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2413

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );

2414

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2415

#endif

2416

2417

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2418

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2419

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );

2420

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

2421

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2422

dst->padding = src->padding;

Manuel Pégourié-Gonnard

fdddac9

2014-03-25 15:58:35 +0100

[diff] [blame]

2423

dst->hash_id = src->hash_id;

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2424

2425

cleanup:

2426

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2427

mbedtls_rsa_free( dst );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

return( ret );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2433

* Free the components of an RSA key

2434

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2435

void mbedtls_rsa_free( mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2436

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2437

mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2438

mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D );

2439

mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2440

mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2441

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2442

#if !defined(MBEDTLS_RSA_NO_CRT)

2443

mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );

2444

mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );

2445

mbedtls_mpi_free( &ctx->DP );

2446

#endif /* MBEDTLS_RSA_NO_CRT */

2447

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2448

#if defined(MBEDTLS_THREADING_C)

2449

mbedtls_mutex_free( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2450

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2451

}

2452

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

2453

#endif /* !MBEDTLS_RSA_ALT */

2454

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2455

#if defined(MBEDTLS_SELF_TEST)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2456

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

2457

#include "mbedtls/sha1.h"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2458

2459

/*

2460

* Example RSA-1024 keypair, for test purposes

*/

#define KEY_LEN 128

#define RSA_N "9292758453063D803DD603D5E777D788" \

2465

"8ED1D5BF35786190FA2F23EBC0848AEA" \

2466

"DDA92CA6C3D80B32C4D109BE0F36D6AE" \

2467

"7130B9CED7ACDF54CFC7555AC14EEBAB" \

2468

"93A89813FBF3C4F8066D2D800F7C38A8" \

2469

"1AE31942917403FF4946B0A83D3D3E05" \

2470

"EE57C6F5F5606FB5D4BC6CD34EE0801A" \

2471

"5E94BB77B07507233A0BC7BAC8F90F79"

2472

2473

#define RSA_E "10001"

2474

2475

#define RSA_D "24BF6185468786FDD303083D25E64EFC" \

2476

"66CA472BC44D253102F8B4A9D3BFA750" \

2477

"91386C0077937FE33FA3252D28855837" \

2478

"AE1B484A8A9A45F7EE8C0C634F99E8CD" \

2479

"DF79C5CE07EE72C7F123142198164234" \

2480

"CABB724CF78B8173B9F880FC86322407" \

2481

"AF1FEDFDDE2BEB674CA15F3E81A1521E" \

2482

"071513A1E85B5DFA031F21ECAE91A34D"

2483

2484

#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \

2485

"2C01CAD19EA484A87EA4377637E75500" \

2486

"FCB2005C5C7DD6EC4AC023CDA285D796" \

2487

"C3D9E75E1EFC42488BB4F1D13AC30A57"

2488

2489

#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \

2490

"E211C2B9E5DB1ED0BF61D0D9899620F4" \

2491

"910E4168387E3C30AA1E00C339A79508" \

2492

"8452DD96A9A5EA5D9DCA68DA636032AF"

2493

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2494

#define PT_LEN 24

2495

#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \

2496

"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"

2497

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2498

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2499

static int myrand( void *rng_state, unsigned char *output, size_t len )

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2500

{

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2501

#if !defined(__OpenBSD__)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2502

size_t i;

2503

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2504

if( rng_state != NULL )

2505

rng_state = NULL;

2506

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2507

for( i = 0; i < len; ++i )

2508

output[i] = rand();

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2509

#else

2510

if( rng_state != NULL )

2511

rng_state = NULL;

2512

2513

arc4random_buf( output, len );

2514

#endif /* !OpenBSD */

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2515

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2516

return( 0 );

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2517

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2518

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2519

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2520

/*

2521

* Checkup routine

2522

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2523

int mbedtls_rsa_self_test( int verbose )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2524

{

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2525

int ret = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2526

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2527

size_t len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2528

mbedtls_rsa_context rsa;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2529

unsigned char rsa_plaintext[PT_LEN];

2530

unsigned char rsa_decrypted[PT_LEN];

2531

unsigned char rsa_ciphertext[KEY_LEN];

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2532

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

5690efc

2011-05-26 13:16:06 +0000

[diff] [blame]

2533

unsigned char sha1sum[20];

2534

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2535

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2536

mbedtls_mpi K;

2537

2538

mbedtls_mpi_init( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2539

mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2540

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2541

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );

2542

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );

2543

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );

2544

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );

2545

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );

2546

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );

2547

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );

2548

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );

2549

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );

2550

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );

2551

Hanno Becker

7f25f85

2017-10-10 16:56:22 +0100

[diff] [blame^]

2552

MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2553

2554

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2555

mbedtls_printf( " RSA key validation: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2556

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2557

if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||

2558

mbedtls_rsa_check_privkey( &rsa ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2559

{

2560

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2561

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2567

mbedtls_printf( "passed\n PKCS#1 encryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2568

2569

memcpy( rsa_plaintext, RSA_PT, PT_LEN );

2570

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2571

if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,

2572

PT_LEN, rsa_plaintext,

2573

rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2574

{

2575

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2576

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2582

mbedtls_printf( "passed\n PKCS#1 decryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2583

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2584

if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,

2585

&len, rsa_ciphertext, rsa_decrypted,

2586

sizeof(rsa_decrypted) ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2587

{

2588

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2589

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )

2595

{

2596

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2597

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2602

if( verbose != 0 )

2603

mbedtls_printf( "passed\n" );

2604

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2605

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2606

if( verbose != 0 )

Brian Murray

930a370

2016-05-18 14:38:02 -0700

[diff] [blame]

2607

mbedtls_printf( " PKCS#1 data sign : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2608

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2609

mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2610

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2611

if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,

2612

MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,

2613

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2614

{

2615

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2616

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2622

mbedtls_printf( "passed\n PKCS#1 sig. verify: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2623

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2624

if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,

2625

MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,

2626

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2627

{

2628

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2629

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2635

mbedtls_printf( "passed\n" );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2636

#endif /* MBEDTLS_SHA1_C */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2637

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2638

if( verbose != 0 )

2639

mbedtls_printf( "\n" );

2640

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2641

cleanup:

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2642

mbedtls_mpi_free( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2643

mbedtls_rsa_free( &rsa );

2644

#else /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3e41fe8

2013-09-15 17:42:50 +0200

[diff] [blame]

2645

((void) verbose);

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2646

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2647

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2648

}

2649

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2650

#endif /* MBEDTLS_SELF_TEST */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2651

Manuel Pégourié-Gonnard