Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

2009-01-03 21:22:43 +0000

[diff] [blame]

1

/*

2

* The RSA public-key cryptosystem

3

*

Manuel Pégourié-Gonnard

6fb8187

2015-07-27 11:11:48 +0200

[diff] [blame]

4

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

b96f154

2010-07-18 20:36:00 +0000

[diff] [blame]

18

*

Manuel Pégourié-Gonnard

fe44643

2015-03-06 13:17:10 +0000

[diff] [blame]

19

* This file is part of mbed TLS (https://tls.mbed.org)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

20

*/

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

21

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

22

/*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

23

* The following sources were referenced in the design of this implementation

24

* of the RSA algorithm:

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

25

*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

26

* [1] A method for obtaining digital signatures and public-key cryptosystems

27

* R Rivest, A Shamir, and L Adleman

28

* http://people.csail.mit.edu/rivest/pubs.html#RSA78

29

*

30

* [2] Handbook of Applied Cryptography - 1997, Chapter 8

31

* Menezes, van Oorschot and Vanstone

32

*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

33

* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks

34

* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and

35

* Stefan Mangard

36

* https://arxiv.org/abs/1702.08719v2

37

*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

38

*/

39

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

40

#if !defined(MBEDTLS_CONFIG_FILE)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

41

#include "mbedtls/config.h"

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

42

#else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

43

#include MBEDTLS_CONFIG_FILE

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

44

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

45

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

46

#if defined(MBEDTLS_RSA_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

47

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

48

#include "mbedtls/rsa.h"

Hanno Becker

a565f54

2017-10-11 11:00:19 +0100

[diff] [blame]

49

#include "mbedtls/rsa_internal.h"

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

50

#include "mbedtls/oid.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

51

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

52

#include <string.h>

53

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

54

#if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

55

#include "mbedtls/md.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

56

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

57

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

58

#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

59

#include <stdlib.h>

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

60

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

61

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

62

#if defined(MBEDTLS_PLATFORM_C)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

63

#include "mbedtls/platform.h"

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

64

#else

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

65

#include <stdio.h>

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

66

#define mbedtls_printf printf

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

67

#define mbedtls_calloc calloc

68

#define mbedtls_free free

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

69

#endif

70

Hanno Becker

a565f54

2017-10-11 11:00:19 +0100

[diff] [blame]

71

#if !defined(MBEDTLS_RSA_ALT)

72

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

73

/* Implementation that should never be optimized out by the compiler */

74

static void mbedtls_zeroize( void *v, size_t n ) {

75

volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;

76

}

77

Hanno Becker

171a8f1

2017-09-06 12:32:16 +0100

[diff] [blame]

78

/* constant-time buffer comparison */

79

static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )

80

{

81

size_t i;

82

const unsigned char *A = (const unsigned char *) a;

83

const unsigned char *B = (const unsigned char *) b;

84

unsigned char diff = 0;

85

86

for( i = 0; i < n; i++ )

diff |= A[i] ^ B[i];

return( diff );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

92

int mbedtls_rsa_import( mbedtls_rsa_context *ctx,

93

const mbedtls_mpi *N,

94

const mbedtls_mpi *P, const mbedtls_mpi *Q,

95

const mbedtls_mpi *D, const mbedtls_mpi *E )

{

int ret;

if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||

100

( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||

101

( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||

102

( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||

103

( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )

104

{

105

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

if( N != NULL )

ctx->len = mbedtls_mpi_size( &ctx->N );

return( 0 );

}

int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

115

unsigned char const *N, size_t N_len,

116

unsigned char const *P, size_t P_len,

117

unsigned char const *Q, size_t Q_len,

118

unsigned char const *D, size_t D_len,

119

unsigned char const *E, size_t E_len )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

120

{

Hanno Becker

d4d6057

2018-01-10 07:12:01 +0000

[diff] [blame]

121

int ret = 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

if( N != NULL )

{

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );

126

ctx->len = mbedtls_mpi_size( &ctx->N );

}

if( P != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );

131

132

if( Q != NULL )

133

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );

134

135

if( D != NULL )

136

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );

137

138

if( E != NULL )

139

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );

cleanup:

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

return( 0 );

}

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

149

/*

150

* Checks whether the context fields are set in such a way

151

* that the RSA primitives will be able to execute without error.

152

* It does *not* make guarantees for consistency of the parameters.

153

*/

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

154

static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,

155

int blinding_needed )

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

156

{

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

157

#if !defined(MBEDTLS_RSA_NO_CRT)

158

/* blinding_needed is only used for NO_CRT to decide whether

159

* P,Q need to be present or not. */

160

((void) blinding_needed);

161

#endif

162

Hanno Becker

3a760a1

2018-01-05 08:14:49 +0000

[diff] [blame]

163

if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||

164

ctx->len > MBEDTLS_MPI_MAX_SIZE )

165

{

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

166

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Hanno Becker

3a760a1

2018-01-05 08:14:49 +0000

[diff] [blame]

167

}

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

168

169

/*

170

* 1. Modular exponentiation needs positive, odd moduli.

171

*/

172

173

/* Modular exponentiation wrt. N is always used for

174

* RSA public key operations. */

175

if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||

176

mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )

177

{

178

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

179

}

180

181

#if !defined(MBEDTLS_RSA_NO_CRT)

182

/* Modular exponentiation for P and Q is only

183

* used for private key operations and if CRT

184

* is used. */

185

if( is_priv &&

186

( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||

187

mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||

188

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||

189

mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )

190

{

191

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

192

}

193

#endif /* !MBEDTLS_RSA_NO_CRT */

194

195

/*

196

* 2. Exponents must be positive

197

*/

198

199

/* Always need E for public key operations */

200

if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )

201

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

202

Hanno Becker

b82a5b5

2017-10-11 19:10:23 +0100

[diff] [blame]

203

#if defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

204

/* For private key operations, use D or DP & DQ

205

* as (unblinded) exponents. */

206

if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )

207

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

208

#else

209

if( is_priv &&

210

( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||

211

mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )

212

{

213

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

214

}

215

#endif /* MBEDTLS_RSA_NO_CRT */

216

217

/* Blinding shouldn't make exponents negative either,

218

* so check that P, Q >= 1 if that hasn't yet been

219

* done as part of 1. */

Hanno Becker

b82a5b5

2017-10-11 19:10:23 +0100

[diff] [blame]

220

#if defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

221

if( is_priv && blinding_needed &&

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

222

( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||

223

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )

224

{

225

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

#endif

/* It wouldn't lead to an error if it wasn't satisfied,

Hanno Becker

f8c028a

2017-10-17 09:20:57 +0100

[diff] [blame]

230

* but check for QP >= 1 nonetheless. */

Hanno Becker

b82a5b5

2017-10-11 19:10:23 +0100

[diff] [blame]

231

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

232

if( is_priv &&

233

mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )

234

{

235

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

#endif

return( 0 );

}

Hanno Becker

2017-10-10 16:49:26 +0100

[diff] [blame]

242

int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

{

int ret = 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

246

const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );

247

const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );

248

const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );

249

const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );

250

const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

251

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

252

/*

253

* Check whether provided parameters are enough

254

* to deduce all others. The following incomplete

255

* parameter sets for private keys are supported:

256

*

257

* (1) P, Q missing.

258

* (2) D and potentially N missing.

259

*

260

*/

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

261

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

262

const int n_missing = have_P && have_Q && have_D && have_E;

263

const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;

264

const int d_missing = have_P && have_Q && !have_D && have_E;

265

const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;

266

267

/* These three alternatives are mutually exclusive */

268

const int is_priv = n_missing || pq_missing || d_missing;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

269

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

270

if( !is_priv && !is_pub )

271

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

272

273

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

274

* Step 1: Deduce N if P, Q are provided.

275

*/

276

277

if( !have_N && have_P && have_Q )

278

{

279

if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,

280

&ctx->Q ) ) != 0 )

281

{

282

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

283

}

284

285

ctx->len = mbedtls_mpi_size( &ctx->N );

}

/*

* Step 2: Deduce and verify all remaining core parameters.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

*/

if( pq_missing )

{

Hanno Becker

c36aab6

2017-10-17 09:15:06 +0100

[diff] [blame]

294

ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

295

&ctx->P, &ctx->Q );

296

if( ret != 0 )

297

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

else if( d_missing )

{

Hanno Becker

8ba6ce4

2017-10-03 14:36:26 +0100

[diff] [blame]

302

if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,

303

&ctx->Q,

304

&ctx->E,

305

&ctx->D ) ) != 0 )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

306

{

307

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

308

}

309

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

310

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

311

/*

Hanno Becker

2cca6f3

2017-09-29 11:46:40 +0100

[diff] [blame]

312

* Step 3: Deduce all additional parameters specific

Hanno Becker

e867489

2017-10-10 17:56:14 +0100

[diff] [blame]

313

* to our current RSA implementation.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

314

*/

315

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

316

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

317

if( is_priv )

318

{

319

ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

320

&ctx->DP, &ctx->DQ, &ctx->QP );

321

if( ret != 0 )

322

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

323

}

Hanno Becker

23344b5

2017-08-23 07:43:27 +0100

[diff] [blame]

324

#endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

325

326

/*

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

327

* Step 3: Basic sanity checks

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

328

*/

329

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

330

return( rsa_check_context( ctx, is_priv, 1 ) );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

331

}

332

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

333

int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,

334

unsigned char *N, size_t N_len,

335

unsigned char *P, size_t P_len,

336

unsigned char *Q, size_t Q_len,

337

unsigned char *D, size_t D_len,

338

unsigned char *E, size_t E_len )

{

int ret = 0;

/* Check if key is private or public */

343

const int is_priv =

344

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

345

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

346

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

347

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

348

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

353

* something must be wrong. */

354

if( P != NULL || Q != NULL || D != NULL )

355

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

if( N != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );

361

362

if( P != NULL )

363

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );

364

365

if( Q != NULL )

366

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );

367

368

if( D != NULL )

369

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );

370

371

if( E != NULL )

372

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

cleanup:

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

379

int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,

380

mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,

381

mbedtls_mpi *D, mbedtls_mpi *E )

{

int ret;

/* Check if key is private or public */

386

int is_priv =

387

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

388

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

389

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

390

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

391

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

396

* something must be wrong. */

397

if( P != NULL || Q != NULL || D != NULL )

398

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

/* Export all requested core parameters. */

403

404

if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||

405

( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||

406

( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||

407

( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||

408

( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )

{

return( ret );

}

return( 0 );

}

/*

* Export CRT parameters

418

* This must also be implemented if CRT is not used, for being able to

419

* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt

420

* can be used in this case.

421

*/

422

int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,

423

mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret;

/* Check if key is private or public */

428

int is_priv =

429

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

430

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

431

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

432

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

433

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

434

435

if( !is_priv )

436

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

437

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

438

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

439

/* Export all requested blinding parameters. */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

440

if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||

441

( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||

442

( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )

443

{

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

444

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

445

}

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

446

#else

447

if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

448

DP, DQ, QP ) ) != 0 )

449

{

450

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

451

}

452

#endif

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

453

454

return( 0 );

455

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

456

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

457

/*

458

* Initialize an RSA context

459

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

460

void mbedtls_rsa_init( mbedtls_rsa_context *ctx,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

461

int padding,

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

462

int hash_id )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

463

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

464

memset( ctx, 0, sizeof( mbedtls_rsa_context ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

465

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

466

mbedtls_rsa_set_padding( ctx, padding, hash_id );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

467

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

468

#if defined(MBEDTLS_THREADING_C)

469

mbedtls_mutex_init( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

470

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

471

}

472

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

473

/*

474

* Set padding for an existing RSA context

475

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

476

void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

477

{

478

ctx->padding = padding;

479

ctx->hash_id = hash_id;

480

}

481

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

482

/*

483

* Get length in bytes of RSA modulus

484

*/

485

486

size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )

487

{

Hanno Becker

2f8f06a

2017-09-29 11:47:26 +0100

[diff] [blame]

488

return( ctx->len );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

489

}

490

491

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

492

#if defined(MBEDTLS_GENPRIME)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

493

494

/*

495

* Generate an RSA keypair

496

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

497

int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

498

int (*f_rng)(void *, unsigned char *, size_t),

499

void *p_rng,

500

unsigned int nbits, int exponent )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

501

{

502

int ret;

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

503

mbedtls_mpi H, G;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

504

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

505

if( f_rng == NULL || nbits < 128 || exponent < 3 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

506

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

507

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

508

if( nbits % 2 )

509

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

510

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

511

mbedtls_mpi_init( &H );

512

mbedtls_mpi_init( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

513

514

/*

515

* find primes P and Q with Q < P so that:

516

* GCD( E, (P-1)*(Q-1) ) == 1

517

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

518

MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

519

520

do

521

{

Janos Follath

10c575b

2016-02-23 14:42:48 +0000

[diff] [blame]

522

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

523

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

524

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

525

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

526

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

527

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

528

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

529

continue;

530

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

531

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

532

if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

533

continue;

534

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

535

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

536

mbedtls_mpi_swap( &ctx->P, &ctx->Q );

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

537

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

538

/* Temporarily replace P,Q by P-1, Q-1 */

539

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );

540

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );

541

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

542

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

543

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

544

while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

545

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

546

/* Restore P,Q */

547

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );

548

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );

549

550

ctx->len = mbedtls_mpi_size( &ctx->N );

551

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

552

/*

553

* D = E^-1 mod ((P-1)*(Q-1))

* DP = D mod (P - 1)

* DQ = D mod (Q - 1)

* QP = Q^-1 mod P

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

558

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

559

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H ) );

560

561

#if !defined(MBEDTLS_RSA_NO_CRT)

562

MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

563

&ctx->DP, &ctx->DQ, &ctx->QP ) );

564

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

565

Hanno Becker

83aad1f

2017-08-23 06:45:10 +0100

[diff] [blame]

566

/* Double-check */

567

MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

cleanup:

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

571

mbedtls_mpi_free( &H );

572

mbedtls_mpi_free( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

573

574

if( ret != 0 )

575

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

576

mbedtls_rsa_free( ctx );

577

return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

578

}

579

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

580

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

581

}

582

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

583

#endif /* MBEDTLS_GENPRIME */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

584

585

/*

586

* Check a public RSA key

587

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

588

int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

589

{

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

590

if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

591

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

37940d9f

2009-07-10 22:38:58 +0000

[diff] [blame]

592

Hanno Becker

3a760a1

2018-01-05 08:14:49 +0000

[diff] [blame]

593

if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

594

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

595

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

596

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

597

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

598

if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||

599

mbedtls_mpi_bitlen( &ctx->E ) < 2 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

600

mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

601

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

602

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

603

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

/*

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

609

* Check for the consistency of all fields in an RSA private key context

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

610

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

611

int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

612

{

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

613

if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

614

rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

615

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

616

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

617

}

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

618

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

619

if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

620

&ctx->D, &ctx->E, NULL, NULL ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

621

{

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

622

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

623

}

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

624

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

625

#if !defined(MBEDTLS_RSA_NO_CRT)

626

else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,

627

&ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )

628

{

629

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

630

}

631

#endif

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

632

633

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

634

}

635

636

/*

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

637

* Check if contexts holding a public and private key match

638

*/

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

639

int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,

640

const mbedtls_rsa_context *prv )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

641

{

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

642

if( mbedtls_rsa_check_pubkey( pub ) != 0 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

643

mbedtls_rsa_check_privkey( prv ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

644

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

645

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

646

}

647

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

648

if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||

649

mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

650

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

651

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

}

return( 0 );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

658

* Do an RSA public key operation

659

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

660

int mbedtls_rsa_public( mbedtls_rsa_context *ctx,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

661

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

662

unsigned char *output )

663

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

664

int ret;

665

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

666

mbedtls_mpi T;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

667

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

668

if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

669

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

670

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

671

mbedtls_mpi_init( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

672

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

673

#if defined(MBEDTLS_THREADING_C)

674

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

675

return( ret );

676

#endif

677

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

678

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

679

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

680

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

681

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

682

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

683

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

684

}

685

686

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

687

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );

688

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

689

690

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

691

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

692

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

693

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

88fca3e

2015-03-27 15:06:07 +0100

[diff] [blame]

694

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

695

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

696

mbedtls_mpi_free( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

697

698

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

699

return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

704

/*

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

705

* Generate or update blinding values, see section 10 of:

706

* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,

Manuel Pégourié-Gonnard

998930a

2015-04-03 13:48:06 +0200

[diff] [blame]

707

* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

708

* Berlin Heidelberg, 1996. p. 104-113.

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

709

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

710

static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

711

int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )

712

{

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

713

int ret, count = 0;

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

714

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

715

if( ctx->Vf.p != NULL )

716

{

717

/* We already have blinding values, just update them by squaring */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

718

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );

719

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );

720

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );

721

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

722

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

723

goto cleanup;

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

724

}

725

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

726

/* Unblinding value: Vf = random number, invertible mod N */

727

do {

728

if( count++ > 10 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

729

return( MBEDTLS_ERR_RSA_RNG_FAILED );

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

730

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

731

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );

732

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );

733

} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

734

735

/* Blinding value: Vi = Vf^(-e) mod N */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

736

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );

737

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

738

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

739

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

740

cleanup:

741

return( ret );

742

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

743

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

744

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

745

* Exponent blinding supposed to prevent side-channel attacks using multiple

746

* traces of measurements to recover the RSA key. The more collisions are there,

747

* the more bits of the key can be recovered. See [3].

748

*

749

* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)

750

* observations on avarage.

751

*

752

* For example with 28 byte blinding to achieve 2 collisions the adversary has

753

* to make 2^112 observations on avarage.

754

*

755

* (With the currently (as of 2017 April) known best algorithms breaking 2048

756

* bit RSA requires approximately as much time as trying out 2^112 random keys.

757

* Thus in this sense with 28 byte blinding the security is not reduced by

758

* side-channel attacks like the one in [3])

759

*

760

* This countermeasure does not help if the key recovery is possible with a

761

* single trace.

762

*/

763

#define RSA_EXPONENT_BLINDING 28

764

765

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

766

* Do an RSA private key operation

767

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

768

int mbedtls_rsa_private( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

769

int (*f_rng)(void *, unsigned char *, size_t),

770

void *p_rng,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

771

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

772

unsigned char *output )

773

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

774

int ret;

775

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

776

mbedtls_mpi T, T1, T2;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

777

mbedtls_mpi P1, Q1, R;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

778

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

779

mbedtls_mpi D_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

780

mbedtls_mpi *D = &ctx->D;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

781

#else

782

mbedtls_mpi DP_blind, DQ_blind;

783

mbedtls_mpi *DP = &ctx->DP;

784

mbedtls_mpi *DQ = &ctx->DQ;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

785

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

786

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

787

if( rsa_check_context( ctx, 1 /* private key checks */,

788

f_rng != NULL /* blinding y/n */ ) != 0 )

789

{

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

790

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Hanno Becker

2017-10-12 10:54:53 +0100

[diff] [blame]

791

}

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

792

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

793

mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

794

mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );

795

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

796

if( f_rng != NULL )

797

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

798

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

799

mbedtls_mpi_init( &D_blind );

800

#else

801

mbedtls_mpi_init( &DP_blind );

802

mbedtls_mpi_init( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

803

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

804

}

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

805

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

806

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

807

#if defined(MBEDTLS_THREADING_C)

808

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

809

return( ret );

810

#endif

811

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

812

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

813

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

814

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

815

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

816

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

817

}

818

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

819

if( f_rng != NULL )

820

{

821

/*

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

822

* Blinding

823

* T = T * Vi mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

824

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

825

MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );

826

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

827

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

828

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

/*

* Exponent blinding

*/

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );

833

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );

834

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

835

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

836

/*

837

* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D

838

*/

839

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

840

f_rng, p_rng ) );

841

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );

842

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );

843

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );

844

845

D = &D_blind;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

846

#else

847

/*

848

* DP_blind = ( P - 1 ) * R + DP

849

*/

850

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

851

f_rng, p_rng ) );

852

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );

853

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,

&ctx->DP ) );

DP = &DP_blind;

/*

* DQ_blind = ( Q - 1 ) * R + DQ

860

*/

861

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

862

f_rng, p_rng ) );

863

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );

864

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,

865

&ctx->DQ ) );

866

867

DQ = &DQ_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

868

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

869

}

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

870

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

871

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

872

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

e10e06d

2014-11-06 18:15:12 +0100

[diff] [blame]

873

#else

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

874

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

875

* Faster decryption using the CRT

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

876

*

877

* T1 = input ^ dP mod P

878

* T2 = input ^ dQ mod Q

879

*/

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

880

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );

881

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

882

883

/*

884

* T = (T1 - T2) * (Q^-1 mod P) mod P

885

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

886

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );

887

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );

888

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

889

890

/*

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

891

* T = T2 + T * Q

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

892

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

893

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );

894

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );

895

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

896

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

if( f_rng != NULL )

{

/*

* Unblind

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

901

* T = T * Vf mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

902

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

903

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

904

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

905

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

906

907

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

908

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

909

910

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

911

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

912

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

913

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

914

#endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

915

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

916

mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

917

mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );

918

919

if( f_rng != NULL )

920

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

921

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

922

mbedtls_mpi_free( &D_blind );

923

#else

924

mbedtls_mpi_free( &DP_blind );

925

mbedtls_mpi_free( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

926

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

927

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

928

929

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

930

return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

935

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

936

/**

937

* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.

938

*

Paul Bakker

b125ed8

2011-11-10 13:33:51 +0000

[diff] [blame]

939

* \param dst buffer to mask

940

* \param dlen length of destination buffer

941

* \param src source of the mask generation

942

* \param slen length of the source buffer

943

* \param md_ctx message digest context to use

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

944

*/

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

945

static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

946

size_t slen, mbedtls_md_context_t *md_ctx )

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

947

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

948

unsigned char mask[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

949

unsigned char counter[4];

950

unsigned char *p;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

951

unsigned int hlen;

952

size_t i, use_len;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

953

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

954

memset( mask, 0, MBEDTLS_MD_MAX_SIZE );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

955

memset( counter, 0, 4 );

956

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

957

hlen = mbedtls_md_get_size( md_ctx->md_info );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

958

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

959

/* Generate and apply dbMask */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

p = dst;

while( dlen > 0 )

{

use_len = hlen;

if( dlen < hlen )

use_len = dlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

968

mbedtls_md_starts( md_ctx );

969

mbedtls_md_update( md_ctx, src, slen );

970

mbedtls_md_update( md_ctx, counter, 4 );

971

mbedtls_md_finish( md_ctx, mask );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

972

973

for( i = 0; i < use_len; ++i )

*p++ ^= mask[i];

counter[3]++;

dlen -= use_len;

}

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

980

981

mbedtls_zeroize( mask, sizeof( mask ) );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

982

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

983

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

984

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

985

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

986

/*

987

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function

988

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

989

int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

990

int (*f_rng)(void *, unsigned char *, size_t),

991

void *p_rng,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

992

int mode,

993

const unsigned char *label, size_t label_len,

994

size_t ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

995

const unsigned char *input,

996

unsigned char *output )

{

size_t olen;

int ret;

unsigned char *p = output;

1001

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1002

const mbedtls_md_info_t *md_info;

1003

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1004

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1005

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1006

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1007

1008

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1009

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1010

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1011

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1012

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1013

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1014

1015

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1016

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1017

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1018

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1019

if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1020

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1021

1022

memset( output, 0, olen );

*p++ = 0;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1026

/* Generate a random octet string seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1027

if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1028

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p += hlen;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1032

/* Construct DB */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1033

mbedtls_md( md_info, label, label_len, p );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1034

p += hlen;

1035

p += olen - 2 * hlen - 2 - ilen;

1036

*p++ = 1;

1037

memcpy( p, input, ilen );

1038

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1039

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1040

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1041

{

1042

mbedtls_md_free( &md_ctx );

1043

return( ret );

1044

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1045

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1046

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1047

mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,

1048

&md_ctx );

1049

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1050

/* maskedSeed: Apply seedMask to seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1051

mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,

1052

&md_ctx );

1053

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1054

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1055

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1056

return( ( mode == MBEDTLS_RSA_PUBLIC )

1057

? mbedtls_rsa_public( ctx, output, output )

1058

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1059

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1060

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1061

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1062

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1063

/*

1064

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function

1065

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1066

int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1067

int (*f_rng)(void *, unsigned char *, size_t),

1068

void *p_rng,

1069

int mode, size_t ilen,

1070

const unsigned char *input,

1071

unsigned char *output )

{

size_t nb_pad, olen;

int ret;

unsigned char *p = output;

1076

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1077

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1078

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1079

Janos Follath

1ed9f99

2016-03-18 11:45:44 +0000

[diff] [blame]

1080

// We don't check p_rng because it won't be dereferenced here

1081

if( f_rng == NULL || input == NULL || output == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1082

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1083

1084

olen = ctx->len;

Manuel Pégourié-Gonnard

370717b

2016-02-11 10:35:13 +0100

[diff] [blame]

1085

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1086

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1087

if( ilen + 11 < ilen || olen < ilen + 11 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1088

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1089

1090

nb_pad = olen - 3 - ilen;

1091

1092

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1093

if( mode == MBEDTLS_RSA_PUBLIC )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1094

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1095

*p++ = MBEDTLS_RSA_CRYPT;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1096

1097

while( nb_pad-- > 0 )

{

int rng_dl = 100;

do {

ret = f_rng( p_rng, p, 1 );

1103

} while( *p == 0 && --rng_dl && ret == 0 );

1104

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1105

/* Check if RNG failed to generate data */

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1106

if( rng_dl == 0 || ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1107

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p++;

}

}

else

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1114

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1115

1116

while( nb_pad-- > 0 )

*p++ = 0xFF;

}

*p++ = 0;

memcpy( p, input, ilen );

1122

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1123

return( ( mode == MBEDTLS_RSA_PUBLIC )

1124

? mbedtls_rsa_public( ctx, output, output )

1125

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1126

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1127

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1128

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1129

/*

1130

* Add the message padding, then do an RSA operation

1131

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1132

int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

1133

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

1134

void *p_rng,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1135

int mode, size_t ilen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1136

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1137

unsigned char *output )

1138

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1139

switch( ctx->padding )

1140

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1141

#if defined(MBEDTLS_PKCS1_V15)

1142

case MBEDTLS_RSA_PKCS_V15:

1143

return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1144

input, output );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1145

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1146

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1147

#if defined(MBEDTLS_PKCS1_V21)

1148

case MBEDTLS_RSA_PKCS_V21:

1149

return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1150

ilen, input, output );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1151

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1152

1153

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1154

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1155

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1156

}

1157

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1158

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1159

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1160

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1161

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1162

int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1163

int (*f_rng)(void *, unsigned char *, size_t),

1164

void *p_rng,

1165

int mode,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1166

const unsigned char *label, size_t label_len,

1167

size_t *olen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1168

const unsigned char *input,

1169

unsigned char *output,

1170

size_t output_max_len )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1171

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1172

int ret;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1173

size_t ilen, i, pad_len;

1174

unsigned char *p, bad, pad_done;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1175

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

1176

unsigned char lhash[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1177

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1178

const mbedtls_md_info_t *md_info;

1179

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1180

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1181

/*

1182

* Parameters sanity checks

1183

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1184

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1185

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

ilen = ctx->len;

Paul Bakker

2011-06-09 13:55:13 +0000

[diff] [blame]

1189

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1190

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1191

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1192

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1193

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1194

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1195

Janos Follath

c17cda1

2016-02-11 11:08:18 +0000

[diff] [blame]

1196

hlen = mbedtls_md_get_size( md_info );

1197

1198

// checking for integer underflow

1199

if( 2 * hlen + 2 > ilen )

1200

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1201

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1202

/*

1203

* RSA operation

1204

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1205

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1206

? mbedtls_rsa_public( ctx, input, buf )

1207

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1208

1209

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1210

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1211

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1212

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1213

* Unmask data and generate lHash

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1214

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1215

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1216

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1217

{

1218

mbedtls_md_free( &md_ctx );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1219

goto cleanup;

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1220

}

1221

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1222

1223

/* Generate lHash */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1224

mbedtls_md( md_info, label, label_len, lhash );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1225

1226

/* seed: Apply seedMask to maskedSeed */

1227

mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,

1228

&md_ctx );

1229

1230

/* DB: Apply dbMask to maskedDB */

1231

mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,

1232

&md_ctx );

1233

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1234

mbedtls_md_free( &md_ctx );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1235

1236

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1237

* Check contents, in "constant-time"

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1238

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1239

p = buf;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1240

bad = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1241

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1242

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1243

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1244

p += hlen; /* Skip seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1245

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1246

/* Check lHash */

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1247

for( i = 0; i < hlen; i++ )

1248

bad |= lhash[i] ^ *p++;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1249

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1250

/* Get zero-padding len, but always read till end of buffer

1251

* (minus one, for the 01 byte) */

1252

pad_len = 0;

1253

pad_done = 0;

1254

for( i = 0; i < ilen - 2 * hlen - 2; i++ )

1255

{

1256

pad_done |= p[i];

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1257

pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1258

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1259

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1260

p += pad_len;

1261

bad |= *p++ ^ 0x01;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1262

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1263

/*

1264

* The only information "leaked" is whether the padding was correct or not

1265

* (eg, no data is copied if it was not correct). This meets the

1266

* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between

1267

* the different error conditions.

1268

*/

1269

if( bad != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1270

{

1271

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1272

goto cleanup;

1273

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1274

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1275

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1276

{

1277

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1278

goto cleanup;

1279

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1280

1281

*olen = ilen - (p - buf);

1282

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1283

ret = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1284

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1285

cleanup:

1286

mbedtls_zeroize( buf, sizeof( buf ) );

1287

mbedtls_zeroize( lhash, sizeof( lhash ) );

1288

1289

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1290

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1291

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1292

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1293

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1294

/*

1295

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function

1296

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1297

int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1298

int (*f_rng)(void *, unsigned char *, size_t),

1299

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1300

int mode, size_t *olen,

1301

const unsigned char *input,

1302

unsigned char *output,

1303

size_t output_max_len)

1304

{

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1305

int ret;

1306

size_t ilen, pad_count = 0, i;

1307

unsigned char *p, bad, pad_done = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1308

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1309

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1310

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1311

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

ilen = ctx->len;

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1316

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1317

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1318

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1319

? mbedtls_rsa_public( ctx, input, buf )

1320

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1321

1322

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1323

goto cleanup;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1324

1325

p = buf;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1326

bad = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1327

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1328

/*

1329

* Check and get padding len in "constant-time"

1330

*/

1331

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1332

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1333

/* This test does not depend on secret data */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1334

if( mode == MBEDTLS_RSA_PRIVATE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1335

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1336

bad |= *p++ ^ MBEDTLS_RSA_CRYPT;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1337

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1338

/* Get padding len, but always read till end of buffer

1339

* (minus one, for the 00 byte) */

1340

for( i = 0; i < ilen - 3; i++ )

1341

{

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1342

pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;

1343

pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1344

}

Paul Bakker

e6ee41f

2012-05-19 08:43:48 +0000

[diff] [blame]

1345

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1346

p += pad_count;

1347

bad |= *p++; /* Must be zero */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1348

}

1349

else

1350

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1351

bad |= *p++ ^ MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1352

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1353

/* Get padding len, but always read till end of buffer

1354

* (minus one, for the 00 byte) */

1355

for( i = 0; i < ilen - 3; i++ )

1356

{

Manuel Pégourié-Gonnard

fbf0915

2014-02-03 11:58:55 +0100

[diff] [blame]

1357

pad_done |= ( p[i] != 0xFF );

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1358

pad_count += ( pad_done == 0 );

1359

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1360

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1361

p += pad_count;

1362

bad |= *p++; /* Must be zero */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1363

}

1364

Janos Follath

c69fa50

2016-02-12 13:30:09 +0000

[diff] [blame]

1365

bad |= ( pad_count < 8 );

Janos Follath

b6eb1ca

2016-02-08 13:59:25 +0000

[diff] [blame]

1366

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1367

if( bad )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1368

{

1369

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1370

goto cleanup;

1371

}

Paul Bakker

8804f69

2013-02-28 18:06:26 +0100

[diff] [blame]

1372

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1373

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1374

{

1375

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1376

goto cleanup;

1377

}

Paul Bakker

060c568

2009-01-12 21:48:39 +0000

[diff] [blame]

1378

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

1379

*olen = ilen - (p - buf);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1380

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1381

ret = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1382

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1383

cleanup:

1384

mbedtls_zeroize( buf, sizeof( buf ) );

1385

1386

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1387

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1388

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1389

1390

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1391

* Do an RSA operation, then remove the message padding

1392

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1393

int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1394

int (*f_rng)(void *, unsigned char *, size_t),

1395

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1396

int mode, size_t *olen,

1397

const unsigned char *input,

1398

unsigned char *output,

1399

size_t output_max_len)

1400

{

1401

switch( ctx->padding )

1402

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1403

#if defined(MBEDTLS_PKCS1_V15)

1404

case MBEDTLS_RSA_PKCS_V15:

1405

return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1406

input, output, output_max_len );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1407

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1408

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1409

#if defined(MBEDTLS_PKCS1_V21)

1410

case MBEDTLS_RSA_PKCS_V21:

1411

return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1412

olen, input, output,

1413

output_max_len );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1414

#endif

1415

1416

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1417

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1418

}

1419

}

1420

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1421

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1422

/*

1423

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function

1424

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1425

int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1426

int (*f_rng)(void *, unsigned char *, size_t),

1427

void *p_rng,

1428

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1429

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1430

unsigned int hashlen,

1431

const unsigned char *hash,

unsigned char *sig )

{

size_t olen;

unsigned char *p = sig;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1436

unsigned char salt[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1437

unsigned int slen, hlen, offset = 0;

1438

int ret;

1439

size_t msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1440

const mbedtls_md_info_t *md_info;

1441

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1442

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1443

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1444

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1445

1446

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1447

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1448

1449

olen = ctx->len;

1450

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1451

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1452

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1453

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1454

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1455

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1456

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1457

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1458

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1459

}

1460

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1461

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1462

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1463

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1464

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1465

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1466

slen = hlen;

1467

1468

if( olen < hlen + slen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1469

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1470

1471

memset( sig, 0, olen );

1472

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1473

/* Generate salt of length slen */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1474

if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1475

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1476

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1477

/* Note: EMSA-PSS encoding is over the length of N - 1 bits */

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1478

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1479

p += olen - hlen * 2 - 2;

1480

*p++ = 0x01;

1481

memcpy( p, salt, slen );

1482

p += slen;

1483

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1484

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1485

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1486

{

1487

mbedtls_md_free( &md_ctx );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1488

/* No need to zeroize salt: we didn't use it. */

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1489

return( ret );

1490

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1491

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1492

/* Generate H = Hash( M' ) */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1493

mbedtls_md_starts( &md_ctx );

1494

mbedtls_md_update( &md_ctx, p, 8 );

1495

mbedtls_md_update( &md_ctx, hash, hashlen );

1496

mbedtls_md_update( &md_ctx, salt, slen );

1497

mbedtls_md_finish( &md_ctx, p );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1498

mbedtls_zeroize( salt, sizeof( salt ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1499

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1500

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

offset = 1;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1504

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1505

mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );

1506

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1507

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1508

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1509

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1510

sig[0] &= 0xFF >> ( olen * 8 - msb );

p += hlen;

*p++ = 0xBC;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1515

return( ( mode == MBEDTLS_RSA_PUBLIC )

1516

? mbedtls_rsa_public( ctx, sig, sig )

1517

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1518

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1519

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1520

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1521

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1522

/*

1523

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function

1524

*/

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1525

1526

/* Construct a PKCS v1.5 encoding of a hashed message

1527

*

1528

* This is used both for signature generation and verification.

1529

*

1530

* Parameters:

1531

* - md_alg: Identifies the hash algorithm used to generate the given hash;

Hanno Becker

2017-09-27 17:09:00 +0100

[diff] [blame]

1532

* MBEDTLS_MD_NONE if raw data is signed.

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1533

* - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.

Hanno Becker

2017-09-27 17:09:00 +0100

[diff] [blame]

1534

* - hash: Buffer containing the hashed message or the raw data.

1535

* - dst_len: Length of the encoded message.

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1536

* - dst: Buffer to hold the encoded message.

1537

*

1538

* Assumptions:

1539

* - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.

1540

* - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.

Hanno Becker

2017-09-27 17:09:00 +0100

[diff] [blame]

1541

* - dst points to a buffer of size at least dst_len.

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1542

*

1543

*/

1544

static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,

1545

unsigned int hashlen,

1546

const unsigned char *hash,

Hanno Becker

2017-09-27 17:09:00 +0100

[diff] [blame]

1547

size_t dst_len,

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1548

unsigned char *dst )

1549

{

1550

size_t oid_size = 0;

Hanno Becker

2017-09-27 17:09:00 +0100

[diff] [blame]

1551

size_t nb_pad = dst_len;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1552

unsigned char *p = dst;

1553

const char *oid = NULL;

1554

1555

/* Are we signing hashed or raw data? */

1556

if( md_alg != MBEDTLS_MD_NONE )

1557

{

1558

const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );

1559

if( md_info == NULL )

1560

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1561

1562

if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )

1563

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1564

1565

hashlen = mbedtls_md_get_size( md_info );

1566

1567

/* Double-check that 8 + hashlen + oid_size can be used as a

1568

* 1-byte ASN.1 length encoding and that there's no overflow. */

1569

if( 8 + hashlen + oid_size >= 0x80 ||

1570

10 + hashlen < hashlen ||

1571

10 + hashlen + oid_size < 10 + hashlen )

1572

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1573

1574

/*

1575

* Static bounds check:

1576

* - Need 10 bytes for five tag-length pairs.

1577

* (Insist on 1-byte length encodings to protect against variants of

1578

* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)

1579

* - Need hashlen bytes for hash

1580

* - Need oid_size bytes for hash alg OID.

1581

*/

1582

if( nb_pad < 10 + hashlen + oid_size )

1583

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1584

nb_pad -= 10 + hashlen + oid_size;

}

else

{

if( nb_pad < hashlen )

1589

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

nb_pad -= hashlen;

}

Hanno Becker

2017-09-27 17:10:03 +0100

[diff] [blame]

1594

/* Need space for signature header and padding delimiter (3 bytes),

1595

* and 8 bytes for the minimal padding */

1596

if( nb_pad < 3 + 8 )

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1597

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1598

nb_pad -= 3;

1599

1600

/* Now nb_pad is the amount of memory to be filled

Hanno Becker

2b2f898

2017-09-27 17:10:03 +0100

[diff] [blame]

1601

* with padding, and at least 8 bytes long. */

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1602

1603

/* Write signature header and padding */

1604

*p++ = 0;

1605

*p++ = MBEDTLS_RSA_SIGN;

1606

memset( p, 0xFF, nb_pad );

p += nb_pad;

*p++ = 0;

/* Are we signing raw data? */

1611

if( md_alg == MBEDTLS_MD_NONE )

1612

{

1613

memcpy( p, hash, hashlen );

return( 0 );

}

/* Signing hashed data, add corresponding ASN.1 structure

1618

*

1619

* DigestInfo ::= SEQUENCE {

1620

* digestAlgorithm DigestAlgorithmIdentifier,

1621

* digest Digest }

1622

* DigestAlgorithmIdentifier ::= AlgorithmIdentifier

1623

* Digest ::= OCTET STRING

1624

*

1625

* Schematic:

1626

* TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]

1627

* TAG-NULL + LEN [ NULL ] ]

1628

* TAG-OCTET + LEN [ HASH ] ]

1629

*/

1630

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Hanno Becker

2018-01-15 15:27:56 +0000

[diff] [blame^]

1631

*p++ = (unsigned char)( 0x08 + oid_size + hashlen );

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1632

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Hanno Becker

2018-01-15 15:27:56 +0000

[diff] [blame^]

1633

*p++ = (unsigned char)( 0x04 + oid_size );

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1634

*p++ = MBEDTLS_ASN1_OID;

Hanno Becker

2018-01-15 15:27:56 +0000

[diff] [blame^]

1635

*p++ = (unsigned char) oid_size;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1636

memcpy( p, oid, oid_size );

1637

p += oid_size;

1638

*p++ = MBEDTLS_ASN1_NULL;

1639

*p++ = 0x00;

1640

*p++ = MBEDTLS_ASN1_OCTET_STRING;

Hanno Becker

2018-01-15 15:27:56 +0000

[diff] [blame^]

1641

*p++ = (unsigned char) hashlen;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1642

memcpy( p, hash, hashlen );

1643

p += hashlen;

1644

1645

/* Just a sanity-check, should be automatic

1646

* after the initial bounds check. */

Hanno Becker

2017-09-27 17:09:00 +0100

[diff] [blame]

1647

if( p != dst + dst_len )

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1648

{

Hanno Becker

2017-09-27 17:09:00 +0100

[diff] [blame]

1649

mbedtls_zeroize( dst, dst_len );

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1650

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

return( 0 );

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1656

/*

1657

* Do an RSA operation to sign the message digest

1658

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1659

int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1660

int (*f_rng)(void *, unsigned char *, size_t),

1661

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1662

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1663

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1664

unsigned int hashlen,

1665

const unsigned char *hash,

1666

unsigned char *sig )

1667

{

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1668

int ret;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1669

unsigned char *sig_try = NULL, *verif = NULL;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1670

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1671

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1672

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1673

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1674

/*

1675

* Prepare PKCS1-v1.5 encoding (padding and hash identifier)

1676

*/

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1677

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1678

if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,

1679

ctx->len, sig ) ) != 0 )

1680

return( ret );

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1681

1682

/*

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1683

* Call respective RSA primitive

1684

*/

1685

1686

if( mode == MBEDTLS_RSA_PUBLIC )

1687

{

1688

/* Skip verification on a public key operation */

1689

return( mbedtls_rsa_public( ctx, sig, sig ) );

1690

}

1691

1692

/* Private key operation

1693

*

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1694

* In order to prevent Lenstra's attack, make the signature in a

1695

* temporary buffer and check it before returning it.

1696

*/

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1697

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1698

sig_try = mbedtls_calloc( 1, ctx->len );

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

1699

if( sig_try == NULL )

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1700

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

1701

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1702

verif = mbedtls_calloc( 1, ctx->len );

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

1703

if( verif == NULL )

1704

{

1705

mbedtls_free( sig_try );

1706

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

1707

}

1708

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1709

MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );

1710

MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );

1711

Hanno Becker

171a8f1

2017-09-06 12:32:16 +0100

[diff] [blame]

1712

if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

1713

{

1714

ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;

goto cleanup;

}

memcpy( sig, sig_try, ctx->len );

1719

1720

cleanup:

1721

mbedtls_free( sig_try );

1722

mbedtls_free( verif );

1723

1724

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1725

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1726

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1727

1728

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1729

* Do an RSA operation to sign the message digest

1730

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1731

int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

1732

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1733

void *p_rng,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1734

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1735

mbedtls_md_type_t md_alg,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1736

unsigned int hashlen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1737

const unsigned char *hash,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1738

unsigned char *sig )

1739

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1740

switch( ctx->padding )

1741

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1742

#if defined(MBEDTLS_PKCS1_V15)

1743

case MBEDTLS_RSA_PKCS_V15:

1744

return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1745

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1746

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1747

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1748

#if defined(MBEDTLS_PKCS1_V21)

1749

case MBEDTLS_RSA_PKCS_V21:

1750

return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1751

hashlen, hash, sig );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1752

#endif

1753

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1754

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1755

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1756

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1757

}

1758

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1759

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1760

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1761

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1762

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1763

int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1764

int (*f_rng)(void *, unsigned char *, size_t),

1765

void *p_rng,

1766

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1767

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1768

unsigned int hashlen,

1769

const unsigned char *hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1770

mbedtls_md_type_t mgf1_hash_id,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1771

int expected_salt_len,

1772

const unsigned char *sig )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1773

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1774

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1775

size_t siglen;

1776

unsigned char *p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1777

unsigned char result[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1778

unsigned char zeros[8];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1779

unsigned int hlen;

1780

size_t slen, msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1781

const mbedtls_md_info_t *md_info;

1782

mbedtls_md_context_t md_ctx;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

1783

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1784

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1785

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1786

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1787

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1788

siglen = ctx->len;

1789

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

1790

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1791

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1792

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1793

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1794

? mbedtls_rsa_public( ctx, sig, buf )

1795

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1802

if( buf[siglen - 1] != 0xBC )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1803

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1804

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1805

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1806

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1807

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1808

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1809

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1810

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1811

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1812

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1813

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1814

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1815

md_info = mbedtls_md_info_from_type( mgf1_hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1816

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1817

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1818

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1819

hlen = mbedtls_md_get_size( md_info );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1820

slen = siglen - hlen - 1; /* Currently length of salt + padding */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1821

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1822

memset( zeros, 0, 8 );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

1823

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1824

/*

1825

* Note: EMSA-PSS verification is over the length of N - 1 bits

1826

*/

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1827

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1828

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1829

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

{

p++;

siglen -= 1;

}

if( buf[0] >> ( 8 - siglen * 8 + msb ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1836

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1837

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1838

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1839

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1840

{

1841

mbedtls_md_free( &md_ctx );

1842

return( ret );

1843

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1844

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1845

mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );

Paul Bakker

02303e8

2013-01-03 11:08:31 +0100

[diff] [blame]

1846

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1847

buf[0] &= 0xFF >> ( siglen * 8 - msb );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1848

Paul Bakker

4de44aa

2013-12-31 11:43:01 +0100

[diff] [blame]

1849

while( p < buf + siglen && *p == 0 )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1850

p++;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1851

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1852

if( p == buf + siglen ||

1853

*p++ != 0x01 )

1854

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1855

mbedtls_md_free( &md_ctx );

1856

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1857

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1858

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1859

/* Actual salt len */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1860

slen -= p - buf;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1861

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1862

if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1863

slen != (size_t) expected_salt_len )

1864

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1865

mbedtls_md_free( &md_ctx );

1866

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1867

}

1868

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1869

/*

1870

* Generate H = Hash( M' )

1871

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1872

mbedtls_md_starts( &md_ctx );

1873

mbedtls_md_update( &md_ctx, zeros, 8 );

1874

mbedtls_md_update( &md_ctx, hash, hashlen );

1875

mbedtls_md_update( &md_ctx, p, slen );

1876

mbedtls_md_finish( &md_ctx, result );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

1877

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1878

mbedtls_md_free( &md_ctx );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1879

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1880

if( memcmp( p + slen, result, hlen ) == 0 )

1881

return( 0 );

1882

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1883

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1884

}

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1885

1886

/*

1887

* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function

1888

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1889

int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1890

int (*f_rng)(void *, unsigned char *, size_t),

1891

void *p_rng,

1892

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1893

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1894

unsigned int hashlen,

1895

const unsigned char *hash,

1896

const unsigned char *sig )

1897

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1898

mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )

1899

? (mbedtls_md_type_t) ctx->hash_id

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1900

: md_alg;

1901

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1902

return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1903

md_alg, hashlen, hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1904

mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

1905

sig ) );

1906

1907

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1908

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

40628ba

2013-01-03 10:50:31 +0100

[diff] [blame]

1909

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1910

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1911

/*

1912

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function

1913

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1914

int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1915

int (*f_rng)(void *, unsigned char *, size_t),

1916

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1917

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1918

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1919

unsigned int hashlen,

1920

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

1921

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1922

{

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1923

int ret = 0;

1924

const size_t sig_len = ctx->len;

1925

unsigned char *encoded = NULL, *encoded_expected = NULL;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1926

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1927

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1928

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1929

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1930

/*

1931

* Prepare expected PKCS1 v1.5 encoding of hash.

1932

*/

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1933

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1934

if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL ||

1935

( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )

1936

{

1937

ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;

goto cleanup;

}

if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,

1942

encoded_expected ) ) != 0 )

goto cleanup;

/*

* Apply RSA primitive to get what should be PKCS1 encoded hash.

1947

*/

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1948

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1949

ret = ( mode == MBEDTLS_RSA_PUBLIC )

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1950

? mbedtls_rsa_public( ctx, sig, encoded )

1951

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1952

if( ret != 0 )

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1953

goto cleanup;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1954

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1955

/*

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1956

* Compare

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1957

*/

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1958

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1959

if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,

1960

sig_len ) ) != 0 )

1961

{

1962

ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;

1963

goto cleanup;

1964

}

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1965

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1966

cleanup:

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1967

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1968

if( encoded != NULL )

1969

{

1970

mbedtls_zeroize( encoded, sig_len );

1971

mbedtls_free( encoded );

1972

}

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1973

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1974

if( encoded_expected != NULL )

1975

{

1976

mbedtls_zeroize( encoded_expected, sig_len );

1977

mbedtls_free( encoded_expected );

1978

}

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1979

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

1980

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1981

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1982

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1983

1984

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1985

* Do an RSA operation and check the message digest

1986

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1987

int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1988

int (*f_rng)(void *, unsigned char *, size_t),

1989

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1990

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1991

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1992

unsigned int hashlen,

1993

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

1994

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1995

{

1996

switch( ctx->padding )

1997

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1998

#if defined(MBEDTLS_PKCS1_V15)

1999

case MBEDTLS_RSA_PKCS_V15:

2000

return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2001

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2002

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2003

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2004

#if defined(MBEDTLS_PKCS1_V21)

2005

case MBEDTLS_RSA_PKCS_V21:

2006

return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2007

hashlen, hash, sig );

2008

#endif

2009

2010

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2011

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

}

}

/*

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2016

* Copy the components of an RSA key

2017

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2018

int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

{

int ret;

dst->ver = src->ver;

dst->len = src->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2025

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );

2026

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2027

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2028

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );

2029

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );

2030

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2031

2032

#if !defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2033

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );

2034

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );

2035

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2036

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );

2037

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2038

#endif

2039

2040

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2041

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2042

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );

2043

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

2044

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2045

dst->padding = src->padding;

Manuel Pégourié-Gonnard

fdddac9

2014-03-25 15:58:35 +0100

[diff] [blame]

2046

dst->hash_id = src->hash_id;

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2047

2048

cleanup:

2049

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2050

mbedtls_rsa_free( dst );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

return( ret );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2056

* Free the components of an RSA key

2057

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2058

void mbedtls_rsa_free( mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2059

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2060

mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2061

mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D );

2062

mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2063

mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2064

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2065

#if !defined(MBEDTLS_RSA_NO_CRT)

2066

mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );

2067

mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );

2068

mbedtls_mpi_free( &ctx->DP );

2069

#endif /* MBEDTLS_RSA_NO_CRT */

2070

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2071

#if defined(MBEDTLS_THREADING_C)

2072

mbedtls_mutex_free( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2073

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2074

}

2075

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

2076

#endif /* !MBEDTLS_RSA_ALT */

2077

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2078

#if defined(MBEDTLS_SELF_TEST)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2079

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

2080

#include "mbedtls/sha1.h"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2081

2082

/*

2083

* Example RSA-1024 keypair, for test purposes

*/

#define KEY_LEN 128

#define RSA_N "9292758453063D803DD603D5E777D788" \

2088

"8ED1D5BF35786190FA2F23EBC0848AEA" \

2089

"DDA92CA6C3D80B32C4D109BE0F36D6AE" \

2090

"7130B9CED7ACDF54CFC7555AC14EEBAB" \

2091

"93A89813FBF3C4F8066D2D800F7C38A8" \

2092

"1AE31942917403FF4946B0A83D3D3E05" \

2093

"EE57C6F5F5606FB5D4BC6CD34EE0801A" \

2094

"5E94BB77B07507233A0BC7BAC8F90F79"

2095

2096

#define RSA_E "10001"

2097

2098

#define RSA_D "24BF6185468786FDD303083D25E64EFC" \

2099

"66CA472BC44D253102F8B4A9D3BFA750" \

2100

"91386C0077937FE33FA3252D28855837" \

2101

"AE1B484A8A9A45F7EE8C0C634F99E8CD" \

2102

"DF79C5CE07EE72C7F123142198164234" \

2103

"CABB724CF78B8173B9F880FC86322407" \

2104

"AF1FEDFDDE2BEB674CA15F3E81A1521E" \

2105

"071513A1E85B5DFA031F21ECAE91A34D"

2106

2107

#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \

2108

"2C01CAD19EA484A87EA4377637E75500" \

2109

"FCB2005C5C7DD6EC4AC023CDA285D796" \

2110

"C3D9E75E1EFC42488BB4F1D13AC30A57"

2111

2112

#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \

2113

"E211C2B9E5DB1ED0BF61D0D9899620F4" \

2114

"910E4168387E3C30AA1E00C339A79508" \

2115

"8452DD96A9A5EA5D9DCA68DA636032AF"

2116

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2117

#define PT_LEN 24

2118

#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \

2119

"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"

2120

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2121

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2122

static int myrand( void *rng_state, unsigned char *output, size_t len )

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2123

{

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2124

#if !defined(__OpenBSD__)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2125

size_t i;

2126

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2127

if( rng_state != NULL )

2128

rng_state = NULL;

2129

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2130

for( i = 0; i < len; ++i )

2131

output[i] = rand();

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2132

#else

2133

if( rng_state != NULL )

2134

rng_state = NULL;

2135

2136

arc4random_buf( output, len );

2137

#endif /* !OpenBSD */

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2138

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2139

return( 0 );

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2140

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2141

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2142

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2143

/*

2144

* Checkup routine

2145

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2146

int mbedtls_rsa_self_test( int verbose )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2147

{

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2148

int ret = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2149

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2150

size_t len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2151

mbedtls_rsa_context rsa;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2152

unsigned char rsa_plaintext[PT_LEN];

2153

unsigned char rsa_decrypted[PT_LEN];

2154

unsigned char rsa_ciphertext[KEY_LEN];

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2155

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

5690efc

2011-05-26 13:16:06 +0000

[diff] [blame]

2156

unsigned char sha1sum[20];

2157

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2158

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2159

mbedtls_mpi K;

2160

2161

mbedtls_mpi_init( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2162

mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2163

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2164

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );

2165

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );

2166

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );

2167

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );

2168

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );

2169

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );

2170

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );

2171

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );

2172

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );

2173

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );

2174

Hanno Becker

7f25f85

2017-10-10 16:56:22 +0100

[diff] [blame]

2175

MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2176

2177

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2178

mbedtls_printf( " RSA key validation: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2179

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2180

if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||

2181

mbedtls_rsa_check_privkey( &rsa ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2182

{

2183

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2184

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2190

mbedtls_printf( "passed\n PKCS#1 encryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2191

2192

memcpy( rsa_plaintext, RSA_PT, PT_LEN );

2193

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2194

if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,

2195

PT_LEN, rsa_plaintext,

2196

rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2197

{

2198

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2199

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2205

mbedtls_printf( "passed\n PKCS#1 decryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2206

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2207

if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,

2208

&len, rsa_ciphertext, rsa_decrypted,

2209

sizeof(rsa_decrypted) ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2210

{

2211

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2212

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )

2218

{

2219

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2220

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2225

if( verbose != 0 )

2226

mbedtls_printf( "passed\n" );

2227

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2228

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2229

if( verbose != 0 )

Brian Murray

930a370

2016-05-18 14:38:02 -0700

[diff] [blame]

2230

mbedtls_printf( " PKCS#1 data sign : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2231

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2232

mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2233

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2234

if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,

2235

MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,

2236

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2237

{

2238

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2239

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2245

mbedtls_printf( "passed\n PKCS#1 sig. verify: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2246

Hanno Becker

2017-10-02 13:16:10 +0100

[diff] [blame]

2247

if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,

2248

MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,

2249

sha1sum, rsa_ciphertext ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2250

{

2251

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2252

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2258

mbedtls_printf( "passed\n" );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2259

#endif /* MBEDTLS_SHA1_C */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2260

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2261

if( verbose != 0 )

2262

mbedtls_printf( "\n" );

2263

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2264

cleanup:

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2265

mbedtls_mpi_free( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2266

mbedtls_rsa_free( &rsa );

2267

#else /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3e41fe8

2013-09-15 17:42:50 +0200

[diff] [blame]

2268

((void) verbose);

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2269

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2270

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2271

}

2272

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2273

#endif /* MBEDTLS_SELF_TEST */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2274

Manuel Pégourié-Gonnard