Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: ef262d9dd5936d0224ed778ba39358cf3843c7a0 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* The RSA public-key cryptosystem
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	18	*/
Hanno Becker	7471631	2017-10-02 10:00:37 +0100	[diff] [blame]	19
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	20	/*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	21	* The following sources were referenced in the design of this implementation
				22	* of the RSA algorithm:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23	*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	24	* [1] A method for obtaining digital signatures and public-key cryptosystems
				25	* R Rivest, A Shamir, and L Adleman
				26	* http://people.csail.mit.edu/rivest/pubs.html#RSA78
				27	*
				28	* [2] Handbook of Applied Cryptography - 1997, Chapter 8
				29	* Menezes, van Oorschot and Vanstone
				30	*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	31	* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
				32	* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
				33	* Stefan Mangard
				34	* https://arxiv.org/abs/1702.08719v2
				35	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	36	*/
				37
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	38	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	39
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	40	#if defined(MBEDTLS_RSA_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	41
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	42	#include "mbedtls/rsa.h"
Chris Jones	66a4cd4	2021-03-09 16:04:12 +0000	[diff] [blame]	43	#include "rsa_alt_helpers.h"
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	44	#include "mbedtls/oid.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	45	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	46	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	47	#include "constant_time_internal.h"
Gabor Mezei	765862c	2021-10-19 12:22:25 +0200	[diff] [blame]	48	#include "mbedtls/constant_time.h"
Paul Bakker	bb51f0c	2012-08-23 07:46:58 +0000	[diff] [blame]	49
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	50	#include <string.h>
				51
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	52	#if defined(MBEDTLS_PKCS1_V21)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	53	#include "mbedtls/md.h"
Paul Bakker	bb51f0c	2012-08-23 07:46:58 +0000	[diff] [blame]	54	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	55
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	56	#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	57	#include <stdlib.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	58	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	59
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	60	#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	61	#include "mbedtls/platform.h"
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	62	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	63	#include <stdio.h>
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	64	#define mbedtls_printf printf
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	65	#define mbedtls_calloc calloc
				66	#define mbedtls_free free
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	67	#endif
				68
Neil Armstrong	ea76196	2022-02-21 10:42:29 +0100	[diff] [blame^]	69	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				70	#include "mbedtls/pk.h"
				71	#endif
				72
				73	#if defined(MBEDTLS_USE_PSA_CRYPTO)
				74	int mbedtls_pk_rsa_psa_err_translate( psa_status_t status )
				75	{
				76	switch( status )
				77	{
				78	case PSA_ERROR_NOT_PERMITTED:
				79	case PSA_ERROR_INVALID_ARGUMENT:
				80	case PSA_ERROR_INVALID_HANDLE:
				81	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				82	case PSA_ERROR_BUFFER_TOO_SMALL:
				83	return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
				84	case PSA_ERROR_INSUFFICIENT_ENTROPY:
				85	return( MBEDTLS_ERR_RSA_RNG_FAILED );
				86	case PSA_ERROR_INVALID_SIGNATURE:
				87	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
				88	case PSA_ERROR_INVALID_PADDING:
				89	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
				90	default:
				91	return( mbedtls_pk_psa_err_translate( status ) );
				92	}
				93	}
				94	#endif
				95
Hanno Becker	a565f54	2017-10-11 11:00:19 +0100	[diff] [blame]	96	#if !defined(MBEDTLS_RSA_ALT)
				97
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	98	/* Parameter validation macros */
				99	#define RSA_VALIDATE_RET( cond ) \
				100	MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
				101	#define RSA_VALIDATE( cond ) \
				102	MBEDTLS_INTERNAL_VALIDATE( cond )
				103
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	104	int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
				105	const mbedtls_mpi *N,
				106	const mbedtls_mpi P, const mbedtls_mpi Q,
				107	const mbedtls_mpi D, const mbedtls_mpi E )
				108	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	109	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	110	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	111
				112	if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) \|\|
				113	( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) \|\|
				114	( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) \|\|
				115	( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) \|\|
				116	( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
				117	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	118	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	119	}
				120
				121	if( N != NULL )
				122	ctx->len = mbedtls_mpi_size( &ctx->N );
				123
				124	return( 0 );
				125	}
				126
				127	int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
Hanno Becker	7471631	2017-10-02 10:00:37 +0100	[diff] [blame]	128	unsigned char const *N, size_t N_len,
				129	unsigned char const *P, size_t P_len,
				130	unsigned char const *Q, size_t Q_len,
				131	unsigned char const *D, size_t D_len,
				132	unsigned char const *E, size_t E_len )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	133	{
Hanno Becker	d4d6057	2018-01-10 07:12:01 +0000	[diff] [blame]	134	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	135	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	136
				137	if( N != NULL )
				138	{
				139	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
				140	ctx->len = mbedtls_mpi_size( &ctx->N );
				141	}
				142
				143	if( P != NULL )
				144	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
				145
				146	if( Q != NULL )
				147	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
				148
				149	if( D != NULL )
				150	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
				151
				152	if( E != NULL )
				153	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
				154
				155	cleanup:
				156
				157	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	158	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	159
				160	return( 0 );
				161	}
				162
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	163	/*
				164	* Checks whether the context fields are set in such a way
				165	* that the RSA primitives will be able to execute without error.
				166	* It does not make guarantees for consistency of the parameters.
				167	*/
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	168	static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
				169	int blinding_needed )
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	170	{
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	171	#if !defined(MBEDTLS_RSA_NO_CRT)
				172	/* blinding_needed is only used for NO_CRT to decide whether
				173	* P,Q need to be present or not. */
				174	((void) blinding_needed);
				175	#endif
				176
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	177	if( ctx->len != mbedtls_mpi_size( &ctx->N ) \|\|
				178	ctx->len > MBEDTLS_MPI_MAX_SIZE )
				179	{
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	180	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	181	}
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	182
				183	/*
				184	* 1. Modular exponentiation needs positive, odd moduli.
				185	*/
				186
				187	/* Modular exponentiation wrt. N is always used for
				188	* RSA public key operations. */
				189	if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 \|\|
				190	mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
				191	{
				192	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				193	}
				194
				195	#if !defined(MBEDTLS_RSA_NO_CRT)
				196	/* Modular exponentiation for P and Q is only
				197	* used for private key operations and if CRT
				198	* is used. */
				199	if( is_priv &&
				200	( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 \|\|
				201	mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 \|\|
				202	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 \|\|
				203	mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
				204	{
				205	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				206	}
				207	#endif /* !MBEDTLS_RSA_NO_CRT */
				208
				209	/*
				210	* 2. Exponents must be positive
				211	*/
				212
				213	/* Always need E for public key operations */
				214	if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
				215	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				216
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	217	#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	218	/* For private key operations, use D or DP & DQ
				219	* as (unblinded) exponents. */
				220	if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
				221	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				222	#else
				223	if( is_priv &&
				224	( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 \|\|
				225	mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
				226	{
				227	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				228	}
				229	#endif /* MBEDTLS_RSA_NO_CRT */
				230
				231	/* Blinding shouldn't make exponents negative either,
				232	* so check that P, Q >= 1 if that hasn't yet been
				233	* done as part of 1. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	234	#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	235	if( is_priv && blinding_needed &&
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	236	( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 \|\|
				237	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
				238	{
				239	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				240	}
				241	#endif
				242
				243	/* It wouldn't lead to an error if it wasn't satisfied,
Hanno Becker	f8c028a	2017-10-17 09:20:57 +0100	[diff] [blame]	244	* but check for QP >= 1 nonetheless. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	245	#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	246	if( is_priv &&
				247	mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
				248	{
				249	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				250	}
				251	#endif
				252
				253	return( 0 );
				254	}
				255
Hanno Becker	f9e184b	2017-10-10 16:49:26 +0100	[diff] [blame]	256	int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	257	{
				258	int ret = 0;
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	259	int have_N, have_P, have_Q, have_D, have_E;
				260	#if !defined(MBEDTLS_RSA_NO_CRT)
				261	int have_DP, have_DQ, have_QP;
				262	#endif
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	263	int n_missing, pq_missing, d_missing, is_pub, is_priv;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	264
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	265	RSA_VALIDATE_RET( ctx != NULL );
				266
				267	have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
				268	have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
				269	have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
				270	have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
				271	have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	272
				273	#if !defined(MBEDTLS_RSA_NO_CRT)
Jack Lloyd	80cc811	2020-01-22 17:34:29 -0500	[diff] [blame]	274	have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
				275	have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
				276	have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	277	#endif
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	278
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	279	/*
				280	* Check whether provided parameters are enough
				281	* to deduce all others. The following incomplete
				282	* parameter sets for private keys are supported:
				283	*
				284	* (1) P, Q missing.
				285	* (2) D and potentially N missing.
				286	*
				287	*/
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	288
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	289	n_missing = have_P && have_Q && have_D && have_E;
				290	pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
				291	d_missing = have_P && have_Q && !have_D && have_E;
				292	is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	293
				294	/* These three alternatives are mutually exclusive */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	295	is_priv = n_missing \|\| pq_missing \|\| d_missing;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	296
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	297	if( !is_priv && !is_pub )
				298	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				299
				300	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	301	* Step 1: Deduce N if P, Q are provided.
				302	*/
				303
				304	if( !have_N && have_P && have_Q )
				305	{
				306	if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
				307	&ctx->Q ) ) != 0 )
				308	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	309	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	310	}
				311
				312	ctx->len = mbedtls_mpi_size( &ctx->N );
				313	}
				314
				315	/*
				316	* Step 2: Deduce and verify all remaining core parameters.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	317	*/
				318
				319	if( pq_missing )
				320	{
Hanno Becker	c36aab6	2017-10-17 09:15:06 +0100	[diff] [blame]	321	ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	322	&ctx->P, &ctx->Q );
				323	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	324	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	325
				326	}
				327	else if( d_missing )
				328	{
Hanno Becker	8ba6ce4	2017-10-03 14:36:26 +0100	[diff] [blame]	329	if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
				330	&ctx->Q,
				331	&ctx->E,
				332	&ctx->D ) ) != 0 )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	333	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	334	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	335	}
				336	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	337
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	338	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	339	* Step 3: Deduce all additional parameters specific
Hanno Becker	e867489	2017-10-10 17:56:14 +0100	[diff] [blame]	340	* to our current RSA implementation.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	341	*/
				342
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	343	#if !defined(MBEDTLS_RSA_NO_CRT)
Jack Lloyd	2e9eef4	2020-01-28 14:43:52 -0500	[diff] [blame]	344	if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	345	{
				346	ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				347	&ctx->DP, &ctx->DQ, &ctx->QP );
				348	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	349	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	350	}
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	351	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	352
				353	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	354	* Step 3: Basic sanity checks
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	355	*/
				356
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	357	return( rsa_check_context( ctx, is_priv, 1 ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	358	}
				359
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	360	int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
				361	unsigned char *N, size_t N_len,
				362	unsigned char *P, size_t P_len,
				363	unsigned char *Q, size_t Q_len,
				364	unsigned char *D, size_t D_len,
				365	unsigned char *E, size_t E_len )
				366	{
				367	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	368	int is_priv;
				369	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	370
				371	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	372	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	373	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				374	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				375	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				376	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				377	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				378
				379	if( !is_priv )
				380	{
				381	/* If we're trying to export private parameters for a public key,
				382	* something must be wrong. */
				383	if( P != NULL \|\| Q != NULL \|\| D != NULL )
				384	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				385
				386	}
				387
				388	if( N != NULL )
				389	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
				390
				391	if( P != NULL )
				392	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
				393
				394	if( Q != NULL )
				395	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
				396
				397	if( D != NULL )
				398	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
				399
				400	if( E != NULL )
				401	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	402
				403	cleanup:
				404
				405	return( ret );
				406	}
				407
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	408	int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
				409	mbedtls_mpi N, mbedtls_mpi P, mbedtls_mpi *Q,
				410	mbedtls_mpi D, mbedtls_mpi E )
				411	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	412	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	413	int is_priv;
				414	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	415
				416	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	417	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	418	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				419	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				420	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				421	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				422	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				423
				424	if( !is_priv )
				425	{
				426	/* If we're trying to export private parameters for a public key,
				427	* something must be wrong. */
				428	if( P != NULL \|\| Q != NULL \|\| D != NULL )
				429	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				430
				431	}
				432
				433	/* Export all requested core parameters. */
				434
				435	if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) \|\|
				436	( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) \|\|
				437	( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) \|\|
				438	( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) \|\|
				439	( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
				440	{
				441	return( ret );
				442	}
				443
				444	return( 0 );
				445	}
				446
				447	/*
				448	* Export CRT parameters
				449	* This must also be implemented if CRT is not used, for being able to
				450	* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
				451	* can be used in this case.
				452	*/
				453	int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
				454	mbedtls_mpi DP, mbedtls_mpi DQ, mbedtls_mpi *QP )
				455	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	456	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	457	int is_priv;
				458	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	459
				460	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	461	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	462	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				463	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				464	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				465	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				466	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				467
				468	if( !is_priv )
				469	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				470
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	471	#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	472	/* Export all requested blinding parameters. */
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	473	if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) \|\|
				474	( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) \|\|
				475	( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
				476	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	477	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	478	}
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	479	#else
				480	if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				481	DP, DQ, QP ) ) != 0 )
				482	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	483	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	484	}
				485	#endif
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	486
				487	return( 0 );
				488	}
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	489
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	490	/*
				491	* Initialize an RSA context
				492	*/
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	493	void mbedtls_rsa_init( mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	494	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	495	RSA_VALIDATE( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	496
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	497	memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	498
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	499	ctx->padding = MBEDTLS_RSA_PKCS_V15;
				500	ctx->hash_id = MBEDTLS_MD_NONE;
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	501
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	502	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	503	/* Set ctx->ver to nonzero to indicate that the mutex has been
				504	* initialized and will need to be freed. */
				505	ctx->ver = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	506	mbedtls_mutex_init( &ctx->mutex );
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	507	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	508	}
				509
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	510	/*
				511	* Set padding for an existing RSA context
				512	*/
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	513	int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
				514	mbedtls_md_type_t hash_id )
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	515	{
Ronald Cron	3a0375f	2021-06-08 10:22:28 +0200	[diff] [blame]	516	switch( padding )
				517	{
				518	#if defined(MBEDTLS_PKCS1_V15)
				519	case MBEDTLS_RSA_PKCS_V15:
				520	break;
				521	#endif
				522
				523	#if defined(MBEDTLS_PKCS1_V21)
				524	case MBEDTLS_RSA_PKCS_V21:
				525	break;
				526	#endif
				527	default:
				528	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
				529	}
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	530
				531	if( ( padding == MBEDTLS_RSA_PKCS_V21 ) &&
				532	( hash_id != MBEDTLS_MD_NONE ) )
				533	{
				534	const mbedtls_md_info_t *md_info;
				535
				536	md_info = mbedtls_md_info_from_type( hash_id );
				537	if( md_info == NULL )
				538	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
				539	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	540
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	541	ctx->padding = padding;
				542	ctx->hash_id = hash_id;
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	543
				544	return( 0 );
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	545	}
				546
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	547	/*
				548	* Get length in bytes of RSA modulus
				549	*/
				550
				551	size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
				552	{
Hanno Becker	2f8f06a	2017-09-29 11:47:26 +0100	[diff] [blame]	553	return( ctx->len );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	554	}
				555
				556
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	557	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	558
				559	/*
				560	* Generate an RSA keypair
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	561	*
				562	* This generation method follows the RSA key pair generation procedure of
				563	* FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	564	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	565	int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	566	int (f_rng)(void , unsigned char *, size_t),
				567	void *p_rng,
				568	unsigned int nbits, int exponent )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	569	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	570	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	571	mbedtls_mpi H, G, L;
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	572	int prime_quality = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	573	RSA_VALIDATE_RET( ctx != NULL );
				574	RSA_VALIDATE_RET( f_rng != NULL );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	575
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	576	/*
				577	* If the modulus is 1024 bit long or shorter, then the security strength of
				578	* the RSA algorithm is less than or equal to 80 bits and therefore an error
				579	* rate of 2^-80 is sufficient.
				580	*/
				581	if( nbits > 1024 )
				582	prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
				583
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	584	mbedtls_mpi_init( &H );
				585	mbedtls_mpi_init( &G );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	586	mbedtls_mpi_init( &L );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	587
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	588	if( nbits < 128 \|\| exponent < 3 \|\| nbits % 2 != 0 )
				589	{
				590	ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				591	goto cleanup;
				592	}
				593
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	594	/*
				595	* find primes P and Q with Q < P so that:
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	596	* 1. \|P-Q\| > 2^( nbits / 2 - 100 )
				597	* 2. GCD( E, (P-1)*(Q-1) ) == 1
				598	* 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	599	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	600	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	601
				602	do
				603	{
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	604	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
				605	prime_quality, f_rng, p_rng ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	606
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	607	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
				608	prime_quality, f_rng, p_rng ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	609
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	610	/* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
				611	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
				612	if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	613	continue;
				614
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	615	/* not required by any standards, but some users rely on the fact that P > Q */
				616	if( H.s < 0 )
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	617	mbedtls_mpi_swap( &ctx->P, &ctx->Q );
Janos Follath	ef44178	2016-09-21 13:18:12 +0100	[diff] [blame]	618
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	619	/* Temporarily replace P,Q by P-1, Q-1 */
				620	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
				621	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
				622	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	623
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	624	/* check GCD( E, (P-1)(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) /
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	625	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	626	if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
				627	continue;
				628
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	629	/* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	630	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
				631	MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
				632	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
				633
				634	if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
				635	continue;
				636
				637	break;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	638	}
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	639	while( 1 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	640
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	641	/* Restore P,Q */
				642	MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
				643	MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
				644
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	645	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
				646
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	647	ctx->len = mbedtls_mpi_size( &ctx->N );
				648
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	649	#if !defined(MBEDTLS_RSA_NO_CRT)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	650	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	651	* DP = D mod (P - 1)
				652	* DQ = D mod (Q - 1)
				653	* QP = Q^-1 mod P
				654	*/
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	655	MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				656	&ctx->DP, &ctx->DQ, &ctx->QP ) );
				657	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	658
Hanno Becker	83aad1f	2017-08-23 06:45:10 +0100	[diff] [blame]	659	/* Double-check */
				660	MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	661
				662	cleanup:
				663
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	664	mbedtls_mpi_free( &H );
				665	mbedtls_mpi_free( &G );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	666	mbedtls_mpi_free( &L );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	667
				668	if( ret != 0 )
				669	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	670	mbedtls_rsa_free( ctx );
Chris Jones	7439209	2021-04-01 16:00:01 +0100	[diff] [blame]	671
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	672	if( ( -ret & ~0x7f ) == 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	673	ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret );
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	674	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	675	}
				676
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	677	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	678	}
				679
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	680	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	681
				682	/*
				683	* Check a public RSA key
				684	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	685	int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	686	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	687	RSA_VALIDATE_RET( ctx != NULL );
				688
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	689	if( rsa_check_context( ctx, 0 /* public /, 0 / no blinding */ ) != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	690	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	37940d9f	2009-07-10 22:38:58 +0000	[diff] [blame]	691
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	692	if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	693	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	694	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	695	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	696
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	697	if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 \|\|
				698	mbedtls_mpi_bitlen( &ctx->E ) < 2 \|\|
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	699	mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	700	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	701	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	702	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	703
				704	return( 0 );
				705	}
				706
				707	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	708	* Check for the consistency of all fields in an RSA private key context
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	709	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	710	int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	711	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	712	RSA_VALIDATE_RET( ctx != NULL );
				713
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	714	if( mbedtls_rsa_check_pubkey( ctx ) != 0 \|\|
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	715	rsa_check_context( ctx, 1 /* private /, 1 / blinding */ ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	716	{
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	717	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	718	}
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	719
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	720	if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	721	&ctx->D, &ctx->E, NULL, NULL ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	722	{
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	723	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	724	}
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	725
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	726	#if !defined(MBEDTLS_RSA_NO_CRT)
				727	else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
				728	&ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
				729	{
				730	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
				731	}
				732	#endif
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	733
				734	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	735	}
				736
				737	/*
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	738	* Check if contexts holding a public and private key match
				739	*/
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	740	int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
				741	const mbedtls_rsa_context *prv )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	742	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	743	RSA_VALIDATE_RET( pub != NULL );
				744	RSA_VALIDATE_RET( prv != NULL );
				745
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	746	if( mbedtls_rsa_check_pubkey( pub ) != 0 \|\|
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	747	mbedtls_rsa_check_privkey( prv ) != 0 )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	748	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	749	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	750	}
				751
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	752	if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 \|\|
				753	mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	754	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	755	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	756	}
				757
				758	return( 0 );
				759	}
				760
				761	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	762	* Do an RSA public key operation
				763	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	764	int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	765	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	766	unsigned char *output )
				767	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	768	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	769	size_t olen;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	770	mbedtls_mpi T;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	771	RSA_VALIDATE_RET( ctx != NULL );
				772	RSA_VALIDATE_RET( input != NULL );
				773	RSA_VALIDATE_RET( output != NULL );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	774
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	775	if( rsa_check_context( ctx, 0 /* public /, 0 / no blinding */ ) )
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	776	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				777
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	778	mbedtls_mpi_init( &T );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	779
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	780	#if defined(MBEDTLS_THREADING_C)
				781	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				782	return( ret );
				783	#endif
				784
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	785	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	786
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	787	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	788	{
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	789	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				790	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	791	}
				792
				793	olen = ctx->len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	794	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
				795	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	796
				797	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	798	#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	799	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				800	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard	88fca3e	2015-03-27 15:06:07 +0100	[diff] [blame]	801	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	802
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	803	mbedtls_mpi_free( &T );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	804
				805	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	806	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	807
				808	return( 0 );
				809	}
				810
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	811	/*
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	812	* Generate or update blinding values, see section 10 of:
				813	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard	998930a	2015-04-03 13:48:06 +0200	[diff] [blame]	814	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	815	* Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	816	*/
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	817	static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	818	int (f_rng)(void , unsigned char , size_t), void p_rng )
				819	{
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	820	int ret, count = 0;
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	821	mbedtls_mpi R;
				822
				823	mbedtls_mpi_init( &R );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	824
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	825	if( ctx->Vf.p != NULL )
				826	{
				827	/* We already have blinding values, just update them by squaring */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	828	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
				829	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
				830	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
				831	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	832
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	833	goto cleanup;
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	834	}
				835
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	836	/* Unblinding value: Vf = random number, invertible mod N */
				837	do {
				838	if( count++ > 10 )
Manuel Pégourié-Gonnard	e288ec0	2020-07-16 09:23:30 +0200	[diff] [blame]	839	{
				840	ret = MBEDTLS_ERR_RSA_RNG_FAILED;
				841	goto cleanup;
				842	}
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	843
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	844	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	845
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	846	/* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	847	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
				848	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
				849	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
				850
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	851	/* At this point, Vi is invertible mod N if and only if both Vf and R
				852	* are invertible mod N. If one of them isn't, we don't need to know
				853	* which one, we just loop and choose new values for both of them.
				854	* (Each iteration succeeds with overwhelming probability.) */
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	855	ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
Peter Kolbus	ca8b8e7	2020-09-24 11:11:50 -0500	[diff] [blame]	856	if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
Manuel Pégourié-Gonnard	b3e3d79	2020-06-26 11:03:19 +0200	[diff] [blame]	857	goto cleanup;
				858
Peter Kolbus	ca8b8e7	2020-09-24 11:11:50 -0500	[diff] [blame]	859	} while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
				860
				861	/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
				862	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
				863	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	864
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	865	/* Blinding value: Vi = Vf^(-e) mod N
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	866	* (Vi already contains Vf^-1 at this point) */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	867	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	868
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	869
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	870	cleanup:
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	871	mbedtls_mpi_free( &R );
				872
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	873	return( ret );
				874	}
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	875
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	876	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	877	* Exponent blinding supposed to prevent side-channel attacks using multiple
				878	* traces of measurements to recover the RSA key. The more collisions are there,
				879	* the more bits of the key can be recovered. See [3].
				880	*
				881	* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
				882	* observations on avarage.
				883	*
				884	* For example with 28 byte blinding to achieve 2 collisions the adversary has
				885	* to make 2^112 observations on avarage.
				886	*
				887	* (With the currently (as of 2017 April) known best algorithms breaking 2048
				888	* bit RSA requires approximately as much time as trying out 2^112 random keys.
				889	* Thus in this sense with 28 byte blinding the security is not reduced by
				890	* side-channel attacks like the one in [3])
				891	*
				892	* This countermeasure does not help if the key recovery is possible with a
				893	* single trace.
				894	*/
				895	#define RSA_EXPONENT_BLINDING 28
				896
				897	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	898	* Do an RSA private key operation
				899	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	900	int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	901	int (f_rng)(void , unsigned char *, size_t),
				902	void *p_rng,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	903	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	904	unsigned char *output )
				905	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	906	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	907	size_t olen;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	908
				909	/* Temporary holding the result */
				910	mbedtls_mpi T;
				911
				912	/* Temporaries holding P-1, Q-1 and the
				913	* exponent blinding factor, respectively. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	914	mbedtls_mpi P1, Q1, R;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	915
				916	#if !defined(MBEDTLS_RSA_NO_CRT)
				917	/* Temporaries holding the results mod p resp. mod q. */
				918	mbedtls_mpi TP, TQ;
				919
				920	/* Temporaries holding the blinded exponents for
				921	* the mod p resp. mod q computation (if used). */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	922	mbedtls_mpi DP_blind, DQ_blind;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	923
				924	/* Pointers to actual exponents to be used - either the unblinded
				925	* or the blinded ones, depending on the presence of a PRNG. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	926	mbedtls_mpi *DP = &ctx->DP;
				927	mbedtls_mpi *DQ = &ctx->DQ;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	928	#else
				929	/* Temporary holding the blinded exponent (if used). */
				930	mbedtls_mpi D_blind;
				931
				932	/* Pointer to actual exponent to be used - either the unblinded
				933	* or the blinded one, depending on the presence of a PRNG. */
				934	mbedtls_mpi *D = &ctx->D;
Hanno Becker	43f9472	2017-08-25 11:50:00 +0100	[diff] [blame]	935	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	936
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	937	/* Temporaries holding the initial input and the double
				938	* checked result; should be the same in the end. */
				939	mbedtls_mpi I, C;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	940
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	941	RSA_VALIDATE_RET( ctx != NULL );
				942	RSA_VALIDATE_RET( input != NULL );
				943	RSA_VALIDATE_RET( output != NULL );
				944
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	945	if( f_rng == NULL )
				946	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				947
				948	if( rsa_check_context( ctx, 1 /* private key checks */,
				949	1 /* blinding on */ ) != 0 )
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	950	{
Manuel Pégourié-Gonnard	fb84d38	2015-10-30 10:56:25 +0100	[diff] [blame]	951	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	952	}
Manuel Pégourié-Gonnard	fb84d38	2015-10-30 10:56:25 +0100	[diff] [blame]	953
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	954	#if defined(MBEDTLS_THREADING_C)
				955	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				956	return( ret );
				957	#endif
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	958
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	959	/* MPI Initialization */
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	960	mbedtls_mpi_init( &T );
				961
				962	mbedtls_mpi_init( &P1 );
				963	mbedtls_mpi_init( &Q1 );
				964	mbedtls_mpi_init( &R );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	965
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	966	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	967	mbedtls_mpi_init( &D_blind );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	968	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	969	mbedtls_mpi_init( &DP_blind );
				970	mbedtls_mpi_init( &DQ_blind );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	971	#endif
				972
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	973	#if !defined(MBEDTLS_RSA_NO_CRT)
				974	mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	975	#endif
				976
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	977	mbedtls_mpi_init( &I );
				978	mbedtls_mpi_init( &C );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	979
				980	/* End of MPI initialization */
				981
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	982	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
				983	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	984	{
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	985	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				986	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	987	}
				988
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	989	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	990
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	991	/*
				992	* Blinding
				993	* T = T * Vi mod N
				994	*/
				995	MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
				996	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
				997	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	998
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	999	/*
				1000	* Exponent blinding
				1001	*/
				1002	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
				1003	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1004
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1005	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1006	/*
				1007	* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
				1008	*/
				1009	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				1010	f_rng, p_rng ) );
				1011	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
				1012	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
				1013	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1014
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1015	D = &D_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1016	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1017	/*
				1018	* DP_blind = ( P - 1 ) * R + DP
				1019	*/
				1020	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				1021	f_rng, p_rng ) );
				1022	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
				1023	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
				1024	&ctx->DP ) );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1025
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1026	DP = &DP_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1027
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1028	/*
				1029	* DQ_blind = ( Q - 1 ) * R + DQ
				1030	*/
				1031	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				1032	f_rng, p_rng ) );
				1033	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
				1034	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
				1035	&ctx->DQ ) );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1036
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1037	DQ = &DQ_blind;
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1038	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1039
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1040	#if defined(MBEDTLS_RSA_NO_CRT)
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1041	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnard	e10e06d	2014-11-06 18:15:12 +0100	[diff] [blame]	1042	#else
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1043	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1044	* Faster decryption using the CRT
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1045	*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1046	* TP = input ^ dP mod P
				1047	* TQ = input ^ dQ mod Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1048	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1049
				1050	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
				1051	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1052
				1053	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1054	* T = (TP - TQ) * (Q^-1 mod P) mod P
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1055	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1056	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
				1057	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
				1058	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1059
				1060	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1061	* T = TQ + T * Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1062	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1063	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
				1064	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1065	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1066
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1067	/*
				1068	* Unblind
				1069	* T = T * Vf mod N
				1070	*/
				1071	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
				1072	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1073
Hanno Becker	2dec5e8	2017-10-03 07:49:52 +0100	[diff] [blame]	1074	/* Verify the result to prevent glitching attacks. */
				1075	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
				1076	&ctx->N, &ctx->RN ) );
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	1077	if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1078	{
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1079	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				1080	goto cleanup;
				1081	}
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1082
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1083	olen = ctx->len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1084	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1085
				1086	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1087	#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	1088	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				1089	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	1090	#endif
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	1091
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1092	mbedtls_mpi_free( &P1 );
				1093	mbedtls_mpi_free( &Q1 );
				1094	mbedtls_mpi_free( &R );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1095
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1096	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1097	mbedtls_mpi_free( &D_blind );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1098	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1099	mbedtls_mpi_free( &DP_blind );
				1100	mbedtls_mpi_free( &DQ_blind );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1101	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1102
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1103	mbedtls_mpi_free( &T );
				1104
				1105	#if !defined(MBEDTLS_RSA_NO_CRT)
				1106	mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
				1107	#endif
				1108
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	1109	mbedtls_mpi_free( &C );
				1110	mbedtls_mpi_free( &I );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1111
Gilles Peskine	ae3741e	2020-11-25 00:10:31 +0100	[diff] [blame]	1112	if( ret != 0 && ret >= -0x007f )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1113	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1114
Gilles Peskine	ae3741e	2020-11-25 00:10:31 +0100	[diff] [blame]	1115	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1116	}
				1117
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1118	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1119	/**
				1120	* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
				1121	*
Paul Bakker	b125ed8	2011-11-10 13:33:51 +0000	[diff] [blame]	1122	* \param dst buffer to mask
				1123	* \param dlen length of destination buffer
				1124	* \param src source of the mask generation
				1125	* \param slen length of the source buffer
				1126	* \param md_ctx message digest context to use
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1127	*/
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1128	static int mgf_mask( unsigned char dst, size_t dlen, unsigned char src,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1129	size_t slen, mbedtls_md_context_t *md_ctx )
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1130	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1131	unsigned char mask[MBEDTLS_MD_MAX_SIZE];
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1132	unsigned char counter[4];
				1133	unsigned char *p;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1134	unsigned int hlen;
				1135	size_t i, use_len;
Andres Amaya Garcia	94682d1	2017-07-20 14:26:37 +0100	[diff] [blame]	1136	int ret = 0;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1137
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1138	memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1139	memset( counter, 0, 4 );
				1140
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1141	hlen = mbedtls_md_get_size( md_ctx->md_info );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1142
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1143	/* Generate and apply dbMask */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1144	p = dst;
				1145
				1146	while( dlen > 0 )
				1147	{
				1148	use_len = hlen;
				1149	if( dlen < hlen )
				1150	use_len = dlen;
				1151
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1152	if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
				1153	goto exit;
				1154	if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
				1155	goto exit;
				1156	if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
				1157	goto exit;
				1158	if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
				1159	goto exit;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1160
				1161	for( i = 0; i < use_len; ++i )
				1162	*p++ ^= mask[i];
				1163
				1164	counter[3]++;
				1165
				1166	dlen -= use_len;
				1167	}
Gilles Peskine	18ac716	2017-05-05 19:24:06 +0200	[diff] [blame]	1168
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1169	exit:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1170	mbedtls_platform_zeroize( mask, sizeof( mask ) );
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1171
				1172	return( ret );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1173	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1174	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1175
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1176	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1177	/*
				1178	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
				1179	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1180	int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1181	int (f_rng)(void , unsigned char *, size_t),
				1182	void *p_rng,
Paul Bakker	a43231c	2013-02-28 17:33:49 +0100	[diff] [blame]	1183	const unsigned char *label, size_t label_len,
				1184	size_t ilen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1185	const unsigned char *input,
				1186	unsigned char *output )
				1187	{
				1188	size_t olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1189	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1190	unsigned char *p = output;
				1191	unsigned int hlen;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1192	const mbedtls_md_info_t *md_info;
				1193	mbedtls_md_context_t md_ctx;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1194
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1195	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1196	RSA_VALIDATE_RET( output != NULL );
Jaeden Amero	fb23673	2019-02-08 13:11:59 +0000	[diff] [blame]	1197	RSA_VALIDATE_RET( ilen == 0 \|\| input != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1198	RSA_VALIDATE_RET( label_len == 0 \|\| label != NULL );
				1199
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1200	if( f_rng == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1201	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1202
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1203	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1204	if( md_info == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1205	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1206
				1207	olen = ctx->len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1208	hlen = mbedtls_md_get_size( md_info );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1209
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1210	/* first comparison checks for overflow */
Janos Follath	eddfe8f	2016-02-08 14:52:29 +0000	[diff] [blame]	1211	if( ilen + 2 * hlen + 2 < ilen \|\| olen < ilen + 2 * hlen + 2 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1212	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1213
				1214	memset( output, 0, olen );
				1215
				1216	*p++ = 0;
				1217
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1218	/* Generate a random octet string seed */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1219	if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1220	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1221
				1222	p += hlen;
				1223
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1224	/* Construct DB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1225	if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
				1226	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1227	p += hlen;
				1228	p += olen - 2 * hlen - 2 - ilen;
				1229	*p++ = 1;
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1230	if( ilen != 0 )
				1231	memcpy( p, input, ilen );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1232
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1233	mbedtls_md_init( &md_ctx );
Brian J Murray	e7be5bd	2016-06-23 12:57:03 -0700	[diff] [blame]	1234	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1235	goto exit;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1236
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1237	/* maskedDB: Apply dbMask to DB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1238	if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
				1239	&md_ctx ) ) != 0 )
				1240	goto exit;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1241
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1242	/* maskedSeed: Apply seedMask to seed */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1243	if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
				1244	&md_ctx ) ) != 0 )
				1245	goto exit;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1246
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1247	exit:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1248	mbedtls_md_free( &md_ctx );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1249
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1250	if( ret != 0 )
				1251	return( ret );
				1252
Thomas Daubney	141700f	2021-05-13 19:06:10 +0100	[diff] [blame]	1253	return( mbedtls_rsa_public( ctx, output, output ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1254	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1255	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1256
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1257	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1258	/*
				1259	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
				1260	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1261	int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1262	int (f_rng)(void , unsigned char *, size_t),
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1263	void *p_rng, size_t ilen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1264	const unsigned char *input,
				1265	unsigned char *output )
				1266	{
				1267	size_t nb_pad, olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1268	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1269	unsigned char *p = output;
				1270
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1271	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1272	RSA_VALIDATE_RET( output != NULL );
Jaeden Amero	fb23673	2019-02-08 13:11:59 +0000	[diff] [blame]	1273	RSA_VALIDATE_RET( ilen == 0 \|\| input != NULL );
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1274
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1275	olen = ctx->len;
Manuel Pégourié-Gonnard	370717b	2016-02-11 10:35:13 +0100	[diff] [blame]	1276
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1277	/* first comparison checks for overflow */
Janos Follath	eddfe8f	2016-02-08 14:52:29 +0000	[diff] [blame]	1278	if( ilen + 11 < ilen \|\| olen < ilen + 11 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1279	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1280
				1281	nb_pad = olen - 3 - ilen;
				1282
				1283	*p++ = 0;
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1284
				1285	if( f_rng == NULL )
				1286	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1287
				1288	*p++ = MBEDTLS_RSA_CRYPT;
				1289
				1290	while( nb_pad-- > 0 )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1291	{
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1292	int rng_dl = 100;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1293
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1294	do {
				1295	ret = f_rng( p_rng, p, 1 );
				1296	} while( *p == 0 && --rng_dl && ret == 0 );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1297
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1298	/* Check if RNG failed to generate data */
				1299	if( rng_dl == 0 \|\| ret != 0 )
				1300	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1301
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1302	p++;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1303	}
				1304
				1305	*p++ = 0;
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1306	if( ilen != 0 )
				1307	memcpy( p, input, ilen );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1308
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1309	return( mbedtls_rsa_public( ctx, output, output ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1310	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1311	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1312
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1313	/*
				1314	* Add the message padding, then do an RSA operation
				1315	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1316	int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	1317	int (f_rng)(void , unsigned char *, size_t),
Paul Bakker	21eb280	2010-08-16 11:10:02 +0000	[diff] [blame]	1318	void *p_rng,
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1319	size_t ilen,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	1320	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1321	unsigned char *output )
				1322	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1323	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1324	RSA_VALIDATE_RET( output != NULL );
Jaeden Amero	fb23673	2019-02-08 13:11:59 +0000	[diff] [blame]	1325	RSA_VALIDATE_RET( ilen == 0 \|\| input != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1326
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1327	switch( ctx->padding )
				1328	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1329	#if defined(MBEDTLS_PKCS1_V15)
				1330	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1331	return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng,
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1332	ilen, input, output );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1333	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1334
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1335	#if defined(MBEDTLS_PKCS1_V21)
				1336	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	141700f	2021-05-13 19:06:10 +0100	[diff] [blame]	1337	return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, NULL, 0,
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1338	ilen, input, output );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1339	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1340
				1341	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1342	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1343	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1344	}
				1345
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1346	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1347	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1348	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1349	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1350	int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1351	int (f_rng)(void , unsigned char *, size_t),
				1352	void *p_rng,
Paul Bakker	a43231c	2013-02-28 17:33:49 +0100	[diff] [blame]	1353	const unsigned char *label, size_t label_len,
				1354	size_t *olen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1355	const unsigned char *input,
				1356	unsigned char *output,
				1357	size_t output_max_len )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1358	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1359	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1360	size_t ilen, i, pad_len;
				1361	unsigned char *p, bad, pad_done;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1362	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
				1363	unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1364	unsigned int hlen;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1365	const mbedtls_md_info_t *md_info;
				1366	mbedtls_md_context_t md_ctx;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1367
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1368	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1369	RSA_VALIDATE_RET( output_max_len == 0 \|\| output != NULL );
				1370	RSA_VALIDATE_RET( label_len == 0 \|\| label != NULL );
				1371	RSA_VALIDATE_RET( input != NULL );
				1372	RSA_VALIDATE_RET( olen != NULL );
				1373
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1374	/*
				1375	* Parameters sanity checks
				1376	*/
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1377	if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1378	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1379
				1380	ilen = ctx->len;
				1381
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	1382	if( ilen < 16 \|\| ilen > sizeof( buf ) )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1383	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1384
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1385	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1386	if( md_info == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1387	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1388
Janos Follath	c17cda1	2016-02-11 11:08:18 +0000	[diff] [blame]	1389	hlen = mbedtls_md_get_size( md_info );
				1390
				1391	// checking for integer underflow
				1392	if( 2 * hlen + 2 > ilen )
				1393	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1394
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1395	/*
				1396	* RSA operation
				1397	*/
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1398	ret = mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1399
				1400	if( ret != 0 )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1401	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1402
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1403	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1404	* Unmask data and generate lHash
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1405	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1406	mbedtls_md_init( &md_ctx );
Brian J Murray	e7be5bd	2016-06-23 12:57:03 -0700	[diff] [blame]	1407	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
				1408	{
				1409	mbedtls_md_free( &md_ctx );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1410	goto cleanup;
Brian J Murray	e7be5bd	2016-06-23 12:57:03 -0700	[diff] [blame]	1411	}
				1412
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1413	/* seed: Apply seedMask to maskedSeed */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1414	if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
				1415	&md_ctx ) ) != 0 \|\|
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1416	/* DB: Apply dbMask to maskedDB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1417	( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
				1418	&md_ctx ) ) != 0 )
				1419	{
				1420	mbedtls_md_free( &md_ctx );
				1421	goto cleanup;
				1422	}
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1423
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1424	mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1425
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1426	/* Generate lHash */
				1427	if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
				1428	goto cleanup;
				1429
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1430	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1431	* Check contents, in "constant-time"
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1432	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1433	p = buf;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1434	bad = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1435
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1436	bad \|= p++; / First byte must be 0 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1437
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1438	p += hlen; /* Skip seed */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1439
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1440	/* Check lHash */
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1441	for( i = 0; i < hlen; i++ )
				1442	bad \|= lhash[i] ^ *p++;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1443
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1444	/* Get zero-padding len, but always read till end of buffer
				1445	* (minus one, for the 01 byte) */
				1446	pad_len = 0;
				1447	pad_done = 0;
				1448	for( i = 0; i < ilen - 2 * hlen - 2; i++ )
				1449	{
				1450	pad_done \|= p[i];
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	1451	pad_len += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1452	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1453
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1454	p += pad_len;
				1455	bad \|= *p++ ^ 0x01;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1456
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1457	/*
				1458	* The only information "leaked" is whether the padding was correct or not
				1459	* (eg, no data is copied if it was not correct). This meets the
				1460	* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
				1461	* the different error conditions.
				1462	*/
				1463	if( bad != 0 )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1464	{
				1465	ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
				1466	goto cleanup;
				1467	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1468
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1469	if( ilen - ( p - buf ) > output_max_len )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1470	{
				1471	ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
				1472	goto cleanup;
				1473	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1474
				1475	*olen = ilen - (p - buf);
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1476	if( *olen != 0 )
				1477	memcpy( output, p, *olen );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1478	ret = 0;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1479
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1480	cleanup:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1481	mbedtls_platform_zeroize( buf, sizeof( buf ) );
				1482	mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1483
				1484	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1485	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1486	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1487
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1488	#if defined(MBEDTLS_PKCS1_V15)
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1489	/*
				1490	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
				1491	*/
				1492	int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
				1493	int (f_rng)(void , unsigned char *, size_t),
				1494	void *p_rng,
				1495	size_t *olen,
				1496	const unsigned char *input,
				1497	unsigned char *output,
				1498	size_t output_max_len )
				1499	{
				1500	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				1501	size_t ilen;
				1502	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
				1503
				1504	RSA_VALIDATE_RET( ctx != NULL );
				1505	RSA_VALIDATE_RET( output_max_len == 0 \|\| output != NULL );
				1506	RSA_VALIDATE_RET( input != NULL );
				1507	RSA_VALIDATE_RET( olen != NULL );
				1508
				1509	ilen = ctx->len;
				1510
				1511	if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
				1512	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1513
				1514	if( ilen < 16 \|\| ilen > sizeof( buf ) )
				1515	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1516
				1517	ret = mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
				1518
				1519	if( ret != 0 )
				1520	goto cleanup;
				1521
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	1522	ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( buf, ilen,
Gabor Mezei	63bbba5	2021-10-18 16:17:57 +0200	[diff] [blame]	1523	output, output_max_len, olen );
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1524
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1525	cleanup:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1526	mbedtls_platform_zeroize( buf, sizeof( buf ) );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1527
				1528	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1529	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1530	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1531
				1532	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1533	* Do an RSA operation, then remove the message padding
				1534	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1535	int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1536	int (f_rng)(void , unsigned char *, size_t),
				1537	void *p_rng,
Thomas Daubney	c7feaf3	2021-05-07 14:02:43 +0100	[diff] [blame]	1538	size_t *olen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1539	const unsigned char *input,
				1540	unsigned char *output,
				1541	size_t output_max_len)
				1542	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1543	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1544	RSA_VALIDATE_RET( output_max_len == 0 \|\| output != NULL );
				1545	RSA_VALIDATE_RET( input != NULL );
				1546	RSA_VALIDATE_RET( olen != NULL );
				1547
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1548	switch( ctx->padding )
				1549	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1550	#if defined(MBEDTLS_PKCS1_V15)
				1551	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	3473308	2021-05-12 09:24:29 +0100	[diff] [blame]	1552	return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, olen,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1553	input, output, output_max_len );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1554	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1555
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1556	#if defined(MBEDTLS_PKCS1_V21)
				1557	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1558	return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, NULL, 0,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1559	olen, input, output,
				1560	output_max_len );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1561	#endif
				1562
				1563	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1564	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1565	}
				1566	}
				1567
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1568	#if defined(MBEDTLS_PKCS1_V21)
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1569	static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1570	int (f_rng)(void , unsigned char *, size_t),
				1571	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1572	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1573	unsigned int hashlen,
				1574	const unsigned char *hash,
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1575	int saltlen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1576	unsigned char *sig )
				1577	{
				1578	size_t olen;
				1579	unsigned char *p = sig;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1580	unsigned char *salt = NULL;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1581	size_t slen, min_slen, hlen, offset = 0;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1582	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1583	size_t msb;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1584	const mbedtls_md_info_t *md_info;
				1585	mbedtls_md_context_t md_ctx;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1586	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1587	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				1588	hashlen == 0 ) \|\|
				1589	hash != NULL );
				1590	RSA_VALIDATE_RET( sig != NULL );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1591
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1592	if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
				1593	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1594
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1595	if( f_rng == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1596	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1597
				1598	olen = ctx->len;
				1599
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1600	if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1601	{
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1602	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1603	md_info = mbedtls_md_info_from_type( md_alg );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	1604	if( md_info == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1605	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	1606
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1607	if( hashlen != mbedtls_md_get_size( md_info ) )
				1608	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1609	}
				1610
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1611	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1612	if( md_info == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1613	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1614
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1615	hlen = mbedtls_md_get_size( md_info );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1616
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1617	if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY)
				1618	{
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1619	/* Calculate the largest possible salt length, up to the hash size.
				1620	* Normally this is the hash length, which is the maximum salt length
				1621	* according to FIPS 185-4 §5.5 (e) and common practice. If there is not
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1622	* enough room, use the maximum salt length that fits. The constraint is
				1623	* that the hash length plus the salt length plus 2 bytes must be at most
				1624	* the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
				1625	* (PKCS#1 v2.2) §9.1.1 step 3. */
				1626	min_slen = hlen - 2;
				1627	if( olen < hlen + min_slen + 2 )
				1628	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1629	else if( olen >= hlen + hlen + 2 )
				1630	slen = hlen;
				1631	else
				1632	slen = olen - hlen - 2;
				1633	}
Cédric Meuter	46bad33	2021-01-10 12:57:19 +0100	[diff] [blame]	1634	else if ( (saltlen < 0) \|\| (saltlen + hlen + 2 > olen) )
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1635	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1636	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1637	}
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1638	else
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1639	{
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1640	slen = (size_t) saltlen;
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1641	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1642
				1643	memset( sig, 0, olen );
				1644
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1645	/* Note: EMSA-PSS encoding is over the length of N - 1 bits */
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	1646	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1647	p += olen - hlen - slen - 2;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1648	*p++ = 0x01;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1649
				1650	/* Generate salt of length slen in place in the encoded message */
				1651	salt = p;
				1652	if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1653	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1654
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1655	p += slen;
				1656
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1657	mbedtls_md_init( &md_ctx );
Brian J Murray	e7be5bd	2016-06-23 12:57:03 -0700	[diff] [blame]	1658	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1659	goto exit;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1660
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1661	/* Generate H = Hash( M' ) */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1662	if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
				1663	goto exit;
				1664	if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
				1665	goto exit;
				1666	if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
				1667	goto exit;
				1668	if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
				1669	goto exit;
				1670	if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
				1671	goto exit;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1672
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1673	/* Compensate for boundary condition when applying mask */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1674	if( msb % 8 == 0 )
				1675	offset = 1;
				1676
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1677	/* maskedDB: Apply dbMask to DB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1678	if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
				1679	&md_ctx ) ) != 0 )
				1680	goto exit;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1681
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	1682	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1683	sig[0] &= 0xFF >> ( olen * 8 - msb );
				1684
				1685	p += hlen;
				1686	*p++ = 0xBC;
				1687
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1688	exit:
				1689	mbedtls_md_free( &md_ctx );
				1690
				1691	if( ret != 0 )
				1692	return( ret );
				1693
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1694	return mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1695	}
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1696
				1697	/*
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1698	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
				1699	* the option to pass in the salt length.
				1700	*/
				1701	int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
				1702	int (f_rng)(void , unsigned char *, size_t),
				1703	void *p_rng,
				1704	mbedtls_md_type_t md_alg,
				1705	unsigned int hashlen,
				1706	const unsigned char *hash,
				1707	int saltlen,
				1708	unsigned char *sig )
				1709	{
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1710	return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1711	hashlen, hash, saltlen, sig );
				1712	}
				1713
				1714
				1715	/*
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1716	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
				1717	*/
				1718	int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
				1719	int (f_rng)(void , unsigned char *, size_t),
				1720	void *p_rng,
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1721	mbedtls_md_type_t md_alg,
				1722	unsigned int hashlen,
				1723	const unsigned char *hash,
				1724	unsigned char *sig )
				1725	{
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1726	return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1727	hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig );
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1728	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1729	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1730
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1731	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1732	/*
				1733	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
				1734	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1735
				1736	/* Construct a PKCS v1.5 encoding of a hashed message
				1737	*
				1738	* This is used both for signature generation and verification.
				1739	*
				1740	* Parameters:
				1741	* - md_alg: Identifies the hash algorithm used to generate the given hash;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1742	* MBEDTLS_MD_NONE if raw data is signed.
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1743	* - hashlen: Length of hash. Must match md_alg if that's not NONE.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1744	* - hash: Buffer containing the hashed message or the raw data.
				1745	* - dst_len: Length of the encoded message.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1746	* - dst: Buffer to hold the encoded message.
				1747	*
				1748	* Assumptions:
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1749	* - hash has size hashlen.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1750	* - dst points to a buffer of size at least dst_len.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1751	*
				1752	*/
				1753	static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
				1754	unsigned int hashlen,
				1755	const unsigned char *hash,
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1756	size_t dst_len,
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1757	unsigned char *dst )
				1758	{
				1759	size_t oid_size = 0;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1760	size_t nb_pad = dst_len;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1761	unsigned char *p = dst;
				1762	const char *oid = NULL;
				1763
				1764	/* Are we signing hashed or raw data? */
				1765	if( md_alg != MBEDTLS_MD_NONE )
				1766	{
				1767	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
				1768	if( md_info == NULL )
				1769	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1770
				1771	if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
				1772	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1773
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1774	if( hashlen != mbedtls_md_get_size( md_info ) )
				1775	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1776
				1777	/* Double-check that 8 + hashlen + oid_size can be used as a
				1778	* 1-byte ASN.1 length encoding and that there's no overflow. */
				1779	if( 8 + hashlen + oid_size >= 0x80 \|\|
				1780	10 + hashlen < hashlen \|\|
				1781	10 + hashlen + oid_size < 10 + hashlen )
				1782	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1783
				1784	/*
				1785	* Static bounds check:
				1786	* - Need 10 bytes for five tag-length pairs.
				1787	* (Insist on 1-byte length encodings to protect against variants of
				1788	* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
				1789	* - Need hashlen bytes for hash
				1790	* - Need oid_size bytes for hash alg OID.
				1791	*/
				1792	if( nb_pad < 10 + hashlen + oid_size )
				1793	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1794	nb_pad -= 10 + hashlen + oid_size;
				1795	}
				1796	else
				1797	{
				1798	if( nb_pad < hashlen )
				1799	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1800
				1801	nb_pad -= hashlen;
				1802	}
				1803
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1804	/* Need space for signature header and padding delimiter (3 bytes),
				1805	* and 8 bytes for the minimal padding */
				1806	if( nb_pad < 3 + 8 )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1807	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1808	nb_pad -= 3;
				1809
				1810	/* Now nb_pad is the amount of memory to be filled
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1811	* with padding, and at least 8 bytes long. */
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1812
				1813	/* Write signature header and padding */
				1814	*p++ = 0;
				1815	*p++ = MBEDTLS_RSA_SIGN;
				1816	memset( p, 0xFF, nb_pad );
				1817	p += nb_pad;
				1818	*p++ = 0;
				1819
				1820	/* Are we signing raw data? */
				1821	if( md_alg == MBEDTLS_MD_NONE )
				1822	{
				1823	memcpy( p, hash, hashlen );
				1824	return( 0 );
				1825	}
				1826
				1827	/* Signing hashed data, add corresponding ASN.1 structure
				1828	*
				1829	* DigestInfo ::= SEQUENCE {
				1830	* digestAlgorithm DigestAlgorithmIdentifier,
				1831	* digest Digest }
				1832	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
				1833	* Digest ::= OCTET STRING
				1834	*
				1835	* Schematic:
				1836	* TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
				1837	* TAG-NULL + LEN [ NULL ] ]
				1838	* TAG-OCTET + LEN [ HASH ] ]
				1839	*/
				1840	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1841	*p++ = (unsigned char)( 0x08 + oid_size + hashlen );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1842	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1843	*p++ = (unsigned char)( 0x04 + oid_size );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1844	*p++ = MBEDTLS_ASN1_OID;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1845	*p++ = (unsigned char) oid_size;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1846	memcpy( p, oid, oid_size );
				1847	p += oid_size;
				1848	*p++ = MBEDTLS_ASN1_NULL;
				1849	*p++ = 0x00;
				1850	*p++ = MBEDTLS_ASN1_OCTET_STRING;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1851	*p++ = (unsigned char) hashlen;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1852	memcpy( p, hash, hashlen );
				1853	p += hashlen;
				1854
				1855	/* Just a sanity-check, should be automatic
				1856	* after the initial bounds check. */
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1857	if( p != dst + dst_len )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1858	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1859	mbedtls_platform_zeroize( dst, dst_len );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1860	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1861	}
				1862
				1863	return( 0 );
				1864	}
				1865
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1866	/*
				1867	* Do an RSA operation to sign the message digest
				1868	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1869	int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1870	int (f_rng)(void , unsigned char *, size_t),
				1871	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1872	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1873	unsigned int hashlen,
				1874	const unsigned char *hash,
				1875	unsigned char *sig )
				1876	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1877	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1878	unsigned char sig_try = NULL, verif = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1879
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1880	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1881	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				1882	hashlen == 0 ) \|\|
				1883	hash != NULL );
				1884	RSA_VALIDATE_RET( sig != NULL );
				1885
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1886	if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
				1887	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1888
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1889	/*
				1890	* Prepare PKCS1-v1.5 encoding (padding and hash identifier)
				1891	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1892
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1893	if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
				1894	ctx->len, sig ) ) != 0 )
				1895	return( ret );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1896
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1897	/* Private key operation
				1898	*
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1899	* In order to prevent Lenstra's attack, make the signature in a
				1900	* temporary buffer and check it before returning it.
				1901	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1902
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1903	sig_try = mbedtls_calloc( 1, ctx->len );
Simon Butcher	1285ab5	2016-01-01 21:42:47 +0000	[diff] [blame]	1904	if( sig_try == NULL )
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1905	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
				1906
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1907	verif = mbedtls_calloc( 1, ctx->len );
Simon Butcher	1285ab5	2016-01-01 21:42:47 +0000	[diff] [blame]	1908	if( verif == NULL )
				1909	{
				1910	mbedtls_free( sig_try );
				1911	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
				1912	}
				1913
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1914	MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
				1915	MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
				1916
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	1917	if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 )
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1918	{
				1919	ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
				1920	goto cleanup;
				1921	}
				1922
				1923	memcpy( sig, sig_try, ctx->len );
				1924
				1925	cleanup:
Gilles Peskine	14d5fef	2021-12-13 12:37:55 +0100	[diff] [blame]	1926	mbedtls_platform_zeroize( sig_try, ctx->len );
				1927	mbedtls_platform_zeroize( verif, ctx->len );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1928	mbedtls_free( sig_try );
				1929	mbedtls_free( verif );
				1930
Gilles Peskine	14d5fef	2021-12-13 12:37:55 +0100	[diff] [blame]	1931	if( ret != 0 )
				1932	memset( sig, '!', ctx->len );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1933	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1934	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1935	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1936
				1937	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1938	* Do an RSA operation to sign the message digest
				1939	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1940	int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	1941	int (f_rng)(void , unsigned char *, size_t),
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1942	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1943	mbedtls_md_type_t md_alg,
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1944	unsigned int hashlen,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	1945	const unsigned char *hash,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1946	unsigned char *sig )
				1947	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1948	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1949	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				1950	hashlen == 0 ) \|\|
				1951	hash != NULL );
				1952	RSA_VALIDATE_RET( sig != NULL );
				1953
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1954	switch( ctx->padding )
				1955	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1956	#if defined(MBEDTLS_PKCS1_V15)
				1957	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	5265498	2021-05-18 16:54:00 +0100	[diff] [blame]	1958	return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng,
Thomas Daubney	140184d	2021-05-18 16:04:07 +0100	[diff] [blame]	1959	md_alg, hashlen, hash, sig );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1960	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1961
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1962	#if defined(MBEDTLS_PKCS1_V21)
				1963	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	de9fdc4	2021-05-18 17:10:04 +0100	[diff] [blame]	1964	return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
				1965	hashlen, hash, sig );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1966	#endif
				1967
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1968	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1969	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1970	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1971	}
				1972
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1973	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1974	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1975	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1976	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1977	int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1978	mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	1979	unsigned int hashlen,
				1980	const unsigned char *hash,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1981	mbedtls_md_type_t mgf1_hash_id,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	1982	int expected_salt_len,
				1983	const unsigned char *sig )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1984	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1985	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1986	size_t siglen;
				1987	unsigned char *p;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	1988	unsigned char *hash_start;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1989	unsigned char result[MBEDTLS_MD_MAX_SIZE];
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1990	unsigned char zeros[8];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1991	unsigned int hlen;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	1992	size_t observed_salt_len, msb;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1993	const mbedtls_md_info_t *md_info;
				1994	mbedtls_md_context_t md_ctx;
Nicholas Wilson	409401c	2016-04-13 11:48:25 +0100	[diff] [blame]	1995	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1996
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1997	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1998	RSA_VALIDATE_RET( sig != NULL );
				1999	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2000	hashlen == 0 ) \|\|
				2001	hash != NULL );
				2002
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2003	siglen = ctx->len;
				2004
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	2005	if( siglen < 16 \|\| siglen > sizeof( buf ) )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2006	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2007
Thomas Daubney	782a7f5	2021-05-19 12:27:35 +0100	[diff] [blame]	2008	ret = mbedtls_rsa_public( ctx, sig, buf );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2009
				2010	if( ret != 0 )
				2011	return( ret );
				2012
				2013	p = buf;
				2014
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2015	if( buf[siglen - 1] != 0xBC )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2016	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2017
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2018	if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2019	{
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2020	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2021	md_info = mbedtls_md_info_from_type( md_alg );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2022	if( md_info == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2023	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2024
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2025	if( hashlen != mbedtls_md_get_size( md_info ) )
				2026	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2027	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2028
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2029	md_info = mbedtls_md_info_from_type( mgf1_hash_id );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2030	if( md_info == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2031	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2032
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2033	hlen = mbedtls_md_get_size( md_info );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2034
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2035	memset( zeros, 0, 8 );
Paul Bakker	53019ae	2011-03-25 13:58:48 +0000	[diff] [blame]	2036
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2037	/*
				2038	* Note: EMSA-PSS verification is over the length of N - 1 bits
				2039	*/
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	2040	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2041
Gilles Peskine	b00b0da	2017-10-19 15:23:49 +0200	[diff] [blame]	2042	if( buf[0] >> ( 8 - siglen * 8 + msb ) )
				2043	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				2044
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2045	/* Compensate for boundary condition when applying mask */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2046	if( msb % 8 == 0 )
				2047	{
				2048	p++;
				2049	siglen -= 1;
				2050	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2051
Gilles Peskine	139108a	2017-10-18 19:03:42 +0200	[diff] [blame]	2052	if( siglen < hlen + 2 )
				2053	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				2054	hash_start = p + siglen - hlen - 1;
				2055
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2056	mbedtls_md_init( &md_ctx );
Brian J Murray	e7be5bd	2016-06-23 12:57:03 -0700	[diff] [blame]	2057	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2058	goto exit;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2059
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2060	ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
				2061	if( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2062	goto exit;
Paul Bakker	02303e8	2013-01-03 11:08:31 +0100	[diff] [blame]	2063
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2064	buf[0] &= 0xFF >> ( siglen * 8 - msb );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2065
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2066	while( p < hash_start - 1 && *p == 0 )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2067	p++;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2068
Gilles Peskine	91048a3	2017-10-19 17:46:14 +0200	[diff] [blame]	2069	if( *p++ != 0x01 )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2070	{
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2071	ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
				2072	goto exit;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2073	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2074
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2075	observed_salt_len = hash_start - p;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2076
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2077	if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2078	observed_salt_len != (size_t) expected_salt_len )
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2079	{
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2080	ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
				2081	goto exit;
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2082	}
				2083
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2084	/*
				2085	* Generate H = Hash( M' )
				2086	*/
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2087	ret = mbedtls_md_starts( &md_ctx );
				2088	if ( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2089	goto exit;
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2090	ret = mbedtls_md_update( &md_ctx, zeros, 8 );
				2091	if ( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2092	goto exit;
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2093	ret = mbedtls_md_update( &md_ctx, hash, hashlen );
				2094	if ( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2095	goto exit;
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2096	ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
				2097	if ( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2098	goto exit;
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2099	ret = mbedtls_md_finish( &md_ctx, result );
				2100	if ( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2101	goto exit;
Paul Bakker	53019ae	2011-03-25 13:58:48 +0000	[diff] [blame]	2102
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2103	if( memcmp( hash_start, result, hlen ) != 0 )
Andres Amaya Garcia	c5c7d76	2017-07-20 14:42:16 +0100	[diff] [blame]	2104	{
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2105	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
Andres Amaya Garcia	c5c7d76	2017-07-20 14:42:16 +0100	[diff] [blame]	2106	goto exit;
				2107	}
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2108
				2109	exit:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2110	mbedtls_md_free( &md_ctx );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2111
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2112	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2113	}
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2114
				2115	/*
				2116	* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
				2117	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2118	int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2119	mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2120	unsigned int hashlen,
				2121	const unsigned char *hash,
				2122	const unsigned char *sig )
				2123	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2124	mbedtls_md_type_t mgf1_hash_id;
				2125	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2126	RSA_VALIDATE_RET( sig != NULL );
				2127	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2128	hashlen == 0 ) \|\|
				2129	hash != NULL );
				2130
				2131	mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2132	? (mbedtls_md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2133	: md_alg;
				2134
Thomas Daubney	9e65f79	2021-05-19 12:18:58 +0100	[diff] [blame]	2135	return( mbedtls_rsa_rsassa_pss_verify_ext( ctx,
Thomas Daubney	5ee4cc0	2021-05-19 12:07:42 +0100	[diff] [blame]	2136	md_alg, hashlen, hash,
				2137	mgf1_hash_id,
				2138	MBEDTLS_RSA_SALT_LEN_ANY,
				2139	sig ) );
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2140
				2141	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2142	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	40628ba	2013-01-03 10:50:31 +0100	[diff] [blame]	2143
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2144	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2145	/*
				2146	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
				2147	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2148	int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2149	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2150	unsigned int hashlen,
				2151	const unsigned char *hash,
Manuel Pégourié-Gonnard	cc0a9d0	2013-08-12 11:34:35 +0200	[diff] [blame]	2152	const unsigned char *sig )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2153	{
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2154	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2155	size_t sig_len;
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2156	unsigned char encoded = NULL, encoded_expected = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2157
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2158	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2159	RSA_VALIDATE_RET( sig != NULL );
				2160	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2161	hashlen == 0 ) \|\|
				2162	hash != NULL );
				2163
				2164	sig_len = ctx->len;
				2165
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2166	/*
				2167	* Prepare expected PKCS1 v1.5 encoding of hash.
				2168	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2169
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2170	if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL \|\|
				2171	( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
				2172	{
				2173	ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
				2174	goto cleanup;
				2175	}
				2176
				2177	if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
				2178	encoded_expected ) ) != 0 )
				2179	goto cleanup;
				2180
				2181	/*
				2182	* Apply RSA primitive to get what should be PKCS1 encoded hash.
				2183	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2184
Thomas Daubney	41e4ce4	2021-05-19 15:10:05 +0100	[diff] [blame]	2185	ret = mbedtls_rsa_public( ctx, sig, encoded );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2186	if( ret != 0 )
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2187	goto cleanup;
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2188
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2189	/*
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2190	* Compare
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2191	*/
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2192
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	2193	if( ( ret = mbedtls_ct_memcmp( encoded, encoded_expected,
gabor-mezei-arm	4602564	2021-07-19 15:19:19 +0200	[diff] [blame]	2194	sig_len ) ) != 0 )
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2195	{
				2196	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				2197	goto cleanup;
				2198	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2199
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2200	cleanup:
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2201
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2202	if( encoded != NULL )
				2203	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	2204	mbedtls_platform_zeroize( encoded, sig_len );
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2205	mbedtls_free( encoded );
				2206	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2207
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2208	if( encoded_expected != NULL )
				2209	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	2210	mbedtls_platform_zeroize( encoded_expected, sig_len );
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2211	mbedtls_free( encoded_expected );
				2212	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2213
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2214	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2215	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2216	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2217
				2218	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2219	* Do an RSA operation and check the message digest
				2220	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2221	int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2222	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2223	unsigned int hashlen,
				2224	const unsigned char *hash,
Manuel Pégourié-Gonnard	cc0a9d0	2013-08-12 11:34:35 +0200	[diff] [blame]	2225	const unsigned char *sig )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2226	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2227	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2228	RSA_VALIDATE_RET( sig != NULL );
				2229	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2230	hashlen == 0 ) \|\|
				2231	hash != NULL );
				2232
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2233	switch( ctx->padding )
				2234	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2235	#if defined(MBEDTLS_PKCS1_V15)
				2236	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	2e12625	2021-05-19 11:48:53 +0100	[diff] [blame]	2237	return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, md_alg,
				2238	hashlen, hash, sig );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2239	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2240
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2241	#if defined(MBEDTLS_PKCS1_V21)
				2242	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	5ee4cc0	2021-05-19 12:07:42 +0100	[diff] [blame]	2243	return mbedtls_rsa_rsassa_pss_verify( ctx, md_alg,
				2244	hashlen, hash, sig );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2245	#endif
				2246
				2247	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2248	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2249	}
				2250	}
				2251
				2252	/*
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2253	* Copy the components of an RSA key
				2254	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2255	int mbedtls_rsa_copy( mbedtls_rsa_context dst, const mbedtls_rsa_context src )
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2256	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2257	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2258	RSA_VALIDATE_RET( dst != NULL );
				2259	RSA_VALIDATE_RET( src != NULL );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2260
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2261	dst->len = src->len;
				2262
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2263	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
				2264	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2265
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2266	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
				2267	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
				2268	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2269
				2270	#if !defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2271	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
				2272	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
				2273	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2274	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
				2275	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2276	#endif
				2277
				2278	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2279
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2280	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
				2281	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	2282
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2283	dst->padding = src->padding;
Manuel Pégourié-Gonnard	fdddac9	2014-03-25 15:58:35 +0100	[diff] [blame]	2284	dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2285
				2286	cleanup:
				2287	if( ret != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2288	mbedtls_rsa_free( dst );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2289
				2290	return( ret );
				2291	}
				2292
				2293	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2294	* Free the components of an RSA key
				2295	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2296	void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2297	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2298	if( ctx == NULL )
				2299	return;
				2300
				2301	mbedtls_mpi_free( &ctx->Vi );
				2302	mbedtls_mpi_free( &ctx->Vf );
				2303	mbedtls_mpi_free( &ctx->RN );
				2304	mbedtls_mpi_free( &ctx->D );
				2305	mbedtls_mpi_free( &ctx->Q );
				2306	mbedtls_mpi_free( &ctx->P );
				2307	mbedtls_mpi_free( &ctx->E );
				2308	mbedtls_mpi_free( &ctx->N );
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2309
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2310	#if !defined(MBEDTLS_RSA_NO_CRT)
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2311	mbedtls_mpi_free( &ctx->RQ );
				2312	mbedtls_mpi_free( &ctx->RP );
				2313	mbedtls_mpi_free( &ctx->QP );
				2314	mbedtls_mpi_free( &ctx->DQ );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2315	mbedtls_mpi_free( &ctx->DP );
				2316	#endif /* MBEDTLS_RSA_NO_CRT */
				2317
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2318	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	2319	/* Free the mutex, but only if it hasn't been freed already. */
				2320	if( ctx->ver != 0 )
				2321	{
				2322	mbedtls_mutex_free( &ctx->mutex );
				2323	ctx->ver = 0;
				2324	}
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2325	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2326	}
				2327
Hanno Becker	ab37731	2017-08-23 16:24:51 +0100	[diff] [blame]	2328	#endif /* !MBEDTLS_RSA_ALT */
				2329
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2330	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2331
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	2332	#include "mbedtls/sha1.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2333
				2334	/*
				2335	* Example RSA-1024 keypair, for test purposes
				2336	*/
				2337	#define KEY_LEN 128
				2338
				2339	#define RSA_N "9292758453063D803DD603D5E777D788" \
				2340	"8ED1D5BF35786190FA2F23EBC0848AEA" \
				2341	"DDA92CA6C3D80B32C4D109BE0F36D6AE" \
				2342	"7130B9CED7ACDF54CFC7555AC14EEBAB" \
				2343	"93A89813FBF3C4F8066D2D800F7C38A8" \
				2344	"1AE31942917403FF4946B0A83D3D3E05" \
				2345	"EE57C6F5F5606FB5D4BC6CD34EE0801A" \
				2346	"5E94BB77B07507233A0BC7BAC8F90F79"
				2347
				2348	#define RSA_E "10001"
				2349
				2350	#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
				2351	"66CA472BC44D253102F8B4A9D3BFA750" \
				2352	"91386C0077937FE33FA3252D28855837" \
				2353	"AE1B484A8A9A45F7EE8C0C634F99E8CD" \
				2354	"DF79C5CE07EE72C7F123142198164234" \
				2355	"CABB724CF78B8173B9F880FC86322407" \
				2356	"AF1FEDFDDE2BEB674CA15F3E81A1521E" \
				2357	"071513A1E85B5DFA031F21ECAE91A34D"
				2358
				2359	#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
				2360	"2C01CAD19EA484A87EA4377637E75500" \
				2361	"FCB2005C5C7DD6EC4AC023CDA285D796" \
				2362	"C3D9E75E1EFC42488BB4F1D13AC30A57"
				2363
				2364	#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
				2365	"E211C2B9E5DB1ED0BF61D0D9899620F4" \
				2366	"910E4168387E3C30AA1E00C339A79508" \
				2367	"8452DD96A9A5EA5D9DCA68DA636032AF"
				2368
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2369	#define PT_LEN 24
				2370	#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
				2371	"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
				2372
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2373	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2374	static int myrand( void rng_state, unsigned char output, size_t len )
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2375	{
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2376	#if !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2377	size_t i;
				2378
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2379	if( rng_state != NULL )
				2380	rng_state = NULL;
				2381
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2382	for( i = 0; i < len; ++i )
				2383	output[i] = rand();
Paul Bakker	f96f7b6	2014-04-30 16:02:38 +0200	[diff] [blame]	2384	#else
				2385	if( rng_state != NULL )
				2386	rng_state = NULL;
				2387
				2388	arc4random_buf( output, len );
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2389	#endif /* !OpenBSD && !NetBSD */
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2390
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2391	return( 0 );
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2392	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2393	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2394
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2395	/*
				2396	* Checkup routine
				2397	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2398	int mbedtls_rsa_self_test( int verbose )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2399	{
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2400	int ret = 0;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2401	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2402	size_t len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2403	mbedtls_rsa_context rsa;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2404	unsigned char rsa_plaintext[PT_LEN];
				2405	unsigned char rsa_decrypted[PT_LEN];
				2406	unsigned char rsa_ciphertext[KEY_LEN];
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2407	#if defined(MBEDTLS_SHA1_C)
Paul Bakker	5690efc	2011-05-26 13:16:06 +0000	[diff] [blame]	2408	unsigned char sha1sum[20];
				2409	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2410
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2411	mbedtls_mpi K;
				2412
				2413	mbedtls_mpi_init( &K );
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	2414	mbedtls_rsa_init( &rsa );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2415
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2416	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
				2417	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
				2418	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
				2419	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
				2420	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
				2421	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
				2422	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
				2423	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
				2424	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
				2425	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
				2426
Hanno Becker	7f25f85	2017-10-10 16:56:22 +0100	[diff] [blame]	2427	MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2428
				2429	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2430	mbedtls_printf( " RSA key validation: " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2431
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2432	if( mbedtls_rsa_check_pubkey( &rsa ) != 0 \|\|
				2433	mbedtls_rsa_check_privkey( &rsa ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2434	{
				2435	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2436	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2437
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2438	ret = 1;
				2439	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2440	}
				2441
				2442	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2443	mbedtls_printf( "passed\n PKCS#1 encryption : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2444
				2445	memcpy( rsa_plaintext, RSA_PT, PT_LEN );
				2446
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	2447	if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2448	PT_LEN, rsa_plaintext,
				2449	rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2450	{
				2451	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2452	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2453
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2454	ret = 1;
				2455	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2456	}
				2457
				2458	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2459	mbedtls_printf( "passed\n PKCS#1 decryption : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2460
Thomas Daubney	c7feaf3	2021-05-07 14:02:43 +0100	[diff] [blame]	2461	if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2462	&len, rsa_ciphertext, rsa_decrypted,
				2463	sizeof(rsa_decrypted) ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2464	{
				2465	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2466	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2467
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2468	ret = 1;
				2469	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2470	}
				2471
				2472	if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
				2473	{
				2474	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2475	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2476
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2477	ret = 1;
				2478	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2479	}
				2480
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2481	if( verbose != 0 )
				2482	mbedtls_printf( "passed\n" );
				2483
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2484	#if defined(MBEDTLS_SHA1_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2485	if( verbose != 0 )
Brian Murray	930a370	2016-05-18 14:38:02 -0700	[diff] [blame]	2486	mbedtls_printf( " PKCS#1 data sign : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2487
TRodziewicz	26371e4	2021-06-08 16:45:41 +0200	[diff] [blame]	2488	if( mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2489	{
				2490	if( verbose != 0 )
				2491	mbedtls_printf( "failed\n" );
				2492
				2493	return( 1 );
				2494	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2495
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2496	if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2497	MBEDTLS_MD_SHA1, 20,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2498	sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2499	{
				2500	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2501	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2502
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2503	ret = 1;
				2504	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2505	}
				2506
				2507	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2508	mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2509
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2510	if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 20,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2511	sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2512	{
				2513	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2514	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2515
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2516	ret = 1;
				2517	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2518	}
				2519
				2520	if( verbose != 0 )
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2521	mbedtls_printf( "passed\n" );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2522	#endif /* MBEDTLS_SHA1_C */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2523
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2524	if( verbose != 0 )
				2525	mbedtls_printf( "\n" );
				2526
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2527	cleanup:
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2528	mbedtls_mpi_free( &K );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2529	mbedtls_rsa_free( &rsa );
				2530	#else /* MBEDTLS_PKCS1_V15 */
Paul Bakker	3e41fe8	2013-09-15 17:42:50 +0200	[diff] [blame]	2531	((void) verbose);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2532	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2533	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2534	}
				2535
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2536	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2537
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2538	#endif /* MBEDTLS_RSA_C */