1 /*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47 /*
48 * The following sources were referenced in the design of this implementation
49 * of the RSA algorithm:
50 *
51 * [1] A method for obtaining digital signatures and public-key cryptosystems
52 * R Rivest, A Shamir, and L Adleman
53 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
54 *
55 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
56 * Menezes, van Oorschot and Vanstone
57 *
58 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
59 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
60 * Stefan Mangard
61 * https://arxiv.org/abs/1702.08719v2
62 *
63 */
64
65 #if !defined(MBEDTLS_CONFIG_FILE)
66 #include "mbedtls/config.h"
67 #else
68 #include MBEDTLS_CONFIG_FILE
69 #endif
70
71 #if defined(MBEDTLS_RSA_C)
72
73 #include "mbedtls/rsa.h"
74 #include "mbedtls/rsa_internal.h"
75 #include "mbedtls/oid.h"
76 #include "mbedtls/platform_util.h"
77
78 #include <string.h>
79
80 #if defined(MBEDTLS_PKCS1_V21)
81 #include "mbedtls/md.h"
82 #endif
83
84 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
85 #include <stdlib.h>
86 #endif
87
88 #if defined(MBEDTLS_PLATFORM_C)
89 #include "mbedtls/platform.h"
90 #else
91 #include <stdio.h>
92 #define mbedtls_printf printf
93 #define mbedtls_calloc calloc
94 #define mbedtls_free free
95 #endif
96
97 #if !defined(MBEDTLS_RSA_ALT)
98
99 /* Parameter validation macros */
100 #define RSA_VALIDATE_RET( cond ) \
101 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
102 #define RSA_VALIDATE( cond ) \
103 MBEDTLS_INTERNAL_VALIDATE( cond )
104
105 #if defined(MBEDTLS_PKCS1_V15)
106 /* constant-time buffer comparison */
mbedtls_safer_memcmp(const void * a,const void * b,size_t n)107 static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
108 {
109 size_t i;
110 const unsigned char *A = (const unsigned char *) a;
111 const unsigned char *B = (const unsigned char *) b;
112 unsigned char diff = 0;
113
114 for( i = 0; i < n; i++ )
115 diff |= A[i] ^ B[i];
116
117 return( diff );
118 }
119 #endif /* MBEDTLS_PKCS1_V15 */
120
mbedtls_rsa_import(mbedtls_rsa_context * ctx,const mbedtls_mpi * N,const mbedtls_mpi * P,const mbedtls_mpi * Q,const mbedtls_mpi * D,const mbedtls_mpi * E)121 int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
122 const mbedtls_mpi *N,
123 const mbedtls_mpi *P, const mbedtls_mpi *Q,
124 const mbedtls_mpi *D, const mbedtls_mpi *E )
125 {
126 int ret;
127 RSA_VALIDATE_RET( ctx != NULL );
128
129 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
130 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
131 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
132 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
133 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
134 {
135 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
136 }
137
138 if( N != NULL )
139 ctx->len = mbedtls_mpi_size( &ctx->N );
140
141 return( 0 );
142 }
143
mbedtls_rsa_import_raw(mbedtls_rsa_context * ctx,unsigned char const * N,size_t N_len,unsigned char const * P,size_t P_len,unsigned char const * Q,size_t Q_len,unsigned char const * D,size_t D_len,unsigned char const * E,size_t E_len)144 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
145 unsigned char const *N, size_t N_len,
146 unsigned char const *P, size_t P_len,
147 unsigned char const *Q, size_t Q_len,
148 unsigned char const *D, size_t D_len,
149 unsigned char const *E, size_t E_len )
150 {
151 int ret = 0;
152 RSA_VALIDATE_RET( ctx != NULL );
153
154 if( N != NULL )
155 {
156 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
157 ctx->len = mbedtls_mpi_size( &ctx->N );
158 }
159
160 if( P != NULL )
161 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
162
163 if( Q != NULL )
164 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
165
166 if( D != NULL )
167 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
168
169 if( E != NULL )
170 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
171
172 cleanup:
173
174 if( ret != 0 )
175 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
176
177 return( 0 );
178 }
179
180 /*
181 * Checks whether the context fields are set in such a way
182 * that the RSA primitives will be able to execute without error.
183 * It does *not* make guarantees for consistency of the parameters.
184 */
rsa_check_context(mbedtls_rsa_context const * ctx,int is_priv,int blinding_needed)185 static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
186 int blinding_needed )
187 {
188 #if !defined(MBEDTLS_RSA_NO_CRT)
189 /* blinding_needed is only used for NO_CRT to decide whether
190 * P,Q need to be present or not. */
191 ((void) blinding_needed);
192 #endif
193
194 if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
195 ctx->len > MBEDTLS_MPI_MAX_SIZE )
196 {
197 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
198 }
199
200 /*
201 * 1. Modular exponentiation needs positive, odd moduli.
202 */
203
204 /* Modular exponentiation wrt. N is always used for
205 * RSA public key operations. */
206 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
207 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
208 {
209 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
210 }
211
212 #if !defined(MBEDTLS_RSA_NO_CRT)
213 /* Modular exponentiation for P and Q is only
214 * used for private key operations and if CRT
215 * is used. */
216 if( is_priv &&
217 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
218 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
219 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
220 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
221 {
222 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
223 }
224 #endif /* !MBEDTLS_RSA_NO_CRT */
225
226 /*
227 * 2. Exponents must be positive
228 */
229
230 /* Always need E for public key operations */
231 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
232 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
233
234 #if defined(MBEDTLS_RSA_NO_CRT)
235 /* For private key operations, use D or DP & DQ
236 * as (unblinded) exponents. */
237 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
238 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
239 #else
240 if( is_priv &&
241 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
242 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
243 {
244 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
245 }
246 #endif /* MBEDTLS_RSA_NO_CRT */
247
248 /* Blinding shouldn't make exponents negative either,
249 * so check that P, Q >= 1 if that hasn't yet been
250 * done as part of 1. */
251 #if defined(MBEDTLS_RSA_NO_CRT)
252 if( is_priv && blinding_needed &&
253 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
254 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
255 {
256 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
257 }
258 #endif
259
260 /* It wouldn't lead to an error if it wasn't satisfied,
261 * but check for QP >= 1 nonetheless. */
262 #if !defined(MBEDTLS_RSA_NO_CRT)
263 if( is_priv &&
264 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
265 {
266 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
267 }
268 #endif
269
270 return( 0 );
271 }
272
mbedtls_rsa_complete(mbedtls_rsa_context * ctx)273 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
274 {
275 int ret = 0;
276 int have_N, have_P, have_Q, have_D, have_E;
277 #if !defined(MBEDTLS_RSA_NO_CRT)
278 int have_DP, have_DQ, have_QP;
279 #endif
280 int n_missing, pq_missing, d_missing, is_pub, is_priv;
281
282 RSA_VALIDATE_RET( ctx != NULL );
283
284 have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
285 have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
286 have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
287 have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
288 have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
289
290 #if !defined(MBEDTLS_RSA_NO_CRT)
291 have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
292 have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
293 have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
294 #endif
295
296 /*
297 * Check whether provided parameters are enough
298 * to deduce all others. The following incomplete
299 * parameter sets for private keys are supported:
300 *
301 * (1) P, Q missing.
302 * (2) D and potentially N missing.
303 *
304 */
305
306 n_missing = have_P && have_Q && have_D && have_E;
307 pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
308 d_missing = have_P && have_Q && !have_D && have_E;
309 is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
310
311 /* These three alternatives are mutually exclusive */
312 is_priv = n_missing || pq_missing || d_missing;
313
314 if( !is_priv && !is_pub )
315 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
316
317 /*
318 * Step 1: Deduce N if P, Q are provided.
319 */
320
321 if( !have_N && have_P && have_Q )
322 {
323 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
324 &ctx->Q ) ) != 0 )
325 {
326 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
327 }
328
329 ctx->len = mbedtls_mpi_size( &ctx->N );
330 }
331
332 /*
333 * Step 2: Deduce and verify all remaining core parameters.
334 */
335
336 if( pq_missing )
337 {
338 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
339 &ctx->P, &ctx->Q );
340 if( ret != 0 )
341 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
342
343 }
344 else if( d_missing )
345 {
346 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
347 &ctx->Q,
348 &ctx->E,
349 &ctx->D ) ) != 0 )
350 {
351 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
352 }
353 }
354
355 /*
356 * Step 3: Deduce all additional parameters specific
357 * to our current RSA implementation.
358 */
359
360 #if !defined(MBEDTLS_RSA_NO_CRT)
361 if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
362 {
363 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
364 &ctx->DP, &ctx->DQ, &ctx->QP );
365 if( ret != 0 )
366 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
367 }
368 #endif /* MBEDTLS_RSA_NO_CRT */
369
370 /*
371 * Step 3: Basic sanity checks
372 */
373
374 return( rsa_check_context( ctx, is_priv, 1 ) );
375 }
376
mbedtls_rsa_export_raw(const mbedtls_rsa_context * ctx,unsigned char * N,size_t N_len,unsigned char * P,size_t P_len,unsigned char * Q,size_t Q_len,unsigned char * D,size_t D_len,unsigned char * E,size_t E_len)377 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
378 unsigned char *N, size_t N_len,
379 unsigned char *P, size_t P_len,
380 unsigned char *Q, size_t Q_len,
381 unsigned char *D, size_t D_len,
382 unsigned char *E, size_t E_len )
383 {
384 int ret = 0;
385 int is_priv;
386 RSA_VALIDATE_RET( ctx != NULL );
387
388 /* Check if key is private or public */
389 is_priv =
390 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
391 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
392 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
393 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
394 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
395
396 if( !is_priv )
397 {
398 /* If we're trying to export private parameters for a public key,
399 * something must be wrong. */
400 if( P != NULL || Q != NULL || D != NULL )
401 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
402
403 }
404
405 if( N != NULL )
406 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
407
408 if( P != NULL )
409 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
410
411 if( Q != NULL )
412 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
413
414 if( D != NULL )
415 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
416
417 if( E != NULL )
418 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
419
420 cleanup:
421
422 return( ret );
423 }
424
mbedtls_rsa_export(const mbedtls_rsa_context * ctx,mbedtls_mpi * N,mbedtls_mpi * P,mbedtls_mpi * Q,mbedtls_mpi * D,mbedtls_mpi * E)425 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
426 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
427 mbedtls_mpi *D, mbedtls_mpi *E )
428 {
429 int ret;
430 int is_priv;
431 RSA_VALIDATE_RET( ctx != NULL );
432
433 /* Check if key is private or public */
434 is_priv =
435 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
436 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
437 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
438 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
439 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
440
441 if( !is_priv )
442 {
443 /* If we're trying to export private parameters for a public key,
444 * something must be wrong. */
445 if( P != NULL || Q != NULL || D != NULL )
446 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
447
448 }
449
450 /* Export all requested core parameters. */
451
452 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
453 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
454 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
455 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
456 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
457 {
458 return( ret );
459 }
460
461 return( 0 );
462 }
463
464 /*
465 * Export CRT parameters
466 * This must also be implemented if CRT is not used, for being able to
467 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
468 * can be used in this case.
469 */
mbedtls_rsa_export_crt(const mbedtls_rsa_context * ctx,mbedtls_mpi * DP,mbedtls_mpi * DQ,mbedtls_mpi * QP)470 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
471 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
472 {
473 int ret;
474 int is_priv;
475 RSA_VALIDATE_RET( ctx != NULL );
476
477 /* Check if key is private or public */
478 is_priv =
479 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
480 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
481 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
482 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
483 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
484
485 if( !is_priv )
486 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
487
488 #if !defined(MBEDTLS_RSA_NO_CRT)
489 /* Export all requested blinding parameters. */
490 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
491 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
492 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
493 {
494 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
495 }
496 #else
497 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
498 DP, DQ, QP ) ) != 0 )
499 {
500 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
501 }
502 #endif
503
504 return( 0 );
505 }
506
507 /*
508 * Initialize an RSA context
509 */
mbedtls_rsa_init(mbedtls_rsa_context * ctx,int padding,int hash_id)510 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
511 int padding,
512 int hash_id )
513 {
514 RSA_VALIDATE( ctx != NULL );
515 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
516 padding == MBEDTLS_RSA_PKCS_V21 );
517
518 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
519
520 mbedtls_rsa_set_padding( ctx, padding, hash_id );
521
522 #if defined(MBEDTLS_THREADING_C)
523 /* Set ctx->ver to nonzero to indicate that the mutex has been
524 * initialized and will need to be freed. */
525 ctx->ver = 1;
526 mbedtls_mutex_init( &ctx->mutex );
527 #endif
528 }
529
530 /*
531 * Set padding for an existing RSA context
532 */
mbedtls_rsa_set_padding(mbedtls_rsa_context * ctx,int padding,int hash_id)533 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
534 int hash_id )
535 {
536 RSA_VALIDATE( ctx != NULL );
537 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
538 padding == MBEDTLS_RSA_PKCS_V21 );
539
540 ctx->padding = padding;
541 ctx->hash_id = hash_id;
542 }
543
544 /*
545 * Get length in bytes of RSA modulus
546 */
547
mbedtls_rsa_get_len(const mbedtls_rsa_context * ctx)548 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
549 {
550 return( ctx->len );
551 }
552
553
554 #if defined(MBEDTLS_GENPRIME)
555
556 /*
557 * Generate an RSA keypair
558 *
559 * This generation method follows the RSA key pair generation procedure of
560 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
561 */
mbedtls_rsa_gen_key(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,unsigned int nbits,int exponent)562 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
563 int (*f_rng)(void *, unsigned char *, size_t),
564 void *p_rng,
565 unsigned int nbits, int exponent )
566 {
567 int ret;
568 mbedtls_mpi H, G, L;
569 int prime_quality = 0;
570 RSA_VALIDATE_RET( ctx != NULL );
571 RSA_VALIDATE_RET( f_rng != NULL );
572
573 /*
574 * If the modulus is 1024 bit long or shorter, then the security strength of
575 * the RSA algorithm is less than or equal to 80 bits and therefore an error
576 * rate of 2^-80 is sufficient.
577 */
578 if( nbits > 1024 )
579 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
580
581 mbedtls_mpi_init( &H );
582 mbedtls_mpi_init( &G );
583 mbedtls_mpi_init( &L );
584
585 if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
586 {
587 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
588 goto cleanup;
589 }
590
591 /*
592 * find primes P and Q with Q < P so that:
593 * 1. |P-Q| > 2^( nbits / 2 - 100 )
594 * 2. GCD( E, (P-1)*(Q-1) ) == 1
595 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
596 */
597 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
598
599 do
600 {
601 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
602 prime_quality, f_rng, p_rng ) );
603
604 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
605 prime_quality, f_rng, p_rng ) );
606
607 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
608 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
609 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
610 continue;
611
612 /* not required by any standards, but some users rely on the fact that P > Q */
613 if( H.s < 0 )
614 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
615
616 /* Temporarily replace P,Q by P-1, Q-1 */
617 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
618 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
619 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
620
621 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
622 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
623 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
624 continue;
625
626 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
627 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
628 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
629 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
630
631 if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
632 continue;
633
634 break;
635 }
636 while( 1 );
637
638 /* Restore P,Q */
639 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
640 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
641
642 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
643
644 ctx->len = mbedtls_mpi_size( &ctx->N );
645
646 #if !defined(MBEDTLS_RSA_NO_CRT)
647 /*
648 * DP = D mod (P - 1)
649 * DQ = D mod (Q - 1)
650 * QP = Q^-1 mod P
651 */
652 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
653 &ctx->DP, &ctx->DQ, &ctx->QP ) );
654 #endif /* MBEDTLS_RSA_NO_CRT */
655
656 /* Double-check */
657 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
658
659 cleanup:
660
661 mbedtls_mpi_free( &H );
662 mbedtls_mpi_free( &G );
663 mbedtls_mpi_free( &L );
664
665 if( ret != 0 )
666 {
667 mbedtls_rsa_free( ctx );
668 if( ( -ret & ~0x7f ) == 0 )
669 ret = MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret;
670 return( ret );
671 }
672
673 return( 0 );
674 }
675
676 #endif /* MBEDTLS_GENPRIME */
677
678 /*
679 * Check a public RSA key
680 */
mbedtls_rsa_check_pubkey(const mbedtls_rsa_context * ctx)681 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
682 {
683 RSA_VALIDATE_RET( ctx != NULL );
684
685 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
686 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
687
688 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
689 {
690 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
691 }
692
693 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
694 mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
695 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
696 {
697 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
698 }
699
700 return( 0 );
701 }
702
703 /*
704 * Check for the consistency of all fields in an RSA private key context
705 */
mbedtls_rsa_check_privkey(const mbedtls_rsa_context * ctx)706 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
707 {
708 RSA_VALIDATE_RET( ctx != NULL );
709
710 if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
711 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
712 {
713 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
714 }
715
716 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
717 &ctx->D, &ctx->E, NULL, NULL ) != 0 )
718 {
719 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
720 }
721
722 #if !defined(MBEDTLS_RSA_NO_CRT)
723 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
724 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
725 {
726 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
727 }
728 #endif
729
730 return( 0 );
731 }
732
733 /*
734 * Check if contexts holding a public and private key match
735 */
mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context * pub,const mbedtls_rsa_context * prv)736 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
737 const mbedtls_rsa_context *prv )
738 {
739 RSA_VALIDATE_RET( pub != NULL );
740 RSA_VALIDATE_RET( prv != NULL );
741
742 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
743 mbedtls_rsa_check_privkey( prv ) != 0 )
744 {
745 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
746 }
747
748 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
749 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
750 {
751 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
752 }
753
754 return( 0 );
755 }
756
757 /*
758 * Do an RSA public key operation
759 */
mbedtls_rsa_public(mbedtls_rsa_context * ctx,const unsigned char * input,unsigned char * output)760 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
761 const unsigned char *input,
762 unsigned char *output )
763 {
764 int ret;
765 size_t olen;
766 mbedtls_mpi T;
767 RSA_VALIDATE_RET( ctx != NULL );
768 RSA_VALIDATE_RET( input != NULL );
769 RSA_VALIDATE_RET( output != NULL );
770
771 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
772 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
773
774 mbedtls_mpi_init( &T );
775
776 #if defined(MBEDTLS_THREADING_C)
777 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
778 return( ret );
779 #endif
780
781 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
782
783 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
784 {
785 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
786 goto cleanup;
787 }
788
789 olen = ctx->len;
790 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
791 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
792
793 cleanup:
794 #if defined(MBEDTLS_THREADING_C)
795 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
796 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
797 #endif
798
799 mbedtls_mpi_free( &T );
800
801 if( ret != 0 )
802 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
803
804 return( 0 );
805 }
806
807 /*
808 * Generate or update blinding values, see section 10 of:
809 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
810 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
811 * Berlin Heidelberg, 1996. p. 104-113.
812 */
rsa_prepare_blinding(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)813 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
814 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
815 {
816 int ret, count = 0;
817 mbedtls_mpi R;
818
819 mbedtls_mpi_init( &R );
820
821 if( ctx->Vf.p != NULL )
822 {
823 /* We already have blinding values, just update them by squaring */
824 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
825 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
826 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
827 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
828
829 goto cleanup;
830 }
831
832 /* Unblinding value: Vf = random number, invertible mod N */
833 do {
834 if( count++ > 10 )
835 {
836 ret = MBEDTLS_ERR_RSA_RNG_FAILED;
837 goto cleanup;
838 }
839
840 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
841
842 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
843 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
844 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
845 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
846
847 /* At this point, Vi is invertible mod N if and only if both Vf and R
848 * are invertible mod N. If one of them isn't, we don't need to know
849 * which one, we just loop and choose new values for both of them.
850 * (Each iteration succeeds with overwhelming probability.) */
851 ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
852 if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
853 goto cleanup;
854
855 } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
856
857 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
858 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
859 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
860
861 /* Blinding value: Vi = Vf^(-e) mod N
862 * (Vi already contains Vf^-1 at this point) */
863 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
864
865
866 cleanup:
867 mbedtls_mpi_free( &R );
868
869 return( ret );
870 }
871
872 /*
873 * Exponent blinding supposed to prevent side-channel attacks using multiple
874 * traces of measurements to recover the RSA key. The more collisions are there,
875 * the more bits of the key can be recovered. See [3].
876 *
877 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
878 * observations on avarage.
879 *
880 * For example with 28 byte blinding to achieve 2 collisions the adversary has
881 * to make 2^112 observations on avarage.
882 *
883 * (With the currently (as of 2017 April) known best algorithms breaking 2048
884 * bit RSA requires approximately as much time as trying out 2^112 random keys.
885 * Thus in this sense with 28 byte blinding the security is not reduced by
886 * side-channel attacks like the one in [3])
887 *
888 * This countermeasure does not help if the key recovery is possible with a
889 * single trace.
890 */
891 #define RSA_EXPONENT_BLINDING 28
892
893 /*
894 * Do an RSA private key operation
895 */
mbedtls_rsa_private(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * input,unsigned char * output)896 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
897 int (*f_rng)(void *, unsigned char *, size_t),
898 void *p_rng,
899 const unsigned char *input,
900 unsigned char *output )
901 {
902 int ret;
903 size_t olen;
904
905 /* Temporary holding the result */
906 mbedtls_mpi T;
907
908 /* Temporaries holding P-1, Q-1 and the
909 * exponent blinding factor, respectively. */
910 mbedtls_mpi P1, Q1, R;
911
912 #if !defined(MBEDTLS_RSA_NO_CRT)
913 /* Temporaries holding the results mod p resp. mod q. */
914 mbedtls_mpi TP, TQ;
915
916 /* Temporaries holding the blinded exponents for
917 * the mod p resp. mod q computation (if used). */
918 mbedtls_mpi DP_blind, DQ_blind;
919
920 /* Pointers to actual exponents to be used - either the unblinded
921 * or the blinded ones, depending on the presence of a PRNG. */
922 mbedtls_mpi *DP = &ctx->DP;
923 mbedtls_mpi *DQ = &ctx->DQ;
924 #else
925 /* Temporary holding the blinded exponent (if used). */
926 mbedtls_mpi D_blind;
927
928 /* Pointer to actual exponent to be used - either the unblinded
929 * or the blinded one, depending on the presence of a PRNG. */
930 mbedtls_mpi *D = &ctx->D;
931 #endif /* MBEDTLS_RSA_NO_CRT */
932
933 /* Temporaries holding the initial input and the double
934 * checked result; should be the same in the end. */
935 mbedtls_mpi I, C;
936
937 RSA_VALIDATE_RET( ctx != NULL );
938 RSA_VALIDATE_RET( input != NULL );
939 RSA_VALIDATE_RET( output != NULL );
940
941 if( rsa_check_context( ctx, 1 /* private key checks */,
942 f_rng != NULL /* blinding y/n */ ) != 0 )
943 {
944 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
945 }
946
947 #if defined(MBEDTLS_THREADING_C)
948 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
949 return( ret );
950 #endif
951
952 /* MPI Initialization */
953 mbedtls_mpi_init( &T );
954
955 mbedtls_mpi_init( &P1 );
956 mbedtls_mpi_init( &Q1 );
957 mbedtls_mpi_init( &R );
958
959 if( f_rng != NULL )
960 {
961 #if defined(MBEDTLS_RSA_NO_CRT)
962 mbedtls_mpi_init( &D_blind );
963 #else
964 mbedtls_mpi_init( &DP_blind );
965 mbedtls_mpi_init( &DQ_blind );
966 #endif
967 }
968
969 #if !defined(MBEDTLS_RSA_NO_CRT)
970 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
971 #endif
972
973 mbedtls_mpi_init( &I );
974 mbedtls_mpi_init( &C );
975
976 /* End of MPI initialization */
977
978 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
979 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
980 {
981 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
982 goto cleanup;
983 }
984
985 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
986
987 if( f_rng != NULL )
988 {
989 /*
990 * Blinding
991 * T = T * Vi mod N
992 */
993 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
994 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
995 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
996
997 /*
998 * Exponent blinding
999 */
1000 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
1001 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
1002
1003 #if defined(MBEDTLS_RSA_NO_CRT)
1004 /*
1005 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
1006 */
1007 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
1008 f_rng, p_rng ) );
1009 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
1010 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
1011 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
1012
1013 D = &D_blind;
1014 #else
1015 /*
1016 * DP_blind = ( P - 1 ) * R + DP
1017 */
1018 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
1019 f_rng, p_rng ) );
1020 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
1021 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
1022 &ctx->DP ) );
1023
1024 DP = &DP_blind;
1025
1026 /*
1027 * DQ_blind = ( Q - 1 ) * R + DQ
1028 */
1029 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
1030 f_rng, p_rng ) );
1031 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
1032 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
1033 &ctx->DQ ) );
1034
1035 DQ = &DQ_blind;
1036 #endif /* MBEDTLS_RSA_NO_CRT */
1037 }
1038
1039 #if defined(MBEDTLS_RSA_NO_CRT)
1040 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
1041 #else
1042 /*
1043 * Faster decryption using the CRT
1044 *
1045 * TP = input ^ dP mod P
1046 * TQ = input ^ dQ mod Q
1047 */
1048
1049 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
1050 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
1051
1052 /*
1053 * T = (TP - TQ) * (Q^-1 mod P) mod P
1054 */
1055 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
1056 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
1057 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
1058
1059 /*
1060 * T = TQ + T * Q
1061 */
1062 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
1063 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
1064 #endif /* MBEDTLS_RSA_NO_CRT */
1065
1066 if( f_rng != NULL )
1067 {
1068 /*
1069 * Unblind
1070 * T = T * Vf mod N
1071 */
1072 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
1073 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
1074 }
1075
1076 /* Verify the result to prevent glitching attacks. */
1077 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
1078 &ctx->N, &ctx->RN ) );
1079 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
1080 {
1081 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1082 goto cleanup;
1083 }
1084
1085 olen = ctx->len;
1086 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
1087
1088 cleanup:
1089 #if defined(MBEDTLS_THREADING_C)
1090 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
1091 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
1092 #endif
1093
1094 mbedtls_mpi_free( &P1 );
1095 mbedtls_mpi_free( &Q1 );
1096 mbedtls_mpi_free( &R );
1097
1098 if( f_rng != NULL )
1099 {
1100 #if defined(MBEDTLS_RSA_NO_CRT)
1101 mbedtls_mpi_free( &D_blind );
1102 #else
1103 mbedtls_mpi_free( &DP_blind );
1104 mbedtls_mpi_free( &DQ_blind );
1105 #endif
1106 }
1107
1108 mbedtls_mpi_free( &T );
1109
1110 #if !defined(MBEDTLS_RSA_NO_CRT)
1111 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
1112 #endif
1113
1114 mbedtls_mpi_free( &C );
1115 mbedtls_mpi_free( &I );
1116
1117 if( ret != 0 && ret >= -0x007f )
1118 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
1119
1120 return( ret );
1121 }
1122
1123 #if defined(MBEDTLS_PKCS1_V21)
1124 /**
1125 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1126 *
1127 * \param dst buffer to mask
1128 * \param dlen length of destination buffer
1129 * \param src source of the mask generation
1130 * \param slen length of the source buffer
1131 * \param md_ctx message digest context to use
1132 */
mgf_mask(unsigned char * dst,size_t dlen,unsigned char * src,size_t slen,mbedtls_md_context_t * md_ctx)1133 static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
1134 size_t slen, mbedtls_md_context_t *md_ctx )
1135 {
1136 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
1137 unsigned char counter[4];
1138 unsigned char *p;
1139 unsigned int hlen;
1140 size_t i, use_len;
1141 int ret = 0;
1142
1143 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
1144 memset( counter, 0, 4 );
1145
1146 hlen = mbedtls_md_get_size( md_ctx->md_info );
1147
1148 /* Generate and apply dbMask */
1149 p = dst;
1150
1151 while( dlen > 0 )
1152 {
1153 use_len = hlen;
1154 if( dlen < hlen )
1155 use_len = dlen;
1156
1157 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
1158 goto exit;
1159 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
1160 goto exit;
1161 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
1162 goto exit;
1163 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
1164 goto exit;
1165
1166 for( i = 0; i < use_len; ++i )
1167 *p++ ^= mask[i];
1168
1169 counter[3]++;
1170
1171 dlen -= use_len;
1172 }
1173
1174 exit:
1175 mbedtls_platform_zeroize( mask, sizeof( mask ) );
1176
1177 return( ret );
1178 }
1179 #endif /* MBEDTLS_PKCS1_V21 */
1180
1181 #if defined(MBEDTLS_PKCS1_V21)
1182 /*
1183 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1184 */
mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,const unsigned char * label,size_t label_len,size_t ilen,const unsigned char * input,unsigned char * output)1185 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
1186 int (*f_rng)(void *, unsigned char *, size_t),
1187 void *p_rng,
1188 int mode,
1189 const unsigned char *label, size_t label_len,
1190 size_t ilen,
1191 const unsigned char *input,
1192 unsigned char *output )
1193 {
1194 size_t olen;
1195 int ret;
1196 unsigned char *p = output;
1197 unsigned int hlen;
1198 const mbedtls_md_info_t *md_info;
1199 mbedtls_md_context_t md_ctx;
1200
1201 RSA_VALIDATE_RET( ctx != NULL );
1202 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1203 mode == MBEDTLS_RSA_PUBLIC );
1204 RSA_VALIDATE_RET( output != NULL );
1205 RSA_VALIDATE_RET( input != NULL );
1206 RSA_VALIDATE_RET( label_len == 0 || label != NULL );
1207
1208 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1209 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1210
1211 if( f_rng == NULL )
1212 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1213
1214 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1215 if( md_info == NULL )
1216 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1217
1218 olen = ctx->len;
1219 hlen = mbedtls_md_get_size( md_info );
1220
1221 /* first comparison checks for overflow */
1222 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
1223 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1224
1225 memset( output, 0, olen );
1226
1227 *p++ = 0;
1228
1229 /* Generate a random octet string seed */
1230 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
1231 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1232
1233 p += hlen;
1234
1235 /* Construct DB */
1236 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
1237 return( ret );
1238 p += hlen;
1239 p += olen - 2 * hlen - 2 - ilen;
1240 *p++ = 1;
1241 memcpy( p, input, ilen );
1242
1243 mbedtls_md_init( &md_ctx );
1244 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1245 goto exit;
1246
1247 /* maskedDB: Apply dbMask to DB */
1248 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1249 &md_ctx ) ) != 0 )
1250 goto exit;
1251
1252 /* maskedSeed: Apply seedMask to seed */
1253 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1254 &md_ctx ) ) != 0 )
1255 goto exit;
1256
1257 exit:
1258 mbedtls_md_free( &md_ctx );
1259
1260 if( ret != 0 )
1261 return( ret );
1262
1263 return( ( mode == MBEDTLS_RSA_PUBLIC )
1264 ? mbedtls_rsa_public( ctx, output, output )
1265 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1266 }
1267 #endif /* MBEDTLS_PKCS1_V21 */
1268
1269 #if defined(MBEDTLS_PKCS1_V15)
1270 /*
1271 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1272 */
mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t ilen,const unsigned char * input,unsigned char * output)1273 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
1274 int (*f_rng)(void *, unsigned char *, size_t),
1275 void *p_rng,
1276 int mode, size_t ilen,
1277 const unsigned char *input,
1278 unsigned char *output )
1279 {
1280 size_t nb_pad, olen;
1281 int ret;
1282 unsigned char *p = output;
1283
1284 RSA_VALIDATE_RET( ctx != NULL );
1285 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1286 mode == MBEDTLS_RSA_PUBLIC );
1287 RSA_VALIDATE_RET( output != NULL );
1288 RSA_VALIDATE_RET( input != NULL );
1289
1290 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1291 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1292
1293 olen = ctx->len;
1294
1295 /* first comparison checks for overflow */
1296 if( ilen + 11 < ilen || olen < ilen + 11 )
1297 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1298
1299 nb_pad = olen - 3 - ilen;
1300
1301 *p++ = 0;
1302 if( mode == MBEDTLS_RSA_PUBLIC )
1303 {
1304 if( f_rng == NULL )
1305 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1306
1307 *p++ = MBEDTLS_RSA_CRYPT;
1308
1309 while( nb_pad-- > 0 )
1310 {
1311 int rng_dl = 100;
1312
1313 do {
1314 ret = f_rng( p_rng, p, 1 );
1315 } while( *p == 0 && --rng_dl && ret == 0 );
1316
1317 /* Check if RNG failed to generate data */
1318 if( rng_dl == 0 || ret != 0 )
1319 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1320
1321 p++;
1322 }
1323 }
1324 else
1325 {
1326 *p++ = MBEDTLS_RSA_SIGN;
1327
1328 while( nb_pad-- > 0 )
1329 *p++ = 0xFF;
1330 }
1331
1332 *p++ = 0;
1333 memcpy( p, input, ilen );
1334
1335 return( ( mode == MBEDTLS_RSA_PUBLIC )
1336 ? mbedtls_rsa_public( ctx, output, output )
1337 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1338 }
1339 #endif /* MBEDTLS_PKCS1_V15 */
1340
1341 /*
1342 * Add the message padding, then do an RSA operation
1343 */
mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t ilen,const unsigned char * input,unsigned char * output)1344 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
1345 int (*f_rng)(void *, unsigned char *, size_t),
1346 void *p_rng,
1347 int mode, size_t ilen,
1348 const unsigned char *input,
1349 unsigned char *output )
1350 {
1351 RSA_VALIDATE_RET( ctx != NULL );
1352 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1353 mode == MBEDTLS_RSA_PUBLIC );
1354 RSA_VALIDATE_RET( output != NULL );
1355 RSA_VALIDATE_RET( input != NULL );
1356
1357 switch( ctx->padding )
1358 {
1359 #if defined(MBEDTLS_PKCS1_V15)
1360 case MBEDTLS_RSA_PKCS_V15:
1361 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
1362 input, output );
1363 #endif
1364
1365 #if defined(MBEDTLS_PKCS1_V21)
1366 case MBEDTLS_RSA_PKCS_V21:
1367 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1368 ilen, input, output );
1369 #endif
1370
1371 default:
1372 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1373 }
1374 }
1375
1376 #if defined(MBEDTLS_PKCS1_V21)
1377 /*
1378 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1379 */
mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,const unsigned char * label,size_t label_len,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1380 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
1381 int (*f_rng)(void *, unsigned char *, size_t),
1382 void *p_rng,
1383 int mode,
1384 const unsigned char *label, size_t label_len,
1385 size_t *olen,
1386 const unsigned char *input,
1387 unsigned char *output,
1388 size_t output_max_len )
1389 {
1390 int ret;
1391 size_t ilen, i, pad_len;
1392 unsigned char *p, bad, pad_done;
1393 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1394 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
1395 unsigned int hlen;
1396 const mbedtls_md_info_t *md_info;
1397 mbedtls_md_context_t md_ctx;
1398
1399 RSA_VALIDATE_RET( ctx != NULL );
1400 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1401 mode == MBEDTLS_RSA_PUBLIC );
1402 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1403 RSA_VALIDATE_RET( label_len == 0 || label != NULL );
1404 RSA_VALIDATE_RET( input != NULL );
1405 RSA_VALIDATE_RET( olen != NULL );
1406
1407 /*
1408 * Parameters sanity checks
1409 */
1410 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1411 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1412
1413 ilen = ctx->len;
1414
1415 if( ilen < 16 || ilen > sizeof( buf ) )
1416 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1417
1418 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1419 if( md_info == NULL )
1420 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1421
1422 hlen = mbedtls_md_get_size( md_info );
1423
1424 // checking for integer underflow
1425 if( 2 * hlen + 2 > ilen )
1426 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1427
1428 /*
1429 * RSA operation
1430 */
1431 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1432 ? mbedtls_rsa_public( ctx, input, buf )
1433 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1434
1435 if( ret != 0 )
1436 goto cleanup;
1437
1438 /*
1439 * Unmask data and generate lHash
1440 */
1441 mbedtls_md_init( &md_ctx );
1442 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1443 {
1444 mbedtls_md_free( &md_ctx );
1445 goto cleanup;
1446 }
1447
1448 /* seed: Apply seedMask to maskedSeed */
1449 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1450 &md_ctx ) ) != 0 ||
1451 /* DB: Apply dbMask to maskedDB */
1452 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1453 &md_ctx ) ) != 0 )
1454 {
1455 mbedtls_md_free( &md_ctx );
1456 goto cleanup;
1457 }
1458
1459 mbedtls_md_free( &md_ctx );
1460
1461 /* Generate lHash */
1462 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
1463 goto cleanup;
1464
1465 /*
1466 * Check contents, in "constant-time"
1467 */
1468 p = buf;
1469 bad = 0;
1470
1471 bad |= *p++; /* First byte must be 0 */
1472
1473 p += hlen; /* Skip seed */
1474
1475 /* Check lHash */
1476 for( i = 0; i < hlen; i++ )
1477 bad |= lhash[i] ^ *p++;
1478
1479 /* Get zero-padding len, but always read till end of buffer
1480 * (minus one, for the 01 byte) */
1481 pad_len = 0;
1482 pad_done = 0;
1483 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
1484 {
1485 pad_done |= p[i];
1486 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1487 }
1488
1489 p += pad_len;
1490 bad |= *p++ ^ 0x01;
1491
1492 /*
1493 * The only information "leaked" is whether the padding was correct or not
1494 * (eg, no data is copied if it was not correct). This meets the
1495 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1496 * the different error conditions.
1497 */
1498 if( bad != 0 )
1499 {
1500 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1501 goto cleanup;
1502 }
1503
1504 if( ilen - ( p - buf ) > output_max_len )
1505 {
1506 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1507 goto cleanup;
1508 }
1509
1510 *olen = ilen - (p - buf);
1511 memcpy( output, p, *olen );
1512 ret = 0;
1513
1514 cleanup:
1515 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1516 mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
1517
1518 return( ret );
1519 }
1520 #endif /* MBEDTLS_PKCS1_V21 */
1521
1522 #if defined(MBEDTLS_PKCS1_V15)
1523 /** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.
1524 *
1525 * \param value The value to analyze.
1526 * \return Zero if \p value is zero, otherwise all-bits-one.
1527 */
all_or_nothing_int(unsigned value)1528 static unsigned all_or_nothing_int( unsigned value )
1529 {
1530 /* MSVC has a warning about unary minus on unsigned, but this is
1531 * well-defined and precisely what we want to do here */
1532 #if defined(_MSC_VER)
1533 #pragma warning( push )
1534 #pragma warning( disable : 4146 )
1535 #endif
1536 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
1537 #if defined(_MSC_VER)
1538 #pragma warning( pop )
1539 #endif
1540 }
1541
1542 /** Check whether a size is out of bounds, without branches.
1543 *
1544 * This is equivalent to `size > max`, but is likely to be compiled to
1545 * to code using bitwise operation rather than a branch.
1546 *
1547 * \param size Size to check.
1548 * \param max Maximum desired value for \p size.
1549 * \return \c 0 if `size <= max`.
1550 * \return \c 1 if `size > max`.
1551 */
size_greater_than(size_t size,size_t max)1552 static unsigned size_greater_than( size_t size, size_t max )
1553 {
1554 /* Return the sign bit (1 for negative) of (max - size). */
1555 return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
1556 }
1557
1558 /** Choose between two integer values, without branches.
1559 *
1560 * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled
1561 * to code using bitwise operation rather than a branch.
1562 *
1563 * \param cond Condition to test.
1564 * \param if1 Value to use if \p cond is nonzero.
1565 * \param if0 Value to use if \p cond is zero.
1566 * \return \c if1 if \p cond is nonzero, otherwise \c if0.
1567 */
if_int(unsigned cond,unsigned if1,unsigned if0)1568 static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
1569 {
1570 unsigned mask = all_or_nothing_int( cond );
1571 return( ( mask & if1 ) | (~mask & if0 ) );
1572 }
1573
1574 /** Shift some data towards the left inside a buffer without leaking
1575 * the length of the data through side channels.
1576 *
1577 * `mem_move_to_left(start, total, offset)` is functionally equivalent to
1578 * ```
1579 * memmove(start, start + offset, total - offset);
1580 * memset(start + offset, 0, total - offset);
1581 * ```
1582 * but it strives to use a memory access pattern (and thus total timing)
1583 * that does not depend on \p offset. This timing independence comes at
1584 * the expense of performance.
1585 *
1586 * \param start Pointer to the start of the buffer.
1587 * \param total Total size of the buffer.
1588 * \param offset Offset from which to copy \p total - \p offset bytes.
1589 */
mem_move_to_left(void * start,size_t total,size_t offset)1590 static void mem_move_to_left( void *start,
1591 size_t total,
1592 size_t offset )
1593 {
1594 volatile unsigned char *buf = start;
1595 size_t i, n;
1596 if( total == 0 )
1597 return;
1598 for( i = 0; i < total; i++ )
1599 {
1600 unsigned no_op = size_greater_than( total - offset, i );
1601 /* The first `total - offset` passes are a no-op. The last
1602 * `offset` passes shift the data one byte to the left and
1603 * zero out the last byte. */
1604 for( n = 0; n < total - 1; n++ )
1605 {
1606 unsigned char current = buf[n];
1607 unsigned char next = buf[n+1];
1608 buf[n] = if_int( no_op, current, next );
1609 }
1610 buf[total-1] = if_int( no_op, buf[total-1], 0 );
1611 }
1612 }
1613
1614 /*
1615 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1616 */
mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1617 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
1618 int (*f_rng)(void *, unsigned char *, size_t),
1619 void *p_rng,
1620 int mode, size_t *olen,
1621 const unsigned char *input,
1622 unsigned char *output,
1623 size_t output_max_len )
1624 {
1625 int ret;
1626 size_t ilen, i, plaintext_max_size;
1627 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1628 /* The following variables take sensitive values: their value must
1629 * not leak into the observable behavior of the function other than
1630 * the designated outputs (output, olen, return value). Otherwise
1631 * this would open the execution of the function to
1632 * side-channel-based variants of the Bleichenbacher padding oracle
1633 * attack. Potential side channels include overall timing, memory
1634 * access patterns (especially visible to an adversary who has access
1635 * to a shared memory cache), and branches (especially visible to
1636 * an adversary who has access to a shared code cache or to a shared
1637 * branch predictor). */
1638 size_t pad_count = 0;
1639 unsigned bad = 0;
1640 unsigned char pad_done = 0;
1641 size_t plaintext_size = 0;
1642 unsigned output_too_large;
1643
1644 RSA_VALIDATE_RET( ctx != NULL );
1645 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1646 mode == MBEDTLS_RSA_PUBLIC );
1647 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1648 RSA_VALIDATE_RET( input != NULL );
1649 RSA_VALIDATE_RET( olen != NULL );
1650
1651 ilen = ctx->len;
1652 plaintext_max_size = ( output_max_len > ilen - 11 ?
1653 ilen - 11 :
1654 output_max_len );
1655
1656 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1657 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1658
1659 if( ilen < 16 || ilen > sizeof( buf ) )
1660 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1661
1662 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1663 ? mbedtls_rsa_public( ctx, input, buf )
1664 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1665
1666 if( ret != 0 )
1667 goto cleanup;
1668
1669 /* Check and get padding length in constant time and constant
1670 * memory trace. The first byte must be 0. */
1671 bad |= buf[0];
1672
1673 if( mode == MBEDTLS_RSA_PRIVATE )
1674 {
1675 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
1676 * where PS must be at least 8 nonzero bytes. */
1677 bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
1678
1679 /* Read the whole buffer. Set pad_done to nonzero if we find
1680 * the 0x00 byte and remember the padding length in pad_count. */
1681 for( i = 2; i < ilen; i++ )
1682 {
1683 pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
1684 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1685 }
1686 }
1687 else
1688 {
1689 /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
1690 * where PS must be at least 8 bytes with the value 0xFF. */
1691 bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
1692
1693 /* Read the whole buffer. Set pad_done to nonzero if we find
1694 * the 0x00 byte and remember the padding length in pad_count.
1695 * If there's a non-0xff byte in the padding, the padding is bad. */
1696 for( i = 2; i < ilen; i++ )
1697 {
1698 pad_done |= if_int( buf[i], 0, 1 );
1699 pad_count += if_int( pad_done, 0, 1 );
1700 bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
1701 }
1702 }
1703
1704 /* If pad_done is still zero, there's no data, only unfinished padding. */
1705 bad |= if_int( pad_done, 0, 1 );
1706
1707 /* There must be at least 8 bytes of padding. */
1708 bad |= size_greater_than( 8, pad_count );
1709
1710 /* If the padding is valid, set plaintext_size to the number of
1711 * remaining bytes after stripping the padding. If the padding
1712 * is invalid, avoid leaking this fact through the size of the
1713 * output: use the maximum message size that fits in the output
1714 * buffer. Do it without branches to avoid leaking the padding
1715 * validity through timing. RSA keys are small enough that all the
1716 * size_t values involved fit in unsigned int. */
1717 plaintext_size = if_int( bad,
1718 (unsigned) plaintext_max_size,
1719 (unsigned) ( ilen - pad_count - 3 ) );
1720
1721 /* Set output_too_large to 0 if the plaintext fits in the output
1722 * buffer and to 1 otherwise. */
1723 output_too_large = size_greater_than( plaintext_size,
1724 plaintext_max_size );
1725
1726 /* Set ret without branches to avoid timing attacks. Return:
1727 * - INVALID_PADDING if the padding is bad (bad != 0).
1728 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
1729 * plaintext does not fit in the output buffer.
1730 * - 0 if the padding is correct. */
1731 ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
1732 if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
1733 0 ) );
1734
1735 /* If the padding is bad or the plaintext is too large, zero the
1736 * data that we're about to copy to the output buffer.
1737 * We need to copy the same amount of data
1738 * from the same buffer whether the padding is good or not to
1739 * avoid leaking the padding validity through overall timing or
1740 * through memory or cache access patterns. */
1741 bad = all_or_nothing_int( bad | output_too_large );
1742 for( i = 11; i < ilen; i++ )
1743 buf[i] &= ~bad;
1744
1745 /* If the plaintext is too large, truncate it to the buffer size.
1746 * Copy anyway to avoid revealing the length through timing, because
1747 * revealing the length is as bad as revealing the padding validity
1748 * for a Bleichenbacher attack. */
1749 plaintext_size = if_int( output_too_large,
1750 (unsigned) plaintext_max_size,
1751 (unsigned) plaintext_size );
1752
1753 /* Move the plaintext to the leftmost position where it can start in
1754 * the working buffer, i.e. make it start plaintext_max_size from
1755 * the end of the buffer. Do this with a memory access trace that
1756 * does not depend on the plaintext size. After this move, the
1757 * starting location of the plaintext is no longer sensitive
1758 * information. */
1759 mem_move_to_left( buf + ilen - plaintext_max_size,
1760 plaintext_max_size,
1761 plaintext_max_size - plaintext_size );
1762
1763 /* Finally copy the decrypted plaintext plus trailing zeros
1764 * into the output buffer. */
1765 memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
1766
1767 /* Report the amount of data we copied to the output buffer. In case
1768 * of errors (bad padding or output too large), the value of *olen
1769 * when this function returns is not specified. Making it equivalent
1770 * to the good case limits the risks of leaking the padding validity. */
1771 *olen = plaintext_size;
1772
1773 cleanup:
1774 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1775
1776 return( ret );
1777 }
1778 #endif /* MBEDTLS_PKCS1_V15 */
1779
1780 /*
1781 * Do an RSA operation, then remove the message padding
1782 */
mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1783 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
1784 int (*f_rng)(void *, unsigned char *, size_t),
1785 void *p_rng,
1786 int mode, size_t *olen,
1787 const unsigned char *input,
1788 unsigned char *output,
1789 size_t output_max_len)
1790 {
1791 RSA_VALIDATE_RET( ctx != NULL );
1792 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1793 mode == MBEDTLS_RSA_PUBLIC );
1794 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1795 RSA_VALIDATE_RET( input != NULL );
1796 RSA_VALIDATE_RET( olen != NULL );
1797
1798 switch( ctx->padding )
1799 {
1800 #if defined(MBEDTLS_PKCS1_V15)
1801 case MBEDTLS_RSA_PKCS_V15:
1802 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
1803 input, output, output_max_len );
1804 #endif
1805
1806 #if defined(MBEDTLS_PKCS1_V21)
1807 case MBEDTLS_RSA_PKCS_V21:
1808 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1809 olen, input, output,
1810 output_max_len );
1811 #endif
1812
1813 default:
1814 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1815 }
1816 }
1817
1818 #if defined(MBEDTLS_PKCS1_V21)
1819 /*
1820 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1821 */
mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1822 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
1823 int (*f_rng)(void *, unsigned char *, size_t),
1824 void *p_rng,
1825 int mode,
1826 mbedtls_md_type_t md_alg,
1827 unsigned int hashlen,
1828 const unsigned char *hash,
1829 unsigned char *sig )
1830 {
1831 size_t olen;
1832 unsigned char *p = sig;
1833 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
1834 size_t slen, min_slen, hlen, offset = 0;
1835 int ret;
1836 size_t msb;
1837 const mbedtls_md_info_t *md_info;
1838 mbedtls_md_context_t md_ctx;
1839 RSA_VALIDATE_RET( ctx != NULL );
1840 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1841 mode == MBEDTLS_RSA_PUBLIC );
1842 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
1843 hashlen == 0 ) ||
1844 hash != NULL );
1845 RSA_VALIDATE_RET( sig != NULL );
1846
1847 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1848 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1849
1850 if( f_rng == NULL )
1851 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1852
1853 olen = ctx->len;
1854
1855 if( md_alg != MBEDTLS_MD_NONE )
1856 {
1857 /* Gather length of hash to sign */
1858 md_info = mbedtls_md_info_from_type( md_alg );
1859 if( md_info == NULL )
1860 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1861
1862 hashlen = mbedtls_md_get_size( md_info );
1863 }
1864
1865 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1866 if( md_info == NULL )
1867 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1868
1869 hlen = mbedtls_md_get_size( md_info );
1870
1871 /* Calculate the largest possible salt length. Normally this is the hash
1872 * length, which is the maximum length the salt can have. If there is not
1873 * enough room, use the maximum salt length that fits. The constraint is
1874 * that the hash length plus the salt length plus 2 bytes must be at most
1875 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
1876 * (PKCS#1 v2.2) §9.1.1 step 3. */
1877 min_slen = hlen - 2;
1878 if( olen < hlen + min_slen + 2 )
1879 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1880 else if( olen >= hlen + hlen + 2 )
1881 slen = hlen;
1882 else
1883 slen = olen - hlen - 2;
1884
1885 memset( sig, 0, olen );
1886
1887 /* Generate salt of length slen */
1888 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
1889 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1890
1891 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1892 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1893 p += olen - hlen - slen - 2;
1894 *p++ = 0x01;
1895 memcpy( p, salt, slen );
1896 p += slen;
1897
1898 mbedtls_md_init( &md_ctx );
1899 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1900 goto exit;
1901
1902 /* Generate H = Hash( M' ) */
1903 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
1904 goto exit;
1905 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
1906 goto exit;
1907 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
1908 goto exit;
1909 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
1910 goto exit;
1911 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
1912 goto exit;
1913
1914 /* Compensate for boundary condition when applying mask */
1915 if( msb % 8 == 0 )
1916 offset = 1;
1917
1918 /* maskedDB: Apply dbMask to DB */
1919 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
1920 &md_ctx ) ) != 0 )
1921 goto exit;
1922
1923 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1924 sig[0] &= 0xFF >> ( olen * 8 - msb );
1925
1926 p += hlen;
1927 *p++ = 0xBC;
1928
1929 mbedtls_platform_zeroize( salt, sizeof( salt ) );
1930
1931 exit:
1932 mbedtls_md_free( &md_ctx );
1933
1934 if( ret != 0 )
1935 return( ret );
1936
1937 return( ( mode == MBEDTLS_RSA_PUBLIC )
1938 ? mbedtls_rsa_public( ctx, sig, sig )
1939 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1940 }
1941 #endif /* MBEDTLS_PKCS1_V21 */
1942
1943 #if defined(MBEDTLS_PKCS1_V15)
1944 /*
1945 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1946 */
1947
1948 /* Construct a PKCS v1.5 encoding of a hashed message
1949 *
1950 * This is used both for signature generation and verification.
1951 *
1952 * Parameters:
1953 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1954 * MBEDTLS_MD_NONE if raw data is signed.
1955 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
1956 * - hash: Buffer containing the hashed message or the raw data.
1957 * - dst_len: Length of the encoded message.
1958 * - dst: Buffer to hold the encoded message.
1959 *
1960 * Assumptions:
1961 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
1962 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
1963 * - dst points to a buffer of size at least dst_len.
1964 *
1965 */
rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,size_t dst_len,unsigned char * dst)1966 static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
1967 unsigned int hashlen,
1968 const unsigned char *hash,
1969 size_t dst_len,
1970 unsigned char *dst )
1971 {
1972 size_t oid_size = 0;
1973 size_t nb_pad = dst_len;
1974 unsigned char *p = dst;
1975 const char *oid = NULL;
1976
1977 /* Are we signing hashed or raw data? */
1978 if( md_alg != MBEDTLS_MD_NONE )
1979 {
1980 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1981 if( md_info == NULL )
1982 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1983
1984 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1985 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1986
1987 hashlen = mbedtls_md_get_size( md_info );
1988
1989 /* Double-check that 8 + hashlen + oid_size can be used as a
1990 * 1-byte ASN.1 length encoding and that there's no overflow. */
1991 if( 8 + hashlen + oid_size >= 0x80 ||
1992 10 + hashlen < hashlen ||
1993 10 + hashlen + oid_size < 10 + hashlen )
1994 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1995
1996 /*
1997 * Static bounds check:
1998 * - Need 10 bytes for five tag-length pairs.
1999 * (Insist on 1-byte length encodings to protect against variants of
2000 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
2001 * - Need hashlen bytes for hash
2002 * - Need oid_size bytes for hash alg OID.
2003 */
2004 if( nb_pad < 10 + hashlen + oid_size )
2005 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2006 nb_pad -= 10 + hashlen + oid_size;
2007 }
2008 else
2009 {
2010 if( nb_pad < hashlen )
2011 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2012
2013 nb_pad -= hashlen;
2014 }
2015
2016 /* Need space for signature header and padding delimiter (3 bytes),
2017 * and 8 bytes for the minimal padding */
2018 if( nb_pad < 3 + 8 )
2019 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2020 nb_pad -= 3;
2021
2022 /* Now nb_pad is the amount of memory to be filled
2023 * with padding, and at least 8 bytes long. */
2024
2025 /* Write signature header and padding */
2026 *p++ = 0;
2027 *p++ = MBEDTLS_RSA_SIGN;
2028 memset( p, 0xFF, nb_pad );
2029 p += nb_pad;
2030 *p++ = 0;
2031
2032 /* Are we signing raw data? */
2033 if( md_alg == MBEDTLS_MD_NONE )
2034 {
2035 memcpy( p, hash, hashlen );
2036 return( 0 );
2037 }
2038
2039 /* Signing hashed data, add corresponding ASN.1 structure
2040 *
2041 * DigestInfo ::= SEQUENCE {
2042 * digestAlgorithm DigestAlgorithmIdentifier,
2043 * digest Digest }
2044 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
2045 * Digest ::= OCTET STRING
2046 *
2047 * Schematic:
2048 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
2049 * TAG-NULL + LEN [ NULL ] ]
2050 * TAG-OCTET + LEN [ HASH ] ]
2051 */
2052 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
2053 *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
2054 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
2055 *p++ = (unsigned char)( 0x04 + oid_size );
2056 *p++ = MBEDTLS_ASN1_OID;
2057 *p++ = (unsigned char) oid_size;
2058 memcpy( p, oid, oid_size );
2059 p += oid_size;
2060 *p++ = MBEDTLS_ASN1_NULL;
2061 *p++ = 0x00;
2062 *p++ = MBEDTLS_ASN1_OCTET_STRING;
2063 *p++ = (unsigned char) hashlen;
2064 memcpy( p, hash, hashlen );
2065 p += hashlen;
2066
2067 /* Just a sanity-check, should be automatic
2068 * after the initial bounds check. */
2069 if( p != dst + dst_len )
2070 {
2071 mbedtls_platform_zeroize( dst, dst_len );
2072 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2073 }
2074
2075 return( 0 );
2076 }
2077
2078 /*
2079 * Do an RSA operation to sign the message digest
2080 */
mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)2081 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
2082 int (*f_rng)(void *, unsigned char *, size_t),
2083 void *p_rng,
2084 int mode,
2085 mbedtls_md_type_t md_alg,
2086 unsigned int hashlen,
2087 const unsigned char *hash,
2088 unsigned char *sig )
2089 {
2090 int ret;
2091 unsigned char *sig_try = NULL, *verif = NULL;
2092
2093 RSA_VALIDATE_RET( ctx != NULL );
2094 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2095 mode == MBEDTLS_RSA_PUBLIC );
2096 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2097 hashlen == 0 ) ||
2098 hash != NULL );
2099 RSA_VALIDATE_RET( sig != NULL );
2100
2101 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
2102 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2103
2104 /*
2105 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
2106 */
2107
2108 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
2109 ctx->len, sig ) ) != 0 )
2110 return( ret );
2111
2112 /*
2113 * Call respective RSA primitive
2114 */
2115
2116 if( mode == MBEDTLS_RSA_PUBLIC )
2117 {
2118 /* Skip verification on a public key operation */
2119 return( mbedtls_rsa_public( ctx, sig, sig ) );
2120 }
2121
2122 /* Private key operation
2123 *
2124 * In order to prevent Lenstra's attack, make the signature in a
2125 * temporary buffer and check it before returning it.
2126 */
2127
2128 sig_try = mbedtls_calloc( 1, ctx->len );
2129 if( sig_try == NULL )
2130 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
2131
2132 verif = mbedtls_calloc( 1, ctx->len );
2133 if( verif == NULL )
2134 {
2135 mbedtls_free( sig_try );
2136 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
2137 }
2138
2139 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
2140 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
2141
2142 if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
2143 {
2144 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
2145 goto cleanup;
2146 }
2147
2148 memcpy( sig, sig_try, ctx->len );
2149
2150 cleanup:
2151 mbedtls_free( sig_try );
2152 mbedtls_free( verif );
2153
2154 return( ret );
2155 }
2156 #endif /* MBEDTLS_PKCS1_V15 */
2157
2158 /*
2159 * Do an RSA operation to sign the message digest
2160 */
mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)2161 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
2162 int (*f_rng)(void *, unsigned char *, size_t),
2163 void *p_rng,
2164 int mode,
2165 mbedtls_md_type_t md_alg,
2166 unsigned int hashlen,
2167 const unsigned char *hash,
2168 unsigned char *sig )
2169 {
2170 RSA_VALIDATE_RET( ctx != NULL );
2171 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2172 mode == MBEDTLS_RSA_PUBLIC );
2173 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2174 hashlen == 0 ) ||
2175 hash != NULL );
2176 RSA_VALIDATE_RET( sig != NULL );
2177
2178 switch( ctx->padding )
2179 {
2180 #if defined(MBEDTLS_PKCS1_V15)
2181 case MBEDTLS_RSA_PKCS_V15:
2182 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
2183 hashlen, hash, sig );
2184 #endif
2185
2186 #if defined(MBEDTLS_PKCS1_V21)
2187 case MBEDTLS_RSA_PKCS_V21:
2188 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
2189 hashlen, hash, sig );
2190 #endif
2191
2192 default:
2193 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2194 }
2195 }
2196
2197 #if defined(MBEDTLS_PKCS1_V21)
2198 /*
2199 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2200 */
mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,mbedtls_md_type_t mgf1_hash_id,int expected_salt_len,const unsigned char * sig)2201 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
2202 int (*f_rng)(void *, unsigned char *, size_t),
2203 void *p_rng,
2204 int mode,
2205 mbedtls_md_type_t md_alg,
2206 unsigned int hashlen,
2207 const unsigned char *hash,
2208 mbedtls_md_type_t mgf1_hash_id,
2209 int expected_salt_len,
2210 const unsigned char *sig )
2211 {
2212 int ret;
2213 size_t siglen;
2214 unsigned char *p;
2215 unsigned char *hash_start;
2216 unsigned char result[MBEDTLS_MD_MAX_SIZE];
2217 unsigned char zeros[8];
2218 unsigned int hlen;
2219 size_t observed_salt_len, msb;
2220 const mbedtls_md_info_t *md_info;
2221 mbedtls_md_context_t md_ctx;
2222 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
2223
2224 RSA_VALIDATE_RET( ctx != NULL );
2225 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2226 mode == MBEDTLS_RSA_PUBLIC );
2227 RSA_VALIDATE_RET( sig != NULL );
2228 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2229 hashlen == 0 ) ||
2230 hash != NULL );
2231
2232 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
2233 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2234
2235 siglen = ctx->len;
2236
2237 if( siglen < 16 || siglen > sizeof( buf ) )
2238 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2239
2240 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2241 ? mbedtls_rsa_public( ctx, sig, buf )
2242 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
2243
2244 if( ret != 0 )
2245 return( ret );
2246
2247 p = buf;
2248
2249 if( buf[siglen - 1] != 0xBC )
2250 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2251
2252 if( md_alg != MBEDTLS_MD_NONE )
2253 {
2254 /* Gather length of hash to sign */
2255 md_info = mbedtls_md_info_from_type( md_alg );
2256 if( md_info == NULL )
2257 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2258
2259 hashlen = mbedtls_md_get_size( md_info );
2260 }
2261
2262 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
2263 if( md_info == NULL )
2264 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2265
2266 hlen = mbedtls_md_get_size( md_info );
2267
2268 memset( zeros, 0, 8 );
2269
2270 /*
2271 * Note: EMSA-PSS verification is over the length of N - 1 bits
2272 */
2273 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
2274
2275 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
2276 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2277
2278 /* Compensate for boundary condition when applying mask */
2279 if( msb % 8 == 0 )
2280 {
2281 p++;
2282 siglen -= 1;
2283 }
2284
2285 if( siglen < hlen + 2 )
2286 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2287 hash_start = p + siglen - hlen - 1;
2288
2289 mbedtls_md_init( &md_ctx );
2290 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
2291 goto exit;
2292
2293 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
2294 if( ret != 0 )
2295 goto exit;
2296
2297 buf[0] &= 0xFF >> ( siglen * 8 - msb );
2298
2299 while( p < hash_start - 1 && *p == 0 )
2300 p++;
2301
2302 if( *p++ != 0x01 )
2303 {
2304 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2305 goto exit;
2306 }
2307
2308 observed_salt_len = hash_start - p;
2309
2310 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
2311 observed_salt_len != (size_t) expected_salt_len )
2312 {
2313 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2314 goto exit;
2315 }
2316
2317 /*
2318 * Generate H = Hash( M' )
2319 */
2320 ret = mbedtls_md_starts( &md_ctx );
2321 if ( ret != 0 )
2322 goto exit;
2323 ret = mbedtls_md_update( &md_ctx, zeros, 8 );
2324 if ( ret != 0 )
2325 goto exit;
2326 ret = mbedtls_md_update( &md_ctx, hash, hashlen );
2327 if ( ret != 0 )
2328 goto exit;
2329 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
2330 if ( ret != 0 )
2331 goto exit;
2332 ret = mbedtls_md_finish( &md_ctx, result );
2333 if ( ret != 0 )
2334 goto exit;
2335
2336 if( memcmp( hash_start, result, hlen ) != 0 )
2337 {
2338 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2339 goto exit;
2340 }
2341
2342 exit:
2343 mbedtls_md_free( &md_ctx );
2344
2345 return( ret );
2346 }
2347
2348 /*
2349 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2350 */
mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2351 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
2352 int (*f_rng)(void *, unsigned char *, size_t),
2353 void *p_rng,
2354 int mode,
2355 mbedtls_md_type_t md_alg,
2356 unsigned int hashlen,
2357 const unsigned char *hash,
2358 const unsigned char *sig )
2359 {
2360 mbedtls_md_type_t mgf1_hash_id;
2361 RSA_VALIDATE_RET( ctx != NULL );
2362 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2363 mode == MBEDTLS_RSA_PUBLIC );
2364 RSA_VALIDATE_RET( sig != NULL );
2365 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2366 hashlen == 0 ) ||
2367 hash != NULL );
2368
2369 mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
2370 ? (mbedtls_md_type_t) ctx->hash_id
2371 : md_alg;
2372
2373 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
2374 md_alg, hashlen, hash,
2375 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
2376 sig ) );
2377
2378 }
2379 #endif /* MBEDTLS_PKCS1_V21 */
2380
2381 #if defined(MBEDTLS_PKCS1_V15)
2382 /*
2383 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2384 */
mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2385 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
2386 int (*f_rng)(void *, unsigned char *, size_t),
2387 void *p_rng,
2388 int mode,
2389 mbedtls_md_type_t md_alg,
2390 unsigned int hashlen,
2391 const unsigned char *hash,
2392 const unsigned char *sig )
2393 {
2394 int ret = 0;
2395 size_t sig_len;
2396 unsigned char *encoded = NULL, *encoded_expected = NULL;
2397
2398 RSA_VALIDATE_RET( ctx != NULL );
2399 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2400 mode == MBEDTLS_RSA_PUBLIC );
2401 RSA_VALIDATE_RET( sig != NULL );
2402 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2403 hashlen == 0 ) ||
2404 hash != NULL );
2405
2406 sig_len = ctx->len;
2407
2408 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
2409 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2410
2411 /*
2412 * Prepare expected PKCS1 v1.5 encoding of hash.
2413 */
2414
2415 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL ||
2416 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
2417 {
2418 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2419 goto cleanup;
2420 }
2421
2422 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
2423 encoded_expected ) ) != 0 )
2424 goto cleanup;
2425
2426 /*
2427 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2428 */
2429
2430 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2431 ? mbedtls_rsa_public( ctx, sig, encoded )
2432 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
2433 if( ret != 0 )
2434 goto cleanup;
2435
2436 /*
2437 * Compare
2438 */
2439
2440 if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
2441 sig_len ) ) != 0 )
2442 {
2443 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2444 goto cleanup;
2445 }
2446
2447 cleanup:
2448
2449 if( encoded != NULL )
2450 {
2451 mbedtls_platform_zeroize( encoded, sig_len );
2452 mbedtls_free( encoded );
2453 }
2454
2455 if( encoded_expected != NULL )
2456 {
2457 mbedtls_platform_zeroize( encoded_expected, sig_len );
2458 mbedtls_free( encoded_expected );
2459 }
2460
2461 return( ret );
2462 }
2463 #endif /* MBEDTLS_PKCS1_V15 */
2464
2465 /*
2466 * Do an RSA operation and check the message digest
2467 */
mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2468 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
2469 int (*f_rng)(void *, unsigned char *, size_t),
2470 void *p_rng,
2471 int mode,
2472 mbedtls_md_type_t md_alg,
2473 unsigned int hashlen,
2474 const unsigned char *hash,
2475 const unsigned char *sig )
2476 {
2477 RSA_VALIDATE_RET( ctx != NULL );
2478 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2479 mode == MBEDTLS_RSA_PUBLIC );
2480 RSA_VALIDATE_RET( sig != NULL );
2481 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2482 hashlen == 0 ) ||
2483 hash != NULL );
2484
2485 switch( ctx->padding )
2486 {
2487 #if defined(MBEDTLS_PKCS1_V15)
2488 case MBEDTLS_RSA_PKCS_V15:
2489 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
2490 hashlen, hash, sig );
2491 #endif
2492
2493 #if defined(MBEDTLS_PKCS1_V21)
2494 case MBEDTLS_RSA_PKCS_V21:
2495 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
2496 hashlen, hash, sig );
2497 #endif
2498
2499 default:
2500 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2501 }
2502 }
2503
2504 /*
2505 * Copy the components of an RSA key
2506 */
mbedtls_rsa_copy(mbedtls_rsa_context * dst,const mbedtls_rsa_context * src)2507 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
2508 {
2509 int ret;
2510 RSA_VALIDATE_RET( dst != NULL );
2511 RSA_VALIDATE_RET( src != NULL );
2512
2513 dst->len = src->len;
2514
2515 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
2516 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
2517
2518 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
2519 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
2520 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
2521
2522 #if !defined(MBEDTLS_RSA_NO_CRT)
2523 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
2524 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
2525 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
2526 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
2527 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
2528 #endif
2529
2530 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
2531
2532 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
2533 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
2534
2535 dst->padding = src->padding;
2536 dst->hash_id = src->hash_id;
2537
2538 cleanup:
2539 if( ret != 0 )
2540 mbedtls_rsa_free( dst );
2541
2542 return( ret );
2543 }
2544
2545 /*
2546 * Free the components of an RSA key
2547 */
mbedtls_rsa_free(mbedtls_rsa_context * ctx)2548 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
2549 {
2550 if( ctx == NULL )
2551 return;
2552
2553 mbedtls_mpi_free( &ctx->Vi );
2554 mbedtls_mpi_free( &ctx->Vf );
2555 mbedtls_mpi_free( &ctx->RN );
2556 mbedtls_mpi_free( &ctx->D );
2557 mbedtls_mpi_free( &ctx->Q );
2558 mbedtls_mpi_free( &ctx->P );
2559 mbedtls_mpi_free( &ctx->E );
2560 mbedtls_mpi_free( &ctx->N );
2561
2562 #if !defined(MBEDTLS_RSA_NO_CRT)
2563 mbedtls_mpi_free( &ctx->RQ );
2564 mbedtls_mpi_free( &ctx->RP );
2565 mbedtls_mpi_free( &ctx->QP );
2566 mbedtls_mpi_free( &ctx->DQ );
2567 mbedtls_mpi_free( &ctx->DP );
2568 #endif /* MBEDTLS_RSA_NO_CRT */
2569
2570 #if defined(MBEDTLS_THREADING_C)
2571 /* Free the mutex, but only if it hasn't been freed already. */
2572 if( ctx->ver != 0 )
2573 {
2574 mbedtls_mutex_free( &ctx->mutex );
2575 ctx->ver = 0;
2576 }
2577 #endif
2578 }
2579
2580 #endif /* !MBEDTLS_RSA_ALT */
2581
2582 #if defined(MBEDTLS_SELF_TEST)
2583
2584 #include "mbedtls/sha1.h"
2585
2586 /*
2587 * Example RSA-1024 keypair, for test purposes
2588 */
2589 #define KEY_LEN 128
2590
2591 #define RSA_N "9292758453063D803DD603D5E777D788" \
2592 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2593 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2594 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2595 "93A89813FBF3C4F8066D2D800F7C38A8" \
2596 "1AE31942917403FF4946B0A83D3D3E05" \
2597 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2598 "5E94BB77B07507233A0BC7BAC8F90F79"
2599
2600 #define RSA_E "10001"
2601
2602 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2603 "66CA472BC44D253102F8B4A9D3BFA750" \
2604 "91386C0077937FE33FA3252D28855837" \
2605 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2606 "DF79C5CE07EE72C7F123142198164234" \
2607 "CABB724CF78B8173B9F880FC86322407" \
2608 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2609 "071513A1E85B5DFA031F21ECAE91A34D"
2610
2611 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2612 "2C01CAD19EA484A87EA4377637E75500" \
2613 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2614 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2615
2616 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2617 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2618 "910E4168387E3C30AA1E00C339A79508" \
2619 "8452DD96A9A5EA5D9DCA68DA636032AF"
2620
2621 #define PT_LEN 24
2622 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2623 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2624
2625 #if defined(MBEDTLS_PKCS1_V15)
myrand(void * rng_state,unsigned char * output,size_t len)2626 static int myrand( void *rng_state, unsigned char *output, size_t len )
2627 {
2628 #if !defined(__OpenBSD__) && !defined(__NetBSD__)
2629 size_t i;
2630
2631 if( rng_state != NULL )
2632 rng_state = NULL;
2633
2634 for( i = 0; i < len; ++i )
2635 output[i] = rand();
2636 #else
2637 if( rng_state != NULL )
2638 rng_state = NULL;
2639
2640 arc4random_buf( output, len );
2641 #endif /* !OpenBSD && !NetBSD */
2642
2643 return( 0 );
2644 }
2645 #endif /* MBEDTLS_PKCS1_V15 */
2646
2647 /*
2648 * Checkup routine
2649 */
mbedtls_rsa_self_test(int verbose)2650 int mbedtls_rsa_self_test( int verbose )
2651 {
2652 int ret = 0;
2653 #if defined(MBEDTLS_PKCS1_V15)
2654 size_t len;
2655 mbedtls_rsa_context rsa;
2656 unsigned char rsa_plaintext[PT_LEN];
2657 unsigned char rsa_decrypted[PT_LEN];
2658 unsigned char rsa_ciphertext[KEY_LEN];
2659 #if defined(MBEDTLS_SHA1_C)
2660 unsigned char sha1sum[20];
2661 #endif
2662
2663 mbedtls_mpi K;
2664
2665 mbedtls_mpi_init( &K );
2666 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
2667
2668 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
2669 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
2670 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
2671 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
2672 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
2673 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
2674 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
2675 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
2676 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
2677 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
2678
2679 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
2680
2681 if( verbose != 0 )
2682 mbedtls_printf( " RSA key validation: " );
2683
2684 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
2685 mbedtls_rsa_check_privkey( &rsa ) != 0 )
2686 {
2687 if( verbose != 0 )
2688 mbedtls_printf( "failed\n" );
2689
2690 ret = 1;
2691 goto cleanup;
2692 }
2693
2694 if( verbose != 0 )
2695 mbedtls_printf( "passed\n PKCS#1 encryption : " );
2696
2697 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
2698
2699 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
2700 PT_LEN, rsa_plaintext,
2701 rsa_ciphertext ) != 0 )
2702 {
2703 if( verbose != 0 )
2704 mbedtls_printf( "failed\n" );
2705
2706 ret = 1;
2707 goto cleanup;
2708 }
2709
2710 if( verbose != 0 )
2711 mbedtls_printf( "passed\n PKCS#1 decryption : " );
2712
2713 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
2714 &len, rsa_ciphertext, rsa_decrypted,
2715 sizeof(rsa_decrypted) ) != 0 )
2716 {
2717 if( verbose != 0 )
2718 mbedtls_printf( "failed\n" );
2719
2720 ret = 1;
2721 goto cleanup;
2722 }
2723
2724 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
2725 {
2726 if( verbose != 0 )
2727 mbedtls_printf( "failed\n" );
2728
2729 ret = 1;
2730 goto cleanup;
2731 }
2732
2733 if( verbose != 0 )
2734 mbedtls_printf( "passed\n" );
2735
2736 #if defined(MBEDTLS_SHA1_C)
2737 if( verbose != 0 )
2738 mbedtls_printf( " PKCS#1 data sign : " );
2739
2740 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
2741 {
2742 if( verbose != 0 )
2743 mbedtls_printf( "failed\n" );
2744
2745 return( 1 );
2746 }
2747
2748 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
2749 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
2750 sha1sum, rsa_ciphertext ) != 0 )
2751 {
2752 if( verbose != 0 )
2753 mbedtls_printf( "failed\n" );
2754
2755 ret = 1;
2756 goto cleanup;
2757 }
2758
2759 if( verbose != 0 )
2760 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
2761
2762 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
2763 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
2764 sha1sum, rsa_ciphertext ) != 0 )
2765 {
2766 if( verbose != 0 )
2767 mbedtls_printf( "failed\n" );
2768
2769 ret = 1;
2770 goto cleanup;
2771 }
2772
2773 if( verbose != 0 )
2774 mbedtls_printf( "passed\n" );
2775 #endif /* MBEDTLS_SHA1_C */
2776
2777 if( verbose != 0 )
2778 mbedtls_printf( "\n" );
2779
2780 cleanup:
2781 mbedtls_mpi_free( &K );
2782 mbedtls_rsa_free( &rsa );
2783 #else /* MBEDTLS_PKCS1_V15 */
2784 ((void) verbose);
2785 #endif /* MBEDTLS_PKCS1_V15 */
2786 return( ret );
2787 }
2788
2789 #endif /* MBEDTLS_SELF_TEST */
2790
2791 #endif /* MBEDTLS_RSA_C */
2792