TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 8bfc3de4e3aa12fed64575b37b5d0d9108b56e20 / . / lib / libmbedtls / mbedtls / library / rsa.c
blob: 25e05e44b511ccd9e4c46c9eea59ca45c542ad96 [file] [log] [blame]
Edison Aic6672fd2018-02-28 15:01:47 +0800[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2/*
3 * The RSA public-key cryptosystem
4 *
5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21/*
22 * The following sources were referenced in the design of this implementation
23 * of the RSA algorithm:
24 *
25 * [1] A method for obtaining digital signatures and public-key cryptosystems
26 * R Rivest, A Shamir, and L Adleman
27 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
28 *
29 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
30 * Menezes, van Oorschot and Vanstone
31 *
32 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
33 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
34 * Stefan Mangard
35 * https://arxiv.org/abs/1702.08719v2
36 *
37 */
38
39#if !defined(MBEDTLS_CONFIG_FILE)
40#include "mbedtls/config.h"
41#else
42#include MBEDTLS_CONFIG_FILE
43#endif
44
45#if defined(MBEDTLS_RSA_C)
46
47#include "mbedtls/rsa.h"
48#include "mbedtls/oid.h"
49
50#include <string.h>
51
52#if defined(MBEDTLS_PKCS1_V21)
53#include "mbedtls/md.h"
54#endif
55
56#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
57#include <stdlib.h>
58#endif
59
60#if defined(MBEDTLS_PLATFORM_C)
61#include "mbedtls/platform.h"
62#else
63#include <stdio.h>
64#define mbedtls_printf printf
65#define mbedtls_calloc calloc
66#define mbedtls_free free
67#endif
68
69/* Implementation that should never be optimized out by the compiler */
70static void mbedtls_zeroize( void *v, size_t n ) {
71 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
72}
73
74/*
75 * Initialize an RSA context
76 */
77void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
78 int padding,
79 int hash_id )
80{
81 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
82
83 mbedtls_rsa_set_padding( ctx, padding, hash_id );
84
85#if defined(MBEDTLS_THREADING_C)
86 mbedtls_mutex_init( &ctx->mutex );
87#endif
88}
89
90/*
91 * Set padding for an existing RSA context
92 */
93void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
94{
95 ctx->padding = padding;
96 ctx->hash_id = hash_id;
97}
98
99#if defined(MBEDTLS_GENPRIME)
100
101/*
102 * Generate an RSA keypair
103 */
104int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
105 int (*f_rng)(void *, unsigned char *, size_t),
106 void *p_rng,
107 unsigned int nbits, int exponent )
108{
109 int ret;
110 mbedtls_mpi P1, Q1, H, G;
111
112 if( f_rng == NULL || nbits < 128 || exponent < 3 )
113 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
114
115 if( nbits % 2 )
116 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
117
118 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
119 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
120
121 /*
122 * find primes P and Q with Q < P so that:
123 * GCD( E, (P-1)*(Q-1) ) == 1
124 */
125 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
126
127 do
128 {
129 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
130 f_rng, p_rng ) );
131
132 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
133 f_rng, p_rng ) );
134
135 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
136 continue;
137
138 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
139 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
140 continue;
141
142 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
143 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
144
145 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
146 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
147 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
148 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
149 }
150 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
151
152 /*
153 * D = E^-1 mod ((P-1)*(Q-1))
154 * DP = D mod (P - 1)
155 * DQ = D mod (Q - 1)
156 * QP = Q^-1 mod P
157 */
158 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
159 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
160 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
161 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
162
163 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
164
165cleanup:
166
167 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
168
169 if( ret != 0 )
170 {
171 mbedtls_rsa_free( ctx );
172 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
173 }
174
175 return( 0 );
176}
177
178#endif /* MBEDTLS_GENPRIME */
179
180/*
181 * Check a public RSA key
182 */
183int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
184{
185 if( !ctx->N.p || !ctx->E.p )
186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
187
188 if( ( ctx->N.p[0] & 1 ) == 0 ||
189 ( ctx->E.p[0] & 1 ) == 0 )
190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
191
192 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
193 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
194 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
195
196 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
197 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
198 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
199
200 return( 0 );
201}
202
203/*
204 * Check a private RSA key
205 */
206int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
207{
208 int ret;
209 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
210
211 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
212 return( ret );
213
214 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
215 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
216
217 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
218 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
219 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
220 mbedtls_mpi_init( &QP );
221
222 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
223 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
224 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
225 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
226 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
227 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
228
229 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
230 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
231 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
232
233 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
234 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
235 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
236 /*
237 * Check for a valid PKCS1v2 private key
238 */
239 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
240 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
241 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
242 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
243 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||
244 mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||
245 mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
246 {
247 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
248 }
249
250cleanup:
251 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
252 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
253 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
254 mbedtls_mpi_free( &QP );
255
256 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
257 return( ret );
258
259 if( ret != 0 )
260 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
261
262 return( 0 );
263}
264
265/*
266 * Check if contexts holding a public and private key match
267 */
268int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )
269{
270 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
271 mbedtls_rsa_check_privkey( prv ) != 0 )
272 {
273 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
274 }
275
276 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
277 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
278 {
279 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
280 }
281
282 return( 0 );
283}
284
285/*
286 * Do an RSA public key operation
287 */
288int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
289 const unsigned char *input,
290 unsigned char *output )
291{
292 int ret;
293 size_t olen;
294 mbedtls_mpi T;
295
296 mbedtls_mpi_init( &T );
297
298#if defined(MBEDTLS_THREADING_C)
299 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
300 return( ret );
301#endif
302
303 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
304
305 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
306 {
307 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
308 goto cleanup;
309 }
310
311 olen = ctx->len;
312 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
313 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
314
315cleanup:
316#if defined(MBEDTLS_THREADING_C)
317 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
318 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
319#endif
320
321 mbedtls_mpi_free( &T );
322
323 if( ret != 0 )
324 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
325
326 return( 0 );
327}
328
329/*
330 * Generate or update blinding values, see section 10 of:
331 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
332 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
333 * Berlin Heidelberg, 1996. p. 104-113.
334 */
335static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
336 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
337{
338 int ret, count = 0;
339
340 if( ctx->Vf.p != NULL )
341 {
342 /* We already have blinding values, just update them by squaring */
343 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
344 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
345 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
346 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
347
348 goto cleanup;
349 }
350
351 /* Unblinding value: Vf = random number, invertible mod N */
352 do {
353 if( count++ > 10 )
354 return( MBEDTLS_ERR_RSA_RNG_FAILED );
355
356 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
357 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
358 } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
359
360 /* Blinding value: Vi = Vf^(-e) mod N */
361 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
362 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
363
364
365cleanup:
366 return( ret );
367}
368
369/*
370 * Exponent blinding supposed to prevent side-channel attacks using multiple
371 * traces of measurements to recover the RSA key. The more collisions are there,
372 * the more bits of the key can be recovered. See [3].
373 *
374 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
375 * observations on avarage.
376 *
377 * For example with 28 byte blinding to achieve 2 collisions the adversary has
378 * to make 2^112 observations on avarage.
379 *
380 * (With the currently (as of 2017 April) known best algorithms breaking 2048
381 * bit RSA requires approximately as much time as trying out 2^112 random keys.
382 * Thus in this sense with 28 byte blinding the security is not reduced by
383 * side-channel attacks like the one in [3])
384 *
385 * This countermeasure does not help if the key recovery is possible with a
386 * single trace.
387 */
388#define RSA_EXPONENT_BLINDING 28
389
390/*
391 * Do an RSA private key operation
392 */
393int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
394 int (*f_rng)(void *, unsigned char *, size_t),
395 void *p_rng,
396 const unsigned char *input,
397 unsigned char *output )
398{
399 int ret;
400 size_t olen;
401 mbedtls_mpi T, T1, T2;
402 mbedtls_mpi P1, Q1, R;
403#if defined(MBEDTLS_RSA_NO_CRT)
404 mbedtls_mpi D_blind;
405 mbedtls_mpi *D = &ctx->D;
406#else
407 mbedtls_mpi DP_blind, DQ_blind;
408 mbedtls_mpi *DP = &ctx->DP;
409 mbedtls_mpi *DQ = &ctx->DQ;
410#endif
411
412 /* Make sure we have private key info, prevent possible misuse */
413 if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
414 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
415
416 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
417 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );
418
419
420 if( f_rng != NULL )
421 {
422#if defined(MBEDTLS_RSA_NO_CRT)
423 mbedtls_mpi_init( &D_blind );
424#else
425 mbedtls_mpi_init( &DP_blind );
426 mbedtls_mpi_init( &DQ_blind );
427#endif
428 }
429
430
431#if defined(MBEDTLS_THREADING_C)
432 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
433 return( ret );
434#endif
435
436 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
437 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
438 {
439 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
440 goto cleanup;
441 }
442
443 if( f_rng != NULL )
444 {
445 /*
446 * Blinding
447 * T = T * Vi mod N
448 */
449 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
450 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
451 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
452
453 /*
454 * Exponent blinding
455 */
456 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
457 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
458
459#if defined(MBEDTLS_RSA_NO_CRT)
460 /*
461 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
462 */
463 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
464 f_rng, p_rng ) );
465 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
466 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
467 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
468
469 D = &D_blind;
470#else
471 /*
472 * DP_blind = ( P - 1 ) * R + DP
473 */
474 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
475 f_rng, p_rng ) );
476 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
477 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
478 &ctx->DP ) );
479
480 DP = &DP_blind;
481
482 /*
483 * DQ_blind = ( Q - 1 ) * R + DQ
484 */
485 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
486 f_rng, p_rng ) );
487 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
488 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
489 &ctx->DQ ) );
490
491 DQ = &DQ_blind;
492#endif /* MBEDTLS_RSA_NO_CRT */
493 }
494
495#if defined(MBEDTLS_RSA_NO_CRT)
496 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
497#else
498 /*
499 * Faster decryption using the CRT
500 *
501 * T1 = input ^ dP mod P
502 * T2 = input ^ dQ mod Q
503 */
504 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );
505 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );
506
507 /*
508 * T = (T1 - T2) * (Q^-1 mod P) mod P
509 */
510 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
511 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
512 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
513
514 /*
515 * T = T2 + T * Q
516 */
517 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
518 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
519#endif /* MBEDTLS_RSA_NO_CRT */
520
521 if( f_rng != NULL )
522 {
523 /*
524 * Unblind
525 * T = T * Vf mod N
526 */
527 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
528 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
529 }
530
531 olen = ctx->len;
532 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
533
534cleanup:
535#if defined(MBEDTLS_THREADING_C)
536 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
537 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
538#endif
539
540 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
541 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );
542
543 if( f_rng != NULL )
544 {
545#if defined(MBEDTLS_RSA_NO_CRT)
546 mbedtls_mpi_free( &D_blind );
547#else
548 mbedtls_mpi_free( &DP_blind );
549 mbedtls_mpi_free( &DQ_blind );
550#endif
551 }
552
553 if( ret != 0 )
554 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
555
556 return( 0 );
557}
558
559#if defined(MBEDTLS_PKCS1_V21)
560/**
561 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
562 *
563 * \param dst buffer to mask
564 * \param dlen length of destination buffer
565 * \param src source of the mask generation
566 * \param slen length of the source buffer
567 * \param md_ctx message digest context to use
568 */
569static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
570 size_t slen, mbedtls_md_context_t *md_ctx )
571{
572 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
573 unsigned char counter[4];
574 unsigned char *p;
575 unsigned int hlen;
576 size_t i, use_len;
577
578 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
579 memset( counter, 0, 4 );
580
581 hlen = mbedtls_md_get_size( md_ctx->md_info );
582
583 /* Generate and apply dbMask */
584 p = dst;
585
586 while( dlen > 0 )
587 {
588 use_len = hlen;
589 if( dlen < hlen )
590 use_len = dlen;
591
592 mbedtls_md_starts( md_ctx );
593 mbedtls_md_update( md_ctx, src, slen );
594 mbedtls_md_update( md_ctx, counter, 4 );
595 mbedtls_md_finish( md_ctx, mask );
596
597 for( i = 0; i < use_len; ++i )
598 *p++ ^= mask[i];
599
600 counter[3]++;
601
602 dlen -= use_len;
603 }
604
605 mbedtls_zeroize( mask, sizeof( mask ) );
606}
607#endif /* MBEDTLS_PKCS1_V21 */
608
609#if defined(MBEDTLS_PKCS1_V21)
610/*
611 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
612 */
613int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
614 int (*f_rng)(void *, unsigned char *, size_t),
615 void *p_rng,
616 int mode,
617 const unsigned char *label, size_t label_len,
618 size_t ilen,
619 const unsigned char *input,
620 unsigned char *output )
621{
622 size_t olen;
623 int ret;
624 unsigned char *p = output;
625 unsigned int hlen;
626 const mbedtls_md_info_t *md_info;
627 mbedtls_md_context_t md_ctx;
628
629 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
630 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
631
632 if( f_rng == NULL )
633 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
634
635 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
636 if( md_info == NULL )
637 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
638
639 olen = ctx->len;
640 hlen = mbedtls_md_get_size( md_info );
641
642 /* first comparison checks for overflow */
643 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
644 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
645
646 memset( output, 0, olen );
647
648 *p++ = 0;
649
650 /* Generate a random octet string seed */
651 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
652 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
653
654 p += hlen;
655
656 /* Construct DB */
657 mbedtls_md( md_info, label, label_len, p );
658 p += hlen;
659 p += olen - 2 * hlen - 2 - ilen;
660 *p++ = 1;
661 memcpy( p, input, ilen );
662
663 mbedtls_md_init( &md_ctx );
664 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
665 {
666 mbedtls_md_free( &md_ctx );
667 return( ret );
668 }
669
670 /* maskedDB: Apply dbMask to DB */
671 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
672 &md_ctx );
673
674 /* maskedSeed: Apply seedMask to seed */
675 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
676 &md_ctx );
677
678 mbedtls_md_free( &md_ctx );
679
680 return( ( mode == MBEDTLS_RSA_PUBLIC )
681 ? mbedtls_rsa_public( ctx, output, output )
682 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
683}
684#endif /* MBEDTLS_PKCS1_V21 */
685
686#if defined(MBEDTLS_PKCS1_V15)
687/*
688 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
689 */
690int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
691 int (*f_rng)(void *, unsigned char *, size_t),
692 void *p_rng,
693 int mode, size_t ilen,
694 const unsigned char *input,
695 unsigned char *output )
696{
697 size_t nb_pad, olen;
698 int ret;
699 unsigned char *p = output;
700
701 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
702 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
703
704 // We don't check p_rng because it won't be dereferenced here
705 if( f_rng == NULL || input == NULL || output == NULL )
706 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
707
708 olen = ctx->len;
709
710 /* first comparison checks for overflow */
711 if( ilen + 11 < ilen || olen < ilen + 11 )
712 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
713
714 nb_pad = olen - 3 - ilen;
715
716 *p++ = 0;
717 if( mode == MBEDTLS_RSA_PUBLIC )
718 {
719 *p++ = MBEDTLS_RSA_CRYPT;
720
721 while( nb_pad-- > 0 )
722 {
723 int rng_dl = 100;
724
725 do {
726 ret = f_rng( p_rng, p, 1 );
727 } while( *p == 0 && --rng_dl && ret == 0 );
728
729 /* Check if RNG failed to generate data */
730 if( rng_dl == 0 || ret != 0 )
731 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
732
733 p++;
734 }
735 }
736 else
737 {
738 *p++ = MBEDTLS_RSA_SIGN;
739
740 while( nb_pad-- > 0 )
741 *p++ = 0xFF;
742 }
743
744 *p++ = 0;
745 memcpy( p, input, ilen );
746
747 return( ( mode == MBEDTLS_RSA_PUBLIC )
748 ? mbedtls_rsa_public( ctx, output, output )
749 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
750}
751#endif /* MBEDTLS_PKCS1_V15 */
752
753/*
754 * Add the message padding, then do an RSA operation
755 */
756int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
757 int (*f_rng)(void *, unsigned char *, size_t),
758 void *p_rng,
759 int mode, size_t ilen,
760 const unsigned char *input,
761 unsigned char *output )
762{
763 switch( ctx->padding )
764 {
765#if defined(MBEDTLS_PKCS1_V15)
766 case MBEDTLS_RSA_PKCS_V15:
767 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
768 input, output );
769#endif
770
771#if defined(MBEDTLS_PKCS1_V21)
772 case MBEDTLS_RSA_PKCS_V21:
773 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
774 ilen, input, output );
775#endif
776
777 default:
778 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
779 }
780}
781
782#if defined(MBEDTLS_PKCS1_V21)
783/*
784 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
785 */
786int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
787 int (*f_rng)(void *, unsigned char *, size_t),
788 void *p_rng,
789 int mode,
790 const unsigned char *label, size_t label_len,
791 size_t *olen,
792 const unsigned char *input,
793 unsigned char *output,
794 size_t output_max_len )
795{
796 int ret;
797 size_t ilen, i, pad_len;
798 unsigned char *p, bad, pad_done;
799 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
800 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
801 unsigned int hlen;
802 const mbedtls_md_info_t *md_info;
803 mbedtls_md_context_t md_ctx;
804
805 /*
806 * Parameters sanity checks
807 */
808 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
809 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
810
811 ilen = ctx->len;
812
813 if( ilen < 16 || ilen > sizeof( buf ) )
814 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
815
816 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
817 if( md_info == NULL )
818 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
819
820 hlen = mbedtls_md_get_size( md_info );
821
822 // checking for integer underflow
823 if( 2 * hlen + 2 > ilen )
824 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
825
826 /*
827 * RSA operation
828 */
829 ret = ( mode == MBEDTLS_RSA_PUBLIC )
830 ? mbedtls_rsa_public( ctx, input, buf )
831 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
832
833 if( ret != 0 )
834 goto cleanup;
835
836 /*
837 * Unmask data and generate lHash
838 */
839 mbedtls_md_init( &md_ctx );
840 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
841 {
842 mbedtls_md_free( &md_ctx );
843 goto cleanup;
844 }
845
846
847 /* Generate lHash */
848 mbedtls_md( md_info, label, label_len, lhash );
849
850 /* seed: Apply seedMask to maskedSeed */
851 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
852 &md_ctx );
853
854 /* DB: Apply dbMask to maskedDB */
855 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
856 &md_ctx );
857
858 mbedtls_md_free( &md_ctx );
859
860 /*
861 * Check contents, in "constant-time"
862 */
863 p = buf;
864 bad = 0;
865
866 bad |= *p++; /* First byte must be 0 */
867
868 p += hlen; /* Skip seed */
869
870 /* Check lHash */
871 for( i = 0; i < hlen; i++ )
872 bad |= lhash[i] ^ *p++;
873
874 /* Get zero-padding len, but always read till end of buffer
875 * (minus one, for the 01 byte) */
876 pad_len = 0;
877 pad_done = 0;
878 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
879 {
880 pad_done |= p[i];
881 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
882 }
883
884 p += pad_len;
885 bad |= *p++ ^ 0x01;
886
887 /*
888 * The only information "leaked" is whether the padding was correct or not
889 * (eg, no data is copied if it was not correct). This meets the
890 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
891 * the different error conditions.
892 */
893 if( bad != 0 )
894 {
895 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
896 goto cleanup;
897 }
898
899 if( ilen - ( p - buf ) > output_max_len )
900 {
901 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
902 goto cleanup;
903 }
904
905 *olen = ilen - (p - buf);
906 memcpy( output, p, *olen );
907 ret = 0;
908
909cleanup:
910 mbedtls_zeroize( buf, sizeof( buf ) );
911 mbedtls_zeroize( lhash, sizeof( lhash ) );
912
913 return( ret );
914}
915#endif /* MBEDTLS_PKCS1_V21 */
916
917#if defined(MBEDTLS_PKCS1_V15)
918/*
919 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
920 */
921int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
922 int (*f_rng)(void *, unsigned char *, size_t),
923 void *p_rng,
924 int mode, size_t *olen,
925 const unsigned char *input,
926 unsigned char *output,
927 size_t output_max_len)
928{
929 int ret;
930 size_t ilen, pad_count = 0, i;
931 unsigned char *p, bad, pad_done = 0;
932 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
933
934 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
935 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
936
937 ilen = ctx->len;
938
939 if( ilen < 16 || ilen > sizeof( buf ) )
940 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
941
942 ret = ( mode == MBEDTLS_RSA_PUBLIC )
943 ? mbedtls_rsa_public( ctx, input, buf )
944 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
945
946 if( ret != 0 )
947 goto cleanup;
948
949 p = buf;
950 bad = 0;
951
952 /*
953 * Check and get padding len in "constant-time"
954 */
955 bad |= *p++; /* First byte must be 0 */
956
957 /* This test does not depend on secret data */
958 if( mode == MBEDTLS_RSA_PRIVATE )
959 {
960 bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
961
962 /* Get padding len, but always read till end of buffer
963 * (minus one, for the 00 byte) */
964 for( i = 0; i < ilen - 3; i++ )
965 {
966 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
967 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
968 }
969
970 p += pad_count;
971 bad |= *p++; /* Must be zero */
972 }
973 else
974 {
975 bad |= *p++ ^ MBEDTLS_RSA_SIGN;
976
977 /* Get padding len, but always read till end of buffer
978 * (minus one, for the 00 byte) */
979 for( i = 0; i < ilen - 3; i++ )
980 {
981 pad_done |= ( p[i] != 0xFF );
982 pad_count += ( pad_done == 0 );
983 }
984
985 p += pad_count;
986 bad |= *p++; /* Must be zero */
987 }
988
989 bad |= ( pad_count < 8 );
990
991 if( bad )
992 {
993 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
994 goto cleanup;
995 }
996
997 if( ilen - ( p - buf ) > output_max_len )
998 {
999 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1000 goto cleanup;
1001 }
1002
1003 *olen = ilen - (p - buf);
1004 memcpy( output, p, *olen );
1005 ret = 0;
1006
1007cleanup:
1008 mbedtls_zeroize( buf, sizeof( buf ) );
1009
1010 return( ret );
1011}
1012#endif /* MBEDTLS_PKCS1_V15 */
1013
1014/*
1015 * Do an RSA operation, then remove the message padding
1016 */
1017int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
1018 int (*f_rng)(void *, unsigned char *, size_t),
1019 void *p_rng,
1020 int mode, size_t *olen,
1021 const unsigned char *input,
1022 unsigned char *output,
1023 size_t output_max_len)
1024{
1025 switch( ctx->padding )
1026 {
1027#if defined(MBEDTLS_PKCS1_V15)
1028 case MBEDTLS_RSA_PKCS_V15:
1029 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
1030 input, output, output_max_len );
1031#endif
1032
1033#if defined(MBEDTLS_PKCS1_V21)
1034 case MBEDTLS_RSA_PKCS_V21:
1035 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1036 olen, input, output,
1037 output_max_len );
1038#endif
1039
1040 default:
1041 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1042 }
1043}
1044
1045#if defined(MBEDTLS_PKCS1_V21)
1046/*
1047 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1048 */
1049int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
1050 int (*f_rng)(void *, unsigned char *, size_t),
1051 void *p_rng,
1052 int mode,
1053 mbedtls_md_type_t md_alg,
1054 unsigned int hashlen,
1055 const unsigned char *hash,
1056 unsigned char *sig )
1057{
1058 size_t olen;
1059 unsigned char *p = sig;
1060 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
1061 unsigned int slen, hlen, offset = 0;
1062 int ret;
1063 size_t msb;
1064 const mbedtls_md_info_t *md_info;
1065 mbedtls_md_context_t md_ctx;
1066
1067 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1068 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1069
1070 if( f_rng == NULL )
1071 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1072
1073 olen = ctx->len;
1074
1075 if( md_alg != MBEDTLS_MD_NONE )
1076 {
1077 /* Gather length of hash to sign */
1078 md_info = mbedtls_md_info_from_type( md_alg );
1079 if( md_info == NULL )
1080 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1081
1082 hashlen = mbedtls_md_get_size( md_info );
1083 }
1084
1085 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1086 if( md_info == NULL )
1087 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1088
1089 hlen = mbedtls_md_get_size( md_info );
1090 slen = hlen;
1091
1092 if( olen < hlen + slen + 2 )
1093 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1094
1095 memset( sig, 0, olen );
1096
1097 /* Generate salt of length slen */
1098 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
1099 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1100
1101 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1102 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1103 p += olen - hlen * 2 - 2;
1104 *p++ = 0x01;
1105 memcpy( p, salt, slen );
1106 p += slen;
1107
1108 mbedtls_md_init( &md_ctx );
1109 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1110 {
1111 mbedtls_md_free( &md_ctx );
1112 /* No need to zeroize salt: we didn't use it. */
1113 return( ret );
1114 }
1115
1116 /* Generate H = Hash( M' ) */
1117 mbedtls_md_starts( &md_ctx );
1118 mbedtls_md_update( &md_ctx, p, 8 );
1119 mbedtls_md_update( &md_ctx, hash, hashlen );
1120 mbedtls_md_update( &md_ctx, salt, slen );
1121 mbedtls_md_finish( &md_ctx, p );
1122 mbedtls_zeroize( salt, sizeof( salt ) );
1123
1124 /* Compensate for boundary condition when applying mask */
1125 if( msb % 8 == 0 )
1126 offset = 1;
1127
1128 /* maskedDB: Apply dbMask to DB */
1129 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
1130
1131 mbedtls_md_free( &md_ctx );
1132
1133 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1134 sig[0] &= 0xFF >> ( olen * 8 - msb );
1135
1136 p += hlen;
1137 *p++ = 0xBC;
1138
1139 return( ( mode == MBEDTLS_RSA_PUBLIC )
1140 ? mbedtls_rsa_public( ctx, sig, sig )
1141 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1142}
1143#endif /* MBEDTLS_PKCS1_V21 */
1144
1145#if defined(MBEDTLS_PKCS1_V15)
1146/*
1147 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1148 */
1149/*
1150 * Do an RSA operation to sign the message digest
1151 */
1152int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
1153 int (*f_rng)(void *, unsigned char *, size_t),
1154 void *p_rng,
1155 int mode,
1156 mbedtls_md_type_t md_alg,
1157 unsigned int hashlen,
1158 const unsigned char *hash,
1159 unsigned char *sig )
1160{
1161 size_t nb_pad, olen, oid_size = 0;
1162 unsigned char *p = sig;
1163 const char *oid = NULL;
1164 unsigned char *sig_try = NULL, *verif = NULL;
1165 size_t i;
1166 unsigned char diff;
1167 volatile unsigned char diff_no_optimize;
1168 int ret;
1169
1170 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1171 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1172
1173 olen = ctx->len;
1174 nb_pad = olen - 3;
1175
1176 if( md_alg != MBEDTLS_MD_NONE )
1177 {
1178 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1179 if( md_info == NULL )
1180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1181
1182 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1183 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1184
1185 nb_pad -= 10 + oid_size;
1186
1187 hashlen = mbedtls_md_get_size( md_info );
1188 }
1189
1190 nb_pad -= hashlen;
1191
1192 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
1193 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1194
1195 *p++ = 0;
1196 *p++ = MBEDTLS_RSA_SIGN;
1197 memset( p, 0xFF, nb_pad );
1198 p += nb_pad;
1199 *p++ = 0;
1200
1201 if( md_alg == MBEDTLS_MD_NONE )
1202 {
1203 memcpy( p, hash, hashlen );
1204 }
1205 else
1206 {
1207 /*
1208 * DigestInfo ::= SEQUENCE {
1209 * digestAlgorithm DigestAlgorithmIdentifier,
1210 * digest Digest }
1211 *
1212 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1213 *
1214 * Digest ::= OCTET STRING
1215 */
1216 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1217 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
1218 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1219 *p++ = (unsigned char) ( 0x04 + oid_size );
1220 *p++ = MBEDTLS_ASN1_OID;
1221 *p++ = oid_size & 0xFF;
1222 memcpy( p, oid, oid_size );
1223 p += oid_size;
1224 *p++ = MBEDTLS_ASN1_NULL;
1225 *p++ = 0x00;
1226 *p++ = MBEDTLS_ASN1_OCTET_STRING;
1227 *p++ = hashlen;
1228 memcpy( p, hash, hashlen );
1229 }
1230
1231 if( mode == MBEDTLS_RSA_PUBLIC )
1232 return( mbedtls_rsa_public( ctx, sig, sig ) );
1233
1234 /*
1235 * In order to prevent Lenstra's attack, make the signature in a
1236 * temporary buffer and check it before returning it.
1237 */
1238 sig_try = mbedtls_calloc( 1, ctx->len );
1239 if( sig_try == NULL )
1240 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1241
1242 verif = mbedtls_calloc( 1, ctx->len );
1243 if( verif == NULL )
1244 {
1245 mbedtls_free( sig_try );
1246 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1247 }
1248
1249 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1250 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
1251
1252 /* Compare in constant time just in case */
1253 for( diff = 0, i = 0; i < ctx->len; i++ )
1254 diff |= verif[i] ^ sig[i];
1255 diff_no_optimize = diff;
1256
1257 if( diff_no_optimize != 0 )
1258 {
1259 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1260 goto cleanup;
1261 }
1262
1263 memcpy( sig, sig_try, ctx->len );
1264
1265cleanup:
1266 mbedtls_free( sig_try );
1267 mbedtls_free( verif );
1268
1269 return( ret );
1270}
1271#endif /* MBEDTLS_PKCS1_V15 */
1272
1273/*
1274 * Do an RSA operation to sign the message digest
1275 */
1276int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
1277 int (*f_rng)(void *, unsigned char *, size_t),
1278 void *p_rng,
1279 int mode,
1280 mbedtls_md_type_t md_alg,
1281 unsigned int hashlen,
1282 const unsigned char *hash,
1283 unsigned char *sig )
1284{
1285 switch( ctx->padding )
1286 {
1287#if defined(MBEDTLS_PKCS1_V15)
1288 case MBEDTLS_RSA_PKCS_V15:
1289 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
1290 hashlen, hash, sig );
1291#endif
1292
1293#if defined(MBEDTLS_PKCS1_V21)
1294 case MBEDTLS_RSA_PKCS_V21:
1295 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1296 hashlen, hash, sig );
1297#endif
1298
1299 default:
1300 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1301 }
1302}
1303
1304#if defined(MBEDTLS_PKCS1_V21)
1305/*
1306 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1307 */
1308int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
1309 int (*f_rng)(void *, unsigned char *, size_t),
1310 void *p_rng,
1311 int mode,
1312 mbedtls_md_type_t md_alg,
1313 unsigned int hashlen,
1314 const unsigned char *hash,
1315 mbedtls_md_type_t mgf1_hash_id,
1316 int expected_salt_len,
1317 const unsigned char *sig )
1318{
1319 int ret;
1320 size_t siglen;
1321 unsigned char *p;
1322 unsigned char result[MBEDTLS_MD_MAX_SIZE];
1323 unsigned char zeros[8];
1324 unsigned int hlen;
1325 size_t slen, msb;
1326 const mbedtls_md_info_t *md_info;
1327 mbedtls_md_context_t md_ctx;
1328 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1329
1330 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1331 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1332
1333 siglen = ctx->len;
1334
1335 if( siglen < 16 || siglen > sizeof( buf ) )
1336 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1337
1338 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1339 ? mbedtls_rsa_public( ctx, sig, buf )
1340 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
1341
1342 if( ret != 0 )
1343 return( ret );
1344
1345 p = buf;
1346
1347 if( buf[siglen - 1] != 0xBC )
1348 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1349
1350 if( md_alg != MBEDTLS_MD_NONE )
1351 {
1352 /* Gather length of hash to sign */
1353 md_info = mbedtls_md_info_from_type( md_alg );
1354 if( md_info == NULL )
1355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1356
1357 hashlen = mbedtls_md_get_size( md_info );
1358 }
1359
1360 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
1361 if( md_info == NULL )
1362 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1363
1364 hlen = mbedtls_md_get_size( md_info );
1365 slen = siglen - hlen - 1; /* Currently length of salt + padding */
1366
1367 memset( zeros, 0, 8 );
1368
1369 /*
1370 * Note: EMSA-PSS verification is over the length of N - 1 bits
1371 */
1372 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1373
1374 /* Compensate for boundary condition when applying mask */
1375 if( msb % 8 == 0 )
1376 {
1377 p++;
1378 siglen -= 1;
1379 }
1380 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1381 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1382
1383 mbedtls_md_init( &md_ctx );
1384 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1385 {
1386 mbedtls_md_free( &md_ctx );
1387 return( ret );
1388 }
1389
1390 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1391
1392 buf[0] &= 0xFF >> ( siglen * 8 - msb );
1393
1394 while( p < buf + siglen && *p == 0 )
1395 p++;
1396
1397 if( p == buf + siglen ||
1398 *p++ != 0x01 )
1399 {
1400 mbedtls_md_free( &md_ctx );
1401 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1402 }
1403
1404 /* Actual salt len */
1405 slen -= p - buf;
1406
1407 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
1408 slen != (size_t) expected_salt_len )
1409 {
1410 mbedtls_md_free( &md_ctx );
1411 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1412 }
1413
1414 /*
1415 * Generate H = Hash( M' )
1416 */
1417 mbedtls_md_starts( &md_ctx );
1418 mbedtls_md_update( &md_ctx, zeros, 8 );
1419 mbedtls_md_update( &md_ctx, hash, hashlen );
1420 mbedtls_md_update( &md_ctx, p, slen );
1421 mbedtls_md_finish( &md_ctx, result );
1422
1423 mbedtls_md_free( &md_ctx );
1424
1425 if( memcmp( p + slen, result, hlen ) == 0 )
1426 return( 0 );
1427 else
1428 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1429}
1430
1431/*
1432 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1433 */
1434int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
1435 int (*f_rng)(void *, unsigned char *, size_t),
1436 void *p_rng,
1437 int mode,
1438 mbedtls_md_type_t md_alg,
1439 unsigned int hashlen,
1440 const unsigned char *hash,
1441 const unsigned char *sig )
1442{
1443 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
1444 ? (mbedtls_md_type_t) ctx->hash_id
1445 : md_alg;
1446
1447 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
1448 md_alg, hashlen, hash,
1449 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
1450 sig ) );
1451
1452}
1453#endif /* MBEDTLS_PKCS1_V21 */
1454
1455#if defined(MBEDTLS_PKCS1_V15)
1456/*
1457 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1458 */
1459int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
1460 int (*f_rng)(void *, unsigned char *, size_t),
1461 void *p_rng,
1462 int mode,
1463 mbedtls_md_type_t md_alg,
1464 unsigned int hashlen,
1465 const unsigned char *hash,
1466 const unsigned char *sig )
1467{
1468 int ret;
1469 size_t len, siglen, asn1_len;
1470 unsigned char *p, *p0, *end;
1471 mbedtls_md_type_t msg_md_alg;
1472 const mbedtls_md_info_t *md_info;
1473 mbedtls_asn1_buf oid;
1474 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1475
1476 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1477 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1478
1479 siglen = ctx->len;
1480
1481 if( siglen < 16 || siglen > sizeof( buf ) )
1482 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1483
1484 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1485 ? mbedtls_rsa_public( ctx, sig, buf )
1486 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
1487
1488 if( ret != 0 )
1489 return( ret );
1490
1491 p = buf;
1492
1493 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )
1494 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1495
1496 while( *p != 0 )
1497 {
1498 if( p >= buf + siglen - 1 || *p != 0xFF )
1499 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1500 p++;
1501 }
1502 p++; /* skip 00 byte */
1503
1504 /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
1505 if( p - buf < 11 )
1506 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1507
1508 len = siglen - ( p - buf );
1509
1510 if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
1511 {
1512 if( memcmp( p, hash, hashlen ) == 0 )
1513 return( 0 );
1514 else
1515 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1516 }
1517
1518 md_info = mbedtls_md_info_from_type( md_alg );
1519 if( md_info == NULL )
1520 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1521 hashlen = mbedtls_md_get_size( md_info );
1522
1523 end = p + len;
1524
1525 /*
1526 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.
1527 * Insist on 2-byte length tags, to protect against variants of
1528 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.
1529 */
1530 p0 = p;
1531 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
1532 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1533 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1534 if( p != p0 + 2 || asn1_len + 2 != len )
1535 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1536
1537 p0 = p;
1538 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
1539 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1540 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1541 if( p != p0 + 2 || asn1_len + 6 + hashlen != len )
1542 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1543
1544 p0 = p;
1545 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
1546 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1547 if( p != p0 + 2 )
1548 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1549
1550 oid.p = p;
1551 p += oid.len;
1552
1553 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
1554 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1555
1556 if( md_alg != msg_md_alg )
1557 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1558
1559 /*
1560 * assume the algorithm parameters must be NULL
1561 */
1562 p0 = p;
1563 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
1564 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1565 if( p != p0 + 2 )
1566 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1567
1568 p0 = p;
1569 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1570 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1571 if( p != p0 + 2 || asn1_len != hashlen )
1572 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1573
1574 if( memcmp( p, hash, hashlen ) != 0 )
1575 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1576
1577 p += hashlen;
1578
1579 if( p != end )
1580 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1581
1582 return( 0 );
1583}
1584#endif /* MBEDTLS_PKCS1_V15 */
1585
1586/*
1587 * Do an RSA operation and check the message digest
1588 */
1589int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
1590 int (*f_rng)(void *, unsigned char *, size_t),
1591 void *p_rng,
1592 int mode,
1593 mbedtls_md_type_t md_alg,
1594 unsigned int hashlen,
1595 const unsigned char *hash,
1596 const unsigned char *sig )
1597{
1598 switch( ctx->padding )
1599 {
1600#if defined(MBEDTLS_PKCS1_V15)
1601 case MBEDTLS_RSA_PKCS_V15:
1602 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
1603 hashlen, hash, sig );
1604#endif
1605
1606#if defined(MBEDTLS_PKCS1_V21)
1607 case MBEDTLS_RSA_PKCS_V21:
1608 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
1609 hashlen, hash, sig );
1610#endif
1611
1612 default:
1613 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1614 }
1615}
1616
1617/*
1618 * Copy the components of an RSA key
1619 */
1620int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
1621{
1622 int ret;
1623
1624 dst->ver = src->ver;
1625 dst->len = src->len;
1626
1627 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
1628 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
1629
1630 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
1631 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
1632 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
1633 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
1634 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
1635 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
1636
1637 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
1638 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
1639 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
1640
1641 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
1642 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
1643
1644 dst->padding = src->padding;
1645 dst->hash_id = src->hash_id;
1646
1647cleanup:
1648 if( ret != 0 )
1649 mbedtls_rsa_free( dst );
1650
1651 return( ret );
1652}
1653
1654/*
1655 * Free the components of an RSA key
1656 */
1657void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
1658{
1659 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
1660 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
1661 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
1662 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
1663 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
1664
1665#if defined(MBEDTLS_THREADING_C)
1666 mbedtls_mutex_free( &ctx->mutex );
1667#endif
1668}
1669
1670#if defined(MBEDTLS_SELF_TEST)
1671
1672#include "mbedtls/sha1.h"
1673
1674/*
1675 * Example RSA-1024 keypair, for test purposes
1676 */
1677#define KEY_LEN 128
1678
1679#define RSA_N "9292758453063D803DD603D5E777D788" \
1680 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1681 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1682 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1683 "93A89813FBF3C4F8066D2D800F7C38A8" \
1684 "1AE31942917403FF4946B0A83D3D3E05" \
1685 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1686 "5E94BB77B07507233A0BC7BAC8F90F79"
1687
1688#define RSA_E "10001"
1689
1690#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1691 "66CA472BC44D253102F8B4A9D3BFA750" \
1692 "91386C0077937FE33FA3252D28855837" \
1693 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1694 "DF79C5CE07EE72C7F123142198164234" \
1695 "CABB724CF78B8173B9F880FC86322407" \
1696 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1697 "071513A1E85B5DFA031F21ECAE91A34D"
1698
1699#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1700 "2C01CAD19EA484A87EA4377637E75500" \
1701 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1702 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1703
1704#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1705 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1706 "910E4168387E3C30AA1E00C339A79508" \
1707 "8452DD96A9A5EA5D9DCA68DA636032AF"
1708
1709#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1710 "3C94D22288ACD763FD8E5600ED4A702D" \
1711 "F84198A5F06C2E72236AE490C93F07F8" \
1712 "3CC559CD27BC2D1CA488811730BB5725"
1713
1714#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1715 "D8AAEA56749EA28623272E4F7D0592AF" \
1716 "7C1F1313CAC9471B5C523BFE592F517B" \
1717 "407A1BD76C164B93DA2D32A383E58357"
1718
1719#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1720 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1721 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1722 "A74206CEC169D74BF5A8C50D6F48EA08"
1723
1724#define PT_LEN 24
1725#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1726 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1727
1728#if defined(MBEDTLS_PKCS1_V15)
1729static int myrand( void *rng_state, unsigned char *output, size_t len )
1730{
1731#if !defined(__OpenBSD__)
1732 size_t i;
1733
1734 if( rng_state != NULL )
1735 rng_state = NULL;
1736
1737 for( i = 0; i < len; ++i )
1738 output[i] = rand();
1739#else
1740 if( rng_state != NULL )
1741 rng_state = NULL;
1742
1743 arc4random_buf( output, len );
1744#endif /* !OpenBSD */
1745
1746 return( 0 );
1747}
1748#endif /* MBEDTLS_PKCS1_V15 */
1749
1750/*
1751 * Checkup routine
1752 */
1753int mbedtls_rsa_self_test( int verbose )
1754{
1755 int ret = 0;
1756#if defined(MBEDTLS_PKCS1_V15)
1757 size_t len;
1758 mbedtls_rsa_context rsa;
1759 unsigned char rsa_plaintext[PT_LEN];
1760 unsigned char rsa_decrypted[PT_LEN];
1761 unsigned char rsa_ciphertext[KEY_LEN];
1762#if defined(MBEDTLS_SHA1_C)
1763 unsigned char sha1sum[20];
1764#endif
1765
1766 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
1767
1768 rsa.len = KEY_LEN;
1769 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
1770 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
1771 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
1772 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
1773 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
1774 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
1775 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
1776 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
1777
1778 if( verbose != 0 )
1779 mbedtls_printf( " RSA key validation: " );
1780
1781 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
1782 mbedtls_rsa_check_privkey( &rsa ) != 0 )
1783 {
1784 if( verbose != 0 )
1785 mbedtls_printf( "failed\n" );
1786
1787 return( 1 );
1788 }
1789
1790 if( verbose != 0 )
1791 mbedtls_printf( "passed\n PKCS#1 encryption : " );
1792
1793 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1794
1795 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
1796 rsa_plaintext, rsa_ciphertext ) != 0 )
1797 {
1798 if( verbose != 0 )
1799 mbedtls_printf( "failed\n" );
1800
1801 return( 1 );
1802 }
1803
1804 if( verbose != 0 )
1805 mbedtls_printf( "passed\n PKCS#1 decryption : " );
1806
1807 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
1808 rsa_ciphertext, rsa_decrypted,
1809 sizeof(rsa_decrypted) ) != 0 )
1810 {
1811 if( verbose != 0 )
1812 mbedtls_printf( "failed\n" );
1813
1814 return( 1 );
1815 }
1816
1817 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1818 {
1819 if( verbose != 0 )
1820 mbedtls_printf( "failed\n" );
1821
1822 return( 1 );
1823 }
1824
1825 if( verbose != 0 )
1826 mbedtls_printf( "passed\n" );
1827
1828#if defined(MBEDTLS_SHA1_C)
1829 if( verbose != 0 )
1830 mbedtls_printf( " PKCS#1 data sign : " );
1831
1832 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
1833
1834 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
1835 sha1sum, rsa_ciphertext ) != 0 )
1836 {
1837 if( verbose != 0 )
1838 mbedtls_printf( "failed\n" );
1839
1840 return( 1 );
1841 }
1842
1843 if( verbose != 0 )
1844 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
1845
1846 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
1847 sha1sum, rsa_ciphertext ) != 0 )
1848 {
1849 if( verbose != 0 )
1850 mbedtls_printf( "failed\n" );
1851
1852 return( 1 );
1853 }
1854
1855 if( verbose != 0 )
1856 mbedtls_printf( "passed\n" );
1857#endif /* MBEDTLS_SHA1_C */
1858
1859 if( verbose != 0 )
1860 mbedtls_printf( "\n" );
1861
1862cleanup:
1863 mbedtls_rsa_free( &rsa );
1864#else /* MBEDTLS_PKCS1_V15 */
1865 ((void) verbose);
1866#endif /* MBEDTLS_PKCS1_V15 */
1867 return( ret );
1868}
1869
1870#endif /* MBEDTLS_SELF_TEST */
1871
1872#endif /* MBEDTLS_RSA_C */