TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / library / rsa.c
blob: 698d1b132747c069f2073b3bbe0c1554c45d0eeb [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of Mbed Crypto (https://tls.mbed.org)
20 */
21
22/*
23 * The following sources were referenced in the design of this implementation
24 * of the RSA algorithm:
25 *
26 * [1] A method for obtaining digital signatures and public-key cryptosystems
27 * R Rivest, A Shamir, and L Adleman
28 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
29 *
30 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
31 * Menezes, van Oorschot and Vanstone
32 *
33 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
34 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
35 * Stefan Mangard
36 * https://arxiv.org/abs/1702.08719v2
37 *
38 */
39
40#if !defined(MBEDCRYPTO_CONFIG_FILE)
41#include "mbedcrypto/config.h"
42#else
43#include MBEDCRYPTO_CONFIG_FILE
44#endif
45
46#if defined(MBEDCRYPTO_RSA_C)
47
48#include "mbedcrypto/rsa.h"
49#include "mbedcrypto/rsa_internal.h"
50#include "mbedcrypto/oid.h"
51#include "mbedcrypto/platform_util.h"
52
53#include <string.h>
54
55#if defined(MBEDCRYPTO_PKCS1_V21)
56#include "mbedcrypto/md.h"
57#endif
58
59#if defined(MBEDCRYPTO_PKCS1_V15) && !defined(__OpenBSD__)
60#include <stdlib.h>
61#endif
62
63#if defined(MBEDCRYPTO_PLATFORM_C)
64#include "mbedcrypto/platform.h"
65#else
66#include <stdio.h>
67#define mbedcrypto_printf printf
68#define mbedcrypto_calloc calloc
69#define mbedcrypto_free free
70#endif
71
72#if !defined(MBEDCRYPTO_RSA_ALT)
73
74#if defined(MBEDCRYPTO_PKCS1_V15)
75/* constant-time buffer comparison */
76static inline int mbedcrypto_safer_memcmp( const void *a, const void *b, size_t n )
77{
78 size_t i;
79 const unsigned char *A = (const unsigned char *) a;
80 const unsigned char *B = (const unsigned char *) b;
81 unsigned char diff = 0;
82
83 for( i = 0; i < n; i++ )
84 diff |= A[i] ^ B[i];
85
86 return( diff );
87}
88#endif /* MBEDCRYPTO_PKCS1_V15 */
89
90int mbedcrypto_rsa_import( mbedcrypto_rsa_context *ctx,
91 const mbedcrypto_mpi *N,
92 const mbedcrypto_mpi *P, const mbedcrypto_mpi *Q,
93 const mbedcrypto_mpi *D, const mbedcrypto_mpi *E )
94{
95 int ret;
96
97 if( ( N != NULL && ( ret = mbedcrypto_mpi_copy( &ctx->N, N ) ) != 0 ) ||
98 ( P != NULL && ( ret = mbedcrypto_mpi_copy( &ctx->P, P ) ) != 0 ) ||
99 ( Q != NULL && ( ret = mbedcrypto_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
100 ( D != NULL && ( ret = mbedcrypto_mpi_copy( &ctx->D, D ) ) != 0 ) ||
101 ( E != NULL && ( ret = mbedcrypto_mpi_copy( &ctx->E, E ) ) != 0 ) )
102 {
103 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
104 }
105
106 if( N != NULL )
107 ctx->len = mbedcrypto_mpi_size( &ctx->N );
108
109 return( 0 );
110}
111
112int mbedcrypto_rsa_import_raw( mbedcrypto_rsa_context *ctx,
113 unsigned char const *N, size_t N_len,
114 unsigned char const *P, size_t P_len,
115 unsigned char const *Q, size_t Q_len,
116 unsigned char const *D, size_t D_len,
117 unsigned char const *E, size_t E_len )
118{
119 int ret = 0;
120
121 if( N != NULL )
122 {
123 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &ctx->N, N, N_len ) );
124 ctx->len = mbedcrypto_mpi_size( &ctx->N );
125 }
126
127 if( P != NULL )
128 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &ctx->P, P, P_len ) );
129
130 if( Q != NULL )
131 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &ctx->Q, Q, Q_len ) );
132
133 if( D != NULL )
134 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &ctx->D, D, D_len ) );
135
136 if( E != NULL )
137 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &ctx->E, E, E_len ) );
138
139cleanup:
140
141 if( ret != 0 )
142 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
143
144 return( 0 );
145}
146
147/*
148 * Checks whether the context fields are set in such a way
149 * that the RSA primitives will be able to execute without error.
150 * It does *not* make guarantees for consistency of the parameters.
151 */
152static int rsa_check_context( mbedcrypto_rsa_context const *ctx, int is_priv,
153 int blinding_needed )
154{
155#if !defined(MBEDCRYPTO_RSA_NO_CRT)
156 /* blinding_needed is only used for NO_CRT to decide whether
157 * P,Q need to be present or not. */
158 ((void) blinding_needed);
159#endif
160
161 if( ctx->len != mbedcrypto_mpi_size( &ctx->N ) ||
162 ctx->len > MBEDCRYPTO_MPI_MAX_SIZE )
163 {
164 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
165 }
166
167 /*
168 * 1. Modular exponentiation needs positive, odd moduli.
169 */
170
171 /* Modular exponentiation wrt. N is always used for
172 * RSA public key operations. */
173 if( mbedcrypto_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
174 mbedcrypto_mpi_get_bit( &ctx->N, 0 ) == 0 )
175 {
176 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
177 }
178
179#if !defined(MBEDCRYPTO_RSA_NO_CRT)
180 /* Modular exponentiation for P and Q is only
181 * used for private key operations and if CRT
182 * is used. */
183 if( is_priv &&
184 ( mbedcrypto_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
185 mbedcrypto_mpi_get_bit( &ctx->P, 0 ) == 0 ||
186 mbedcrypto_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
187 mbedcrypto_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
188 {
189 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
190 }
191#endif /* !MBEDCRYPTO_RSA_NO_CRT */
192
193 /*
194 * 2. Exponents must be positive
195 */
196
197 /* Always need E for public key operations */
198 if( mbedcrypto_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
199 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
200
201#if defined(MBEDCRYPTO_RSA_NO_CRT)
202 /* For private key operations, use D or DP & DQ
203 * as (unblinded) exponents. */
204 if( is_priv && mbedcrypto_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
205 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
206#else
207 if( is_priv &&
208 ( mbedcrypto_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
209 mbedcrypto_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
210 {
211 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
212 }
213#endif /* MBEDCRYPTO_RSA_NO_CRT */
214
215 /* Blinding shouldn't make exponents negative either,
216 * so check that P, Q >= 1 if that hasn't yet been
217 * done as part of 1. */
218#if defined(MBEDCRYPTO_RSA_NO_CRT)
219 if( is_priv && blinding_needed &&
220 ( mbedcrypto_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
221 mbedcrypto_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
222 {
223 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
224 }
225#endif
226
227 /* It wouldn't lead to an error if it wasn't satisfied,
228 * but check for QP >= 1 nonetheless. */
229#if !defined(MBEDCRYPTO_RSA_NO_CRT)
230 if( is_priv &&
231 mbedcrypto_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
232 {
233 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
234 }
235#endif
236
237 return( 0 );
238}
239
240int mbedcrypto_rsa_complete( mbedcrypto_rsa_context *ctx )
241{
242 int ret = 0;
243
244 const int have_N = ( mbedcrypto_mpi_cmp_int( &ctx->N, 0 ) != 0 );
245 const int have_P = ( mbedcrypto_mpi_cmp_int( &ctx->P, 0 ) != 0 );
246 const int have_Q = ( mbedcrypto_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
247 const int have_D = ( mbedcrypto_mpi_cmp_int( &ctx->D, 0 ) != 0 );
248 const int have_E = ( mbedcrypto_mpi_cmp_int( &ctx->E, 0 ) != 0 );
249
250 /*
251 * Check whether provided parameters are enough
252 * to deduce all others. The following incomplete
253 * parameter sets for private keys are supported:
254 *
255 * (1) P, Q missing.
256 * (2) D and potentially N missing.
257 *
258 */
259
260 const int n_missing = have_P && have_Q && have_D && have_E;
261 const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
262 const int d_missing = have_P && have_Q && !have_D && have_E;
263 const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
264
265 /* These three alternatives are mutually exclusive */
266 const int is_priv = n_missing || pq_missing || d_missing;
267
268 if( !is_priv && !is_pub )
269 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
270
271 /*
272 * Step 1: Deduce N if P, Q are provided.
273 */
274
275 if( !have_N && have_P && have_Q )
276 {
277 if( ( ret = mbedcrypto_mpi_mul_mpi( &ctx->N, &ctx->P,
278 &ctx->Q ) ) != 0 )
279 {
280 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
281 }
282
283 ctx->len = mbedcrypto_mpi_size( &ctx->N );
284 }
285
286 /*
287 * Step 2: Deduce and verify all remaining core parameters.
288 */
289
290 if( pq_missing )
291 {
292 ret = mbedcrypto_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
293 &ctx->P, &ctx->Q );
294 if( ret != 0 )
295 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
296
297 }
298 else if( d_missing )
299 {
300 if( ( ret = mbedcrypto_rsa_deduce_private_exponent( &ctx->P,
301 &ctx->Q,
302 &ctx->E,
303 &ctx->D ) ) != 0 )
304 {
305 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
306 }
307 }
308
309 /*
310 * Step 3: Deduce all additional parameters specific
311 * to our current RSA implementation.
312 */
313
314#if !defined(MBEDCRYPTO_RSA_NO_CRT)
315 if( is_priv )
316 {
317 ret = mbedcrypto_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
318 &ctx->DP, &ctx->DQ, &ctx->QP );
319 if( ret != 0 )
320 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
321 }
322#endif /* MBEDCRYPTO_RSA_NO_CRT */
323
324 /*
325 * Step 3: Basic sanity checks
326 */
327
328 return( rsa_check_context( ctx, is_priv, 1 ) );
329}
330
331int mbedcrypto_rsa_export_raw( const mbedcrypto_rsa_context *ctx,
332 unsigned char *N, size_t N_len,
333 unsigned char *P, size_t P_len,
334 unsigned char *Q, size_t Q_len,
335 unsigned char *D, size_t D_len,
336 unsigned char *E, size_t E_len )
337{
338 int ret = 0;
339
340 /* Check if key is private or public */
341 const int is_priv =
342 mbedcrypto_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
343 mbedcrypto_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
344 mbedcrypto_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
345 mbedcrypto_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
346 mbedcrypto_mpi_cmp_int( &ctx->E, 0 ) != 0;
347
348 if( !is_priv )
349 {
350 /* If we're trying to export private parameters for a public key,
351 * something must be wrong. */
352 if( P != NULL || Q != NULL || D != NULL )
353 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
354
355 }
356
357 if( N != NULL )
358 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &ctx->N, N, N_len ) );
359
360 if( P != NULL )
361 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &ctx->P, P, P_len ) );
362
363 if( Q != NULL )
364 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &ctx->Q, Q, Q_len ) );
365
366 if( D != NULL )
367 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &ctx->D, D, D_len ) );
368
369 if( E != NULL )
370 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &ctx->E, E, E_len ) );
371
372cleanup:
373
374 return( ret );
375}
376
377int mbedcrypto_rsa_export( const mbedcrypto_rsa_context *ctx,
378 mbedcrypto_mpi *N, mbedcrypto_mpi *P, mbedcrypto_mpi *Q,
379 mbedcrypto_mpi *D, mbedcrypto_mpi *E )
380{
381 int ret;
382
383 /* Check if key is private or public */
384 int is_priv =
385 mbedcrypto_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
386 mbedcrypto_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
387 mbedcrypto_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
388 mbedcrypto_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
389 mbedcrypto_mpi_cmp_int( &ctx->E, 0 ) != 0;
390
391 if( !is_priv )
392 {
393 /* If we're trying to export private parameters for a public key,
394 * something must be wrong. */
395 if( P != NULL || Q != NULL || D != NULL )
396 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
397
398 }
399
400 /* Export all requested core parameters. */
401
402 if( ( N != NULL && ( ret = mbedcrypto_mpi_copy( N, &ctx->N ) ) != 0 ) ||
403 ( P != NULL && ( ret = mbedcrypto_mpi_copy( P, &ctx->P ) ) != 0 ) ||
404 ( Q != NULL && ( ret = mbedcrypto_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
405 ( D != NULL && ( ret = mbedcrypto_mpi_copy( D, &ctx->D ) ) != 0 ) ||
406 ( E != NULL && ( ret = mbedcrypto_mpi_copy( E, &ctx->E ) ) != 0 ) )
407 {
408 return( ret );
409 }
410
411 return( 0 );
412}
413
414/*
415 * Export CRT parameters
416 * This must also be implemented if CRT is not used, for being able to
417 * write DER encoded RSA keys. The helper function mbedcrypto_rsa_deduce_crt
418 * can be used in this case.
419 */
420int mbedcrypto_rsa_export_crt( const mbedcrypto_rsa_context *ctx,
421 mbedcrypto_mpi *DP, mbedcrypto_mpi *DQ, mbedcrypto_mpi *QP )
422{
423 int ret;
424
425 /* Check if key is private or public */
426 int is_priv =
427 mbedcrypto_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
428 mbedcrypto_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
429 mbedcrypto_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
430 mbedcrypto_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
431 mbedcrypto_mpi_cmp_int( &ctx->E, 0 ) != 0;
432
433 if( !is_priv )
434 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
435
436#if !defined(MBEDCRYPTO_RSA_NO_CRT)
437 /* Export all requested blinding parameters. */
438 if( ( DP != NULL && ( ret = mbedcrypto_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
439 ( DQ != NULL && ( ret = mbedcrypto_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
440 ( QP != NULL && ( ret = mbedcrypto_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
441 {
442 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
443 }
444#else
445 if( ( ret = mbedcrypto_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
446 DP, DQ, QP ) ) != 0 )
447 {
448 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA + ret );
449 }
450#endif
451
452 return( 0 );
453}
454
455/*
456 * Initialize an RSA context
457 */
458void mbedcrypto_rsa_init( mbedcrypto_rsa_context *ctx,
459 int padding,
460 int hash_id )
461{
462 memset( ctx, 0, sizeof( mbedcrypto_rsa_context ) );
463
464 mbedcrypto_rsa_set_padding( ctx, padding, hash_id );
465
466#if defined(MBEDCRYPTO_THREADING_C)
467 mbedcrypto_mutex_init( &ctx->mutex );
468#endif
469}
470
471/*
472 * Set padding for an existing RSA context
473 */
474void mbedcrypto_rsa_set_padding( mbedcrypto_rsa_context *ctx, int padding, int hash_id )
475{
476 ctx->padding = padding;
477 ctx->hash_id = hash_id;
478}
479
480/*
481 * Get length in bytes of RSA modulus
482 */
483size_t mbedcrypto_rsa_get_len( const mbedcrypto_rsa_context *ctx )
484{
485 return( ctx->len );
486}
487
488/*
489 * Get length in bits of RSA modulus
490 */
491size_t mbedcrypto_rsa_get_bitlen( const mbedcrypto_rsa_context *ctx )
492{
493 return( mbedcrypto_mpi_bitlen( &ctx->N ) );
494}
495
496
497#if defined(MBEDCRYPTO_GENPRIME)
498
499/*
500 * Generate an RSA keypair
501 *
502 * This generation method follows the RSA key pair generation procedure of
503 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
504 */
505int mbedcrypto_rsa_gen_key( mbedcrypto_rsa_context *ctx,
506 int (*f_rng)(void *, unsigned char *, size_t),
507 void *p_rng,
508 unsigned int nbits, int exponent )
509{
510 int ret;
511 mbedcrypto_mpi H, G, L;
512
513 if( f_rng == NULL || nbits < 128 || exponent < 3 )
514 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
515
516 if( nbits % 2 )
517 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
518
519 mbedcrypto_mpi_init( &H );
520 mbedcrypto_mpi_init( &G );
521 mbedcrypto_mpi_init( &L );
522
523 /*
524 * find primes P and Q with Q < P so that:
525 * 1. |P-Q| > 2^( nbits / 2 - 100 )
526 * 2. GCD( E, (P-1)*(Q-1) ) == 1
527 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
528 */
529 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_lset( &ctx->E, exponent ) );
530
531 do
532 {
533 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
534 f_rng, p_rng ) );
535
536 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
537 f_rng, p_rng ) );
538
539 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
540 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
541 if( mbedcrypto_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
542 continue;
543
544 /* not required by any standards, but some users rely on the fact that P > Q */
545 if( H.s < 0 )
546 mbedcrypto_mpi_swap( &ctx->P, &ctx->Q );
547
548 /* Temporarily replace P,Q by P-1, Q-1 */
549 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
550 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
551 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
552
553 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
554 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_gcd( &G, &ctx->E, &H ) );
555 if( mbedcrypto_mpi_cmp_int( &G, 1 ) != 0 )
556 continue;
557
558 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
559 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
560 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_div_mpi( &L, NULL, &H, &G ) );
561 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
562
563 if( mbedcrypto_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
564 continue;
565
566 break;
567 }
568 while( 1 );
569
570 /* Restore P,Q */
571 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
572 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
573
574 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
575
576 ctx->len = mbedcrypto_mpi_size( &ctx->N );
577
578#if !defined(MBEDCRYPTO_RSA_NO_CRT)
579 /*
580 * DP = D mod (P - 1)
581 * DQ = D mod (Q - 1)
582 * QP = Q^-1 mod P
583 */
584 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
585 &ctx->DP, &ctx->DQ, &ctx->QP ) );
586#endif /* MBEDCRYPTO_RSA_NO_CRT */
587
588 /* Double-check */
589 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_check_privkey( ctx ) );
590
591cleanup:
592
593 mbedcrypto_mpi_free( &H );
594 mbedcrypto_mpi_free( &G );
595 mbedcrypto_mpi_free( &L );
596
597 if( ret != 0 )
598 {
599 mbedcrypto_rsa_free( ctx );
600 return( MBEDCRYPTO_ERR_RSA_KEY_GEN_FAILED + ret );
601 }
602
603 return( 0 );
604}
605
606#endif /* MBEDCRYPTO_GENPRIME */
607
608/*
609 * Check a public RSA key
610 */
611int mbedcrypto_rsa_check_pubkey( const mbedcrypto_rsa_context *ctx )
612{
613 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
614 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
615
616 if( mbedcrypto_mpi_bitlen( &ctx->N ) < 128 )
617 {
618 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
619 }
620
621 if( mbedcrypto_mpi_get_bit( &ctx->E, 0 ) == 0 ||
622 mbedcrypto_mpi_bitlen( &ctx->E ) < 2 ||
623 mbedcrypto_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
624 {
625 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
626 }
627
628 return( 0 );
629}
630
631/*
632 * Check for the consistency of all fields in an RSA private key context
633 */
634int mbedcrypto_rsa_check_privkey( const mbedcrypto_rsa_context *ctx )
635{
636 if( mbedcrypto_rsa_check_pubkey( ctx ) != 0 ||
637 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
638 {
639 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
640 }
641
642 if( mbedcrypto_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
643 &ctx->D, &ctx->E, NULL, NULL ) != 0 )
644 {
645 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
646 }
647
648#if !defined(MBEDCRYPTO_RSA_NO_CRT)
649 else if( mbedcrypto_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
650 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
651 {
652 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
653 }
654#endif
655
656 return( 0 );
657}
658
659/*
660 * Check if contexts holding a public and private key match
661 */
662int mbedcrypto_rsa_check_pub_priv( const mbedcrypto_rsa_context *pub,
663 const mbedcrypto_rsa_context *prv )
664{
665 if( mbedcrypto_rsa_check_pubkey( pub ) != 0 ||
666 mbedcrypto_rsa_check_privkey( prv ) != 0 )
667 {
668 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
669 }
670
671 if( mbedcrypto_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
672 mbedcrypto_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
673 {
674 return( MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED );
675 }
676
677 return( 0 );
678}
679
680/*
681 * Do an RSA public key operation
682 */
683int mbedcrypto_rsa_public( mbedcrypto_rsa_context *ctx,
684 const unsigned char *input,
685 unsigned char *output )
686{
687 int ret;
688 size_t olen;
689 mbedcrypto_mpi T;
690
691 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
692 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
693
694 mbedcrypto_mpi_init( &T );
695
696#if defined(MBEDCRYPTO_THREADING_C)
697 if( ( ret = mbedcrypto_mutex_lock( &ctx->mutex ) ) != 0 )
698 return( ret );
699#endif
700
701 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &T, input, ctx->len ) );
702
703 if( mbedcrypto_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
704 {
705 ret = MBEDCRYPTO_ERR_MPI_BAD_INPUT_DATA;
706 goto cleanup;
707 }
708
709 olen = ctx->len;
710 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
711 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &T, output, olen ) );
712
713cleanup:
714#if defined(MBEDCRYPTO_THREADING_C)
715 if( mbedcrypto_mutex_unlock( &ctx->mutex ) != 0 )
716 return( MBEDCRYPTO_ERR_THREADING_MUTEX_ERROR );
717#endif
718
719 mbedcrypto_mpi_free( &T );
720
721 if( ret != 0 )
722 return( MBEDCRYPTO_ERR_RSA_PUBLIC_FAILED + ret );
723
724 return( 0 );
725}
726
727/*
728 * Generate or update blinding values, see section 10 of:
729 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
730 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
731 * Berlin Heidelberg, 1996. p. 104-113.
732 */
733static int rsa_prepare_blinding( mbedcrypto_rsa_context *ctx,
734 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
735{
736 int ret, count = 0;
737
738 if( ctx->Vf.p != NULL )
739 {
740 /* We already have blinding values, just update them by squaring */
741 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
742 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
743 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
744 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
745
746 goto cleanup;
747 }
748
749 /* Unblinding value: Vf = random number, invertible mod N */
750 do {
751 if( count++ > 10 )
752 return( MBEDCRYPTO_ERR_RSA_RNG_FAILED );
753
754 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
755 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
756 } while( mbedcrypto_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
757
758 /* Blinding value: Vi = Vf^(-e) mod N */
759 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
760 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
761
762
763cleanup:
764 return( ret );
765}
766
767/*
768 * Exponent blinding supposed to prevent side-channel attacks using multiple
769 * traces of measurements to recover the RSA key. The more collisions are there,
770 * the more bits of the key can be recovered. See [3].
771 *
772 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
773 * observations on avarage.
774 *
775 * For example with 28 byte blinding to achieve 2 collisions the adversary has
776 * to make 2^112 observations on avarage.
777 *
778 * (With the currently (as of 2017 April) known best algorithms breaking 2048
779 * bit RSA requires approximately as much time as trying out 2^112 random keys.
780 * Thus in this sense with 28 byte blinding the security is not reduced by
781 * side-channel attacks like the one in [3])
782 *
783 * This countermeasure does not help if the key recovery is possible with a
784 * single trace.
785 */
786#define RSA_EXPONENT_BLINDING 28
787
788/*
789 * Do an RSA private key operation
790 */
791int mbedcrypto_rsa_private( mbedcrypto_rsa_context *ctx,
792 int (*f_rng)(void *, unsigned char *, size_t),
793 void *p_rng,
794 const unsigned char *input,
795 unsigned char *output )
796{
797 int ret;
798 size_t olen;
799
800 /* Temporary holding the result */
801 mbedcrypto_mpi T;
802
803 /* Temporaries holding P-1, Q-1 and the
804 * exponent blinding factor, respectively. */
805 mbedcrypto_mpi P1, Q1, R;
806
807#if !defined(MBEDCRYPTO_RSA_NO_CRT)
808 /* Temporaries holding the results mod p resp. mod q. */
809 mbedcrypto_mpi TP, TQ;
810
811 /* Temporaries holding the blinded exponents for
812 * the mod p resp. mod q computation (if used). */
813 mbedcrypto_mpi DP_blind, DQ_blind;
814
815 /* Pointers to actual exponents to be used - either the unblinded
816 * or the blinded ones, depending on the presence of a PRNG. */
817 mbedcrypto_mpi *DP = &ctx->DP;
818 mbedcrypto_mpi *DQ = &ctx->DQ;
819#else
820 /* Temporary holding the blinded exponent (if used). */
821 mbedcrypto_mpi D_blind;
822
823 /* Pointer to actual exponent to be used - either the unblinded
824 * or the blinded one, depending on the presence of a PRNG. */
825 mbedcrypto_mpi *D = &ctx->D;
826#endif /* MBEDCRYPTO_RSA_NO_CRT */
827
828 /* Temporaries holding the initial input and the double
829 * checked result; should be the same in the end. */
830 mbedcrypto_mpi I, C;
831
832 if( rsa_check_context( ctx, 1 /* private key checks */,
833 f_rng != NULL /* blinding y/n */ ) != 0 )
834 {
835 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
836 }
837
838#if defined(MBEDCRYPTO_THREADING_C)
839 if( ( ret = mbedcrypto_mutex_lock( &ctx->mutex ) ) != 0 )
840 return( ret );
841#endif
842
843 /* MPI Initialization */
844 mbedcrypto_mpi_init( &T );
845
846 mbedcrypto_mpi_init( &P1 );
847 mbedcrypto_mpi_init( &Q1 );
848 mbedcrypto_mpi_init( &R );
849
850 if( f_rng != NULL )
851 {
852#if defined(MBEDCRYPTO_RSA_NO_CRT)
853 mbedcrypto_mpi_init( &D_blind );
854#else
855 mbedcrypto_mpi_init( &DP_blind );
856 mbedcrypto_mpi_init( &DQ_blind );
857#endif
858 }
859
860#if !defined(MBEDCRYPTO_RSA_NO_CRT)
861 mbedcrypto_mpi_init( &TP ); mbedcrypto_mpi_init( &TQ );
862#endif
863
864 mbedcrypto_mpi_init( &I );
865 mbedcrypto_mpi_init( &C );
866
867 /* End of MPI initialization */
868
869 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &T, input, ctx->len ) );
870 if( mbedcrypto_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
871 {
872 ret = MBEDCRYPTO_ERR_MPI_BAD_INPUT_DATA;
873 goto cleanup;
874 }
875
876 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &I, &T ) );
877
878 if( f_rng != NULL )
879 {
880 /*
881 * Blinding
882 * T = T * Vi mod N
883 */
884 MBEDCRYPTO_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
885 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
886 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &T, &T, &ctx->N ) );
887
888 /*
889 * Exponent blinding
890 */
891 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_sub_int( &P1, &ctx->P, 1 ) );
892 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
893
894#if defined(MBEDCRYPTO_RSA_NO_CRT)
895 /*
896 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
897 */
898 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
899 f_rng, p_rng ) );
900 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
901 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
902 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
903
904 D = &D_blind;
905#else
906 /*
907 * DP_blind = ( P - 1 ) * R + DP
908 */
909 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
910 f_rng, p_rng ) );
911 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &DP_blind, &P1, &R ) );
912 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_add_mpi( &DP_blind, &DP_blind,
913 &ctx->DP ) );
914
915 DP = &DP_blind;
916
917 /*
918 * DQ_blind = ( Q - 1 ) * R + DQ
919 */
920 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
921 f_rng, p_rng ) );
922 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
923 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_add_mpi( &DQ_blind, &DQ_blind,
924 &ctx->DQ ) );
925
926 DQ = &DQ_blind;
927#endif /* MBEDCRYPTO_RSA_NO_CRT */
928 }
929
930#if defined(MBEDCRYPTO_RSA_NO_CRT)
931 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
932#else
933 /*
934 * Faster decryption using the CRT
935 *
936 * TP = input ^ dP mod P
937 * TQ = input ^ dQ mod Q
938 */
939
940 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
941 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
942
943 /*
944 * T = (TP - TQ) * (Q^-1 mod P) mod P
945 */
946 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_sub_mpi( &T, &TP, &TQ ) );
947 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
948 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &T, &TP, &ctx->P ) );
949
950 /*
951 * T = TQ + T * Q
952 */
953 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
954 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_add_mpi( &T, &TQ, &TP ) );
955#endif /* MBEDCRYPTO_RSA_NO_CRT */
956
957 if( f_rng != NULL )
958 {
959 /*
960 * Unblind
961 * T = T * Vf mod N
962 */
963 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
964 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_mod_mpi( &T, &T, &ctx->N ) );
965 }
966
967 /* Verify the result to prevent glitching attacks. */
968 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_exp_mod( &C, &T, &ctx->E,
969 &ctx->N, &ctx->RN ) );
970 if( mbedcrypto_mpi_cmp_mpi( &C, &I ) != 0 )
971 {
972 ret = MBEDCRYPTO_ERR_RSA_VERIFY_FAILED;
973 goto cleanup;
974 }
975
976 olen = ctx->len;
977 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &T, output, olen ) );
978
979cleanup:
980#if defined(MBEDCRYPTO_THREADING_C)
981 if( mbedcrypto_mutex_unlock( &ctx->mutex ) != 0 )
982 return( MBEDCRYPTO_ERR_THREADING_MUTEX_ERROR );
983#endif
984
985 mbedcrypto_mpi_free( &P1 );
986 mbedcrypto_mpi_free( &Q1 );
987 mbedcrypto_mpi_free( &R );
988
989 if( f_rng != NULL )
990 {
991#if defined(MBEDCRYPTO_RSA_NO_CRT)
992 mbedcrypto_mpi_free( &D_blind );
993#else
994 mbedcrypto_mpi_free( &DP_blind );
995 mbedcrypto_mpi_free( &DQ_blind );
996#endif
997 }
998
999 mbedcrypto_mpi_free( &T );
1000
1001#if !defined(MBEDCRYPTO_RSA_NO_CRT)
1002 mbedcrypto_mpi_free( &TP ); mbedcrypto_mpi_free( &TQ );
1003#endif
1004
1005 mbedcrypto_mpi_free( &C );
1006 mbedcrypto_mpi_free( &I );
1007
1008 if( ret != 0 )
1009 return( MBEDCRYPTO_ERR_RSA_PRIVATE_FAILED + ret );
1010
1011 return( 0 );
1012}
1013
1014#if defined(MBEDCRYPTO_PKCS1_V21)
1015/**
1016 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1017 *
1018 * \param dst buffer to mask
1019 * \param dlen length of destination buffer
1020 * \param src source of the mask generation
1021 * \param slen length of the source buffer
1022 * \param md_ctx message digest context to use
1023 */
1024static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
1025 size_t slen, mbedcrypto_md_context_t *md_ctx )
1026{
1027 unsigned char mask[MBEDCRYPTO_MD_MAX_SIZE];
1028 unsigned char counter[4];
1029 unsigned char *p;
1030 unsigned int hlen;
1031 size_t i, use_len;
1032 int ret = 0;
1033
1034 memset( mask, 0, MBEDCRYPTO_MD_MAX_SIZE );
1035 memset( counter, 0, 4 );
1036
1037 hlen = mbedcrypto_md_get_size( md_ctx->md_info );
1038
1039 /* Generate and apply dbMask */
1040 p = dst;
1041
1042 while( dlen > 0 )
1043 {
1044 use_len = hlen;
1045 if( dlen < hlen )
1046 use_len = dlen;
1047
1048 if( ( ret = mbedcrypto_md_starts( md_ctx ) ) != 0 )
1049 goto exit;
1050 if( ( ret = mbedcrypto_md_update( md_ctx, src, slen ) ) != 0 )
1051 goto exit;
1052 if( ( ret = mbedcrypto_md_update( md_ctx, counter, 4 ) ) != 0 )
1053 goto exit;
1054 if( ( ret = mbedcrypto_md_finish( md_ctx, mask ) ) != 0 )
1055 goto exit;
1056
1057 for( i = 0; i < use_len; ++i )
1058 *p++ ^= mask[i];
1059
1060 counter[3]++;
1061
1062 dlen -= use_len;
1063 }
1064
1065exit:
1066 mbedcrypto_platform_zeroize( mask, sizeof( mask ) );
1067
1068 return( ret );
1069}
1070#endif /* MBEDCRYPTO_PKCS1_V21 */
1071
1072#if defined(MBEDCRYPTO_PKCS1_V21)
1073/*
1074 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1075 */
1076int mbedcrypto_rsa_rsaes_oaep_encrypt( mbedcrypto_rsa_context *ctx,
1077 int (*f_rng)(void *, unsigned char *, size_t),
1078 void *p_rng,
1079 int mode,
1080 const unsigned char *label, size_t label_len,
1081 size_t ilen,
1082 const unsigned char *input,
1083 unsigned char *output )
1084{
1085 size_t olen;
1086 int ret;
1087 unsigned char *p = output;
1088 unsigned int hlen;
1089 const mbedcrypto_md_info_t *md_info;
1090 mbedcrypto_md_context_t md_ctx;
1091
1092 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V21 )
1093 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1094
1095 if( f_rng == NULL )
1096 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1097
1098 md_info = mbedcrypto_md_info_from_type( (mbedcrypto_md_type_t) ctx->hash_id );
1099 if( md_info == NULL )
1100 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1101
1102 olen = ctx->len;
1103 hlen = mbedcrypto_md_get_size( md_info );
1104
1105 /* first comparison checks for overflow */
1106 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
1107 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1108
1109 memset( output, 0, olen );
1110
1111 *p++ = 0;
1112
1113 /* Generate a random octet string seed */
1114 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
1115 return( MBEDCRYPTO_ERR_RSA_RNG_FAILED + ret );
1116
1117 p += hlen;
1118
1119 /* Construct DB */
1120 if( ( ret = mbedcrypto_md( md_info, label, label_len, p ) ) != 0 )
1121 return( ret );
1122 p += hlen;
1123 p += olen - 2 * hlen - 2 - ilen;
1124 *p++ = 1;
1125 if( ilen != 0 )
1126 memcpy( p, input, ilen );
1127
1128 mbedcrypto_md_init( &md_ctx );
1129 if( ( ret = mbedcrypto_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1130 goto exit;
1131
1132 /* maskedDB: Apply dbMask to DB */
1133 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1134 &md_ctx ) ) != 0 )
1135 goto exit;
1136
1137 /* maskedSeed: Apply seedMask to seed */
1138 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1139 &md_ctx ) ) != 0 )
1140 goto exit;
1141
1142exit:
1143 mbedcrypto_md_free( &md_ctx );
1144
1145 if( ret != 0 )
1146 return( ret );
1147
1148 return( ( mode == MBEDCRYPTO_RSA_PUBLIC )
1149 ? mbedcrypto_rsa_public( ctx, output, output )
1150 : mbedcrypto_rsa_private( ctx, f_rng, p_rng, output, output ) );
1151}
1152#endif /* MBEDCRYPTO_PKCS1_V21 */
1153
1154#if defined(MBEDCRYPTO_PKCS1_V15)
1155/*
1156 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1157 */
1158int mbedcrypto_rsa_rsaes_pkcs1_v15_encrypt( mbedcrypto_rsa_context *ctx,
1159 int (*f_rng)(void *, unsigned char *, size_t),
1160 void *p_rng,
1161 int mode, size_t ilen,
1162 const unsigned char *input,
1163 unsigned char *output )
1164{
1165 size_t nb_pad, olen;
1166 int ret;
1167 unsigned char *p = output;
1168
1169 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V15 )
1170 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1171
1172 // We don't check p_rng because it won't be dereferenced here
1173 if( f_rng == NULL || output == NULL )
1174 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1175 if( ilen != 0 && input == NULL )
1176 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1177
1178 olen = ctx->len;
1179
1180 /* first comparison checks for overflow */
1181 if( ilen + 11 < ilen || olen < ilen + 11 )
1182 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1183
1184 nb_pad = olen - 3 - ilen;
1185
1186 *p++ = 0;
1187 if( mode == MBEDCRYPTO_RSA_PUBLIC )
1188 {
1189 *p++ = MBEDCRYPTO_RSA_CRYPT;
1190
1191 while( nb_pad-- > 0 )
1192 {
1193 int rng_dl = 100;
1194
1195 do {
1196 ret = f_rng( p_rng, p, 1 );
1197 } while( *p == 0 && --rng_dl && ret == 0 );
1198
1199 /* Check if RNG failed to generate data */
1200 if( rng_dl == 0 || ret != 0 )
1201 return( MBEDCRYPTO_ERR_RSA_RNG_FAILED + ret );
1202
1203 p++;
1204 }
1205 }
1206 else
1207 {
1208 *p++ = MBEDCRYPTO_RSA_SIGN;
1209
1210 while( nb_pad-- > 0 )
1211 *p++ = 0xFF;
1212 }
1213
1214 *p++ = 0;
1215 if( ilen != 0 )
1216 memcpy( p, input, ilen );
1217
1218 return( ( mode == MBEDCRYPTO_RSA_PUBLIC )
1219 ? mbedcrypto_rsa_public( ctx, output, output )
1220 : mbedcrypto_rsa_private( ctx, f_rng, p_rng, output, output ) );
1221}
1222#endif /* MBEDCRYPTO_PKCS1_V15 */
1223
1224/*
1225 * Add the message padding, then do an RSA operation
1226 */
1227int mbedcrypto_rsa_pkcs1_encrypt( mbedcrypto_rsa_context *ctx,
1228 int (*f_rng)(void *, unsigned char *, size_t),
1229 void *p_rng,
1230 int mode, size_t ilen,
1231 const unsigned char *input,
1232 unsigned char *output )
1233{
1234 switch( ctx->padding )
1235 {
1236#if defined(MBEDCRYPTO_PKCS1_V15)
1237 case MBEDCRYPTO_RSA_PKCS_V15:
1238 return mbedcrypto_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
1239 input, output );
1240#endif
1241
1242#if defined(MBEDCRYPTO_PKCS1_V21)
1243 case MBEDCRYPTO_RSA_PKCS_V21:
1244 return mbedcrypto_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1245 ilen, input, output );
1246#endif
1247
1248 default:
1249 return( MBEDCRYPTO_ERR_RSA_INVALID_PADDING );
1250 }
1251}
1252
1253#if defined(MBEDCRYPTO_PKCS1_V21)
1254/*
1255 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1256 */
1257int mbedcrypto_rsa_rsaes_oaep_decrypt( mbedcrypto_rsa_context *ctx,
1258 int (*f_rng)(void *, unsigned char *, size_t),
1259 void *p_rng,
1260 int mode,
1261 const unsigned char *label, size_t label_len,
1262 size_t *olen,
1263 const unsigned char *input,
1264 unsigned char *output,
1265 size_t output_max_len )
1266{
1267 int ret;
1268 size_t ilen, i, pad_len;
1269 unsigned char *p, bad, pad_done;
1270 unsigned char buf[MBEDCRYPTO_MPI_MAX_SIZE];
1271 unsigned char lhash[MBEDCRYPTO_MD_MAX_SIZE];
1272 unsigned int hlen;
1273 const mbedcrypto_md_info_t *md_info;
1274 mbedcrypto_md_context_t md_ctx;
1275
1276 /*
1277 * Parameters sanity checks
1278 */
1279 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V21 )
1280 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1281
1282 ilen = ctx->len;
1283
1284 if( ilen < 16 || ilen > sizeof( buf ) )
1285 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1286
1287 md_info = mbedcrypto_md_info_from_type( (mbedcrypto_md_type_t) ctx->hash_id );
1288 if( md_info == NULL )
1289 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1290
1291 hlen = mbedcrypto_md_get_size( md_info );
1292
1293 // checking for integer underflow
1294 if( 2 * hlen + 2 > ilen )
1295 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1296
1297 /*
1298 * RSA operation
1299 */
1300 ret = ( mode == MBEDCRYPTO_RSA_PUBLIC )
1301 ? mbedcrypto_rsa_public( ctx, input, buf )
1302 : mbedcrypto_rsa_private( ctx, f_rng, p_rng, input, buf );
1303
1304 if( ret != 0 )
1305 goto cleanup;
1306
1307 /*
1308 * Unmask data and generate lHash
1309 */
1310 mbedcrypto_md_init( &md_ctx );
1311 if( ( ret = mbedcrypto_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1312 {
1313 mbedcrypto_md_free( &md_ctx );
1314 goto cleanup;
1315 }
1316
1317 /* seed: Apply seedMask to maskedSeed */
1318 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1319 &md_ctx ) ) != 0 ||
1320 /* DB: Apply dbMask to maskedDB */
1321 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1322 &md_ctx ) ) != 0 )
1323 {
1324 mbedcrypto_md_free( &md_ctx );
1325 goto cleanup;
1326 }
1327
1328 mbedcrypto_md_free( &md_ctx );
1329
1330 /* Generate lHash */
1331 if( ( ret = mbedcrypto_md( md_info, label, label_len, lhash ) ) != 0 )
1332 goto cleanup;
1333
1334 /*
1335 * Check contents, in "constant-time"
1336 */
1337 p = buf;
1338 bad = 0;
1339
1340 bad |= *p++; /* First byte must be 0 */
1341
1342 p += hlen; /* Skip seed */
1343
1344 /* Check lHash */
1345 for( i = 0; i < hlen; i++ )
1346 bad |= lhash[i] ^ *p++;
1347
1348 /* Get zero-padding len, but always read till end of buffer
1349 * (minus one, for the 01 byte) */
1350 pad_len = 0;
1351 pad_done = 0;
1352 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
1353 {
1354 pad_done |= p[i];
1355 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1356 }
1357
1358 p += pad_len;
1359 bad |= *p++ ^ 0x01;
1360
1361 /*
1362 * The only information "leaked" is whether the padding was correct or not
1363 * (eg, no data is copied if it was not correct). This meets the
1364 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1365 * the different error conditions.
1366 */
1367 if( bad != 0 )
1368 {
1369 ret = MBEDCRYPTO_ERR_RSA_INVALID_PADDING;
1370 goto cleanup;
1371 }
1372
1373 if( ilen - ( p - buf ) > output_max_len )
1374 {
1375 ret = MBEDCRYPTO_ERR_RSA_OUTPUT_TOO_LARGE;
1376 goto cleanup;
1377 }
1378
1379 *olen = ilen - (p - buf);
1380 if( *olen != 0 )
1381 memcpy( output, p, *olen );
1382 ret = 0;
1383
1384cleanup:
1385 mbedcrypto_platform_zeroize( buf, sizeof( buf ) );
1386 mbedcrypto_platform_zeroize( lhash, sizeof( lhash ) );
1387
1388 return( ret );
1389}
1390#endif /* MBEDCRYPTO_PKCS1_V21 */
1391
1392#if defined(MBEDCRYPTO_PKCS1_V15)
1393/*
1394 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1395 */
1396int mbedcrypto_rsa_rsaes_pkcs1_v15_decrypt( mbedcrypto_rsa_context *ctx,
1397 int (*f_rng)(void *, unsigned char *, size_t),
1398 void *p_rng,
1399 int mode, size_t *olen,
1400 const unsigned char *input,
1401 unsigned char *output,
1402 size_t output_max_len)
1403{
1404 int ret;
1405 size_t ilen, pad_count = 0, i;
1406 unsigned char *p, bad, pad_done = 0;
1407 unsigned char buf[MBEDCRYPTO_MPI_MAX_SIZE];
1408
1409 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V15 )
1410 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1411
1412 ilen = ctx->len;
1413
1414 if( ilen < 16 || ilen > sizeof( buf ) )
1415 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1416
1417 ret = ( mode == MBEDCRYPTO_RSA_PUBLIC )
1418 ? mbedcrypto_rsa_public( ctx, input, buf )
1419 : mbedcrypto_rsa_private( ctx, f_rng, p_rng, input, buf );
1420
1421 if( ret != 0 )
1422 goto cleanup;
1423
1424 p = buf;
1425 bad = 0;
1426
1427 /*
1428 * Check and get padding len in "constant-time"
1429 */
1430 bad |= *p++; /* First byte must be 0 */
1431
1432 /* This test does not depend on secret data */
1433 if( mode == MBEDCRYPTO_RSA_PRIVATE )
1434 {
1435 bad |= *p++ ^ MBEDCRYPTO_RSA_CRYPT;
1436
1437 /* Get padding len, but always read till end of buffer
1438 * (minus one, for the 00 byte) */
1439 for( i = 0; i < ilen - 3; i++ )
1440 {
1441 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
1442 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1443 }
1444
1445 p += pad_count;
1446 bad |= *p++; /* Must be zero */
1447 }
1448 else
1449 {
1450 bad |= *p++ ^ MBEDCRYPTO_RSA_SIGN;
1451
1452 /* Get padding len, but always read till end of buffer
1453 * (minus one, for the 00 byte) */
1454 for( i = 0; i < ilen - 3; i++ )
1455 {
1456 pad_done |= ( p[i] != 0xFF );
1457 pad_count += ( pad_done == 0 );
1458 }
1459
1460 p += pad_count;
1461 bad |= *p++; /* Must be zero */
1462 }
1463
1464 bad |= ( pad_count < 8 );
1465
1466 if( bad )
1467 {
1468 ret = MBEDCRYPTO_ERR_RSA_INVALID_PADDING;
1469 goto cleanup;
1470 }
1471
1472 if( ilen - ( p - buf ) > output_max_len )
1473 {
1474 ret = MBEDCRYPTO_ERR_RSA_OUTPUT_TOO_LARGE;
1475 goto cleanup;
1476 }
1477
1478 *olen = ilen - (p - buf);
1479 if( *olen != 0 )
1480 memcpy( output, p, *olen );
1481 ret = 0;
1482
1483cleanup:
1484 mbedcrypto_platform_zeroize( buf, sizeof( buf ) );
1485
1486 return( ret );
1487}
1488#endif /* MBEDCRYPTO_PKCS1_V15 */
1489
1490/*
1491 * Do an RSA operation, then remove the message padding
1492 */
1493int mbedcrypto_rsa_pkcs1_decrypt( mbedcrypto_rsa_context *ctx,
1494 int (*f_rng)(void *, unsigned char *, size_t),
1495 void *p_rng,
1496 int mode, size_t *olen,
1497 const unsigned char *input,
1498 unsigned char *output,
1499 size_t output_max_len)
1500{
1501 switch( ctx->padding )
1502 {
1503#if defined(MBEDCRYPTO_PKCS1_V15)
1504 case MBEDCRYPTO_RSA_PKCS_V15:
1505 return mbedcrypto_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
1506 input, output, output_max_len );
1507#endif
1508
1509#if defined(MBEDCRYPTO_PKCS1_V21)
1510 case MBEDCRYPTO_RSA_PKCS_V21:
1511 return mbedcrypto_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1512 olen, input, output,
1513 output_max_len );
1514#endif
1515
1516 default:
1517 return( MBEDCRYPTO_ERR_RSA_INVALID_PADDING );
1518 }
1519}
1520
1521#if defined(MBEDCRYPTO_PKCS1_V21)
1522/*
1523 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1524 */
1525int mbedcrypto_rsa_rsassa_pss_sign( mbedcrypto_rsa_context *ctx,
1526 int (*f_rng)(void *, unsigned char *, size_t),
1527 void *p_rng,
1528 int mode,
1529 mbedcrypto_md_type_t md_alg,
1530 unsigned int hashlen,
1531 const unsigned char *hash,
1532 unsigned char *sig )
1533{
1534 size_t olen;
1535 unsigned char *p = sig;
1536 unsigned char salt[MBEDCRYPTO_MD_MAX_SIZE];
1537 unsigned int slen, hlen, offset = 0;
1538 int ret;
1539 size_t msb;
1540 const mbedcrypto_md_info_t *md_info;
1541 mbedcrypto_md_context_t md_ctx;
1542
1543 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V21 )
1544 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1545
1546 if( f_rng == NULL )
1547 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1548
1549 olen = ctx->len;
1550
1551 if( md_alg != MBEDCRYPTO_MD_NONE )
1552 {
1553 /* Gather length of hash to sign */
1554 md_info = mbedcrypto_md_info_from_type( md_alg );
1555 if( md_info == NULL )
1556 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1557
1558 hashlen = mbedcrypto_md_get_size( md_info );
1559 }
1560
1561 md_info = mbedcrypto_md_info_from_type( (mbedcrypto_md_type_t) ctx->hash_id );
1562 if( md_info == NULL )
1563 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1564
1565 hlen = mbedcrypto_md_get_size( md_info );
1566 slen = hlen;
1567
1568 if( olen < hlen + slen + 2 )
1569 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1570
1571 memset( sig, 0, olen );
1572
1573 /* Generate salt of length slen */
1574 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
1575 return( MBEDCRYPTO_ERR_RSA_RNG_FAILED + ret );
1576
1577 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1578 msb = mbedcrypto_mpi_bitlen( &ctx->N ) - 1;
1579 p += olen - hlen * 2 - 2;
1580 *p++ = 0x01;
1581 memcpy( p, salt, slen );
1582 p += slen;
1583
1584 mbedcrypto_md_init( &md_ctx );
1585 if( ( ret = mbedcrypto_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1586 goto exit;
1587
1588 /* Generate H = Hash( M' ) */
1589 if( ( ret = mbedcrypto_md_starts( &md_ctx ) ) != 0 )
1590 goto exit;
1591 if( ( ret = mbedcrypto_md_update( &md_ctx, p, 8 ) ) != 0 )
1592 goto exit;
1593 if( ( ret = mbedcrypto_md_update( &md_ctx, hash, hashlen ) ) != 0 )
1594 goto exit;
1595 if( ( ret = mbedcrypto_md_update( &md_ctx, salt, slen ) ) != 0 )
1596 goto exit;
1597 if( ( ret = mbedcrypto_md_finish( &md_ctx, p ) ) != 0 )
1598 goto exit;
1599
1600 /* Compensate for boundary condition when applying mask */
1601 if( msb % 8 == 0 )
1602 offset = 1;
1603
1604 /* maskedDB: Apply dbMask to DB */
1605 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
1606 &md_ctx ) ) != 0 )
1607 goto exit;
1608
1609 msb = mbedcrypto_mpi_bitlen( &ctx->N ) - 1;
1610 sig[0] &= 0xFF >> ( olen * 8 - msb );
1611
1612 p += hlen;
1613 *p++ = 0xBC;
1614
1615 mbedcrypto_platform_zeroize( salt, sizeof( salt ) );
1616
1617exit:
1618 mbedcrypto_md_free( &md_ctx );
1619
1620 if( ret != 0 )
1621 return( ret );
1622
1623 return( ( mode == MBEDCRYPTO_RSA_PUBLIC )
1624 ? mbedcrypto_rsa_public( ctx, sig, sig )
1625 : mbedcrypto_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1626}
1627#endif /* MBEDCRYPTO_PKCS1_V21 */
1628
1629#if defined(MBEDCRYPTO_PKCS1_V15)
1630/*
1631 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1632 */
1633
1634/* Construct a PKCS v1.5 encoding of a hashed message
1635 *
1636 * This is used both for signature generation and verification.
1637 *
1638 * Parameters:
1639 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1640 * MBEDCRYPTO_MD_NONE if raw data is signed.
1641 * - hashlen: Length of hash in case hashlen is MBEDCRYPTO_MD_NONE.
1642 * - hash: Buffer containing the hashed message or the raw data.
1643 * - dst_len: Length of the encoded message.
1644 * - dst: Buffer to hold the encoded message.
1645 *
1646 * Assumptions:
1647 * - hash has size hashlen if md_alg == MBEDCRYPTO_MD_NONE.
1648 * - hash has size corresponding to md_alg if md_alg != MBEDCRYPTO_MD_NONE.
1649 * - dst points to a buffer of size at least dst_len.
1650 *
1651 */
1652static int rsa_rsassa_pkcs1_v15_encode( mbedcrypto_md_type_t md_alg,
1653 unsigned int hashlen,
1654 const unsigned char *hash,
1655 size_t dst_len,
1656 unsigned char *dst )
1657{
1658 size_t oid_size = 0;
1659 size_t nb_pad = dst_len;
1660 unsigned char *p = dst;
1661 const char *oid = NULL;
1662
1663 /* Are we signing hashed or raw data? */
1664 if( md_alg != MBEDCRYPTO_MD_NONE )
1665 {
1666 const mbedcrypto_md_info_t *md_info = mbedcrypto_md_info_from_type( md_alg );
1667 if( md_info == NULL )
1668 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1669
1670 if( mbedcrypto_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1671 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1672
1673 hashlen = mbedcrypto_md_get_size( md_info );
1674
1675 /* Double-check that 8 + hashlen + oid_size can be used as a
1676 * 1-byte ASN.1 length encoding and that there's no overflow. */
1677 if( 8 + hashlen + oid_size >= 0x80 ||
1678 10 + hashlen < hashlen ||
1679 10 + hashlen + oid_size < 10 + hashlen )
1680 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1681
1682 /*
1683 * Static bounds check:
1684 * - Need 10 bytes for five tag-length pairs.
1685 * (Insist on 1-byte length encodings to protect against variants of
1686 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1687 * - Need hashlen bytes for hash
1688 * - Need oid_size bytes for hash alg OID.
1689 */
1690 if( nb_pad < 10 + hashlen + oid_size )
1691 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1692 nb_pad -= 10 + hashlen + oid_size;
1693 }
1694 else
1695 {
1696 if( nb_pad < hashlen )
1697 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1698
1699 nb_pad -= hashlen;
1700 }
1701
1702 /* Need space for signature header and padding delimiter (3 bytes),
1703 * and 8 bytes for the minimal padding */
1704 if( nb_pad < 3 + 8 )
1705 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1706 nb_pad -= 3;
1707
1708 /* Now nb_pad is the amount of memory to be filled
1709 * with padding, and at least 8 bytes long. */
1710
1711 /* Write signature header and padding */
1712 *p++ = 0;
1713 *p++ = MBEDCRYPTO_RSA_SIGN;
1714 memset( p, 0xFF, nb_pad );
1715 p += nb_pad;
1716 *p++ = 0;
1717
1718 /* Are we signing raw data? */
1719 if( md_alg == MBEDCRYPTO_MD_NONE )
1720 {
1721 memcpy( p, hash, hashlen );
1722 return( 0 );
1723 }
1724
1725 /* Signing hashed data, add corresponding ASN.1 structure
1726 *
1727 * DigestInfo ::= SEQUENCE {
1728 * digestAlgorithm DigestAlgorithmIdentifier,
1729 * digest Digest }
1730 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1731 * Digest ::= OCTET STRING
1732 *
1733 * Schematic:
1734 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1735 * TAG-NULL + LEN [ NULL ] ]
1736 * TAG-OCTET + LEN [ HASH ] ]
1737 */
1738 *p++ = MBEDCRYPTO_ASN1_SEQUENCE | MBEDCRYPTO_ASN1_CONSTRUCTED;
1739 *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
1740 *p++ = MBEDCRYPTO_ASN1_SEQUENCE | MBEDCRYPTO_ASN1_CONSTRUCTED;
1741 *p++ = (unsigned char)( 0x04 + oid_size );
1742 *p++ = MBEDCRYPTO_ASN1_OID;
1743 *p++ = (unsigned char) oid_size;
1744 memcpy( p, oid, oid_size );
1745 p += oid_size;
1746 *p++ = MBEDCRYPTO_ASN1_NULL;
1747 *p++ = 0x00;
1748 *p++ = MBEDCRYPTO_ASN1_OCTET_STRING;
1749 *p++ = (unsigned char) hashlen;
1750 memcpy( p, hash, hashlen );
1751 p += hashlen;
1752
1753 /* Just a sanity-check, should be automatic
1754 * after the initial bounds check. */
1755 if( p != dst + dst_len )
1756 {
1757 mbedcrypto_platform_zeroize( dst, dst_len );
1758 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1759 }
1760
1761 return( 0 );
1762}
1763
1764/*
1765 * Do an RSA operation to sign the message digest
1766 */
1767int mbedcrypto_rsa_rsassa_pkcs1_v15_sign( mbedcrypto_rsa_context *ctx,
1768 int (*f_rng)(void *, unsigned char *, size_t),
1769 void *p_rng,
1770 int mode,
1771 mbedcrypto_md_type_t md_alg,
1772 unsigned int hashlen,
1773 const unsigned char *hash,
1774 unsigned char *sig )
1775{
1776 int ret;
1777 unsigned char *sig_try = NULL, *verif = NULL;
1778
1779 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V15 )
1780 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1781
1782 /*
1783 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1784 */
1785
1786 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
1787 ctx->len, sig ) ) != 0 )
1788 return( ret );
1789
1790 /*
1791 * Call respective RSA primitive
1792 */
1793
1794 if( mode == MBEDCRYPTO_RSA_PUBLIC )
1795 {
1796 /* Skip verification on a public key operation */
1797 return( mbedcrypto_rsa_public( ctx, sig, sig ) );
1798 }
1799
1800 /* Private key operation
1801 *
1802 * In order to prevent Lenstra's attack, make the signature in a
1803 * temporary buffer and check it before returning it.
1804 */
1805
1806 sig_try = mbedcrypto_calloc( 1, ctx->len );
1807 if( sig_try == NULL )
1808 return( MBEDCRYPTO_ERR_MPI_ALLOC_FAILED );
1809
1810 verif = mbedcrypto_calloc( 1, ctx->len );
1811 if( verif == NULL )
1812 {
1813 mbedcrypto_free( sig_try );
1814 return( MBEDCRYPTO_ERR_MPI_ALLOC_FAILED );
1815 }
1816
1817 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1818 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_public( ctx, sig_try, verif ) );
1819
1820 if( mbedcrypto_safer_memcmp( verif, sig, ctx->len ) != 0 )
1821 {
1822 ret = MBEDCRYPTO_ERR_RSA_PRIVATE_FAILED;
1823 goto cleanup;
1824 }
1825
1826 memcpy( sig, sig_try, ctx->len );
1827
1828cleanup:
1829 mbedcrypto_free( sig_try );
1830 mbedcrypto_free( verif );
1831
1832 return( ret );
1833}
1834#endif /* MBEDCRYPTO_PKCS1_V15 */
1835
1836/*
1837 * Do an RSA operation to sign the message digest
1838 */
1839int mbedcrypto_rsa_pkcs1_sign( mbedcrypto_rsa_context *ctx,
1840 int (*f_rng)(void *, unsigned char *, size_t),
1841 void *p_rng,
1842 int mode,
1843 mbedcrypto_md_type_t md_alg,
1844 unsigned int hashlen,
1845 const unsigned char *hash,
1846 unsigned char *sig )
1847{
1848 switch( ctx->padding )
1849 {
1850#if defined(MBEDCRYPTO_PKCS1_V15)
1851 case MBEDCRYPTO_RSA_PKCS_V15:
1852 return mbedcrypto_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
1853 hashlen, hash, sig );
1854#endif
1855
1856#if defined(MBEDCRYPTO_PKCS1_V21)
1857 case MBEDCRYPTO_RSA_PKCS_V21:
1858 return mbedcrypto_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1859 hashlen, hash, sig );
1860#endif
1861
1862 default:
1863 return( MBEDCRYPTO_ERR_RSA_INVALID_PADDING );
1864 }
1865}
1866
1867#if defined(MBEDCRYPTO_PKCS1_V21)
1868/*
1869 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1870 */
1871int mbedcrypto_rsa_rsassa_pss_verify_ext( mbedcrypto_rsa_context *ctx,
1872 int (*f_rng)(void *, unsigned char *, size_t),
1873 void *p_rng,
1874 int mode,
1875 mbedcrypto_md_type_t md_alg,
1876 unsigned int hashlen,
1877 const unsigned char *hash,
1878 mbedcrypto_md_type_t mgf1_hash_id,
1879 int expected_salt_len,
1880 const unsigned char *sig )
1881{
1882 int ret;
1883 size_t siglen;
1884 unsigned char *p;
1885 unsigned char *hash_start;
1886 unsigned char result[MBEDCRYPTO_MD_MAX_SIZE];
1887 unsigned char zeros[8];
1888 unsigned int hlen;
1889 size_t observed_salt_len, msb;
1890 const mbedcrypto_md_info_t *md_info;
1891 mbedcrypto_md_context_t md_ctx;
1892 unsigned char buf[MBEDCRYPTO_MPI_MAX_SIZE];
1893
1894 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V21 )
1895 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1896
1897 siglen = ctx->len;
1898
1899 if( siglen < 16 || siglen > sizeof( buf ) )
1900 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1901
1902 ret = ( mode == MBEDCRYPTO_RSA_PUBLIC )
1903 ? mbedcrypto_rsa_public( ctx, sig, buf )
1904 : mbedcrypto_rsa_private( ctx, f_rng, p_rng, sig, buf );
1905
1906 if( ret != 0 )
1907 return( ret );
1908
1909 p = buf;
1910
1911 if( buf[siglen - 1] != 0xBC )
1912 return( MBEDCRYPTO_ERR_RSA_INVALID_PADDING );
1913
1914 if( md_alg != MBEDCRYPTO_MD_NONE )
1915 {
1916 /* Gather length of hash to sign */
1917 md_info = mbedcrypto_md_info_from_type( md_alg );
1918 if( md_info == NULL )
1919 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1920
1921 hashlen = mbedcrypto_md_get_size( md_info );
1922 }
1923
1924 md_info = mbedcrypto_md_info_from_type( mgf1_hash_id );
1925 if( md_info == NULL )
1926 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1927
1928 hlen = mbedcrypto_md_get_size( md_info );
1929
1930 memset( zeros, 0, 8 );
1931
1932 /*
1933 * Note: EMSA-PSS verification is over the length of N - 1 bits
1934 */
1935 msb = mbedcrypto_mpi_bitlen( &ctx->N ) - 1;
1936
1937 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1938 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1939
1940 /* Compensate for boundary condition when applying mask */
1941 if( msb % 8 == 0 )
1942 {
1943 p++;
1944 siglen -= 1;
1945 }
1946
1947 if( siglen < hlen + 2 )
1948 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
1949 hash_start = p + siglen - hlen - 1;
1950
1951 mbedcrypto_md_init( &md_ctx );
1952 if( ( ret = mbedcrypto_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1953 goto exit;
1954
1955 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
1956 if( ret != 0 )
1957 goto exit;
1958
1959 buf[0] &= 0xFF >> ( siglen * 8 - msb );
1960
1961 while( p < hash_start - 1 && *p == 0 )
1962 p++;
1963
1964 if( *p++ != 0x01 )
1965 {
1966 ret = MBEDCRYPTO_ERR_RSA_INVALID_PADDING;
1967 goto exit;
1968 }
1969
1970 observed_salt_len = hash_start - p;
1971
1972 if( expected_salt_len != MBEDCRYPTO_RSA_SALT_LEN_ANY &&
1973 observed_salt_len != (size_t) expected_salt_len )
1974 {
1975 ret = MBEDCRYPTO_ERR_RSA_INVALID_PADDING;
1976 goto exit;
1977 }
1978
1979 /*
1980 * Generate H = Hash( M' )
1981 */
1982 ret = mbedcrypto_md_starts( &md_ctx );
1983 if ( ret != 0 )
1984 goto exit;
1985 ret = mbedcrypto_md_update( &md_ctx, zeros, 8 );
1986 if ( ret != 0 )
1987 goto exit;
1988 ret = mbedcrypto_md_update( &md_ctx, hash, hashlen );
1989 if ( ret != 0 )
1990 goto exit;
1991 ret = mbedcrypto_md_update( &md_ctx, p, observed_salt_len );
1992 if ( ret != 0 )
1993 goto exit;
1994 ret = mbedcrypto_md_finish( &md_ctx, result );
1995 if ( ret != 0 )
1996 goto exit;
1997
1998 if( memcmp( hash_start, result, hlen ) != 0 )
1999 {
2000 ret = MBEDCRYPTO_ERR_RSA_VERIFY_FAILED;
2001 goto exit;
2002 }
2003
2004exit:
2005 mbedcrypto_md_free( &md_ctx );
2006
2007 return( ret );
2008}
2009
2010/*
2011 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2012 */
2013int mbedcrypto_rsa_rsassa_pss_verify( mbedcrypto_rsa_context *ctx,
2014 int (*f_rng)(void *, unsigned char *, size_t),
2015 void *p_rng,
2016 int mode,
2017 mbedcrypto_md_type_t md_alg,
2018 unsigned int hashlen,
2019 const unsigned char *hash,
2020 const unsigned char *sig )
2021{
2022 mbedcrypto_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDCRYPTO_MD_NONE )
2023 ? (mbedcrypto_md_type_t) ctx->hash_id
2024 : md_alg;
2025
2026 return( mbedcrypto_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
2027 md_alg, hashlen, hash,
2028 mgf1_hash_id, MBEDCRYPTO_RSA_SALT_LEN_ANY,
2029 sig ) );
2030
2031}
2032#endif /* MBEDCRYPTO_PKCS1_V21 */
2033
2034#if defined(MBEDCRYPTO_PKCS1_V15)
2035/*
2036 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2037 */
2038int mbedcrypto_rsa_rsassa_pkcs1_v15_verify( mbedcrypto_rsa_context *ctx,
2039 int (*f_rng)(void *, unsigned char *, size_t),
2040 void *p_rng,
2041 int mode,
2042 mbedcrypto_md_type_t md_alg,
2043 unsigned int hashlen,
2044 const unsigned char *hash,
2045 const unsigned char *sig )
2046{
2047 int ret = 0;
2048 const size_t sig_len = ctx->len;
2049 unsigned char *encoded = NULL, *encoded_expected = NULL;
2050
2051 if( mode == MBEDCRYPTO_RSA_PRIVATE && ctx->padding != MBEDCRYPTO_RSA_PKCS_V15 )
2052 return( MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA );
2053
2054 /*
2055 * Prepare expected PKCS1 v1.5 encoding of hash.
2056 */
2057
2058 if( ( encoded = mbedcrypto_calloc( 1, sig_len ) ) == NULL ||
2059 ( encoded_expected = mbedcrypto_calloc( 1, sig_len ) ) == NULL )
2060 {
2061 ret = MBEDCRYPTO_ERR_MPI_ALLOC_FAILED;
2062 goto cleanup;
2063 }
2064
2065 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
2066 encoded_expected ) ) != 0 )
2067 goto cleanup;
2068
2069 /*
2070 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2071 */
2072
2073 ret = ( mode == MBEDCRYPTO_RSA_PUBLIC )
2074 ? mbedcrypto_rsa_public( ctx, sig, encoded )
2075 : mbedcrypto_rsa_private( ctx, f_rng, p_rng, sig, encoded );
2076 if( ret != 0 )
2077 goto cleanup;
2078
2079 /*
2080 * Compare
2081 */
2082
2083 if( ( ret = mbedcrypto_safer_memcmp( encoded, encoded_expected,
2084 sig_len ) ) != 0 )
2085 {
2086 ret = MBEDCRYPTO_ERR_RSA_VERIFY_FAILED;
2087 goto cleanup;
2088 }
2089
2090cleanup:
2091
2092 if( encoded != NULL )
2093 {
2094 mbedcrypto_platform_zeroize( encoded, sig_len );
2095 mbedcrypto_free( encoded );
2096 }
2097
2098 if( encoded_expected != NULL )
2099 {
2100 mbedcrypto_platform_zeroize( encoded_expected, sig_len );
2101 mbedcrypto_free( encoded_expected );
2102 }
2103
2104 return( ret );
2105}
2106#endif /* MBEDCRYPTO_PKCS1_V15 */
2107
2108/*
2109 * Do an RSA operation and check the message digest
2110 */
2111int mbedcrypto_rsa_pkcs1_verify( mbedcrypto_rsa_context *ctx,
2112 int (*f_rng)(void *, unsigned char *, size_t),
2113 void *p_rng,
2114 int mode,
2115 mbedcrypto_md_type_t md_alg,
2116 unsigned int hashlen,
2117 const unsigned char *hash,
2118 const unsigned char *sig )
2119{
2120 switch( ctx->padding )
2121 {
2122#if defined(MBEDCRYPTO_PKCS1_V15)
2123 case MBEDCRYPTO_RSA_PKCS_V15:
2124 return mbedcrypto_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
2125 hashlen, hash, sig );
2126#endif
2127
2128#if defined(MBEDCRYPTO_PKCS1_V21)
2129 case MBEDCRYPTO_RSA_PKCS_V21:
2130 return mbedcrypto_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
2131 hashlen, hash, sig );
2132#endif
2133
2134 default:
2135 return( MBEDCRYPTO_ERR_RSA_INVALID_PADDING );
2136 }
2137}
2138
2139/*
2140 * Copy the components of an RSA key
2141 */
2142int mbedcrypto_rsa_copy( mbedcrypto_rsa_context *dst, const mbedcrypto_rsa_context *src )
2143{
2144 int ret;
2145
2146 dst->ver = src->ver;
2147 dst->len = src->len;
2148
2149 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->N, &src->N ) );
2150 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->E, &src->E ) );
2151
2152 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->D, &src->D ) );
2153 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->P, &src->P ) );
2154 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->Q, &src->Q ) );
2155
2156#if !defined(MBEDCRYPTO_RSA_NO_CRT)
2157 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->DP, &src->DP ) );
2158 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->DQ, &src->DQ ) );
2159 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->QP, &src->QP ) );
2160 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->RP, &src->RP ) );
2161 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->RQ, &src->RQ ) );
2162#endif
2163
2164 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->RN, &src->RN ) );
2165
2166 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->Vi, &src->Vi ) );
2167 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_copy( &dst->Vf, &src->Vf ) );
2168
2169 dst->padding = src->padding;
2170 dst->hash_id = src->hash_id;
2171
2172cleanup:
2173 if( ret != 0 )
2174 mbedcrypto_rsa_free( dst );
2175
2176 return( ret );
2177}
2178
2179/*
2180 * Free the components of an RSA key
2181 */
2182void mbedcrypto_rsa_free( mbedcrypto_rsa_context *ctx )
2183{
2184 mbedcrypto_mpi_free( &ctx->Vi ); mbedcrypto_mpi_free( &ctx->Vf );
2185 mbedcrypto_mpi_free( &ctx->RN ); mbedcrypto_mpi_free( &ctx->D );
2186 mbedcrypto_mpi_free( &ctx->Q ); mbedcrypto_mpi_free( &ctx->P );
2187 mbedcrypto_mpi_free( &ctx->E ); mbedcrypto_mpi_free( &ctx->N );
2188
2189#if !defined(MBEDCRYPTO_RSA_NO_CRT)
2190 mbedcrypto_mpi_free( &ctx->RQ ); mbedcrypto_mpi_free( &ctx->RP );
2191 mbedcrypto_mpi_free( &ctx->QP ); mbedcrypto_mpi_free( &ctx->DQ );
2192 mbedcrypto_mpi_free( &ctx->DP );
2193#endif /* MBEDCRYPTO_RSA_NO_CRT */
2194
2195#if defined(MBEDCRYPTO_THREADING_C)
2196 mbedcrypto_mutex_free( &ctx->mutex );
2197#endif
2198}
2199
2200#endif /* !MBEDCRYPTO_RSA_ALT */
2201
2202#if defined(MBEDCRYPTO_SELF_TEST)
2203
2204#include "mbedcrypto/sha1.h"
2205
2206/*
2207 * Example RSA-1024 keypair, for test purposes
2208 */
2209#define KEY_LEN 128
2210
2211#define RSA_N "9292758453063D803DD603D5E777D788" \
2212 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2213 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2214 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2215 "93A89813FBF3C4F8066D2D800F7C38A8" \
2216 "1AE31942917403FF4946B0A83D3D3E05" \
2217 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2218 "5E94BB77B07507233A0BC7BAC8F90F79"
2219
2220#define RSA_E "10001"
2221
2222#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2223 "66CA472BC44D253102F8B4A9D3BFA750" \
2224 "91386C0077937FE33FA3252D28855837" \
2225 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2226 "DF79C5CE07EE72C7F123142198164234" \
2227 "CABB724CF78B8173B9F880FC86322407" \
2228 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2229 "071513A1E85B5DFA031F21ECAE91A34D"
2230
2231#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2232 "2C01CAD19EA484A87EA4377637E75500" \
2233 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2234 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2235
2236#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2237 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2238 "910E4168387E3C30AA1E00C339A79508" \
2239 "8452DD96A9A5EA5D9DCA68DA636032AF"
2240
2241#define PT_LEN 24
2242#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2243 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2244
2245#if defined(MBEDCRYPTO_PKCS1_V15)
2246static int myrand( void *rng_state, unsigned char *output, size_t len )
2247{
2248#if !defined(__OpenBSD__)
2249 size_t i;
2250
2251 if( rng_state != NULL )
2252 rng_state = NULL;
2253
2254 for( i = 0; i < len; ++i )
2255 output[i] = rand();
2256#else
2257 if( rng_state != NULL )
2258 rng_state = NULL;
2259
2260 arc4random_buf( output, len );
2261#endif /* !OpenBSD */
2262
2263 return( 0 );
2264}
2265#endif /* MBEDCRYPTO_PKCS1_V15 */
2266
2267/*
2268 * Checkup routine
2269 */
2270int mbedcrypto_rsa_self_test( int verbose )
2271{
2272 int ret = 0;
2273#if defined(MBEDCRYPTO_PKCS1_V15)
2274 size_t len;
2275 mbedcrypto_rsa_context rsa;
2276 unsigned char rsa_plaintext[PT_LEN];
2277 unsigned char rsa_decrypted[PT_LEN];
2278 unsigned char rsa_ciphertext[KEY_LEN];
2279#if defined(MBEDCRYPTO_SHA1_C)
2280 unsigned char sha1sum[20];
2281#endif
2282
2283 mbedcrypto_mpi K;
2284
2285 mbedcrypto_mpi_init( &K );
2286 mbedcrypto_rsa_init( &rsa, MBEDCRYPTO_RSA_PKCS_V15, 0 );
2287
2288 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_string( &K, 16, RSA_N ) );
2289 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
2290 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_string( &K, 16, RSA_P ) );
2291 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
2292 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_string( &K, 16, RSA_Q ) );
2293 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
2294 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_string( &K, 16, RSA_D ) );
2295 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
2296 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_string( &K, 16, RSA_E ) );
2297 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
2298
2299 MBEDCRYPTO_MPI_CHK( mbedcrypto_rsa_complete( &rsa ) );
2300
2301 if( verbose != 0 )
2302 mbedcrypto_printf( " RSA key validation: " );
2303
2304 if( mbedcrypto_rsa_check_pubkey( &rsa ) != 0 ||
2305 mbedcrypto_rsa_check_privkey( &rsa ) != 0 )
2306 {
2307 if( verbose != 0 )
2308 mbedcrypto_printf( "failed\n" );
2309
2310 ret = 1;
2311 goto cleanup;
2312 }
2313
2314 if( verbose != 0 )
2315 mbedcrypto_printf( "passed\n PKCS#1 encryption : " );
2316
2317 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
2318
2319 if( mbedcrypto_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDCRYPTO_RSA_PUBLIC,
2320 PT_LEN, rsa_plaintext,
2321 rsa_ciphertext ) != 0 )
2322 {
2323 if( verbose != 0 )
2324 mbedcrypto_printf( "failed\n" );
2325
2326 ret = 1;
2327 goto cleanup;
2328 }
2329
2330 if( verbose != 0 )
2331 mbedcrypto_printf( "passed\n PKCS#1 decryption : " );
2332
2333 if( mbedcrypto_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDCRYPTO_RSA_PRIVATE,
2334 &len, rsa_ciphertext, rsa_decrypted,
2335 sizeof(rsa_decrypted) ) != 0 )
2336 {
2337 if( verbose != 0 )
2338 mbedcrypto_printf( "failed\n" );
2339
2340 ret = 1;
2341 goto cleanup;
2342 }
2343
2344 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
2345 {
2346 if( verbose != 0 )
2347 mbedcrypto_printf( "failed\n" );
2348
2349 ret = 1;
2350 goto cleanup;
2351 }
2352
2353 if( verbose != 0 )
2354 mbedcrypto_printf( "passed\n" );
2355
2356#if defined(MBEDCRYPTO_SHA1_C)
2357 if( verbose != 0 )
2358 mbedcrypto_printf( " PKCS#1 data sign : " );
2359
2360 if( mbedcrypto_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
2361 {
2362 if( verbose != 0 )
2363 mbedcrypto_printf( "failed\n" );
2364
2365 return( 1 );
2366 }
2367
2368 if( mbedcrypto_rsa_pkcs1_sign( &rsa, myrand, NULL,
2369 MBEDCRYPTO_RSA_PRIVATE, MBEDCRYPTO_MD_SHA1, 0,
2370 sha1sum, rsa_ciphertext ) != 0 )
2371 {
2372 if( verbose != 0 )
2373 mbedcrypto_printf( "failed\n" );
2374
2375 ret = 1;
2376 goto cleanup;
2377 }
2378
2379 if( verbose != 0 )
2380 mbedcrypto_printf( "passed\n PKCS#1 sig. verify: " );
2381
2382 if( mbedcrypto_rsa_pkcs1_verify( &rsa, NULL, NULL,
2383 MBEDCRYPTO_RSA_PUBLIC, MBEDCRYPTO_MD_SHA1, 0,
2384 sha1sum, rsa_ciphertext ) != 0 )
2385 {
2386 if( verbose != 0 )
2387 mbedcrypto_printf( "failed\n" );
2388
2389 ret = 1;
2390 goto cleanup;
2391 }
2392
2393 if( verbose != 0 )
2394 mbedcrypto_printf( "passed\n" );
2395#endif /* MBEDCRYPTO_SHA1_C */
2396
2397 if( verbose != 0 )
2398 mbedcrypto_printf( "\n" );
2399
2400cleanup:
2401 mbedcrypto_mpi_free( &K );
2402 mbedcrypto_rsa_free( &rsa );
2403#else /* MBEDCRYPTO_PKCS1_V15 */
2404 ((void) verbose);
2405#endif /* MBEDCRYPTO_PKCS1_V15 */
2406 return( ret );
2407}
2408
2409#endif /* MBEDCRYPTO_SELF_TEST */
2410
2411#endif /* MBEDCRYPTO_RSA_C */