Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 5e7cbcc8d6badd50c87acfbebe8edb7052c928cf [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* The RSA public-key cryptosystem
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	18	*/
Hanno Becker	7471631	2017-10-02 10:00:37 +0100	[diff] [blame]	19
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	20	/*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	21	* The following sources were referenced in the design of this implementation
				22	* of the RSA algorithm:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23	*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	24	* [1] A method for obtaining digital signatures and public-key cryptosystems
				25	* R Rivest, A Shamir, and L Adleman
				26	* http://people.csail.mit.edu/rivest/pubs.html#RSA78
				27	*
				28	* [2] Handbook of Applied Cryptography - 1997, Chapter 8
				29	* Menezes, van Oorschot and Vanstone
				30	*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	31	* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
				32	* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
				33	* Stefan Mangard
				34	* https://arxiv.org/abs/1702.08719v2
				35	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	36	*/
				37
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	38	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	39
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	40	#if defined(MBEDTLS_RSA_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	41
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	42	#include "mbedtls/rsa.h"
Chris Jones	66a4cd4	2021-03-09 16:04:12 +0000	[diff] [blame]	43	#include "rsa_alt_helpers.h"
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	44	#include "mbedtls/oid.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	45	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	46	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	47	#include "constant_time_internal.h"
Gabor Mezei	765862c	2021-10-19 12:22:25 +0200	[diff] [blame]	48	#include "mbedtls/constant_time.h"
Manuel Pégourié-Gonnard	4772884	2022-07-18 13:00:40 +0200	[diff] [blame]	49	#include "hash_info.h"
Paul Bakker	bb51f0c	2012-08-23 07:46:58 +0000	[diff] [blame]	50
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	51	#include <string.h>
				52
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	53	#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	54	#include <stdlib.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	55	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	56
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	57	/* We use MD first if it's available (for compatibility reasons)
				58	* and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
				59	#if defined(MBEDTLS_PKCS1_V21)
				60	#if defined(MBEDTLS_MD_C)
				61	#define HASH_MAX_SIZE MBEDTLS_MD_MAX_SIZE
				62	#else /* MBEDTLS_MD_C */
				63	#include "psa/crypto.h"
				64	#include "mbedtls/psa_util.h"
				65	#define HASH_MAX_SIZE PSA_HASH_MAX_SIZE
				66	#endif /* MBEDTLS_MD_C */
				67	#endif /* MBEDTLS_PKCS1_V21 */
				68
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	69	#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	70	#include "mbedtls/platform.h"
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	71	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	72	#include <stdio.h>
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	73	#define mbedtls_printf printf
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	74	#define mbedtls_calloc calloc
				75	#define mbedtls_free free
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	76	#endif
				77
Hanno Becker	a565f54	2017-10-11 11:00:19 +0100	[diff] [blame]	78	#if !defined(MBEDTLS_RSA_ALT)
				79
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	80	/* Parameter validation macros */
				81	#define RSA_VALIDATE_RET( cond ) \
				82	MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
				83	#define RSA_VALIDATE( cond ) \
				84	MBEDTLS_INTERNAL_VALIDATE( cond )
				85
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	86	int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
				87	const mbedtls_mpi *N,
				88	const mbedtls_mpi P, const mbedtls_mpi Q,
				89	const mbedtls_mpi D, const mbedtls_mpi E )
				90	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	91	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	92	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	93
				94	if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) \|\|
				95	( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) \|\|
				96	( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) \|\|
				97	( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) \|\|
				98	( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
				99	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	100	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	101	}
				102
				103	if( N != NULL )
				104	ctx->len = mbedtls_mpi_size( &ctx->N );
				105
				106	return( 0 );
				107	}
				108
				109	int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
Hanno Becker	7471631	2017-10-02 10:00:37 +0100	[diff] [blame]	110	unsigned char const *N, size_t N_len,
				111	unsigned char const *P, size_t P_len,
				112	unsigned char const *Q, size_t Q_len,
				113	unsigned char const *D, size_t D_len,
				114	unsigned char const *E, size_t E_len )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	115	{
Hanno Becker	d4d6057	2018-01-10 07:12:01 +0000	[diff] [blame]	116	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	117	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	118
				119	if( N != NULL )
				120	{
				121	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
				122	ctx->len = mbedtls_mpi_size( &ctx->N );
				123	}
				124
				125	if( P != NULL )
				126	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
				127
				128	if( Q != NULL )
				129	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
				130
				131	if( D != NULL )
				132	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
				133
				134	if( E != NULL )
				135	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
				136
				137	cleanup:
				138
				139	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	140	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	141
				142	return( 0 );
				143	}
				144
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	145	/*
				146	* Checks whether the context fields are set in such a way
				147	* that the RSA primitives will be able to execute without error.
				148	* It does not make guarantees for consistency of the parameters.
				149	*/
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	150	static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
				151	int blinding_needed )
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	152	{
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	153	#if !defined(MBEDTLS_RSA_NO_CRT)
				154	/* blinding_needed is only used for NO_CRT to decide whether
				155	* P,Q need to be present or not. */
				156	((void) blinding_needed);
				157	#endif
				158
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	159	if( ctx->len != mbedtls_mpi_size( &ctx->N ) \|\|
				160	ctx->len > MBEDTLS_MPI_MAX_SIZE )
				161	{
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	162	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	163	}
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	164
				165	/*
				166	* 1. Modular exponentiation needs positive, odd moduli.
				167	*/
				168
				169	/* Modular exponentiation wrt. N is always used for
				170	* RSA public key operations. */
				171	if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 \|\|
				172	mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
				173	{
				174	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				175	}
				176
				177	#if !defined(MBEDTLS_RSA_NO_CRT)
				178	/* Modular exponentiation for P and Q is only
				179	* used for private key operations and if CRT
				180	* is used. */
				181	if( is_priv &&
				182	( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 \|\|
				183	mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 \|\|
				184	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 \|\|
				185	mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
				186	{
				187	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				188	}
				189	#endif /* !MBEDTLS_RSA_NO_CRT */
				190
				191	/*
				192	* 2. Exponents must be positive
				193	*/
				194
				195	/* Always need E for public key operations */
				196	if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
				197	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				198
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	199	#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	200	/* For private key operations, use D or DP & DQ
				201	* as (unblinded) exponents. */
				202	if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
				203	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				204	#else
				205	if( is_priv &&
				206	( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 \|\|
				207	mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
				208	{
				209	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				210	}
				211	#endif /* MBEDTLS_RSA_NO_CRT */
				212
				213	/* Blinding shouldn't make exponents negative either,
				214	* so check that P, Q >= 1 if that hasn't yet been
				215	* done as part of 1. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	216	#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	217	if( is_priv && blinding_needed &&
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	218	( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 \|\|
				219	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
				220	{
				221	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				222	}
				223	#endif
				224
				225	/* It wouldn't lead to an error if it wasn't satisfied,
Hanno Becker	f8c028a	2017-10-17 09:20:57 +0100	[diff] [blame]	226	* but check for QP >= 1 nonetheless. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	227	#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	228	if( is_priv &&
				229	mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
				230	{
				231	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				232	}
				233	#endif
				234
				235	return( 0 );
				236	}
				237
Hanno Becker	f9e184b	2017-10-10 16:49:26 +0100	[diff] [blame]	238	int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	239	{
				240	int ret = 0;
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	241	int have_N, have_P, have_Q, have_D, have_E;
				242	#if !defined(MBEDTLS_RSA_NO_CRT)
				243	int have_DP, have_DQ, have_QP;
				244	#endif
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	245	int n_missing, pq_missing, d_missing, is_pub, is_priv;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	246
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	247	RSA_VALIDATE_RET( ctx != NULL );
				248
				249	have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
				250	have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
				251	have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
				252	have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
				253	have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	254
				255	#if !defined(MBEDTLS_RSA_NO_CRT)
Jack Lloyd	80cc811	2020-01-22 17:34:29 -0500	[diff] [blame]	256	have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
				257	have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
				258	have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	259	#endif
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	260
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	261	/*
				262	* Check whether provided parameters are enough
				263	* to deduce all others. The following incomplete
				264	* parameter sets for private keys are supported:
				265	*
				266	* (1) P, Q missing.
				267	* (2) D and potentially N missing.
				268	*
				269	*/
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	270
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	271	n_missing = have_P && have_Q && have_D && have_E;
				272	pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
				273	d_missing = have_P && have_Q && !have_D && have_E;
				274	is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	275
				276	/* These three alternatives are mutually exclusive */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	277	is_priv = n_missing \|\| pq_missing \|\| d_missing;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	278
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	279	if( !is_priv && !is_pub )
				280	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				281
				282	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	283	* Step 1: Deduce N if P, Q are provided.
				284	*/
				285
				286	if( !have_N && have_P && have_Q )
				287	{
				288	if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
				289	&ctx->Q ) ) != 0 )
				290	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	291	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	292	}
				293
				294	ctx->len = mbedtls_mpi_size( &ctx->N );
				295	}
				296
				297	/*
				298	* Step 2: Deduce and verify all remaining core parameters.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	299	*/
				300
				301	if( pq_missing )
				302	{
Hanno Becker	c36aab6	2017-10-17 09:15:06 +0100	[diff] [blame]	303	ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	304	&ctx->P, &ctx->Q );
				305	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	306	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	307
				308	}
				309	else if( d_missing )
				310	{
Hanno Becker	8ba6ce4	2017-10-03 14:36:26 +0100	[diff] [blame]	311	if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
				312	&ctx->Q,
				313	&ctx->E,
				314	&ctx->D ) ) != 0 )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	315	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	316	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	317	}
				318	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	319
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	320	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	321	* Step 3: Deduce all additional parameters specific
Hanno Becker	e867489	2017-10-10 17:56:14 +0100	[diff] [blame]	322	* to our current RSA implementation.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	323	*/
				324
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	325	#if !defined(MBEDTLS_RSA_NO_CRT)
Jack Lloyd	2e9eef4	2020-01-28 14:43:52 -0500	[diff] [blame]	326	if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	327	{
				328	ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				329	&ctx->DP, &ctx->DQ, &ctx->QP );
				330	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	331	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	332	}
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	333	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	334
				335	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	336	* Step 3: Basic sanity checks
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	337	*/
				338
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	339	return( rsa_check_context( ctx, is_priv, 1 ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	340	}
				341
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	342	int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
				343	unsigned char *N, size_t N_len,
				344	unsigned char *P, size_t P_len,
				345	unsigned char *Q, size_t Q_len,
				346	unsigned char *D, size_t D_len,
				347	unsigned char *E, size_t E_len )
				348	{
				349	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	350	int is_priv;
				351	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	352
				353	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	354	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	355	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				356	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				357	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				358	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				359	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				360
				361	if( !is_priv )
				362	{
				363	/* If we're trying to export private parameters for a public key,
				364	* something must be wrong. */
				365	if( P != NULL \|\| Q != NULL \|\| D != NULL )
				366	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				367
				368	}
				369
				370	if( N != NULL )
				371	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
				372
				373	if( P != NULL )
				374	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
				375
				376	if( Q != NULL )
				377	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
				378
				379	if( D != NULL )
				380	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
				381
				382	if( E != NULL )
				383	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	384
				385	cleanup:
				386
				387	return( ret );
				388	}
				389
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	390	int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
				391	mbedtls_mpi N, mbedtls_mpi P, mbedtls_mpi *Q,
				392	mbedtls_mpi D, mbedtls_mpi E )
				393	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	394	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	395	int is_priv;
				396	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	397
				398	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	399	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	400	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				401	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				402	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				403	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				404	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				405
				406	if( !is_priv )
				407	{
				408	/* If we're trying to export private parameters for a public key,
				409	* something must be wrong. */
				410	if( P != NULL \|\| Q != NULL \|\| D != NULL )
				411	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				412
				413	}
				414
				415	/* Export all requested core parameters. */
				416
				417	if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) \|\|
				418	( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) \|\|
				419	( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) \|\|
				420	( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) \|\|
				421	( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
				422	{
				423	return( ret );
				424	}
				425
				426	return( 0 );
				427	}
				428
				429	/*
				430	* Export CRT parameters
				431	* This must also be implemented if CRT is not used, for being able to
				432	* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
				433	* can be used in this case.
				434	*/
				435	int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
				436	mbedtls_mpi DP, mbedtls_mpi DQ, mbedtls_mpi *QP )
				437	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	438	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	439	int is_priv;
				440	RSA_VALIDATE_RET( ctx != NULL );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	441
				442	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	443	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	444	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				445	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				446	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				447	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				448	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				449
				450	if( !is_priv )
				451	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				452
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	453	#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	454	/* Export all requested blinding parameters. */
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	455	if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) \|\|
				456	( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) \|\|
				457	( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
				458	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	459	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	460	}
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	461	#else
				462	if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				463	DP, DQ, QP ) ) != 0 )
				464	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	465	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	466	}
				467	#endif
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	468
				469	return( 0 );
				470	}
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	471
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	472	/*
				473	* Initialize an RSA context
				474	*/
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	475	void mbedtls_rsa_init( mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	476	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	477	RSA_VALIDATE( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	478
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	479	memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	480
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	481	ctx->padding = MBEDTLS_RSA_PKCS_V15;
				482	ctx->hash_id = MBEDTLS_MD_NONE;
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	483
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	484	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	485	/* Set ctx->ver to nonzero to indicate that the mutex has been
				486	* initialized and will need to be freed. */
				487	ctx->ver = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	488	mbedtls_mutex_init( &ctx->mutex );
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	489	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	490	}
				491
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	492	/*
				493	* Set padding for an existing RSA context
				494	*/
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	495	int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
				496	mbedtls_md_type_t hash_id )
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	497	{
Ronald Cron	3a0375f	2021-06-08 10:22:28 +0200	[diff] [blame]	498	switch( padding )
				499	{
				500	#if defined(MBEDTLS_PKCS1_V15)
				501	case MBEDTLS_RSA_PKCS_V15:
				502	break;
				503	#endif
				504
				505	#if defined(MBEDTLS_PKCS1_V21)
				506	case MBEDTLS_RSA_PKCS_V21:
				507	break;
				508	#endif
				509	default:
				510	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
				511	}
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	512
Manuel Pégourié-Gonnard	3356b89	2022-07-05 10:25:06 +0200	[diff] [blame]	513	#if defined(MBEDTLS_PKCS1_V21)
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	514	if( ( padding == MBEDTLS_RSA_PKCS_V21 ) &&
				515	( hash_id != MBEDTLS_MD_NONE ) )
				516	{
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	517	/* Just make sure this hash is supported in this build. */
				518	if( mbedtls_hash_info_get_size( hash_id ) == 0 )
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	519	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
				520	}
Manuel Pégourié-Gonnard	3356b89	2022-07-05 10:25:06 +0200	[diff] [blame]	521	#endif /* MBEDTLS_PKCS1_V21 */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	522
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	523	ctx->padding = padding;
				524	ctx->hash_id = hash_id;
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	525
				526	return( 0 );
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	527	}
				528
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	529	/*
				530	* Get length in bytes of RSA modulus
				531	*/
				532
				533	size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
				534	{
Hanno Becker	2f8f06a	2017-09-29 11:47:26 +0100	[diff] [blame]	535	return( ctx->len );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	536	}
				537
				538
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	539	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	540
				541	/*
				542	* Generate an RSA keypair
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	543	*
				544	* This generation method follows the RSA key pair generation procedure of
				545	* FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	546	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	547	int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	548	int (f_rng)(void , unsigned char *, size_t),
				549	void *p_rng,
				550	unsigned int nbits, int exponent )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	551	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	552	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	553	mbedtls_mpi H, G, L;
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	554	int prime_quality = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	555	RSA_VALIDATE_RET( ctx != NULL );
				556	RSA_VALIDATE_RET( f_rng != NULL );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	557
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	558	/*
				559	* If the modulus is 1024 bit long or shorter, then the security strength of
				560	* the RSA algorithm is less than or equal to 80 bits and therefore an error
				561	* rate of 2^-80 is sufficient.
				562	*/
				563	if( nbits > 1024 )
				564	prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
				565
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	566	mbedtls_mpi_init( &H );
				567	mbedtls_mpi_init( &G );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	568	mbedtls_mpi_init( &L );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	569
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	570	if( nbits < 128 \|\| exponent < 3 \|\| nbits % 2 != 0 )
				571	{
				572	ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				573	goto cleanup;
				574	}
				575
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	576	/*
				577	* find primes P and Q with Q < P so that:
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	578	* 1. \|P-Q\| > 2^( nbits / 2 - 100 )
				579	* 2. GCD( E, (P-1)*(Q-1) ) == 1
				580	* 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	581	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	582	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	583
				584	do
				585	{
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	586	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
				587	prime_quality, f_rng, p_rng ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	588
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	589	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
				590	prime_quality, f_rng, p_rng ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	591
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	592	/* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
				593	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
				594	if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	595	continue;
				596
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	597	/* not required by any standards, but some users rely on the fact that P > Q */
				598	if( H.s < 0 )
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	599	mbedtls_mpi_swap( &ctx->P, &ctx->Q );
Janos Follath	ef44178	2016-09-21 13:18:12 +0100	[diff] [blame]	600
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	601	/* Temporarily replace P,Q by P-1, Q-1 */
				602	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
				603	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
				604	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	605
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	606	/* check GCD( E, (P-1)(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) /
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	607	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	608	if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
				609	continue;
				610
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	611	/* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	612	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
				613	MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
				614	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
				615
				616	if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
				617	continue;
				618
				619	break;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	620	}
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	621	while( 1 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	622
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	623	/* Restore P,Q */
				624	MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
				625	MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
				626
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	627	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
				628
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	629	ctx->len = mbedtls_mpi_size( &ctx->N );
				630
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	631	#if !defined(MBEDTLS_RSA_NO_CRT)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	632	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	633	* DP = D mod (P - 1)
				634	* DQ = D mod (Q - 1)
				635	* QP = Q^-1 mod P
				636	*/
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	637	MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				638	&ctx->DP, &ctx->DQ, &ctx->QP ) );
				639	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	640
Hanno Becker	83aad1f	2017-08-23 06:45:10 +0100	[diff] [blame]	641	/* Double-check */
				642	MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	643
				644	cleanup:
				645
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	646	mbedtls_mpi_free( &H );
				647	mbedtls_mpi_free( &G );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	648	mbedtls_mpi_free( &L );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	649
				650	if( ret != 0 )
				651	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	652	mbedtls_rsa_free( ctx );
Chris Jones	7439209	2021-04-01 16:00:01 +0100	[diff] [blame]	653
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	654	if( ( -ret & ~0x7f ) == 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	655	ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret );
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	656	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	657	}
				658
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	659	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	660	}
				661
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	662	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	663
				664	/*
				665	* Check a public RSA key
				666	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	667	int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	668	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	669	RSA_VALIDATE_RET( ctx != NULL );
				670
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	671	if( rsa_check_context( ctx, 0 /* public /, 0 / no blinding */ ) != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	672	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	37940d9f	2009-07-10 22:38:58 +0000	[diff] [blame]	673
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	674	if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	675	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	676	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	677	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	678
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	679	if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 \|\|
				680	mbedtls_mpi_bitlen( &ctx->E ) < 2 \|\|
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	681	mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	682	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	683	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	684	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	685
				686	return( 0 );
				687	}
				688
				689	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	690	* Check for the consistency of all fields in an RSA private key context
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	691	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	692	int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	693	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	694	RSA_VALIDATE_RET( ctx != NULL );
				695
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	696	if( mbedtls_rsa_check_pubkey( ctx ) != 0 \|\|
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	697	rsa_check_context( ctx, 1 /* private /, 1 / blinding */ ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	698	{
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	699	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	700	}
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	701
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	702	if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	703	&ctx->D, &ctx->E, NULL, NULL ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	704	{
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	705	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	706	}
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	707
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	708	#if !defined(MBEDTLS_RSA_NO_CRT)
				709	else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
				710	&ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
				711	{
				712	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
				713	}
				714	#endif
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	715
				716	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	717	}
				718
				719	/*
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	720	* Check if contexts holding a public and private key match
				721	*/
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	722	int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
				723	const mbedtls_rsa_context *prv )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	724	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	725	RSA_VALIDATE_RET( pub != NULL );
				726	RSA_VALIDATE_RET( prv != NULL );
				727
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	728	if( mbedtls_rsa_check_pubkey( pub ) != 0 \|\|
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	729	mbedtls_rsa_check_privkey( prv ) != 0 )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	730	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	731	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	732	}
				733
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	734	if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 \|\|
				735	mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	736	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	737	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	738	}
				739
				740	return( 0 );
				741	}
				742
				743	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	744	* Do an RSA public key operation
				745	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	746	int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	747	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	748	unsigned char *output )
				749	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	750	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	751	size_t olen;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	752	mbedtls_mpi T;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	753	RSA_VALIDATE_RET( ctx != NULL );
				754	RSA_VALIDATE_RET( input != NULL );
				755	RSA_VALIDATE_RET( output != NULL );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	756
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	757	if( rsa_check_context( ctx, 0 /* public /, 0 / no blinding */ ) )
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	758	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				759
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	760	mbedtls_mpi_init( &T );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	761
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	762	#if defined(MBEDTLS_THREADING_C)
				763	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				764	return( ret );
				765	#endif
				766
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	767	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	768
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	769	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	770	{
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	771	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				772	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	773	}
				774
				775	olen = ctx->len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	776	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
				777	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	778
				779	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	780	#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	781	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				782	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard	88fca3e	2015-03-27 15:06:07 +0100	[diff] [blame]	783	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	784
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	785	mbedtls_mpi_free( &T );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	786
				787	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	788	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	789
				790	return( 0 );
				791	}
				792
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	793	/*
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	794	* Generate or update blinding values, see section 10 of:
				795	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard	998930a	2015-04-03 13:48:06 +0200	[diff] [blame]	796	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	797	* Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	798	*/
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	799	static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	800	int (f_rng)(void , unsigned char , size_t), void p_rng )
				801	{
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	802	int ret, count = 0;
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	803	mbedtls_mpi R;
				804
				805	mbedtls_mpi_init( &R );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	806
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	807	if( ctx->Vf.p != NULL )
				808	{
				809	/* We already have blinding values, just update them by squaring */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	810	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
				811	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
				812	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
				813	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	814
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	815	goto cleanup;
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	816	}
				817
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	818	/* Unblinding value: Vf = random number, invertible mod N */
				819	do {
				820	if( count++ > 10 )
Manuel Pégourié-Gonnard	e288ec0	2020-07-16 09:23:30 +0200	[diff] [blame]	821	{
				822	ret = MBEDTLS_ERR_RSA_RNG_FAILED;
				823	goto cleanup;
				824	}
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	825
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	826	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	827
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	828	/* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	829	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
				830	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
				831	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
				832
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	833	/* At this point, Vi is invertible mod N if and only if both Vf and R
				834	* are invertible mod N. If one of them isn't, we don't need to know
				835	* which one, we just loop and choose new values for both of them.
				836	* (Each iteration succeeds with overwhelming probability.) */
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	837	ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
Peter Kolbus	ca8b8e7	2020-09-24 11:11:50 -0500	[diff] [blame]	838	if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
Manuel Pégourié-Gonnard	b3e3d79	2020-06-26 11:03:19 +0200	[diff] [blame]	839	goto cleanup;
				840
Peter Kolbus	ca8b8e7	2020-09-24 11:11:50 -0500	[diff] [blame]	841	} while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
				842
				843	/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
				844	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
				845	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	846
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	847	/* Blinding value: Vi = Vf^(-e) mod N
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	848	* (Vi already contains Vf^-1 at this point) */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	849	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	850
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	851
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	852	cleanup:
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	853	mbedtls_mpi_free( &R );
				854
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	855	return( ret );
				856	}
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	857
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	858	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	859	* Exponent blinding supposed to prevent side-channel attacks using multiple
				860	* traces of measurements to recover the RSA key. The more collisions are there,
				861	* the more bits of the key can be recovered. See [3].
				862	*
				863	* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	864	* observations on average.
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	865	*
				866	* For example with 28 byte blinding to achieve 2 collisions the adversary has
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	867	* to make 2^112 observations on average.
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	868	*
				869	* (With the currently (as of 2017 April) known best algorithms breaking 2048
				870	* bit RSA requires approximately as much time as trying out 2^112 random keys.
				871	* Thus in this sense with 28 byte blinding the security is not reduced by
				872	* side-channel attacks like the one in [3])
				873	*
				874	* This countermeasure does not help if the key recovery is possible with a
				875	* single trace.
				876	*/
				877	#define RSA_EXPONENT_BLINDING 28
				878
				879	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	880	* Do an RSA private key operation
				881	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	882	int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	883	int (f_rng)(void , unsigned char *, size_t),
				884	void *p_rng,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	885	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	886	unsigned char *output )
				887	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	888	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	889	size_t olen;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	890
				891	/* Temporary holding the result */
				892	mbedtls_mpi T;
				893
				894	/* Temporaries holding P-1, Q-1 and the
				895	* exponent blinding factor, respectively. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	896	mbedtls_mpi P1, Q1, R;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	897
				898	#if !defined(MBEDTLS_RSA_NO_CRT)
				899	/* Temporaries holding the results mod p resp. mod q. */
				900	mbedtls_mpi TP, TQ;
				901
				902	/* Temporaries holding the blinded exponents for
				903	* the mod p resp. mod q computation (if used). */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	904	mbedtls_mpi DP_blind, DQ_blind;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	905
				906	/* Pointers to actual exponents to be used - either the unblinded
				907	* or the blinded ones, depending on the presence of a PRNG. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	908	mbedtls_mpi *DP = &ctx->DP;
				909	mbedtls_mpi *DQ = &ctx->DQ;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	910	#else
				911	/* Temporary holding the blinded exponent (if used). */
				912	mbedtls_mpi D_blind;
				913
				914	/* Pointer to actual exponent to be used - either the unblinded
				915	* or the blinded one, depending on the presence of a PRNG. */
				916	mbedtls_mpi *D = &ctx->D;
Hanno Becker	43f9472	2017-08-25 11:50:00 +0100	[diff] [blame]	917	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	918
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	919	/* Temporaries holding the initial input and the double
				920	* checked result; should be the same in the end. */
				921	mbedtls_mpi I, C;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	922
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	923	RSA_VALIDATE_RET( ctx != NULL );
				924	RSA_VALIDATE_RET( input != NULL );
				925	RSA_VALIDATE_RET( output != NULL );
				926
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	927	if( f_rng == NULL )
				928	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				929
				930	if( rsa_check_context( ctx, 1 /* private key checks */,
				931	1 /* blinding on */ ) != 0 )
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	932	{
Manuel Pégourié-Gonnard	fb84d38	2015-10-30 10:56:25 +0100	[diff] [blame]	933	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	934	}
Manuel Pégourié-Gonnard	fb84d38	2015-10-30 10:56:25 +0100	[diff] [blame]	935
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	936	#if defined(MBEDTLS_THREADING_C)
				937	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				938	return( ret );
				939	#endif
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	940
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	941	/* MPI Initialization */
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	942	mbedtls_mpi_init( &T );
				943
				944	mbedtls_mpi_init( &P1 );
				945	mbedtls_mpi_init( &Q1 );
				946	mbedtls_mpi_init( &R );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	947
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	948	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	949	mbedtls_mpi_init( &D_blind );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	950	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	951	mbedtls_mpi_init( &DP_blind );
				952	mbedtls_mpi_init( &DQ_blind );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	953	#endif
				954
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	955	#if !defined(MBEDTLS_RSA_NO_CRT)
				956	mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	957	#endif
				958
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	959	mbedtls_mpi_init( &I );
				960	mbedtls_mpi_init( &C );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	961
				962	/* End of MPI initialization */
				963
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	964	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
				965	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	966	{
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	967	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				968	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	969	}
				970
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	971	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	972
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	973	/*
				974	* Blinding
				975	* T = T * Vi mod N
				976	*/
				977	MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
				978	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
				979	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	980
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	981	/*
				982	* Exponent blinding
				983	*/
				984	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
				985	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	986
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	987	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	988	/*
				989	* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
				990	*/
				991	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				992	f_rng, p_rng ) );
				993	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
				994	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
				995	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	996
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	997	D = &D_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	998	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	999	/*
				1000	* DP_blind = ( P - 1 ) * R + DP
				1001	*/
				1002	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				1003	f_rng, p_rng ) );
				1004	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
				1005	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
				1006	&ctx->DP ) );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1007
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1008	DP = &DP_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1009
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1010	/*
				1011	* DQ_blind = ( Q - 1 ) * R + DQ
				1012	*/
				1013	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				1014	f_rng, p_rng ) );
				1015	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
				1016	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
				1017	&ctx->DQ ) );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1018
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1019	DQ = &DQ_blind;
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1020	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1021
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1022	#if defined(MBEDTLS_RSA_NO_CRT)
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1023	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnard	e10e06d	2014-11-06 18:15:12 +0100	[diff] [blame]	1024	#else
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1025	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1026	* Faster decryption using the CRT
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1027	*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1028	* TP = input ^ dP mod P
				1029	* TQ = input ^ dQ mod Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1030	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1031
				1032	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
				1033	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1034
				1035	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1036	* T = (TP - TQ) * (Q^-1 mod P) mod P
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1037	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1038	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
				1039	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
				1040	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1041
				1042	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1043	* T = TQ + T * Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1044	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1045	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
				1046	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1047	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1048
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1049	/*
				1050	* Unblind
				1051	* T = T * Vf mod N
				1052	*/
				1053	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
				1054	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1055
Hanno Becker	2dec5e8	2017-10-03 07:49:52 +0100	[diff] [blame]	1056	/* Verify the result to prevent glitching attacks. */
				1057	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
				1058	&ctx->N, &ctx->RN ) );
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	1059	if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1060	{
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1061	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				1062	goto cleanup;
				1063	}
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1064
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1065	olen = ctx->len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1066	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1067
				1068	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1069	#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	1070	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				1071	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	1072	#endif
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	1073
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1074	mbedtls_mpi_free( &P1 );
				1075	mbedtls_mpi_free( &Q1 );
				1076	mbedtls_mpi_free( &R );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1077
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1078	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1079	mbedtls_mpi_free( &D_blind );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1080	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1081	mbedtls_mpi_free( &DP_blind );
				1082	mbedtls_mpi_free( &DQ_blind );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1083	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1084
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1085	mbedtls_mpi_free( &T );
				1086
				1087	#if !defined(MBEDTLS_RSA_NO_CRT)
				1088	mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
				1089	#endif
				1090
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	1091	mbedtls_mpi_free( &C );
				1092	mbedtls_mpi_free( &I );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1093
Gilles Peskine	ae3741e	2020-11-25 00:10:31 +0100	[diff] [blame]	1094	if( ret != 0 && ret >= -0x007f )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1095	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1096
Gilles Peskine	ae3741e	2020-11-25 00:10:31 +0100	[diff] [blame]	1097	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1098	}
				1099
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1100	#if defined(MBEDTLS_PKCS1_V21)
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1101	#if !defined(MBEDTLS_MD_C)
				1102	static int ret_from_status( psa_status_t status )
				1103	{
				1104	switch( status )
				1105	{
				1106	case PSA_SUCCESS:
				1107	return( 0 );
				1108	case PSA_ERROR_NOT_SUPPORTED:
				1109	return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
				1110	case PSA_ERROR_INVALID_ARGUMENT:
				1111	return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
				1112	case PSA_ERROR_INSUFFICIENT_MEMORY:
				1113	return( MBEDTLS_ERR_MD_ALLOC_FAILED );
				1114	default:
				1115	return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
				1116	}
				1117	}
				1118	#endif /* !MBEDTLS_MD_C */
				1119
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1120	/**
				1121	* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
				1122	*
Paul Bakker	b125ed8	2011-11-10 13:33:51 +0000	[diff] [blame]	1123	* \param dst buffer to mask
				1124	* \param dlen length of destination buffer
				1125	* \param src source of the mask generation
				1126	* \param slen length of the source buffer
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1127	* \param md_alg message digest to use
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1128	*/
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1129	static int mgf_mask( unsigned char dst, size_t dlen, unsigned char src,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1130	size_t slen, mbedtls_md_type_t md_alg )
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1131	{
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1132	unsigned char counter[4];
				1133	unsigned char *p;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1134	unsigned int hlen;
				1135	size_t i, use_len;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1136	unsigned char mask[HASH_MAX_SIZE];
				1137	#if defined(MBEDTLS_MD_C)
Andres Amaya Garcia	94682d1	2017-07-20 14:26:37 +0100	[diff] [blame]	1138	int ret = 0;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1139	const mbedtls_md_info_t *md_info;
				1140	mbedtls_md_context_t md_ctx;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1141
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1142	mbedtls_md_init( &md_ctx );
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1143	md_info = mbedtls_md_info_from_type( md_alg );
				1144	if( md_info == NULL )
				1145	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1146
				1147	mbedtls_md_init( &md_ctx );
				1148	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
				1149	goto exit;
				1150
				1151	hlen = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1152	#else
				1153	psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
				1154	psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
				1155	psa_status_t status = PSA_SUCCESS;
				1156	size_t out_len;
				1157
				1158	hlen = PSA_HASH_LENGTH( alg );
				1159	#endif
				1160
				1161	memset( mask, 0, sizeof( mask ) );
				1162	memset( counter, 0, 4 );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1163
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1164	/* Generate and apply dbMask */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1165	p = dst;
				1166
				1167	while( dlen > 0 )
				1168	{
				1169	use_len = hlen;
				1170	if( dlen < hlen )
				1171	use_len = dlen;
				1172
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1173	#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1174	if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1175	goto exit;
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1176	if( ( ret = mbedtls_md_update( &md_ctx, src, slen ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1177	goto exit;
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1178	if( ( ret = mbedtls_md_update( &md_ctx, counter, 4 ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1179	goto exit;
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1180	if( ( ret = mbedtls_md_finish( &md_ctx, mask ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1181	goto exit;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1182	#else
				1183	if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS )
				1184	goto exit;
				1185	if( ( status = psa_hash_update( &op, src, slen ) ) != PSA_SUCCESS )
				1186	goto exit;
				1187	if( ( status = psa_hash_update( &op, counter, 4 ) ) != PSA_SUCCESS )
				1188	goto exit;
				1189	status = psa_hash_finish( &op, mask, sizeof( mask ), &out_len );
				1190	if( status != PSA_SUCCESS )
				1191	goto exit;
				1192	#endif
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1193
				1194	for( i = 0; i < use_len; ++i )
				1195	*p++ ^= mask[i];
				1196
				1197	counter[3]++;
				1198
				1199	dlen -= use_len;
				1200	}
Gilles Peskine	18ac716	2017-05-05 19:24:06 +0200	[diff] [blame]	1201
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1202	exit:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1203	mbedtls_platform_zeroize( mask, sizeof( mask ) );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1204	#if defined(MBEDTLS_MD_C)
				1205	mbedtls_md_free( &md_ctx );
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1206
				1207	return( ret );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1208	#else
				1209	psa_hash_abort( &op );
				1210
				1211	return( ret_from_status( status ) );
				1212	#endif
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1213	}
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1214
				1215	/**
				1216	* Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
				1217	*
				1218	* \param hash the input hash
				1219	* \param hlen length of the input hash
				1220	* \param salt the input salt
				1221	* \param slen length of the input salt
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1222	* \param out the output buffer - must be large enough for \p md_alg
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1223	* \param md_alg message digest to use
				1224	*/
				1225	static int hash_mprime( const unsigned char *hash, size_t hlen,
				1226	const unsigned char *salt, size_t slen,
				1227	unsigned char *out, mbedtls_md_type_t md_alg )
				1228	{
				1229	const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1230
				1231	#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1232	mbedtls_md_context_t md_ctx;
				1233	int ret;
				1234
				1235	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
				1236	if( md_info == NULL )
				1237	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1238
				1239	mbedtls_md_init( &md_ctx );
				1240	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
				1241	goto exit;
				1242	if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
				1243	goto exit;
				1244	if( ( ret = mbedtls_md_update( &md_ctx, zeros, sizeof( zeros ) ) ) != 0 )
				1245	goto exit;
				1246	if( ( ret = mbedtls_md_update( &md_ctx, hash, hlen ) ) != 0 )
				1247	goto exit;
				1248	if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
				1249	goto exit;
				1250	if( ( ret = mbedtls_md_finish( &md_ctx, out ) ) != 0 )
				1251	goto exit;
				1252
				1253	exit:
				1254	mbedtls_md_free( &md_ctx );
				1255
				1256	return( ret );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1257	#else
				1258	psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
				1259	psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
				1260	psa_status_t status = PSA_SUCCESS;
				1261	size_t out_size = PSA_HASH_LENGTH( alg );
				1262	size_t out_len;
				1263
				1264	if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS )
				1265	goto exit;
				1266	if( ( status = psa_hash_update( &op, zeros, sizeof( zeros ) ) ) != PSA_SUCCESS )
				1267	goto exit;
				1268	if( ( status = psa_hash_update( &op, hash, hlen ) ) != PSA_SUCCESS )
				1269	goto exit;
				1270	if( ( status = psa_hash_update( &op, salt, slen ) ) != PSA_SUCCESS )
				1271	goto exit;
				1272	status = psa_hash_finish( &op, out, out_size, &out_len );
				1273	if( status != PSA_SUCCESS )
				1274	goto exit;
				1275
				1276	exit:
				1277	psa_hash_abort( &op );
				1278
				1279	return( ret_from_status( status ) );
				1280	#endif /* !MBEDTLS_MD_C */
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1281	}
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1282
				1283	/**
				1284	* Compute a hash.
				1285	*
				1286	* \param md_alg algorithm to use
				1287	* \param input input message to hash
				1288	* \param ilen input length
				1289	* \param output the output buffer - must be large enough for \p md_alg
				1290	*/
				1291	static int compute_hash( mbedtls_md_type_t md_alg,
				1292	const unsigned char *input, size_t ilen,
				1293	unsigned char *output )
				1294	{
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1295	#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1296	const mbedtls_md_info_t *md_info;
				1297
				1298	md_info = mbedtls_md_info_from_type( md_alg );
				1299	if( md_info == NULL )
				1300	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1301
				1302	return( mbedtls_md( md_info, input, ilen, output ) );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1303	#else
				1304	psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
				1305	psa_status_t status;
				1306	size_t out_size = PSA_HASH_LENGTH( alg );
				1307	size_t out_len;
				1308
				1309	status = psa_hash_compute( alg, input, ilen, output, out_size, &out_len );
				1310
				1311	return( ret_from_status( status ) );
				1312	#endif /* !MBEDTLS_MD_C */
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1313	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1314	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1315
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1316	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1317	/*
				1318	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
				1319	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1320	int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1321	int (f_rng)(void , unsigned char *, size_t),
				1322	void *p_rng,
Paul Bakker	a43231c	2013-02-28 17:33:49 +0100	[diff] [blame]	1323	const unsigned char *label, size_t label_len,
				1324	size_t ilen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1325	const unsigned char *input,
				1326	unsigned char *output )
				1327	{
				1328	size_t olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1329	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1330	unsigned char *p = output;
				1331	unsigned int hlen;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1332
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1333	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1334	RSA_VALIDATE_RET( output != NULL );
Jaeden Amero	fb23673	2019-02-08 13:11:59 +0000	[diff] [blame]	1335	RSA_VALIDATE_RET( ilen == 0 \|\| input != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1336	RSA_VALIDATE_RET( label_len == 0 \|\| label != NULL );
				1337
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1338	if( f_rng == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1339	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1340
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1341	hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
				1342	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1343	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1344
				1345	olen = ctx->len;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1346
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1347	/* first comparison checks for overflow */
Janos Follath	eddfe8f	2016-02-08 14:52:29 +0000	[diff] [blame]	1348	if( ilen + 2 * hlen + 2 < ilen \|\| olen < ilen + 2 * hlen + 2 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1349	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1350
				1351	memset( output, 0, olen );
				1352
				1353	*p++ = 0;
				1354
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1355	/* Generate a random octet string seed */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1356	if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1357	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1358
				1359	p += hlen;
				1360
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1361	/* Construct DB */
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1362	ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id, label, label_len, p );
				1363	if( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1364	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1365	p += hlen;
				1366	p += olen - 2 * hlen - 2 - ilen;
				1367	*p++ = 1;
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1368	if( ilen != 0 )
				1369	memcpy( p, input, ilen );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1370
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1371	/* maskedDB: Apply dbMask to DB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1372	if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1373	ctx->hash_id ) ) != 0 )
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	1374	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1375
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1376	/* maskedSeed: Apply seedMask to seed */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1377	if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1378	ctx->hash_id ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1379	return( ret );
				1380
Thomas Daubney	141700f	2021-05-13 19:06:10 +0100	[diff] [blame]	1381	return( mbedtls_rsa_public( ctx, output, output ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1382	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1383	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1384
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1385	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1386	/*
				1387	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
				1388	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1389	int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1390	int (f_rng)(void , unsigned char *, size_t),
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1391	void *p_rng, size_t ilen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1392	const unsigned char *input,
				1393	unsigned char *output )
				1394	{
				1395	size_t nb_pad, olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1396	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1397	unsigned char *p = output;
				1398
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1399	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1400	RSA_VALIDATE_RET( output != NULL );
Jaeden Amero	fb23673	2019-02-08 13:11:59 +0000	[diff] [blame]	1401	RSA_VALIDATE_RET( ilen == 0 \|\| input != NULL );
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1402
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1403	olen = ctx->len;
Manuel Pégourié-Gonnard	370717b	2016-02-11 10:35:13 +0100	[diff] [blame]	1404
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1405	/* first comparison checks for overflow */
Janos Follath	eddfe8f	2016-02-08 14:52:29 +0000	[diff] [blame]	1406	if( ilen + 11 < ilen \|\| olen < ilen + 11 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1407	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1408
				1409	nb_pad = olen - 3 - ilen;
				1410
				1411	*p++ = 0;
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1412
				1413	if( f_rng == NULL )
				1414	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1415
				1416	*p++ = MBEDTLS_RSA_CRYPT;
				1417
				1418	while( nb_pad-- > 0 )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1419	{
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1420	int rng_dl = 100;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1421
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1422	do {
				1423	ret = f_rng( p_rng, p, 1 );
				1424	} while( *p == 0 && --rng_dl && ret == 0 );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1425
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1426	/* Check if RNG failed to generate data */
				1427	if( rng_dl == 0 \|\| ret != 0 )
				1428	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1429
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1430	p++;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1431	}
				1432
				1433	*p++ = 0;
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1434	if( ilen != 0 )
				1435	memcpy( p, input, ilen );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1436
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1437	return( mbedtls_rsa_public( ctx, output, output ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1438	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1439	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1440
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1441	/*
				1442	* Add the message padding, then do an RSA operation
				1443	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1444	int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	1445	int (f_rng)(void , unsigned char *, size_t),
Paul Bakker	21eb280	2010-08-16 11:10:02 +0000	[diff] [blame]	1446	void *p_rng,
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1447	size_t ilen,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	1448	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1449	unsigned char *output )
				1450	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1451	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1452	RSA_VALIDATE_RET( output != NULL );
Jaeden Amero	fb23673	2019-02-08 13:11:59 +0000	[diff] [blame]	1453	RSA_VALIDATE_RET( ilen == 0 \|\| input != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1454
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1455	switch( ctx->padding )
				1456	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1457	#if defined(MBEDTLS_PKCS1_V15)
				1458	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1459	return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng,
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1460	ilen, input, output );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1461	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1462
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1463	#if defined(MBEDTLS_PKCS1_V21)
				1464	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	141700f	2021-05-13 19:06:10 +0100	[diff] [blame]	1465	return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, NULL, 0,
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1466	ilen, input, output );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1467	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1468
				1469	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1470	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1471	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1472	}
				1473
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1474	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1475	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1476	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1477	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1478	int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1479	int (f_rng)(void , unsigned char *, size_t),
				1480	void *p_rng,
Paul Bakker	a43231c	2013-02-28 17:33:49 +0100	[diff] [blame]	1481	const unsigned char *label, size_t label_len,
				1482	size_t *olen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1483	const unsigned char *input,
				1484	unsigned char *output,
				1485	size_t output_max_len )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1486	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1487	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1488	size_t ilen, i, pad_len;
				1489	unsigned char *p, bad, pad_done;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1490	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	1491	unsigned char lhash[HASH_MAX_SIZE];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1492	unsigned int hlen;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1493
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1494	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1495	RSA_VALIDATE_RET( output_max_len == 0 \|\| output != NULL );
				1496	RSA_VALIDATE_RET( label_len == 0 \|\| label != NULL );
				1497	RSA_VALIDATE_RET( input != NULL );
				1498	RSA_VALIDATE_RET( olen != NULL );
				1499
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1500	/*
				1501	* Parameters sanity checks
				1502	*/
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1503	if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1504	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1505
				1506	ilen = ctx->len;
				1507
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	1508	if( ilen < 16 \|\| ilen > sizeof( buf ) )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1509	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1510
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1511	hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
				1512	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1513	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1514
Janos Follath	c17cda1	2016-02-11 11:08:18 +0000	[diff] [blame]	1515	// checking for integer underflow
				1516	if( 2 * hlen + 2 > ilen )
				1517	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1518
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1519	/*
				1520	* RSA operation
				1521	*/
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1522	ret = mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1523
				1524	if( ret != 0 )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1525	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1526
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1527	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1528	* Unmask data and generate lHash
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1529	*/
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1530	/* seed: Apply seedMask to maskedSeed */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1531	if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1532	ctx->hash_id ) ) != 0 \|\|
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1533	/* DB: Apply dbMask to maskedDB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1534	( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1535	ctx->hash_id ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1536	{
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1537	goto cleanup;
				1538	}
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1539
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1540	/* Generate lHash */
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1541	ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id,
				1542	label, label_len, lhash );
				1543	if( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1544	goto cleanup;
				1545
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1546	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1547	* Check contents, in "constant-time"
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1548	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1549	p = buf;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1550	bad = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1551
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1552	bad \|= p++; / First byte must be 0 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1553
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1554	p += hlen; /* Skip seed */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1555
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1556	/* Check lHash */
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1557	for( i = 0; i < hlen; i++ )
				1558	bad \|= lhash[i] ^ *p++;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1559
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1560	/* Get zero-padding len, but always read till end of buffer
				1561	* (minus one, for the 01 byte) */
				1562	pad_len = 0;
				1563	pad_done = 0;
				1564	for( i = 0; i < ilen - 2 * hlen - 2; i++ )
				1565	{
				1566	pad_done \|= p[i];
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	1567	pad_len += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1568	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1569
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1570	p += pad_len;
				1571	bad \|= *p++ ^ 0x01;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1572
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1573	/*
				1574	* The only information "leaked" is whether the padding was correct or not
				1575	* (eg, no data is copied if it was not correct). This meets the
				1576	* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
				1577	* the different error conditions.
				1578	*/
				1579	if( bad != 0 )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1580	{
				1581	ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
				1582	goto cleanup;
				1583	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1584
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1585	if( ilen - ( p - buf ) > output_max_len )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1586	{
				1587	ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
				1588	goto cleanup;
				1589	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1590
				1591	*olen = ilen - (p - buf);
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1592	if( *olen != 0 )
				1593	memcpy( output, p, *olen );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1594	ret = 0;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1595
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1596	cleanup:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1597	mbedtls_platform_zeroize( buf, sizeof( buf ) );
				1598	mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1599
				1600	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1601	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1602	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1603
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1604	#if defined(MBEDTLS_PKCS1_V15)
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1605	/*
				1606	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
				1607	*/
				1608	int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
				1609	int (f_rng)(void , unsigned char *, size_t),
				1610	void *p_rng,
				1611	size_t *olen,
				1612	const unsigned char *input,
				1613	unsigned char *output,
				1614	size_t output_max_len )
				1615	{
				1616	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				1617	size_t ilen;
				1618	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
				1619
				1620	RSA_VALIDATE_RET( ctx != NULL );
				1621	RSA_VALIDATE_RET( output_max_len == 0 \|\| output != NULL );
				1622	RSA_VALIDATE_RET( input != NULL );
				1623	RSA_VALIDATE_RET( olen != NULL );
				1624
				1625	ilen = ctx->len;
				1626
				1627	if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
				1628	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1629
				1630	if( ilen < 16 \|\| ilen > sizeof( buf ) )
				1631	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1632
				1633	ret = mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
				1634
				1635	if( ret != 0 )
				1636	goto cleanup;
				1637
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	1638	ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( buf, ilen,
Gabor Mezei	63bbba5	2021-10-18 16:17:57 +0200	[diff] [blame]	1639	output, output_max_len, olen );
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1640
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1641	cleanup:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1642	mbedtls_platform_zeroize( buf, sizeof( buf ) );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1643
				1644	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1645	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1646	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1647
				1648	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1649	* Do an RSA operation, then remove the message padding
				1650	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1651	int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1652	int (f_rng)(void , unsigned char *, size_t),
				1653	void *p_rng,
Thomas Daubney	c7feaf3	2021-05-07 14:02:43 +0100	[diff] [blame]	1654	size_t *olen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1655	const unsigned char *input,
				1656	unsigned char *output,
				1657	size_t output_max_len)
				1658	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1659	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1660	RSA_VALIDATE_RET( output_max_len == 0 \|\| output != NULL );
				1661	RSA_VALIDATE_RET( input != NULL );
				1662	RSA_VALIDATE_RET( olen != NULL );
				1663
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1664	switch( ctx->padding )
				1665	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1666	#if defined(MBEDTLS_PKCS1_V15)
				1667	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	3473308	2021-05-12 09:24:29 +0100	[diff] [blame]	1668	return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, olen,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1669	input, output, output_max_len );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1670	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1671
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1672	#if defined(MBEDTLS_PKCS1_V21)
				1673	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1674	return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, NULL, 0,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1675	olen, input, output,
				1676	output_max_len );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1677	#endif
				1678
				1679	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1680	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1681	}
				1682	}
				1683
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1684	#if defined(MBEDTLS_PKCS1_V21)
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1685	static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1686	int (f_rng)(void , unsigned char *, size_t),
				1687	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1688	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1689	unsigned int hashlen,
				1690	const unsigned char *hash,
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1691	int saltlen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1692	unsigned char *sig )
				1693	{
				1694	size_t olen;
				1695	unsigned char *p = sig;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1696	unsigned char *salt = NULL;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1697	size_t slen, min_slen, hlen, offset = 0;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1698	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1699	size_t msb;
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1700
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1701	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1702	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				1703	hashlen == 0 ) \|\|
				1704	hash != NULL );
				1705	RSA_VALIDATE_RET( sig != NULL );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1706
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1707	if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
				1708	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1709
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1710	if( f_rng == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1711	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1712
				1713	olen = ctx->len;
				1714
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1715	if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1716	{
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1717	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1718	size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg );
				1719	if( exp_hashlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1720	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	1721
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1722	if( hashlen != exp_hashlen )
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1723	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1724	}
				1725
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1726	hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
				1727	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1728	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1729
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1730	if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY)
				1731	{
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1732	/* Calculate the largest possible salt length, up to the hash size.
				1733	* Normally this is the hash length, which is the maximum salt length
				1734	* according to FIPS 185-4 §5.5 (e) and common practice. If there is not
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1735	* enough room, use the maximum salt length that fits. The constraint is
				1736	* that the hash length plus the salt length plus 2 bytes must be at most
				1737	* the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
				1738	* (PKCS#1 v2.2) §9.1.1 step 3. */
				1739	min_slen = hlen - 2;
				1740	if( olen < hlen + min_slen + 2 )
				1741	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1742	else if( olen >= hlen + hlen + 2 )
				1743	slen = hlen;
				1744	else
				1745	slen = olen - hlen - 2;
				1746	}
Cédric Meuter	46bad33	2021-01-10 12:57:19 +0100	[diff] [blame]	1747	else if ( (saltlen < 0) \|\| (saltlen + hlen + 2 > olen) )
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1748	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1749	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1750	}
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1751	else
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1752	{
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1753	slen = (size_t) saltlen;
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1754	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1755
				1756	memset( sig, 0, olen );
				1757
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1758	/* Note: EMSA-PSS encoding is over the length of N - 1 bits */
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	1759	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1760	p += olen - hlen - slen - 2;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1761	*p++ = 0x01;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1762
				1763	/* Generate salt of length slen in place in the encoded message */
				1764	salt = p;
				1765	if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1766	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1767
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1768	p += slen;
				1769
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1770	/* Generate H = Hash( M' ) */
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1771	ret = hash_mprime( hash, hashlen, salt, slen, p, ctx->hash_id );
				1772	if( ret != 0 )
				1773	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1774
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1775	/* Compensate for boundary condition when applying mask */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1776	if( msb % 8 == 0 )
				1777	offset = 1;
				1778
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1779	/* maskedDB: Apply dbMask to DB */
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1780	ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
				1781	ctx->hash_id );
				1782	if( ret != 0 )
				1783	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1784
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	1785	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1786	sig[0] &= 0xFF >> ( olen * 8 - msb );
				1787
				1788	p += hlen;
				1789	*p++ = 0xBC;
				1790
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1791	return mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1792	}
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1793
				1794	/*
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1795	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
				1796	* the option to pass in the salt length.
				1797	*/
				1798	int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
				1799	int (f_rng)(void , unsigned char *, size_t),
				1800	void *p_rng,
				1801	mbedtls_md_type_t md_alg,
				1802	unsigned int hashlen,
				1803	const unsigned char *hash,
				1804	int saltlen,
				1805	unsigned char *sig )
				1806	{
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1807	return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1808	hashlen, hash, saltlen, sig );
				1809	}
				1810
				1811
				1812	/*
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1813	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
				1814	*/
				1815	int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
				1816	int (f_rng)(void , unsigned char *, size_t),
				1817	void *p_rng,
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1818	mbedtls_md_type_t md_alg,
				1819	unsigned int hashlen,
				1820	const unsigned char *hash,
				1821	unsigned char *sig )
				1822	{
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1823	return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1824	hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig );
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1825	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1826	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1827
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1828	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1829	/*
				1830	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
				1831	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1832
				1833	/* Construct a PKCS v1.5 encoding of a hashed message
				1834	*
				1835	* This is used both for signature generation and verification.
				1836	*
				1837	* Parameters:
				1838	* - md_alg: Identifies the hash algorithm used to generate the given hash;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1839	* MBEDTLS_MD_NONE if raw data is signed.
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1840	* - hashlen: Length of hash. Must match md_alg if that's not NONE.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1841	* - hash: Buffer containing the hashed message or the raw data.
				1842	* - dst_len: Length of the encoded message.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1843	* - dst: Buffer to hold the encoded message.
				1844	*
				1845	* Assumptions:
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1846	* - hash has size hashlen.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1847	* - dst points to a buffer of size at least dst_len.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1848	*
				1849	*/
				1850	static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
				1851	unsigned int hashlen,
				1852	const unsigned char *hash,
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1853	size_t dst_len,
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1854	unsigned char *dst )
				1855	{
				1856	size_t oid_size = 0;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1857	size_t nb_pad = dst_len;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1858	unsigned char *p = dst;
				1859	const char *oid = NULL;
				1860
				1861	/* Are we signing hashed or raw data? */
				1862	if( md_alg != MBEDTLS_MD_NONE )
				1863	{
Manuel Pégourié-Gonnard	4772884	2022-07-18 13:00:40 +0200	[diff] [blame]	1864	unsigned char md_size = mbedtls_hash_info_get_size( md_alg );
Manuel Pégourié-Gonnard	f493f2a	2022-07-05 17:41:05 +0200	[diff] [blame]	1865	if( md_size == 0 )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1866	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1867
				1868	if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
				1869	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1870
Manuel Pégourié-Gonnard	f493f2a	2022-07-05 17:41:05 +0200	[diff] [blame]	1871	if( hashlen != md_size )
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1872	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1873
				1874	/* Double-check that 8 + hashlen + oid_size can be used as a
				1875	* 1-byte ASN.1 length encoding and that there's no overflow. */
				1876	if( 8 + hashlen + oid_size >= 0x80 \|\|
				1877	10 + hashlen < hashlen \|\|
				1878	10 + hashlen + oid_size < 10 + hashlen )
				1879	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1880
				1881	/*
				1882	* Static bounds check:
				1883	* - Need 10 bytes for five tag-length pairs.
				1884	* (Insist on 1-byte length encodings to protect against variants of
				1885	* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
				1886	* - Need hashlen bytes for hash
				1887	* - Need oid_size bytes for hash alg OID.
				1888	*/
				1889	if( nb_pad < 10 + hashlen + oid_size )
				1890	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1891	nb_pad -= 10 + hashlen + oid_size;
				1892	}
				1893	else
				1894	{
				1895	if( nb_pad < hashlen )
				1896	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1897
				1898	nb_pad -= hashlen;
				1899	}
				1900
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1901	/* Need space for signature header and padding delimiter (3 bytes),
				1902	* and 8 bytes for the minimal padding */
				1903	if( nb_pad < 3 + 8 )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1904	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1905	nb_pad -= 3;
				1906
				1907	/* Now nb_pad is the amount of memory to be filled
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1908	* with padding, and at least 8 bytes long. */
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1909
				1910	/* Write signature header and padding */
				1911	*p++ = 0;
				1912	*p++ = MBEDTLS_RSA_SIGN;
				1913	memset( p, 0xFF, nb_pad );
				1914	p += nb_pad;
				1915	*p++ = 0;
				1916
				1917	/* Are we signing raw data? */
				1918	if( md_alg == MBEDTLS_MD_NONE )
				1919	{
				1920	memcpy( p, hash, hashlen );
				1921	return( 0 );
				1922	}
				1923
				1924	/* Signing hashed data, add corresponding ASN.1 structure
				1925	*
				1926	* DigestInfo ::= SEQUENCE {
				1927	* digestAlgorithm DigestAlgorithmIdentifier,
				1928	* digest Digest }
				1929	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
				1930	* Digest ::= OCTET STRING
				1931	*
				1932	* Schematic:
				1933	* TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
				1934	* TAG-NULL + LEN [ NULL ] ]
				1935	* TAG-OCTET + LEN [ HASH ] ]
				1936	*/
				1937	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1938	*p++ = (unsigned char)( 0x08 + oid_size + hashlen );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1939	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1940	*p++ = (unsigned char)( 0x04 + oid_size );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1941	*p++ = MBEDTLS_ASN1_OID;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1942	*p++ = (unsigned char) oid_size;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1943	memcpy( p, oid, oid_size );
				1944	p += oid_size;
				1945	*p++ = MBEDTLS_ASN1_NULL;
				1946	*p++ = 0x00;
				1947	*p++ = MBEDTLS_ASN1_OCTET_STRING;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1948	*p++ = (unsigned char) hashlen;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1949	memcpy( p, hash, hashlen );
				1950	p += hashlen;
				1951
				1952	/* Just a sanity-check, should be automatic
				1953	* after the initial bounds check. */
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1954	if( p != dst + dst_len )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1955	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1956	mbedtls_platform_zeroize( dst, dst_len );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1957	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1958	}
				1959
				1960	return( 0 );
				1961	}
				1962
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1963	/*
				1964	* Do an RSA operation to sign the message digest
				1965	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1966	int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1967	int (f_rng)(void , unsigned char *, size_t),
				1968	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1969	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1970	unsigned int hashlen,
				1971	const unsigned char *hash,
				1972	unsigned char *sig )
				1973	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1974	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1975	unsigned char sig_try = NULL, verif = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1976
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1977	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1978	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				1979	hashlen == 0 ) \|\|
				1980	hash != NULL );
				1981	RSA_VALIDATE_RET( sig != NULL );
				1982
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1983	if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
				1984	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1985
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1986	/*
				1987	* Prepare PKCS1-v1.5 encoding (padding and hash identifier)
				1988	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1989
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1990	if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
				1991	ctx->len, sig ) ) != 0 )
				1992	return( ret );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1993
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1994	/* Private key operation
				1995	*
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1996	* In order to prevent Lenstra's attack, make the signature in a
				1997	* temporary buffer and check it before returning it.
				1998	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1999
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	2000	sig_try = mbedtls_calloc( 1, ctx->len );
Simon Butcher	1285ab5	2016-01-01 21:42:47 +0000	[diff] [blame]	2001	if( sig_try == NULL )
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	2002	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
				2003
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	2004	verif = mbedtls_calloc( 1, ctx->len );
Simon Butcher	1285ab5	2016-01-01 21:42:47 +0000	[diff] [blame]	2005	if( verif == NULL )
				2006	{
				2007	mbedtls_free( sig_try );
				2008	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
				2009	}
				2010
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	2011	MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
				2012	MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
				2013
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	2014	if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 )
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	2015	{
				2016	ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
				2017	goto cleanup;
				2018	}
				2019
				2020	memcpy( sig, sig_try, ctx->len );
				2021
				2022	cleanup:
Gilles Peskine	14d5fef	2021-12-13 12:37:55 +0100	[diff] [blame]	2023	mbedtls_platform_zeroize( sig_try, ctx->len );
				2024	mbedtls_platform_zeroize( verif, ctx->len );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	2025	mbedtls_free( sig_try );
				2026	mbedtls_free( verif );
				2027
Gilles Peskine	14d5fef	2021-12-13 12:37:55 +0100	[diff] [blame]	2028	if( ret != 0 )
				2029	memset( sig, '!', ctx->len );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	2030	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2031	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2032	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2033
				2034	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2035	* Do an RSA operation to sign the message digest
				2036	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2037	int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2038	int (f_rng)(void , unsigned char *, size_t),
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2039	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2040	mbedtls_md_type_t md_alg,
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2041	unsigned int hashlen,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	2042	const unsigned char *hash,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2043	unsigned char *sig )
				2044	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2045	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2046	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2047	hashlen == 0 ) \|\|
				2048	hash != NULL );
				2049	RSA_VALIDATE_RET( sig != NULL );
				2050
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2051	switch( ctx->padding )
				2052	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2053	#if defined(MBEDTLS_PKCS1_V15)
				2054	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	5265498	2021-05-18 16:54:00 +0100	[diff] [blame]	2055	return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng,
Thomas Daubney	140184d	2021-05-18 16:04:07 +0100	[diff] [blame]	2056	md_alg, hashlen, hash, sig );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2057	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2058
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2059	#if defined(MBEDTLS_PKCS1_V21)
				2060	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	de9fdc4	2021-05-18 17:10:04 +0100	[diff] [blame]	2061	return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
				2062	hashlen, hash, sig );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2063	#endif
				2064
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2065	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2066	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2067	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2068	}
				2069
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2070	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2071	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2072	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2073	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2074	int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2075	mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2076	unsigned int hashlen,
				2077	const unsigned char *hash,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2078	mbedtls_md_type_t mgf1_hash_id,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2079	int expected_salt_len,
				2080	const unsigned char *sig )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2081	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2082	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2083	size_t siglen;
				2084	unsigned char *p;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2085	unsigned char *hash_start;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame^]	2086	unsigned char result[HASH_MAX_SIZE];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2087	unsigned int hlen;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2088	size_t observed_salt_len, msb;
Leonid Rozenboim	a3008e7	2022-04-21 17:28:18 -0700	[diff] [blame]	2089	unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = {0};
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2090
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2091	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2092	RSA_VALIDATE_RET( sig != NULL );
				2093	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2094	hashlen == 0 ) \|\|
				2095	hash != NULL );
				2096
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2097	siglen = ctx->len;
				2098
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	2099	if( siglen < 16 \|\| siglen > sizeof( buf ) )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2100	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2101
Thomas Daubney	782a7f5	2021-05-19 12:27:35 +0100	[diff] [blame]	2102	ret = mbedtls_rsa_public( ctx, sig, buf );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2103
				2104	if( ret != 0 )
				2105	return( ret );
				2106
				2107	p = buf;
				2108
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2109	if( buf[siglen - 1] != 0xBC )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2110	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2111
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2112	if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2113	{
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2114	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	2115	size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg );
				2116	if( exp_hashlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2117	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2118
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	2119	if( hashlen != exp_hashlen )
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2120	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2121	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2122
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	2123	hlen = mbedtls_hash_info_get_size( mgf1_hash_id );
				2124	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2125	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2126
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2127	/*
				2128	* Note: EMSA-PSS verification is over the length of N - 1 bits
				2129	*/
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	2130	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2131
Gilles Peskine	b00b0da	2017-10-19 15:23:49 +0200	[diff] [blame]	2132	if( buf[0] >> ( 8 - siglen * 8 + msb ) )
				2133	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				2134
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2135	/* Compensate for boundary condition when applying mask */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2136	if( msb % 8 == 0 )
				2137	{
				2138	p++;
				2139	siglen -= 1;
				2140	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2141
Gilles Peskine	139108a	2017-10-18 19:03:42 +0200	[diff] [blame]	2142	if( siglen < hlen + 2 )
				2143	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				2144	hash_start = p + siglen - hlen - 1;
				2145
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	2146	ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id );
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2147	if( ret != 0 )
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	2148	return( ret );
Paul Bakker	02303e8	2013-01-03 11:08:31 +0100	[diff] [blame]	2149
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2150	buf[0] &= 0xFF >> ( siglen * 8 - msb );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2151
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2152	while( p < hash_start - 1 && *p == 0 )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2153	p++;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2154
Gilles Peskine	91048a3	2017-10-19 17:46:14 +0200	[diff] [blame]	2155	if( *p++ != 0x01 )
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	2156	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2157
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2158	observed_salt_len = hash_start - p;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2159
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2160	if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2161	observed_salt_len != (size_t) expected_salt_len )
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2162	{
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	2163	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2164	}
				2165
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2166	/*
				2167	* Generate H = Hash( M' )
				2168	*/
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	2169	ret = hash_mprime( hash, hashlen, p, observed_salt_len,
				2170	result, mgf1_hash_id );
				2171	if( ret != 0 )
				2172	return( ret );
Paul Bakker	53019ae	2011-03-25 13:58:48 +0000	[diff] [blame]	2173
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2174	if( memcmp( hash_start, result, hlen ) != 0 )
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	2175	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2176
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	2177	return( 0 );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2178	}
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2179
				2180	/*
				2181	* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
				2182	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2183	int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2184	mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2185	unsigned int hashlen,
				2186	const unsigned char *hash,
				2187	const unsigned char *sig )
				2188	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2189	mbedtls_md_type_t mgf1_hash_id;
				2190	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2191	RSA_VALIDATE_RET( sig != NULL );
				2192	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2193	hashlen == 0 ) \|\|
				2194	hash != NULL );
				2195
				2196	mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2197	? (mbedtls_md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2198	: md_alg;
				2199
Thomas Daubney	9e65f79	2021-05-19 12:18:58 +0100	[diff] [blame]	2200	return( mbedtls_rsa_rsassa_pss_verify_ext( ctx,
Thomas Daubney	5ee4cc0	2021-05-19 12:07:42 +0100	[diff] [blame]	2201	md_alg, hashlen, hash,
				2202	mgf1_hash_id,
				2203	MBEDTLS_RSA_SALT_LEN_ANY,
				2204	sig ) );
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2205
				2206	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2207	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	40628ba	2013-01-03 10:50:31 +0100	[diff] [blame]	2208
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2209	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2210	/*
				2211	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
				2212	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2213	int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2214	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2215	unsigned int hashlen,
				2216	const unsigned char *hash,
Manuel Pégourié-Gonnard	cc0a9d0	2013-08-12 11:34:35 +0200	[diff] [blame]	2217	const unsigned char *sig )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2218	{
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2219	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2220	size_t sig_len;
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2221	unsigned char encoded = NULL, encoded_expected = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2222
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2223	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2224	RSA_VALIDATE_RET( sig != NULL );
				2225	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2226	hashlen == 0 ) \|\|
				2227	hash != NULL );
				2228
				2229	sig_len = ctx->len;
				2230
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2231	/*
				2232	* Prepare expected PKCS1 v1.5 encoding of hash.
				2233	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2234
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2235	if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL \|\|
				2236	( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
				2237	{
				2238	ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
				2239	goto cleanup;
				2240	}
				2241
				2242	if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
				2243	encoded_expected ) ) != 0 )
				2244	goto cleanup;
				2245
				2246	/*
				2247	* Apply RSA primitive to get what should be PKCS1 encoded hash.
				2248	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2249
Thomas Daubney	41e4ce4	2021-05-19 15:10:05 +0100	[diff] [blame]	2250	ret = mbedtls_rsa_public( ctx, sig, encoded );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2251	if( ret != 0 )
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2252	goto cleanup;
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2253
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2254	/*
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2255	* Compare
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2256	*/
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2257
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	2258	if( ( ret = mbedtls_ct_memcmp( encoded, encoded_expected,
gabor-mezei-arm	4602564	2021-07-19 15:19:19 +0200	[diff] [blame]	2259	sig_len ) ) != 0 )
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2260	{
				2261	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				2262	goto cleanup;
				2263	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2264
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2265	cleanup:
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2266
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2267	if( encoded != NULL )
				2268	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	2269	mbedtls_platform_zeroize( encoded, sig_len );
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2270	mbedtls_free( encoded );
				2271	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2272
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2273	if( encoded_expected != NULL )
				2274	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	2275	mbedtls_platform_zeroize( encoded_expected, sig_len );
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2276	mbedtls_free( encoded_expected );
				2277	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2278
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2279	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2280	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2281	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2282
				2283	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2284	* Do an RSA operation and check the message digest
				2285	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2286	int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2287	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2288	unsigned int hashlen,
				2289	const unsigned char *hash,
Manuel Pégourié-Gonnard	cc0a9d0	2013-08-12 11:34:35 +0200	[diff] [blame]	2290	const unsigned char *sig )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2291	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2292	RSA_VALIDATE_RET( ctx != NULL );
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2293	RSA_VALIDATE_RET( sig != NULL );
				2294	RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
				2295	hashlen == 0 ) \|\|
				2296	hash != NULL );
				2297
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2298	switch( ctx->padding )
				2299	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2300	#if defined(MBEDTLS_PKCS1_V15)
				2301	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	2e12625	2021-05-19 11:48:53 +0100	[diff] [blame]	2302	return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, md_alg,
				2303	hashlen, hash, sig );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2304	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2305
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2306	#if defined(MBEDTLS_PKCS1_V21)
				2307	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	5ee4cc0	2021-05-19 12:07:42 +0100	[diff] [blame]	2308	return mbedtls_rsa_rsassa_pss_verify( ctx, md_alg,
				2309	hashlen, hash, sig );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2310	#endif
				2311
				2312	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2313	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2314	}
				2315	}
				2316
				2317	/*
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2318	* Copy the components of an RSA key
				2319	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2320	int mbedtls_rsa_copy( mbedtls_rsa_context dst, const mbedtls_rsa_context src )
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2321	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2322	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2323	RSA_VALIDATE_RET( dst != NULL );
				2324	RSA_VALIDATE_RET( src != NULL );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2325
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2326	dst->len = src->len;
				2327
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2328	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
				2329	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2330
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2331	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
				2332	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
				2333	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2334
				2335	#if !defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2336	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
				2337	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
				2338	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2339	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
				2340	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2341	#endif
				2342
				2343	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2344
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2345	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
				2346	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	2347
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2348	dst->padding = src->padding;
Manuel Pégourié-Gonnard	fdddac9	2014-03-25 15:58:35 +0100	[diff] [blame]	2349	dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2350
				2351	cleanup:
				2352	if( ret != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2353	mbedtls_rsa_free( dst );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2354
				2355	return( ret );
				2356	}
				2357
				2358	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2359	* Free the components of an RSA key
				2360	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2361	void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2362	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2363	if( ctx == NULL )
				2364	return;
				2365
				2366	mbedtls_mpi_free( &ctx->Vi );
				2367	mbedtls_mpi_free( &ctx->Vf );
				2368	mbedtls_mpi_free( &ctx->RN );
				2369	mbedtls_mpi_free( &ctx->D );
				2370	mbedtls_mpi_free( &ctx->Q );
				2371	mbedtls_mpi_free( &ctx->P );
				2372	mbedtls_mpi_free( &ctx->E );
				2373	mbedtls_mpi_free( &ctx->N );
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2374
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2375	#if !defined(MBEDTLS_RSA_NO_CRT)
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2376	mbedtls_mpi_free( &ctx->RQ );
				2377	mbedtls_mpi_free( &ctx->RP );
				2378	mbedtls_mpi_free( &ctx->QP );
				2379	mbedtls_mpi_free( &ctx->DQ );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2380	mbedtls_mpi_free( &ctx->DP );
				2381	#endif /* MBEDTLS_RSA_NO_CRT */
				2382
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2383	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	2384	/* Free the mutex, but only if it hasn't been freed already. */
				2385	if( ctx->ver != 0 )
				2386	{
				2387	mbedtls_mutex_free( &ctx->mutex );
				2388	ctx->ver = 0;
				2389	}
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2390	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2391	}
				2392
Hanno Becker	ab37731	2017-08-23 16:24:51 +0100	[diff] [blame]	2393	#endif /* !MBEDTLS_RSA_ALT */
				2394
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2395	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2396
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	2397	#include "mbedtls/sha1.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2398
				2399	/*
				2400	* Example RSA-1024 keypair, for test purposes
				2401	*/
				2402	#define KEY_LEN 128
				2403
				2404	#define RSA_N "9292758453063D803DD603D5E777D788" \
				2405	"8ED1D5BF35786190FA2F23EBC0848AEA" \
				2406	"DDA92CA6C3D80B32C4D109BE0F36D6AE" \
				2407	"7130B9CED7ACDF54CFC7555AC14EEBAB" \
				2408	"93A89813FBF3C4F8066D2D800F7C38A8" \
				2409	"1AE31942917403FF4946B0A83D3D3E05" \
				2410	"EE57C6F5F5606FB5D4BC6CD34EE0801A" \
				2411	"5E94BB77B07507233A0BC7BAC8F90F79"
				2412
				2413	#define RSA_E "10001"
				2414
				2415	#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
				2416	"66CA472BC44D253102F8B4A9D3BFA750" \
				2417	"91386C0077937FE33FA3252D28855837" \
				2418	"AE1B484A8A9A45F7EE8C0C634F99E8CD" \
				2419	"DF79C5CE07EE72C7F123142198164234" \
				2420	"CABB724CF78B8173B9F880FC86322407" \
				2421	"AF1FEDFDDE2BEB674CA15F3E81A1521E" \
				2422	"071513A1E85B5DFA031F21ECAE91A34D"
				2423
				2424	#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
				2425	"2C01CAD19EA484A87EA4377637E75500" \
				2426	"FCB2005C5C7DD6EC4AC023CDA285D796" \
				2427	"C3D9E75E1EFC42488BB4F1D13AC30A57"
				2428
				2429	#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
				2430	"E211C2B9E5DB1ED0BF61D0D9899620F4" \
				2431	"910E4168387E3C30AA1E00C339A79508" \
				2432	"8452DD96A9A5EA5D9DCA68DA636032AF"
				2433
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2434	#define PT_LEN 24
				2435	#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
				2436	"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
				2437
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2438	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2439	static int myrand( void rng_state, unsigned char output, size_t len )
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2440	{
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2441	#if !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2442	size_t i;
				2443
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2444	if( rng_state != NULL )
				2445	rng_state = NULL;
				2446
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2447	for( i = 0; i < len; ++i )
				2448	output[i] = rand();
Paul Bakker	f96f7b6	2014-04-30 16:02:38 +0200	[diff] [blame]	2449	#else
				2450	if( rng_state != NULL )
				2451	rng_state = NULL;
				2452
				2453	arc4random_buf( output, len );
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2454	#endif /* !OpenBSD && !NetBSD */
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2455
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2456	return( 0 );
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2457	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2458	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2459
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2460	/*
				2461	* Checkup routine
				2462	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2463	int mbedtls_rsa_self_test( int verbose )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2464	{
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2465	int ret = 0;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2466	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2467	size_t len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2468	mbedtls_rsa_context rsa;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2469	unsigned char rsa_plaintext[PT_LEN];
				2470	unsigned char rsa_decrypted[PT_LEN];
				2471	unsigned char rsa_ciphertext[KEY_LEN];
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2472	#if defined(MBEDTLS_SHA1_C)
Paul Bakker	5690efc	2011-05-26 13:16:06 +0000	[diff] [blame]	2473	unsigned char sha1sum[20];
				2474	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2475
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2476	mbedtls_mpi K;
				2477
				2478	mbedtls_mpi_init( &K );
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	2479	mbedtls_rsa_init( &rsa );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2480
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2481	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
				2482	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
				2483	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
				2484	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
				2485	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
				2486	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
				2487	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
				2488	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
				2489	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
				2490	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
				2491
Hanno Becker	7f25f85	2017-10-10 16:56:22 +0100	[diff] [blame]	2492	MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2493
				2494	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2495	mbedtls_printf( " RSA key validation: " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2496
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2497	if( mbedtls_rsa_check_pubkey( &rsa ) != 0 \|\|
				2498	mbedtls_rsa_check_privkey( &rsa ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2499	{
				2500	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2501	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2502
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2503	ret = 1;
				2504	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2505	}
				2506
				2507	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2508	mbedtls_printf( "passed\n PKCS#1 encryption : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2509
				2510	memcpy( rsa_plaintext, RSA_PT, PT_LEN );
				2511
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	2512	if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2513	PT_LEN, rsa_plaintext,
				2514	rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2515	{
				2516	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2517	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2518
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2519	ret = 1;
				2520	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2521	}
				2522
				2523	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2524	mbedtls_printf( "passed\n PKCS#1 decryption : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2525
Thomas Daubney	c7feaf3	2021-05-07 14:02:43 +0100	[diff] [blame]	2526	if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2527	&len, rsa_ciphertext, rsa_decrypted,
				2528	sizeof(rsa_decrypted) ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2529	{
				2530	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2531	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2532
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2533	ret = 1;
				2534	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2535	}
				2536
				2537	if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
				2538	{
				2539	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2540	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2541
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2542	ret = 1;
				2543	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2544	}
				2545
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2546	if( verbose != 0 )
				2547	mbedtls_printf( "passed\n" );
				2548
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2549	#if defined(MBEDTLS_SHA1_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2550	if( verbose != 0 )
Brian Murray	930a370	2016-05-18 14:38:02 -0700	[diff] [blame]	2551	mbedtls_printf( " PKCS#1 data sign : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2552
TRodziewicz	26371e4	2021-06-08 16:45:41 +0200	[diff] [blame]	2553	if( mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2554	{
				2555	if( verbose != 0 )
				2556	mbedtls_printf( "failed\n" );
				2557
				2558	return( 1 );
				2559	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2560
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2561	if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2562	MBEDTLS_MD_SHA1, 20,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2563	sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2564	{
				2565	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2566	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2567
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2568	ret = 1;
				2569	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2570	}
				2571
				2572	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2573	mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2574
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2575	if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 20,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2576	sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2577	{
				2578	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2579	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2580
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2581	ret = 1;
				2582	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2583	}
				2584
				2585	if( verbose != 0 )
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2586	mbedtls_printf( "passed\n" );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2587	#endif /* MBEDTLS_SHA1_C */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2588
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2589	if( verbose != 0 )
				2590	mbedtls_printf( "\n" );
				2591
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2592	cleanup:
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2593	mbedtls_mpi_free( &K );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2594	mbedtls_rsa_free( &rsa );
				2595	#else /* MBEDTLS_PKCS1_V15 */
Paul Bakker	3e41fe8	2013-09-15 17:42:50 +0200	[diff] [blame]	2596	((void) verbose);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2597	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2598	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2599	}
				2600
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2601	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2602
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2603	#endif /* MBEDTLS_RSA_C */