blob: e185faee4cef9da55ce27cdfa0e0aa83985a310f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * The RSA public-key cryptosystem
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +000018 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +000019 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +000020 */
Hanno Becker74716312017-10-02 10:00:37 +010021
Paul Bakker5121ce52009-01-03 21:22:43 +000022/*
Simon Butcherbdae02c2016-01-20 00:44:42 +000023 * The following sources were referenced in the design of this implementation
24 * of the RSA algorithm:
Paul Bakker5121ce52009-01-03 21:22:43 +000025 *
Simon Butcherbdae02c2016-01-20 00:44:42 +000026 * [1] A method for obtaining digital signatures and public-key cryptosystems
27 * R Rivest, A Shamir, and L Adleman
28 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
29 *
30 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
31 * Menezes, van Oorschot and Vanstone
32 *
Janos Follathe81102e2017-03-22 13:38:28 +000033 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
34 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
35 * Stefan Mangard
36 * https://arxiv.org/abs/1702.08719v2
37 *
Paul Bakker5121ce52009-01-03 21:22:43 +000038 */
39
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020040#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000041#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020042#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020043#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020044#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020046#if defined(MBEDTLS_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000047
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000048#include "mbedtls/rsa.h"
Hanno Beckera565f542017-10-11 11:00:19 +010049#include "mbedtls/rsa_internal.h"
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000050#include "mbedtls/oid.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +000051
Rich Evans00ab4702015-02-06 13:43:58 +000052#include <string.h>
53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020054#if defined(MBEDTLS_PKCS1_V21)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000055#include "mbedtls/md.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +000056#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000057
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020058#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
Paul Bakker5121ce52009-01-03 21:22:43 +000059#include <stdlib.h>
Rich Evans00ab4702015-02-06 13:43:58 +000060#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020062#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000063#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +010064#else
Rich Evans00ab4702015-02-06 13:43:58 +000065#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020066#define mbedtls_printf printf
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +020067#define mbedtls_calloc calloc
68#define mbedtls_free free
Paul Bakker7dc4c442014-02-01 22:50:26 +010069#endif
70
Hanno Beckera565f542017-10-11 11:00:19 +010071#if !defined(MBEDTLS_RSA_ALT)
72
Gilles Peskine4a7f6a02017-03-23 14:37:37 +010073/* Implementation that should never be optimized out by the compiler */
74static void mbedtls_zeroize( void *v, size_t n ) {
75 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
76}
77
Manuel Pégourié-Gonnardb0ba5bc2018-03-13 13:27:14 +010078#if defined(MBEDTLS_PKCS1_V15)
Hanno Becker171a8f12017-09-06 12:32:16 +010079/* constant-time buffer comparison */
80static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
81{
82 size_t i;
83 const unsigned char *A = (const unsigned char *) a;
84 const unsigned char *B = (const unsigned char *) b;
85 unsigned char diff = 0;
86
87 for( i = 0; i < n; i++ )
88 diff |= A[i] ^ B[i];
89
90 return( diff );
91}
Manuel Pégourié-Gonnardb0ba5bc2018-03-13 13:27:14 +010092#endif /* MBEDTLS_PKCS1_V15 */
Hanno Becker171a8f12017-09-06 12:32:16 +010093
Hanno Becker617c1ae2017-08-23 14:11:24 +010094int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
95 const mbedtls_mpi *N,
96 const mbedtls_mpi *P, const mbedtls_mpi *Q,
97 const mbedtls_mpi *D, const mbedtls_mpi *E )
98{
99 int ret;
100
101 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
102 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
103 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
104 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
105 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
106 {
107 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
108 }
109
110 if( N != NULL )
111 ctx->len = mbedtls_mpi_size( &ctx->N );
112
113 return( 0 );
114}
115
116int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
Hanno Becker74716312017-10-02 10:00:37 +0100117 unsigned char const *N, size_t N_len,
118 unsigned char const *P, size_t P_len,
119 unsigned char const *Q, size_t Q_len,
120 unsigned char const *D, size_t D_len,
121 unsigned char const *E, size_t E_len )
Hanno Becker617c1ae2017-08-23 14:11:24 +0100122{
Hanno Beckerd4d60572018-01-10 07:12:01 +0000123 int ret = 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100124
125 if( N != NULL )
126 {
127 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
128 ctx->len = mbedtls_mpi_size( &ctx->N );
129 }
130
131 if( P != NULL )
132 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
133
134 if( Q != NULL )
135 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
136
137 if( D != NULL )
138 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
139
140 if( E != NULL )
141 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
142
143cleanup:
144
145 if( ret != 0 )
146 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
147
148 return( 0 );
149}
150
Hanno Becker705fc682017-10-10 17:57:02 +0100151/*
152 * Checks whether the context fields are set in such a way
153 * that the RSA primitives will be able to execute without error.
154 * It does *not* make guarantees for consistency of the parameters.
155 */
Hanno Beckerebd2c022017-10-12 10:54:53 +0100156static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
157 int blinding_needed )
Hanno Becker705fc682017-10-10 17:57:02 +0100158{
Hanno Beckerebd2c022017-10-12 10:54:53 +0100159#if !defined(MBEDTLS_RSA_NO_CRT)
160 /* blinding_needed is only used for NO_CRT to decide whether
161 * P,Q need to be present or not. */
162 ((void) blinding_needed);
163#endif
164
Hanno Becker3a760a12018-01-05 08:14:49 +0000165 if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
166 ctx->len > MBEDTLS_MPI_MAX_SIZE )
167 {
Hanno Becker705fc682017-10-10 17:57:02 +0100168 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker3a760a12018-01-05 08:14:49 +0000169 }
Hanno Becker705fc682017-10-10 17:57:02 +0100170
171 /*
172 * 1. Modular exponentiation needs positive, odd moduli.
173 */
174
175 /* Modular exponentiation wrt. N is always used for
176 * RSA public key operations. */
177 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
178 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
179 {
180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
181 }
182
183#if !defined(MBEDTLS_RSA_NO_CRT)
184 /* Modular exponentiation for P and Q is only
185 * used for private key operations and if CRT
186 * is used. */
187 if( is_priv &&
188 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
189 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
190 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
191 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
192 {
193 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
194 }
195#endif /* !MBEDTLS_RSA_NO_CRT */
196
197 /*
198 * 2. Exponents must be positive
199 */
200
201 /* Always need E for public key operations */
202 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
203 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
204
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100205#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker705fc682017-10-10 17:57:02 +0100206 /* For private key operations, use D or DP & DQ
207 * as (unblinded) exponents. */
208 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
209 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
210#else
211 if( is_priv &&
212 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
213 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
214 {
215 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
216 }
217#endif /* MBEDTLS_RSA_NO_CRT */
218
219 /* Blinding shouldn't make exponents negative either,
220 * so check that P, Q >= 1 if that hasn't yet been
221 * done as part of 1. */
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100222#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Beckerebd2c022017-10-12 10:54:53 +0100223 if( is_priv && blinding_needed &&
Hanno Becker705fc682017-10-10 17:57:02 +0100224 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
225 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
226 {
227 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
228 }
229#endif
230
231 /* It wouldn't lead to an error if it wasn't satisfied,
Hanno Beckerf8c028a2017-10-17 09:20:57 +0100232 * but check for QP >= 1 nonetheless. */
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100233#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker705fc682017-10-10 17:57:02 +0100234 if( is_priv &&
235 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
236 {
237 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
238 }
239#endif
240
241 return( 0 );
242}
243
Hanno Beckerf9e184b2017-10-10 16:49:26 +0100244int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100245{
246 int ret = 0;
247
Hanno Becker617c1ae2017-08-23 14:11:24 +0100248 const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
249 const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
250 const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
251 const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
252 const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100253
Hanno Becker617c1ae2017-08-23 14:11:24 +0100254 /*
255 * Check whether provided parameters are enough
256 * to deduce all others. The following incomplete
257 * parameter sets for private keys are supported:
258 *
259 * (1) P, Q missing.
260 * (2) D and potentially N missing.
261 *
262 */
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100263
Hanno Becker2cca6f32017-09-29 11:46:40 +0100264 const int n_missing = have_P && have_Q && have_D && have_E;
265 const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
266 const int d_missing = have_P && have_Q && !have_D && have_E;
267 const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
268
269 /* These three alternatives are mutually exclusive */
270 const int is_priv = n_missing || pq_missing || d_missing;
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100271
Hanno Becker617c1ae2017-08-23 14:11:24 +0100272 if( !is_priv && !is_pub )
273 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
274
275 /*
Hanno Becker2cca6f32017-09-29 11:46:40 +0100276 * Step 1: Deduce N if P, Q are provided.
277 */
278
279 if( !have_N && have_P && have_Q )
280 {
281 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
282 &ctx->Q ) ) != 0 )
283 {
284 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
285 }
286
287 ctx->len = mbedtls_mpi_size( &ctx->N );
288 }
289
290 /*
291 * Step 2: Deduce and verify all remaining core parameters.
Hanno Becker617c1ae2017-08-23 14:11:24 +0100292 */
293
294 if( pq_missing )
295 {
Hanno Beckerc36aab62017-10-17 09:15:06 +0100296 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
Hanno Becker617c1ae2017-08-23 14:11:24 +0100297 &ctx->P, &ctx->Q );
298 if( ret != 0 )
299 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
300
301 }
302 else if( d_missing )
303 {
Hanno Becker8ba6ce42017-10-03 14:36:26 +0100304 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
305 &ctx->Q,
306 &ctx->E,
307 &ctx->D ) ) != 0 )
Hanno Becker617c1ae2017-08-23 14:11:24 +0100308 {
309 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
310 }
311 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100312
Hanno Becker617c1ae2017-08-23 14:11:24 +0100313 /*
Hanno Becker2cca6f32017-09-29 11:46:40 +0100314 * Step 3: Deduce all additional parameters specific
Hanno Beckere8674892017-10-10 17:56:14 +0100315 * to our current RSA implementation.
Hanno Becker617c1ae2017-08-23 14:11:24 +0100316 */
317
Hanno Becker23344b52017-08-23 07:43:27 +0100318#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100319 if( is_priv )
320 {
321 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
322 &ctx->DP, &ctx->DQ, &ctx->QP );
323 if( ret != 0 )
324 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
325 }
Hanno Becker23344b52017-08-23 07:43:27 +0100326#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker617c1ae2017-08-23 14:11:24 +0100327
328 /*
Hanno Becker705fc682017-10-10 17:57:02 +0100329 * Step 3: Basic sanity checks
Hanno Becker617c1ae2017-08-23 14:11:24 +0100330 */
331
Hanno Beckerebd2c022017-10-12 10:54:53 +0100332 return( rsa_check_context( ctx, is_priv, 1 ) );
Hanno Becker617c1ae2017-08-23 14:11:24 +0100333}
334
Hanno Becker617c1ae2017-08-23 14:11:24 +0100335int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
336 unsigned char *N, size_t N_len,
337 unsigned char *P, size_t P_len,
338 unsigned char *Q, size_t Q_len,
339 unsigned char *D, size_t D_len,
340 unsigned char *E, size_t E_len )
341{
342 int ret = 0;
343
344 /* Check if key is private or public */
345 const int is_priv =
346 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
347 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
348 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
349 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
350 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
351
352 if( !is_priv )
353 {
354 /* If we're trying to export private parameters for a public key,
355 * something must be wrong. */
356 if( P != NULL || Q != NULL || D != NULL )
357 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
358
359 }
360
361 if( N != NULL )
362 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
363
364 if( P != NULL )
365 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
366
367 if( Q != NULL )
368 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
369
370 if( D != NULL )
371 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
372
373 if( E != NULL )
374 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100375
376cleanup:
377
378 return( ret );
379}
380
Hanno Becker617c1ae2017-08-23 14:11:24 +0100381int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
382 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
383 mbedtls_mpi *D, mbedtls_mpi *E )
384{
385 int ret;
386
387 /* Check if key is private or public */
388 int is_priv =
389 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
390 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
391 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
392 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
393 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
394
395 if( !is_priv )
396 {
397 /* If we're trying to export private parameters for a public key,
398 * something must be wrong. */
399 if( P != NULL || Q != NULL || D != NULL )
400 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
401
402 }
403
404 /* Export all requested core parameters. */
405
406 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
407 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
408 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
409 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
410 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
411 {
412 return( ret );
413 }
414
415 return( 0 );
416}
417
418/*
419 * Export CRT parameters
420 * This must also be implemented if CRT is not used, for being able to
421 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
422 * can be used in this case.
423 */
424int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
425 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
426{
427 int ret;
428
429 /* Check if key is private or public */
430 int is_priv =
431 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
432 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
433 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
434 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
435 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
436
437 if( !is_priv )
438 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
439
Hanno Beckerdc95c892017-08-23 06:57:02 +0100440#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100441 /* Export all requested blinding parameters. */
Hanno Becker617c1ae2017-08-23 14:11:24 +0100442 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
443 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
444 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
445 {
Hanno Beckerdc95c892017-08-23 06:57:02 +0100446 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
Hanno Becker617c1ae2017-08-23 14:11:24 +0100447 }
Hanno Beckerdc95c892017-08-23 06:57:02 +0100448#else
449 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
450 DP, DQ, QP ) ) != 0 )
451 {
452 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
453 }
454#endif
Hanno Becker617c1ae2017-08-23 14:11:24 +0100455
456 return( 0 );
457}
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100458
Paul Bakker5121ce52009-01-03 21:22:43 +0000459/*
460 * Initialize an RSA context
461 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200462void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000463 int padding,
Paul Bakker21eb2802010-08-16 11:10:02 +0000464 int hash_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000465{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200466 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000467
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200468 mbedtls_rsa_set_padding( ctx, padding, hash_id );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200470#if defined(MBEDTLS_THREADING_C)
471 mbedtls_mutex_init( &ctx->mutex );
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200472#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000473}
474
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100475/*
476 * Set padding for an existing RSA context
477 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200478void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100479{
480 ctx->padding = padding;
481 ctx->hash_id = hash_id;
482}
483
Hanno Becker617c1ae2017-08-23 14:11:24 +0100484/*
485 * Get length in bytes of RSA modulus
486 */
487
488size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
489{
Hanno Becker2f8f06a2017-09-29 11:47:26 +0100490 return( ctx->len );
Hanno Becker617c1ae2017-08-23 14:11:24 +0100491}
492
493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200494#if defined(MBEDTLS_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000495
496/*
497 * Generate an RSA keypair
498 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200499int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000500 int (*f_rng)(void *, unsigned char *, size_t),
501 void *p_rng,
502 unsigned int nbits, int exponent )
Paul Bakker5121ce52009-01-03 21:22:43 +0000503{
504 int ret;
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100505 mbedtls_mpi H, G;
Paul Bakker5121ce52009-01-03 21:22:43 +0000506
Paul Bakker21eb2802010-08-16 11:10:02 +0000507 if( f_rng == NULL || nbits < 128 || exponent < 3 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200508 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000509
Janos Follathef441782016-09-21 13:18:12 +0100510 if( nbits % 2 )
511 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
512
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100513 mbedtls_mpi_init( &H );
514 mbedtls_mpi_init( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000515
516 /*
517 * find primes P and Q with Q < P so that:
518 * GCD( E, (P-1)*(Q-1) ) == 1
519 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200520 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000521
522 do
523 {
Janos Follath10c575b2016-02-23 14:42:48 +0000524 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100525 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000526
Janos Follathef441782016-09-21 13:18:12 +0100527 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100528 f_rng, p_rng ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000529
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200530 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000531 continue;
532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200533 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +0200534 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000535 continue;
536
Janos Follathef441782016-09-21 13:18:12 +0100537 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100538 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
Janos Follathef441782016-09-21 13:18:12 +0100539
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100540 /* Temporarily replace P,Q by P-1, Q-1 */
541 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
542 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
543 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200544 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000545 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200546 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000547
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100548 /* Restore P,Q */
549 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
550 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
551
552 ctx->len = mbedtls_mpi_size( &ctx->N );
553
Paul Bakker5121ce52009-01-03 21:22:43 +0000554 /*
555 * D = E^-1 mod ((P-1)*(Q-1))
556 * DP = D mod (P - 1)
557 * DQ = D mod (Q - 1)
558 * QP = Q^-1 mod P
559 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000560
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100561 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H ) );
562
563#if !defined(MBEDTLS_RSA_NO_CRT)
564 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
565 &ctx->DP, &ctx->DQ, &ctx->QP ) );
566#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000567
Hanno Becker83aad1f2017-08-23 06:45:10 +0100568 /* Double-check */
569 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000570
571cleanup:
572
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100573 mbedtls_mpi_free( &H );
574 mbedtls_mpi_free( &G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000575
576 if( ret != 0 )
577 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200578 mbedtls_rsa_free( ctx );
579 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000580 }
581
Paul Bakker48377d92013-08-30 12:06:24 +0200582 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000583}
584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200585#endif /* MBEDTLS_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000586
587/*
588 * Check a public RSA key
589 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200590int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000591{
Hanno Beckerebd2c022017-10-12 10:54:53 +0100592 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200593 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker37940d9f2009-07-10 22:38:58 +0000594
Hanno Becker3a760a12018-01-05 08:14:49 +0000595 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
Hanno Becker98838b02017-10-02 13:16:10 +0100596 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200597 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker98838b02017-10-02 13:16:10 +0100598 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000599
Hanno Becker705fc682017-10-10 17:57:02 +0100600 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
601 mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200602 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
Hanno Becker98838b02017-10-02 13:16:10 +0100603 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200604 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker98838b02017-10-02 13:16:10 +0100605 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000606
607 return( 0 );
608}
609
610/*
Hanno Becker705fc682017-10-10 17:57:02 +0100611 * Check for the consistency of all fields in an RSA private key context
Paul Bakker5121ce52009-01-03 21:22:43 +0000612 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200613int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +0000614{
Hanno Becker705fc682017-10-10 17:57:02 +0100615 if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
Hanno Beckerebd2c022017-10-12 10:54:53 +0100616 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000617 {
Hanno Becker98838b02017-10-02 13:16:10 +0100618 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000619 }
Paul Bakker48377d92013-08-30 12:06:24 +0200620
Hanno Becker98838b02017-10-02 13:16:10 +0100621 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
Hanno Beckerb269a852017-08-25 08:03:21 +0100622 &ctx->D, &ctx->E, NULL, NULL ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000623 {
Hanno Beckerb269a852017-08-25 08:03:21 +0100624 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000625 }
Paul Bakker6c591fa2011-05-05 11:49:20 +0000626
Hanno Beckerb269a852017-08-25 08:03:21 +0100627#if !defined(MBEDTLS_RSA_NO_CRT)
628 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
629 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
630 {
631 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
632 }
633#endif
Paul Bakker6c591fa2011-05-05 11:49:20 +0000634
635 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000636}
637
638/*
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100639 * Check if contexts holding a public and private key match
640 */
Hanno Becker98838b02017-10-02 13:16:10 +0100641int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
642 const mbedtls_rsa_context *prv )
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100643{
Hanno Becker98838b02017-10-02 13:16:10 +0100644 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200645 mbedtls_rsa_check_privkey( prv ) != 0 )
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100646 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200647 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100648 }
649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200650 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
651 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100652 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200653 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100654 }
655
656 return( 0 );
657}
658
659/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000660 * Do an RSA public key operation
661 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200662int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000663 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000664 unsigned char *output )
665{
Paul Bakker23986e52011-04-24 08:57:21 +0000666 int ret;
667 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200668 mbedtls_mpi T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000669
Hanno Beckerebd2c022017-10-12 10:54:53 +0100670 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
Hanno Becker705fc682017-10-10 17:57:02 +0100671 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200673 mbedtls_mpi_init( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000674
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200675#if defined(MBEDTLS_THREADING_C)
676 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
677 return( ret );
678#endif
679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200680 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200682 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000683 {
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +0200684 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
685 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000686 }
687
688 olen = ctx->len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200689 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
690 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000691
692cleanup:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200693#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +0200694 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
695 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100696#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200698 mbedtls_mpi_free( &T );
Paul Bakker5121ce52009-01-03 21:22:43 +0000699
700 if( ret != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200701 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000702
703 return( 0 );
704}
705
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200706/*
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200707 * Generate or update blinding values, see section 10 of:
708 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard998930a2015-04-03 13:48:06 +0200709 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200710 * Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200711 */
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200712static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200713 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
714{
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200715 int ret, count = 0;
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200716
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200717 if( ctx->Vf.p != NULL )
718 {
719 /* We already have blinding values, just update them by squaring */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200720 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
721 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
722 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
723 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200724
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200725 goto cleanup;
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200726 }
727
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200728 /* Unblinding value: Vf = random number, invertible mod N */
729 do {
730 if( count++ > 10 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200731 return( MBEDTLS_ERR_RSA_RNG_FAILED );
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200733 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
734 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
735 } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200736
737 /* Blinding value: Vi = Vf^(-e) mod N */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200738 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
739 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200740
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200741
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200742cleanup:
743 return( ret );
744}
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200745
Paul Bakker5121ce52009-01-03 21:22:43 +0000746/*
Janos Follathe81102e2017-03-22 13:38:28 +0000747 * Exponent blinding supposed to prevent side-channel attacks using multiple
748 * traces of measurements to recover the RSA key. The more collisions are there,
749 * the more bits of the key can be recovered. See [3].
750 *
751 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
752 * observations on avarage.
753 *
754 * For example with 28 byte blinding to achieve 2 collisions the adversary has
755 * to make 2^112 observations on avarage.
756 *
757 * (With the currently (as of 2017 April) known best algorithms breaking 2048
758 * bit RSA requires approximately as much time as trying out 2^112 random keys.
759 * Thus in this sense with 28 byte blinding the security is not reduced by
760 * side-channel attacks like the one in [3])
761 *
762 * This countermeasure does not help if the key recovery is possible with a
763 * single trace.
764 */
765#define RSA_EXPONENT_BLINDING 28
766
767/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000768 * Do an RSA private key operation
769 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200770int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200771 int (*f_rng)(void *, unsigned char *, size_t),
772 void *p_rng,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000773 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000774 unsigned char *output )
775{
Paul Bakker23986e52011-04-24 08:57:21 +0000776 int ret;
777 size_t olen;
Hanno Beckera5fa0792018-03-09 10:42:23 +0000778
779 /* Temporary holding the result */
780 mbedtls_mpi T;
781
782 /* Temporaries holding P-1, Q-1 and the
783 * exponent blinding factor, respectively. */
Janos Follathf9203b42017-03-22 15:13:15 +0000784 mbedtls_mpi P1, Q1, R;
Hanno Beckera5fa0792018-03-09 10:42:23 +0000785
786#if !defined(MBEDTLS_RSA_NO_CRT)
787 /* Temporaries holding the results mod p resp. mod q. */
788 mbedtls_mpi TP, TQ;
789
790 /* Temporaries holding the blinded exponents for
791 * the mod p resp. mod q computation (if used). */
Janos Follathf9203b42017-03-22 15:13:15 +0000792 mbedtls_mpi DP_blind, DQ_blind;
Hanno Beckera5fa0792018-03-09 10:42:23 +0000793
794 /* Pointers to actual exponents to be used - either the unblinded
795 * or the blinded ones, depending on the presence of a PRNG. */
Janos Follathf9203b42017-03-22 15:13:15 +0000796 mbedtls_mpi *DP = &ctx->DP;
797 mbedtls_mpi *DQ = &ctx->DQ;
Hanno Beckera5fa0792018-03-09 10:42:23 +0000798#else
799 /* Temporary holding the blinded exponent (if used). */
800 mbedtls_mpi D_blind;
801
802 /* Pointer to actual exponent to be used - either the unblinded
803 * or the blinded one, depending on the presence of a PRNG. */
804 mbedtls_mpi *D = &ctx->D;
805#endif /* MBEDTLS_RSA_NO_CRT */
806
807 /* Temporaries holding the initial input and the double
808 * checked result; should be the same in the end. */
809 mbedtls_mpi I, C;
Paul Bakker5121ce52009-01-03 21:22:43 +0000810
Hanno Beckerebd2c022017-10-12 10:54:53 +0100811 if( rsa_check_context( ctx, 1 /* private key checks */,
812 f_rng != NULL /* blinding y/n */ ) != 0 )
813 {
Manuel Pégourié-Gonnardfb84d382015-10-30 10:56:25 +0100814 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Beckerebd2c022017-10-12 10:54:53 +0100815 }
Manuel Pégourié-Gonnardfb84d382015-10-30 10:56:25 +0100816
Hanno Beckera5fa0792018-03-09 10:42:23 +0000817#if defined(MBEDTLS_THREADING_C)
818 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
819 return( ret );
820#endif
821
822 /* MPI Initialization */
823 mbedtls_mpi_init( &T );
824
825 mbedtls_mpi_init( &P1 );
826 mbedtls_mpi_init( &Q1 );
827 mbedtls_mpi_init( &R );
Janos Follathf9203b42017-03-22 15:13:15 +0000828
Janos Follathf9203b42017-03-22 15:13:15 +0000829 if( f_rng != NULL )
830 {
Janos Follathe81102e2017-03-22 13:38:28 +0000831#if defined(MBEDTLS_RSA_NO_CRT)
Janos Follathf9203b42017-03-22 15:13:15 +0000832 mbedtls_mpi_init( &D_blind );
833#else
834 mbedtls_mpi_init( &DP_blind );
835 mbedtls_mpi_init( &DQ_blind );
Janos Follathe81102e2017-03-22 13:38:28 +0000836#endif
Janos Follathf9203b42017-03-22 15:13:15 +0000837 }
Janos Follathe81102e2017-03-22 13:38:28 +0000838
Hanno Beckera5fa0792018-03-09 10:42:23 +0000839#if !defined(MBEDTLS_RSA_NO_CRT)
840 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200841#endif
842
Hanno Beckera5fa0792018-03-09 10:42:23 +0000843 mbedtls_mpi_init( &I );
844 mbedtls_mpi_init( &C );
845
846 /* End of MPI initialization */
847
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200848 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
849 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000850 {
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +0200851 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
852 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000853 }
854
Hanno Beckera5fa0792018-03-09 10:42:23 +0000855 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
856
Paul Bakkerf451bac2013-08-30 15:37:02 +0200857 if( f_rng != NULL )
858 {
859 /*
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200860 * Blinding
861 * T = T * Vi mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200862 */
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200863 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
864 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200865 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Janos Follathe81102e2017-03-22 13:38:28 +0000866
Janos Follathe81102e2017-03-22 13:38:28 +0000867 /*
868 * Exponent blinding
869 */
870 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
871 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
872
Janos Follathf9203b42017-03-22 15:13:15 +0000873#if defined(MBEDTLS_RSA_NO_CRT)
Janos Follathe81102e2017-03-22 13:38:28 +0000874 /*
875 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
876 */
877 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
878 f_rng, p_rng ) );
879 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
880 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
881 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
882
883 D = &D_blind;
Janos Follathf9203b42017-03-22 15:13:15 +0000884#else
885 /*
886 * DP_blind = ( P - 1 ) * R + DP
887 */
888 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
889 f_rng, p_rng ) );
890 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
891 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
892 &ctx->DP ) );
893
894 DP = &DP_blind;
895
896 /*
897 * DQ_blind = ( Q - 1 ) * R + DQ
898 */
899 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
900 f_rng, p_rng ) );
901 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
902 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
903 &ctx->DQ ) );
904
905 DQ = &DQ_blind;
Janos Follathe81102e2017-03-22 13:38:28 +0000906#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakkerf451bac2013-08-30 15:37:02 +0200907 }
Paul Bakkeraab30c12013-08-30 11:00:25 +0200908
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200909#if defined(MBEDTLS_RSA_NO_CRT)
Janos Follathe81102e2017-03-22 13:38:28 +0000910 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100911#else
Paul Bakkeraab30c12013-08-30 11:00:25 +0200912 /*
Janos Follathe81102e2017-03-22 13:38:28 +0000913 * Faster decryption using the CRT
Paul Bakker5121ce52009-01-03 21:22:43 +0000914 *
Hanno Beckera5fa0792018-03-09 10:42:23 +0000915 * TP = input ^ dP mod P
916 * TQ = input ^ dQ mod Q
Paul Bakker5121ce52009-01-03 21:22:43 +0000917 */
Hanno Beckera5fa0792018-03-09 10:42:23 +0000918
919 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
920 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000921
922 /*
Hanno Beckera5fa0792018-03-09 10:42:23 +0000923 * T = (TP - TQ) * (Q^-1 mod P) mod P
Paul Bakker5121ce52009-01-03 21:22:43 +0000924 */
Hanno Beckera5fa0792018-03-09 10:42:23 +0000925 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
926 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
927 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000928
929 /*
Hanno Beckera5fa0792018-03-09 10:42:23 +0000930 * T = TQ + T * Q
Paul Bakker5121ce52009-01-03 21:22:43 +0000931 */
Hanno Beckera5fa0792018-03-09 10:42:23 +0000932 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
933 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200934#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakkeraab30c12013-08-30 11:00:25 +0200935
Paul Bakkerf451bac2013-08-30 15:37:02 +0200936 if( f_rng != NULL )
937 {
938 /*
939 * Unblind
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200940 * T = T * Vf mod N
Paul Bakkerf451bac2013-08-30 15:37:02 +0200941 */
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200942 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200943 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Paul Bakkerf451bac2013-08-30 15:37:02 +0200944 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000945
Hanno Beckera5fa0792018-03-09 10:42:23 +0000946 /* Verify the result to prevent glitching attacks. */
947 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
948 &ctx->N, &ctx->RN ) );
949 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
950 {
951 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
952 goto cleanup;
953 }
954
Paul Bakker5121ce52009-01-03 21:22:43 +0000955 olen = ctx->len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200956 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000957
958cleanup:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200959#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +0200960 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
961 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200962#endif
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200963
Hanno Beckera5fa0792018-03-09 10:42:23 +0000964 mbedtls_mpi_free( &P1 );
965 mbedtls_mpi_free( &Q1 );
966 mbedtls_mpi_free( &R );
Janos Follathf9203b42017-03-22 15:13:15 +0000967
968 if( f_rng != NULL )
969 {
Janos Follathe81102e2017-03-22 13:38:28 +0000970#if defined(MBEDTLS_RSA_NO_CRT)
Janos Follathf9203b42017-03-22 15:13:15 +0000971 mbedtls_mpi_free( &D_blind );
972#else
973 mbedtls_mpi_free( &DP_blind );
974 mbedtls_mpi_free( &DQ_blind );
Janos Follathe81102e2017-03-22 13:38:28 +0000975#endif
Janos Follathf9203b42017-03-22 15:13:15 +0000976 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000977
Hanno Beckera5fa0792018-03-09 10:42:23 +0000978 mbedtls_mpi_free( &T );
979
980#if !defined(MBEDTLS_RSA_NO_CRT)
981 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
982#endif
983
984 mbedtls_mpi_free( &C );
985 mbedtls_mpi_free( &I );
986
Paul Bakker5121ce52009-01-03 21:22:43 +0000987 if( ret != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200988 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000989
990 return( 0 );
991}
992
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200993#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker9dcc3222011-03-08 14:16:06 +0000994/**
995 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
996 *
Paul Bakkerb125ed82011-11-10 13:33:51 +0000997 * \param dst buffer to mask
998 * \param dlen length of destination buffer
999 * \param src source of the mask generation
1000 * \param slen length of the source buffer
1001 * \param md_ctx message digest context to use
Paul Bakker9dcc3222011-03-08 14:16:06 +00001002 */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001003static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001004 size_t slen, mbedtls_md_context_t *md_ctx )
Paul Bakker9dcc3222011-03-08 14:16:06 +00001005{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001006 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +00001007 unsigned char counter[4];
1008 unsigned char *p;
Paul Bakker23986e52011-04-24 08:57:21 +00001009 unsigned int hlen;
1010 size_t i, use_len;
Andres Amaya Garcia94682d12017-07-20 14:26:37 +01001011 int ret = 0;
Paul Bakker9dcc3222011-03-08 14:16:06 +00001012
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001013 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
Paul Bakker9dcc3222011-03-08 14:16:06 +00001014 memset( counter, 0, 4 );
1015
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001016 hlen = mbedtls_md_get_size( md_ctx->md_info );
Paul Bakker9dcc3222011-03-08 14:16:06 +00001017
Simon Butcher02037452016-03-01 21:19:12 +00001018 /* Generate and apply dbMask */
Paul Bakker9dcc3222011-03-08 14:16:06 +00001019 p = dst;
1020
1021 while( dlen > 0 )
1022 {
1023 use_len = hlen;
1024 if( dlen < hlen )
1025 use_len = dlen;
1026
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001027 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
1028 goto exit;
1029 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
1030 goto exit;
1031 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
1032 goto exit;
1033 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
1034 goto exit;
Paul Bakker9dcc3222011-03-08 14:16:06 +00001035
1036 for( i = 0; i < use_len; ++i )
1037 *p++ ^= mask[i];
1038
1039 counter[3]++;
1040
1041 dlen -= use_len;
1042 }
Gilles Peskine18ac7162017-05-05 19:24:06 +02001043
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001044exit:
Gilles Peskine18ac7162017-05-05 19:24:06 +02001045 mbedtls_zeroize( mask, sizeof( mask ) );
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001046
1047 return( ret );
Paul Bakker9dcc3222011-03-08 14:16:06 +00001048}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001049#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker9dcc3222011-03-08 14:16:06 +00001050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001051#if defined(MBEDTLS_PKCS1_V21)
Paul Bakkerb3869132013-02-28 17:21:01 +01001052/*
1053 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1054 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001055int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
Paul Bakkerb3869132013-02-28 17:21:01 +01001056 int (*f_rng)(void *, unsigned char *, size_t),
1057 void *p_rng,
Paul Bakkera43231c2013-02-28 17:33:49 +01001058 int mode,
1059 const unsigned char *label, size_t label_len,
1060 size_t ilen,
Paul Bakkerb3869132013-02-28 17:21:01 +01001061 const unsigned char *input,
1062 unsigned char *output )
1063{
1064 size_t olen;
1065 int ret;
1066 unsigned char *p = output;
1067 unsigned int hlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001068 const mbedtls_md_info_t *md_info;
1069 mbedtls_md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +01001070
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001071 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1072 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +02001073
1074 if( f_rng == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001075 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001076
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001077 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +01001078 if( md_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001079 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001080
1081 olen = ctx->len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001082 hlen = mbedtls_md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +01001083
Simon Butcher02037452016-03-01 21:19:12 +00001084 /* first comparison checks for overflow */
Janos Follatheddfe8f2016-02-08 14:52:29 +00001085 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001086 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001087
1088 memset( output, 0, olen );
1089
1090 *p++ = 0;
1091
Simon Butcher02037452016-03-01 21:19:12 +00001092 /* Generate a random octet string seed */
Paul Bakkerb3869132013-02-28 17:21:01 +01001093 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001094 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
Paul Bakkerb3869132013-02-28 17:21:01 +01001095
1096 p += hlen;
1097
Simon Butcher02037452016-03-01 21:19:12 +00001098 /* Construct DB */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001099 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
1100 return( ret );
Paul Bakkerb3869132013-02-28 17:21:01 +01001101 p += hlen;
1102 p += olen - 2 * hlen - 2 - ilen;
1103 *p++ = 1;
1104 memcpy( p, input, ilen );
1105
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001106 mbedtls_md_init( &md_ctx );
Brian J Murraye7be5bd2016-06-23 12:57:03 -07001107 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001108 goto exit;
Paul Bakkerb3869132013-02-28 17:21:01 +01001109
Simon Butcher02037452016-03-01 21:19:12 +00001110 /* maskedDB: Apply dbMask to DB */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001111 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1112 &md_ctx ) ) != 0 )
1113 goto exit;
Paul Bakkerb3869132013-02-28 17:21:01 +01001114
Simon Butcher02037452016-03-01 21:19:12 +00001115 /* maskedSeed: Apply seedMask to seed */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001116 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1117 &md_ctx ) ) != 0 )
1118 goto exit;
Paul Bakkerb3869132013-02-28 17:21:01 +01001119
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001120exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001121 mbedtls_md_free( &md_ctx );
Paul Bakkerb3869132013-02-28 17:21:01 +01001122
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001123 if( ret != 0 )
1124 return( ret );
1125
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001126 return( ( mode == MBEDTLS_RSA_PUBLIC )
1127 ? mbedtls_rsa_public( ctx, output, output )
1128 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +01001129}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001130#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001131
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001132#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +01001133/*
1134 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1135 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001136int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
Paul Bakkerb3869132013-02-28 17:21:01 +01001137 int (*f_rng)(void *, unsigned char *, size_t),
1138 void *p_rng,
1139 int mode, size_t ilen,
1140 const unsigned char *input,
1141 unsigned char *output )
1142{
1143 size_t nb_pad, olen;
1144 int ret;
1145 unsigned char *p = output;
1146
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001147 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1148 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +02001149
Janos Follath1ed9f992016-03-18 11:45:44 +00001150 // We don't check p_rng because it won't be dereferenced here
1151 if( f_rng == NULL || input == NULL || output == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001152 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001153
1154 olen = ctx->len;
Manuel Pégourié-Gonnard370717b2016-02-11 10:35:13 +01001155
Simon Butcher02037452016-03-01 21:19:12 +00001156 /* first comparison checks for overflow */
Janos Follatheddfe8f2016-02-08 14:52:29 +00001157 if( ilen + 11 < ilen || olen < ilen + 11 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001158 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001159
1160 nb_pad = olen - 3 - ilen;
1161
1162 *p++ = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001163 if( mode == MBEDTLS_RSA_PUBLIC )
Paul Bakkerb3869132013-02-28 17:21:01 +01001164 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001165 *p++ = MBEDTLS_RSA_CRYPT;
Paul Bakkerb3869132013-02-28 17:21:01 +01001166
1167 while( nb_pad-- > 0 )
1168 {
1169 int rng_dl = 100;
1170
1171 do {
1172 ret = f_rng( p_rng, p, 1 );
1173 } while( *p == 0 && --rng_dl && ret == 0 );
1174
Simon Butcher02037452016-03-01 21:19:12 +00001175 /* Check if RNG failed to generate data */
Paul Bakker66d5d072014-06-17 16:39:18 +02001176 if( rng_dl == 0 || ret != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001177 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
Paul Bakkerb3869132013-02-28 17:21:01 +01001178
1179 p++;
1180 }
1181 }
1182 else
1183 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001184 *p++ = MBEDTLS_RSA_SIGN;
Paul Bakkerb3869132013-02-28 17:21:01 +01001185
1186 while( nb_pad-- > 0 )
1187 *p++ = 0xFF;
1188 }
1189
1190 *p++ = 0;
1191 memcpy( p, input, ilen );
1192
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001193 return( ( mode == MBEDTLS_RSA_PUBLIC )
1194 ? mbedtls_rsa_public( ctx, output, output )
1195 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
Paul Bakkerb3869132013-02-28 17:21:01 +01001196}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001197#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001198
Paul Bakker5121ce52009-01-03 21:22:43 +00001199/*
1200 * Add the message padding, then do an RSA operation
1201 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001202int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +00001203 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker21eb2802010-08-16 11:10:02 +00001204 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +00001205 int mode, size_t ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +00001206 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +00001207 unsigned char *output )
1208{
Paul Bakker5121ce52009-01-03 21:22:43 +00001209 switch( ctx->padding )
1210 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001211#if defined(MBEDTLS_PKCS1_V15)
1212 case MBEDTLS_RSA_PKCS_V15:
1213 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
Paul Bakkerb3869132013-02-28 17:21:01 +01001214 input, output );
Paul Bakker48377d92013-08-30 12:06:24 +02001215#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001217#if defined(MBEDTLS_PKCS1_V21)
1218 case MBEDTLS_RSA_PKCS_V21:
1219 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
Paul Bakkerb3869132013-02-28 17:21:01 +01001220 ilen, input, output );
Paul Bakker9dcc3222011-03-08 14:16:06 +00001221#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001222
1223 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001224 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +00001225 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001226}
1227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001228#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +00001229/*
Paul Bakkerb3869132013-02-28 17:21:01 +01001230 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker5121ce52009-01-03 21:22:43 +00001231 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001232int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +02001233 int (*f_rng)(void *, unsigned char *, size_t),
1234 void *p_rng,
1235 int mode,
Paul Bakkera43231c2013-02-28 17:33:49 +01001236 const unsigned char *label, size_t label_len,
1237 size_t *olen,
Paul Bakkerb3869132013-02-28 17:21:01 +01001238 const unsigned char *input,
1239 unsigned char *output,
1240 size_t output_max_len )
Paul Bakker5121ce52009-01-03 21:22:43 +00001241{
Paul Bakker23986e52011-04-24 08:57:21 +00001242 int ret;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001243 size_t ilen, i, pad_len;
1244 unsigned char *p, bad, pad_done;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001245 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1246 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +00001247 unsigned int hlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001248 const mbedtls_md_info_t *md_info;
1249 mbedtls_md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +01001250
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001251 /*
1252 * Parameters sanity checks
1253 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001254 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1255 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00001256
1257 ilen = ctx->len;
1258
Paul Bakker27fdf462011-06-09 13:55:13 +00001259 if( ilen < 16 || ilen > sizeof( buf ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001260 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00001261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001262 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001263 if( md_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001264 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001265
Janos Follathc17cda12016-02-11 11:08:18 +00001266 hlen = mbedtls_md_get_size( md_info );
1267
1268 // checking for integer underflow
1269 if( 2 * hlen + 2 > ilen )
1270 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1271
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001272 /*
1273 * RSA operation
1274 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001275 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1276 ? mbedtls_rsa_public( ctx, input, buf )
1277 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00001278
1279 if( ret != 0 )
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001280 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00001281
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001282 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001283 * Unmask data and generate lHash
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001284 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001285 mbedtls_md_init( &md_ctx );
Brian J Murraye7be5bd2016-06-23 12:57:03 -07001286 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1287 {
1288 mbedtls_md_free( &md_ctx );
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001289 goto cleanup;
Brian J Murraye7be5bd2016-06-23 12:57:03 -07001290 }
1291
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001292 /* seed: Apply seedMask to maskedSeed */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001293 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1294 &md_ctx ) ) != 0 ||
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001295 /* DB: Apply dbMask to maskedDB */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001296 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1297 &md_ctx ) ) != 0 )
1298 {
1299 mbedtls_md_free( &md_ctx );
1300 goto cleanup;
1301 }
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001303 mbedtls_md_free( &md_ctx );
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001304
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001305 /* Generate lHash */
1306 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
1307 goto cleanup;
1308
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001309 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001310 * Check contents, in "constant-time"
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001311 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001312 p = buf;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001313 bad = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001314
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001315 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001316
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001317 p += hlen; /* Skip seed */
Paul Bakkerb3869132013-02-28 17:21:01 +01001318
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +01001319 /* Check lHash */
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001320 for( i = 0; i < hlen; i++ )
1321 bad |= lhash[i] ^ *p++;
Paul Bakkerb3869132013-02-28 17:21:01 +01001322
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001323 /* Get zero-padding len, but always read till end of buffer
1324 * (minus one, for the 01 byte) */
1325 pad_len = 0;
1326 pad_done = 0;
1327 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
1328 {
1329 pad_done |= p[i];
Pascal Junodb99183d2015-03-11 16:49:45 +01001330 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001331 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001332
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001333 p += pad_len;
1334 bad |= *p++ ^ 0x01;
Paul Bakkerb3869132013-02-28 17:21:01 +01001335
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +01001336 /*
1337 * The only information "leaked" is whether the padding was correct or not
1338 * (eg, no data is copied if it was not correct). This meets the
1339 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1340 * the different error conditions.
1341 */
1342 if( bad != 0 )
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001343 {
1344 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1345 goto cleanup;
1346 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001347
Paul Bakker66d5d072014-06-17 16:39:18 +02001348 if( ilen - ( p - buf ) > output_max_len )
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001349 {
1350 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1351 goto cleanup;
1352 }
Paul Bakkerb3869132013-02-28 17:21:01 +01001353
1354 *olen = ilen - (p - buf);
1355 memcpy( output, p, *olen );
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001356 ret = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +01001357
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001358cleanup:
1359 mbedtls_zeroize( buf, sizeof( buf ) );
1360 mbedtls_zeroize( lhash, sizeof( lhash ) );
1361
1362 return( ret );
Paul Bakkerb3869132013-02-28 17:21:01 +01001363}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001364#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001366#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001367/** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.
1368 *
1369 * \param value The value to analyze.
Gilles Peskineb4739162018-10-04 18:32:29 +02001370 * \return Zero if \p value is zero, otherwise all-bits-one.
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001371 */
Gilles Peskineb4739162018-10-04 18:32:29 +02001372static unsigned all_or_nothing_int( unsigned value )
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001373{
1374 /* MSVC has a warning about unary minus on unsigned, but this is
1375 * well-defined and precisely what we want to do here */
1376#if defined(_MSC_VER)
1377#pragma warning( push )
1378#pragma warning( disable : 4146 )
1379#endif
1380 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
1381#if defined(_MSC_VER)
1382#pragma warning( pop )
1383#endif
1384}
1385
Gilles Peskinea04f8bb2018-10-04 21:18:30 +02001386/** Check whether a size is out of bounds, without branches.
1387 *
1388 * This is equivalent to `size > max`, but is likely to be compiled to
1389 * to code using bitwise operation rather than a branch.
1390 *
1391 * \param size Size to check.
1392 * \param max Maximum desired value for \p size.
1393 * \return \c 0 if `size <= max`.
1394 * \return \c 1 if `size > max`.
1395 */
1396static unsigned size_greater_than( size_t size, size_t max )
1397{
1398 /* Return the sign bit (1 for negative) of (max - size). */
1399 return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
1400}
1401
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001402/** Choose between two integer values, without branches.
1403 *
Gilles Peskineb4739162018-10-04 18:32:29 +02001404 * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled
1405 * to code using bitwise operation rather than a branch.
1406 *
1407 * \param cond Condition to test.
1408 * \param if1 Value to use if \p cond is nonzero.
1409 * \param if0 Value to use if \p cond is zero.
1410 * \return \c if1 if \p cond is nonzero, otherwise \c if0.
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001411 */
Gilles Peskineb4739162018-10-04 18:32:29 +02001412static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001413{
Gilles Peskineb4739162018-10-04 18:32:29 +02001414 unsigned mask = all_or_nothing_int( cond );
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001415 return( ( mask & if1 ) | (~mask & if0 ) );
1416}
1417
Gilles Peskinea04f8bb2018-10-04 21:18:30 +02001418/** Shift some data towards the left inside a buffer without leaking
1419 * the length of the data through side channels.
1420 *
1421 * `mem_move_to_left(start, total, offset)` is functionally equivalent to
1422 * ```
1423 * memmove(start, start + offset, total - offset);
1424 * memset(start + offset, 0, total - offset);
1425 * ```
1426 * but it strives to use a memory access pattern (and thus total timing)
1427 * that does not depend on \p offset. This timing independence comes at
1428 * the expense of performance.
1429 *
1430 * \param start Pointer to the start of the buffer.
1431 * \param total Total size of the buffer.
1432 * \param offset Offset from which to copy \p total - \p offset bytes.
1433 */
1434static void mem_move_to_left( void *start,
1435 size_t total,
1436 size_t offset )
1437{
1438 volatile unsigned char *buf = start;
1439 size_t i, n;
1440 if( total == 0 )
1441 return;
1442 for( i = 0; i < total; i++ )
1443 {
1444 unsigned no_op = size_greater_than( total - offset, i );
1445 /* The first `total - offset` passes are a no-op. The last
1446 * `offset` passes shift the data one byte to the left and
1447 * zero out the last byte. */
1448 for( n = 0; n < total - 1; n++ )
1449 buf[n] = if_int( no_op, buf[n], buf[n+1] );
1450 buf[total-1] = if_int( no_op, buf[total-1], 0 );
1451 }
1452}
1453
Paul Bakkerb3869132013-02-28 17:21:01 +01001454/*
1455 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1456 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001457int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +02001458 int (*f_rng)(void *, unsigned char *, size_t),
1459 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +01001460 int mode, size_t *olen,
1461 const unsigned char *input,
1462 unsigned char *output,
Gilles Peskinecd500f32018-10-02 22:43:06 +02001463 size_t output_max_len )
Paul Bakkerb3869132013-02-28 17:21:01 +01001464{
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001465 int ret;
Gilles Peskinecd500f32018-10-02 22:43:06 +02001466 size_t ilen = ctx->len;
Gilles Peskinecd500f32018-10-02 22:43:06 +02001467 size_t i;
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001468 size_t plaintext_max_size = ( output_max_len > ilen - 11 ?
1469 ilen - 11 :
1470 output_max_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001471 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001472 /* The following variables take sensitive values: their value must
1473 * not leak into the observable behavior of the function other than
1474 * the designated outputs (output, olen, return value). Otherwise
1475 * this would open the execution of the function to
1476 * side-channel-based variants of the Bleichenbacher padding oracle
1477 * attack. Potential side channels include overall timing, memory
1478 * access patterns (especially visible to an adversary who has access
1479 * to a shared memory cache), and branches (especially visible to
1480 * an adversary who has access to a shared code cache or to a shared
1481 * branch predictor). */
1482 size_t pad_count = 0;
1483 unsigned bad = 0;
1484 unsigned char pad_done = 0;
1485 size_t plaintext_size = 0;
1486 unsigned output_too_large;
Paul Bakkerb3869132013-02-28 17:21:01 +01001487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001488 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1489 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001490
Paul Bakkerb3869132013-02-28 17:21:01 +01001491 if( ilen < 16 || ilen > sizeof( buf ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001492 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001494 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1495 ? mbedtls_rsa_public( ctx, input, buf )
1496 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakkerb3869132013-02-28 17:21:01 +01001497
1498 if( ret != 0 )
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001499 goto cleanup;
Paul Bakkerb3869132013-02-28 17:21:01 +01001500
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001501 /*
1502 * Check and get padding len in "constant-time"
1503 */
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001504 bad |= buf[0]; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001505
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001506 /* This test does not depend on secret data */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001507 if( mode == MBEDTLS_RSA_PRIVATE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001508 {
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001509 bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
Paul Bakker5121ce52009-01-03 21:22:43 +00001510
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001511 /* Get padding len, but always read till end of buffer
1512 * (minus one, for the 00 byte) */
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001513 for( i = 2; i < ilen - 1; i++ )
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001514 {
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001515 pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
Pascal Junodb99183d2015-03-11 16:49:45 +01001516 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001517 }
Paul Bakkere6ee41f2012-05-19 08:43:48 +00001518
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001519 bad |= buf[pad_count + 2];
Paul Bakkerb3869132013-02-28 17:21:01 +01001520 }
1521 else
1522 {
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001523 bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
Paul Bakkerb3869132013-02-28 17:21:01 +01001524
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001525 /* Get padding len, but always read till end of buffer
1526 * (minus one, for the 00 byte) */
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001527 for( i = 2; i < ilen - 1; i++ )
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001528 {
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001529 pad_done |= ( buf[i] != 0xFF );
Manuel Pégourié-Gonnard27290da2013-11-30 13:36:53 +01001530 pad_count += ( pad_done == 0 );
1531 }
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001532 bad |= buf[pad_count + 2];
Paul Bakker5121ce52009-01-03 21:22:43 +00001533 }
1534
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001535 /* There must be at least 8 bytes of padding. */
Gilles Peskinecf1253e2018-10-04 21:24:21 +02001536 bad |= size_greater_than( 8, pad_count );
Janos Follathb6eb1ca2016-02-08 13:59:25 +00001537
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001538 /* If the padding is valid, set plaintext_size to the number of
1539 * remaining bytes after stripping the padding. If the padding
1540 * is invalid, avoid leaking this fact through the size of the
1541 * output: use the maximum message size that fits in the output
1542 * buffer. Do it without branches to avoid leaking the padding
1543 * validity through timing. RSA keys are small enough that all the
1544 * size_t values involved fit in unsigned int. */
Gilles Peskineb4739162018-10-04 18:32:29 +02001545 plaintext_size = if_int( bad,
1546 (unsigned) plaintext_max_size,
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001547 (unsigned) ( ilen - pad_count - 3 ) );
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001548
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001549 /* Set output_too_large to 0 if the plaintext fits in the output
Gilles Peskinecf1253e2018-10-04 21:24:21 +02001550 * buffer and to 1 otherwise. */
1551 output_too_large = size_greater_than( plaintext_size,
1552 plaintext_max_size );
Paul Bakker060c5682009-01-12 21:48:39 +00001553
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001554 /* Set ret without branches to avoid timing attacks. Return:
1555 * - INVALID_PADDING if the padding is bad (bad != 0).
1556 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
1557 * plaintext does not fit in the output buffer.
1558 * - 0 if the padding is correct. */
1559 ret = - if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
1560 if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
1561 0 ) );
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001562
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001563 /* If the padding is bad or the plaintext is too large, zero the
1564 * data that we're about to copy to the output buffer.
1565 * We need to copy the same amount of data
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001566 * from the same buffer whether the padding is good or not to
1567 * avoid leaking the padding validity through overall timing or
1568 * through memory or cache access patterns. */
1569 for( i = 11; i < ilen; i++ )
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001570 buf[i] &= ~( bad | output_too_large );
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001571
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001572 /* If the plaintext is too large, truncate it to the buffer size.
1573 * Copy anyway to avoid revealing the length through timing, because
1574 * revealing the length is as bad as revealing the padding validity
1575 * for a Bleichenbacher attack. */
1576 plaintext_size = if_int( output_too_large,
1577 (unsigned) plaintext_max_size,
1578 (unsigned) plaintext_size );
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001579
Gilles Peskine087544b2018-10-04 22:45:13 +02001580 /* Move the plaintext to the leftmost position where it can start in
1581 * the working buffer, i.e. make it start plaintext_max_size from
1582 * the end of the buffer. Do this with a memory access trace that
1583 * does not depend on the plaintext size. After this move, the
1584 * starting location of the plaintext is no longer sensitive
1585 * information. */
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001586 mem_move_to_left( buf + ilen - plaintext_max_size,
1587 plaintext_max_size,
Gilles Peskine087544b2018-10-04 22:45:13 +02001588 plaintext_max_size - plaintext_size );
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001589
Gilles Peskine087544b2018-10-04 22:45:13 +02001590 /* Finally copy the decrypted plaintext plus trailing zeros
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001591 * into the output buffer. */
Gilles Peskine03fb3e32018-10-05 14:50:21 +02001592 memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
Gilles Peskinef9dd29e2018-10-04 19:13:43 +02001593
1594 /* Report the amount of data we copied to the output buffer. In case
1595 * of errors (bad padding or output too large), the value of *olen
1596 * when this function returns is not specified. Making it equivalent
1597 * to the good case limits the risks of leaking the padding validity. */
Gilles Peskinedabe87c2018-10-02 22:44:41 +02001598 *olen = plaintext_size;
Paul Bakker5121ce52009-01-03 21:22:43 +00001599
Gilles Peskine4a7f6a02017-03-23 14:37:37 +01001600cleanup:
1601 mbedtls_zeroize( buf, sizeof( buf ) );
1602
1603 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001604}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001605#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001606
1607/*
Paul Bakkerb3869132013-02-28 17:21:01 +01001608 * Do an RSA operation, then remove the message padding
1609 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001610int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +02001611 int (*f_rng)(void *, unsigned char *, size_t),
1612 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +01001613 int mode, size_t *olen,
1614 const unsigned char *input,
1615 unsigned char *output,
1616 size_t output_max_len)
1617{
1618 switch( ctx->padding )
1619 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001620#if defined(MBEDTLS_PKCS1_V15)
1621 case MBEDTLS_RSA_PKCS_V15:
1622 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
Paul Bakker548957d2013-08-30 10:30:02 +02001623 input, output, output_max_len );
Paul Bakker48377d92013-08-30 12:06:24 +02001624#endif
Paul Bakkerb3869132013-02-28 17:21:01 +01001625
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001626#if defined(MBEDTLS_PKCS1_V21)
1627 case MBEDTLS_RSA_PKCS_V21:
1628 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
Paul Bakker548957d2013-08-30 10:30:02 +02001629 olen, input, output,
1630 output_max_len );
Paul Bakkerb3869132013-02-28 17:21:01 +01001631#endif
1632
1633 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001634 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakkerb3869132013-02-28 17:21:01 +01001635 }
1636}
1637
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001638#if defined(MBEDTLS_PKCS1_V21)
Paul Bakkerb3869132013-02-28 17:21:01 +01001639/*
1640 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1641 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001642int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
Paul Bakkerb3869132013-02-28 17:21:01 +01001643 int (*f_rng)(void *, unsigned char *, size_t),
1644 void *p_rng,
1645 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001646 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01001647 unsigned int hashlen,
1648 const unsigned char *hash,
1649 unsigned char *sig )
1650{
1651 size_t olen;
1652 unsigned char *p = sig;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001653 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
Paul Bakkerb3869132013-02-28 17:21:01 +01001654 unsigned int slen, hlen, offset = 0;
1655 int ret;
1656 size_t msb;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001657 const mbedtls_md_info_t *md_info;
1658 mbedtls_md_context_t md_ctx;
Paul Bakkerb3869132013-02-28 17:21:01 +01001659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001660 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1661 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +02001662
1663 if( f_rng == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001664 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001665
1666 olen = ctx->len;
1667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001668 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakkerb3869132013-02-28 17:21:01 +01001669 {
Simon Butcher02037452016-03-01 21:19:12 +00001670 /* Gather length of hash to sign */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001671 md_info = mbedtls_md_info_from_type( md_alg );
Paul Bakkerc70b9822013-04-07 22:00:46 +02001672 if( md_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001673 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +02001674
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001675 hashlen = mbedtls_md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +01001676 }
1677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001678 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +01001679 if( md_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001680 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001682 hlen = mbedtls_md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +01001683 slen = hlen;
1684
1685 if( olen < hlen + slen + 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001686 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001687
1688 memset( sig, 0, olen );
1689
Simon Butcher02037452016-03-01 21:19:12 +00001690 /* Generate salt of length slen */
Paul Bakkerb3869132013-02-28 17:21:01 +01001691 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001692 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
Paul Bakkerb3869132013-02-28 17:21:01 +01001693
Simon Butcher02037452016-03-01 21:19:12 +00001694 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +02001695 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakkerb3869132013-02-28 17:21:01 +01001696 p += olen - hlen * 2 - 2;
1697 *p++ = 0x01;
1698 memcpy( p, salt, slen );
1699 p += slen;
1700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001701 mbedtls_md_init( &md_ctx );
Brian J Murraye7be5bd2016-06-23 12:57:03 -07001702 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001703 goto exit;
Paul Bakkerb3869132013-02-28 17:21:01 +01001704
Simon Butcher02037452016-03-01 21:19:12 +00001705 /* Generate H = Hash( M' ) */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001706 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
1707 goto exit;
1708 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
1709 goto exit;
1710 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
1711 goto exit;
1712 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
1713 goto exit;
1714 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
1715 goto exit;
Paul Bakkerb3869132013-02-28 17:21:01 +01001716
Simon Butcher02037452016-03-01 21:19:12 +00001717 /* Compensate for boundary condition when applying mask */
Paul Bakkerb3869132013-02-28 17:21:01 +01001718 if( msb % 8 == 0 )
1719 offset = 1;
1720
Simon Butcher02037452016-03-01 21:19:12 +00001721 /* maskedDB: Apply dbMask to DB */
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001722 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
1723 &md_ctx ) ) != 0 )
1724 goto exit;
Paul Bakkerb3869132013-02-28 17:21:01 +01001725
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +02001726 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakkerb3869132013-02-28 17:21:01 +01001727 sig[0] &= 0xFF >> ( olen * 8 - msb );
1728
1729 p += hlen;
1730 *p++ = 0xBC;
1731
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01001732 mbedtls_zeroize( salt, sizeof( salt ) );
1733
1734exit:
1735 mbedtls_md_free( &md_ctx );
1736
1737 if( ret != 0 )
1738 return( ret );
1739
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001740 return( ( mode == MBEDTLS_RSA_PUBLIC )
1741 ? mbedtls_rsa_public( ctx, sig, sig )
1742 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
Paul Bakkerb3869132013-02-28 17:21:01 +01001743}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001744#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001745
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001746#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +01001747/*
1748 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1749 */
Hanno Beckerfdf38032017-09-06 12:35:55 +01001750
1751/* Construct a PKCS v1.5 encoding of a hashed message
1752 *
1753 * This is used both for signature generation and verification.
1754 *
1755 * Parameters:
1756 * - md_alg: Identifies the hash algorithm used to generate the given hash;
Hanno Beckere58d38c2017-09-27 17:09:00 +01001757 * MBEDTLS_MD_NONE if raw data is signed.
Hanno Beckerfdf38032017-09-06 12:35:55 +01001758 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
Hanno Beckere58d38c2017-09-27 17:09:00 +01001759 * - hash: Buffer containing the hashed message or the raw data.
1760 * - dst_len: Length of the encoded message.
Hanno Beckerfdf38032017-09-06 12:35:55 +01001761 * - dst: Buffer to hold the encoded message.
1762 *
1763 * Assumptions:
1764 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
1765 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
Hanno Beckere58d38c2017-09-27 17:09:00 +01001766 * - dst points to a buffer of size at least dst_len.
Hanno Beckerfdf38032017-09-06 12:35:55 +01001767 *
1768 */
1769static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
1770 unsigned int hashlen,
1771 const unsigned char *hash,
Hanno Beckere58d38c2017-09-27 17:09:00 +01001772 size_t dst_len,
Hanno Beckerfdf38032017-09-06 12:35:55 +01001773 unsigned char *dst )
1774{
1775 size_t oid_size = 0;
Hanno Beckere58d38c2017-09-27 17:09:00 +01001776 size_t nb_pad = dst_len;
Hanno Beckerfdf38032017-09-06 12:35:55 +01001777 unsigned char *p = dst;
1778 const char *oid = NULL;
1779
1780 /* Are we signing hashed or raw data? */
1781 if( md_alg != MBEDTLS_MD_NONE )
1782 {
1783 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1784 if( md_info == NULL )
1785 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1786
1787 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1788 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1789
1790 hashlen = mbedtls_md_get_size( md_info );
1791
1792 /* Double-check that 8 + hashlen + oid_size can be used as a
1793 * 1-byte ASN.1 length encoding and that there's no overflow. */
1794 if( 8 + hashlen + oid_size >= 0x80 ||
1795 10 + hashlen < hashlen ||
1796 10 + hashlen + oid_size < 10 + hashlen )
1797 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1798
1799 /*
1800 * Static bounds check:
1801 * - Need 10 bytes for five tag-length pairs.
1802 * (Insist on 1-byte length encodings to protect against variants of
1803 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1804 * - Need hashlen bytes for hash
1805 * - Need oid_size bytes for hash alg OID.
1806 */
1807 if( nb_pad < 10 + hashlen + oid_size )
1808 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1809 nb_pad -= 10 + hashlen + oid_size;
1810 }
1811 else
1812 {
1813 if( nb_pad < hashlen )
1814 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1815
1816 nb_pad -= hashlen;
1817 }
1818
Hanno Becker2b2f8982017-09-27 17:10:03 +01001819 /* Need space for signature header and padding delimiter (3 bytes),
1820 * and 8 bytes for the minimal padding */
1821 if( nb_pad < 3 + 8 )
Hanno Beckerfdf38032017-09-06 12:35:55 +01001822 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1823 nb_pad -= 3;
1824
1825 /* Now nb_pad is the amount of memory to be filled
Hanno Becker2b2f8982017-09-27 17:10:03 +01001826 * with padding, and at least 8 bytes long. */
Hanno Beckerfdf38032017-09-06 12:35:55 +01001827
1828 /* Write signature header and padding */
1829 *p++ = 0;
1830 *p++ = MBEDTLS_RSA_SIGN;
1831 memset( p, 0xFF, nb_pad );
1832 p += nb_pad;
1833 *p++ = 0;
1834
1835 /* Are we signing raw data? */
1836 if( md_alg == MBEDTLS_MD_NONE )
1837 {
1838 memcpy( p, hash, hashlen );
1839 return( 0 );
1840 }
1841
1842 /* Signing hashed data, add corresponding ASN.1 structure
1843 *
1844 * DigestInfo ::= SEQUENCE {
1845 * digestAlgorithm DigestAlgorithmIdentifier,
1846 * digest Digest }
1847 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1848 * Digest ::= OCTET STRING
1849 *
1850 * Schematic:
1851 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1852 * TAG-NULL + LEN [ NULL ] ]
1853 * TAG-OCTET + LEN [ HASH ] ]
1854 */
1855 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker87ae1972018-01-15 15:27:56 +00001856 *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
Hanno Beckerfdf38032017-09-06 12:35:55 +01001857 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker87ae1972018-01-15 15:27:56 +00001858 *p++ = (unsigned char)( 0x04 + oid_size );
Hanno Beckerfdf38032017-09-06 12:35:55 +01001859 *p++ = MBEDTLS_ASN1_OID;
Hanno Becker87ae1972018-01-15 15:27:56 +00001860 *p++ = (unsigned char) oid_size;
Hanno Beckerfdf38032017-09-06 12:35:55 +01001861 memcpy( p, oid, oid_size );
1862 p += oid_size;
1863 *p++ = MBEDTLS_ASN1_NULL;
1864 *p++ = 0x00;
1865 *p++ = MBEDTLS_ASN1_OCTET_STRING;
Hanno Becker87ae1972018-01-15 15:27:56 +00001866 *p++ = (unsigned char) hashlen;
Hanno Beckerfdf38032017-09-06 12:35:55 +01001867 memcpy( p, hash, hashlen );
1868 p += hashlen;
1869
1870 /* Just a sanity-check, should be automatic
1871 * after the initial bounds check. */
Hanno Beckere58d38c2017-09-27 17:09:00 +01001872 if( p != dst + dst_len )
Hanno Beckerfdf38032017-09-06 12:35:55 +01001873 {
Hanno Beckere58d38c2017-09-27 17:09:00 +01001874 mbedtls_zeroize( dst, dst_len );
Hanno Beckerfdf38032017-09-06 12:35:55 +01001875 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1876 }
1877
1878 return( 0 );
1879}
1880
Paul Bakkerb3869132013-02-28 17:21:01 +01001881/*
1882 * Do an RSA operation to sign the message digest
1883 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001884int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +02001885 int (*f_rng)(void *, unsigned char *, size_t),
1886 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +01001887 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001888 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01001889 unsigned int hashlen,
1890 const unsigned char *hash,
1891 unsigned char *sig )
1892{
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02001893 int ret;
Hanno Beckerfdf38032017-09-06 12:35:55 +01001894 unsigned char *sig_try = NULL, *verif = NULL;
Paul Bakkerb3869132013-02-28 17:21:01 +01001895
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001896 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1897 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01001898
Hanno Beckerfdf38032017-09-06 12:35:55 +01001899 /*
1900 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1901 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001902
Hanno Beckerfdf38032017-09-06 12:35:55 +01001903 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
1904 ctx->len, sig ) ) != 0 )
1905 return( ret );
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02001906
1907 /*
Hanno Beckerfdf38032017-09-06 12:35:55 +01001908 * Call respective RSA primitive
1909 */
1910
1911 if( mode == MBEDTLS_RSA_PUBLIC )
1912 {
1913 /* Skip verification on a public key operation */
1914 return( mbedtls_rsa_public( ctx, sig, sig ) );
1915 }
1916
1917 /* Private key operation
1918 *
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02001919 * In order to prevent Lenstra's attack, make the signature in a
1920 * temporary buffer and check it before returning it.
1921 */
Hanno Beckerfdf38032017-09-06 12:35:55 +01001922
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02001923 sig_try = mbedtls_calloc( 1, ctx->len );
Simon Butcher1285ab52016-01-01 21:42:47 +00001924 if( sig_try == NULL )
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02001925 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1926
Hanno Beckerfdf38032017-09-06 12:35:55 +01001927 verif = mbedtls_calloc( 1, ctx->len );
Simon Butcher1285ab52016-01-01 21:42:47 +00001928 if( verif == NULL )
1929 {
1930 mbedtls_free( sig_try );
1931 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1932 }
1933
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02001934 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1935 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
1936
Hanno Becker171a8f12017-09-06 12:32:16 +01001937 if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +02001938 {
1939 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1940 goto cleanup;
1941 }
1942
1943 memcpy( sig, sig_try, ctx->len );
1944
1945cleanup:
1946 mbedtls_free( sig_try );
1947 mbedtls_free( verif );
1948
1949 return( ret );
Paul Bakkerb3869132013-02-28 17:21:01 +01001950}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001951#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +01001952
1953/*
Paul Bakker5121ce52009-01-03 21:22:43 +00001954 * Do an RSA operation to sign the message digest
1955 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001956int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +00001957 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker9dcc3222011-03-08 14:16:06 +00001958 void *p_rng,
Paul Bakker5121ce52009-01-03 21:22:43 +00001959 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001960 mbedtls_md_type_t md_alg,
Paul Bakker23986e52011-04-24 08:57:21 +00001961 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +00001962 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +00001963 unsigned char *sig )
1964{
Paul Bakker5121ce52009-01-03 21:22:43 +00001965 switch( ctx->padding )
1966 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001967#if defined(MBEDTLS_PKCS1_V15)
1968 case MBEDTLS_RSA_PKCS_V15:
1969 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01001970 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +02001971#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001972
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001973#if defined(MBEDTLS_PKCS1_V21)
1974 case MBEDTLS_RSA_PKCS_V21:
1975 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01001976 hashlen, hash, sig );
Paul Bakker9dcc3222011-03-08 14:16:06 +00001977#endif
1978
Paul Bakker5121ce52009-01-03 21:22:43 +00001979 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001980 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker5121ce52009-01-03 21:22:43 +00001981 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001982}
1983
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001984#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +00001985/*
Paul Bakkerb3869132013-02-28 17:21:01 +01001986 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker5121ce52009-01-03 21:22:43 +00001987 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001988int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02001989 int (*f_rng)(void *, unsigned char *, size_t),
1990 void *p_rng,
1991 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001992 mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02001993 unsigned int hashlen,
1994 const unsigned char *hash,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001995 mbedtls_md_type_t mgf1_hash_id,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02001996 int expected_salt_len,
1997 const unsigned char *sig )
Paul Bakker5121ce52009-01-03 21:22:43 +00001998{
Paul Bakker23986e52011-04-24 08:57:21 +00001999 int ret;
Paul Bakkerb3869132013-02-28 17:21:01 +01002000 size_t siglen;
2001 unsigned char *p;
Gilles Peskine6a54b022017-10-17 19:02:13 +02002002 unsigned char *hash_start;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002003 unsigned char result[MBEDTLS_MD_MAX_SIZE];
Paul Bakker9dcc3222011-03-08 14:16:06 +00002004 unsigned char zeros[8];
Paul Bakker23986e52011-04-24 08:57:21 +00002005 unsigned int hlen;
Gilles Peskine6a54b022017-10-17 19:02:13 +02002006 size_t observed_salt_len, msb;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002007 const mbedtls_md_info_t *md_info;
2008 mbedtls_md_context_t md_ctx;
Nicholas Wilson409401c2016-04-13 11:48:25 +01002009 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Paul Bakkerb3869132013-02-28 17:21:01 +01002010
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002011 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
2012 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01002013
Paul Bakker5121ce52009-01-03 21:22:43 +00002014 siglen = ctx->len;
2015
Paul Bakker27fdf462011-06-09 13:55:13 +00002016 if( siglen < 16 || siglen > sizeof( buf ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002017 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00002018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002019 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2020 ? mbedtls_rsa_public( ctx, sig, buf )
2021 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00002022
2023 if( ret != 0 )
2024 return( ret );
2025
2026 p = buf;
2027
Paul Bakkerb3869132013-02-28 17:21:01 +01002028 if( buf[siglen - 1] != 0xBC )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002029 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakkerb3869132013-02-28 17:21:01 +01002030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002031 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002032 {
Simon Butcher02037452016-03-01 21:19:12 +00002033 /* Gather length of hash to sign */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002034 md_info = mbedtls_md_info_from_type( md_alg );
Paul Bakkerc70b9822013-04-07 22:00:46 +02002035 if( md_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002036 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerc70b9822013-04-07 22:00:46 +02002037
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002038 hashlen = mbedtls_md_get_size( md_info );
Paul Bakkerb3869132013-02-28 17:21:01 +01002039 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002041 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
Paul Bakkerb3869132013-02-28 17:21:01 +01002042 if( md_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002043 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker9dcc3222011-03-08 14:16:06 +00002044
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002045 hlen = mbedtls_md_get_size( md_info );
Paul Bakker9dcc3222011-03-08 14:16:06 +00002046
Paul Bakkerb3869132013-02-28 17:21:01 +01002047 memset( zeros, 0, 8 );
Paul Bakker53019ae2011-03-25 13:58:48 +00002048
Simon Butcher02037452016-03-01 21:19:12 +00002049 /*
2050 * Note: EMSA-PSS verification is over the length of N - 1 bits
2051 */
Manuel Pégourié-Gonnardc0696c22015-06-18 16:47:17 +02002052 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakker9dcc3222011-03-08 14:16:06 +00002053
Gilles Peskineb00b0da2017-10-19 15:23:49 +02002054 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
2055 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2056
Simon Butcher02037452016-03-01 21:19:12 +00002057 /* Compensate for boundary condition when applying mask */
Paul Bakkerb3869132013-02-28 17:21:01 +01002058 if( msb % 8 == 0 )
2059 {
2060 p++;
2061 siglen -= 1;
2062 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002063
Gilles Peskine139108a2017-10-18 19:03:42 +02002064 if( siglen < hlen + 2 )
2065 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2066 hash_start = p + siglen - hlen - 1;
2067
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002068 mbedtls_md_init( &md_ctx );
Brian J Murraye7be5bd2016-06-23 12:57:03 -07002069 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002070 goto exit;
Paul Bakker9dcc3222011-03-08 14:16:06 +00002071
Jaeden Amero66954e12018-01-25 16:05:54 +00002072 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
2073 if( ret != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002074 goto exit;
Paul Bakker02303e82013-01-03 11:08:31 +01002075
Paul Bakkerb3869132013-02-28 17:21:01 +01002076 buf[0] &= 0xFF >> ( siglen * 8 - msb );
Paul Bakker9dcc3222011-03-08 14:16:06 +00002077
Gilles Peskine6a54b022017-10-17 19:02:13 +02002078 while( p < hash_start - 1 && *p == 0 )
Paul Bakkerb3869132013-02-28 17:21:01 +01002079 p++;
Paul Bakker9dcc3222011-03-08 14:16:06 +00002080
Gilles Peskine91048a32017-10-19 17:46:14 +02002081 if( *p++ != 0x01 )
Paul Bakkerb3869132013-02-28 17:21:01 +01002082 {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002083 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2084 goto exit;
Paul Bakkerb3869132013-02-28 17:21:01 +01002085 }
Paul Bakker9dcc3222011-03-08 14:16:06 +00002086
Gilles Peskine6a54b022017-10-17 19:02:13 +02002087 observed_salt_len = hash_start - p;
Paul Bakker9dcc3222011-03-08 14:16:06 +00002088
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002089 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
Gilles Peskine6a54b022017-10-17 19:02:13 +02002090 observed_salt_len != (size_t) expected_salt_len )
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002091 {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002092 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2093 goto exit;
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002094 }
2095
Simon Butcher02037452016-03-01 21:19:12 +00002096 /*
2097 * Generate H = Hash( M' )
2098 */
Jaeden Amero66954e12018-01-25 16:05:54 +00002099 ret = mbedtls_md_starts( &md_ctx );
2100 if ( ret != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002101 goto exit;
Jaeden Amero66954e12018-01-25 16:05:54 +00002102 ret = mbedtls_md_update( &md_ctx, zeros, 8 );
2103 if ( ret != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002104 goto exit;
Jaeden Amero66954e12018-01-25 16:05:54 +00002105 ret = mbedtls_md_update( &md_ctx, hash, hashlen );
2106 if ( ret != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002107 goto exit;
Jaeden Amero66954e12018-01-25 16:05:54 +00002108 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
2109 if ( ret != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002110 goto exit;
Jaeden Amero66954e12018-01-25 16:05:54 +00002111 ret = mbedtls_md_finish( &md_ctx, result );
2112 if ( ret != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002113 goto exit;
Paul Bakker53019ae2011-03-25 13:58:48 +00002114
Jaeden Amero66954e12018-01-25 16:05:54 +00002115 if( memcmp( hash_start, result, hlen ) != 0 )
Andres Amaya Garciac5c7d762017-07-20 14:42:16 +01002116 {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002117 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
Andres Amaya Garciac5c7d762017-07-20 14:42:16 +01002118 goto exit;
2119 }
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002120
2121exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002122 mbedtls_md_free( &md_ctx );
Paul Bakker9dcc3222011-03-08 14:16:06 +00002123
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002124 return( ret );
Paul Bakkerb3869132013-02-28 17:21:01 +01002125}
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002126
2127/*
2128 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2129 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002130int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002131 int (*f_rng)(void *, unsigned char *, size_t),
2132 void *p_rng,
2133 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002134 mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002135 unsigned int hashlen,
2136 const unsigned char *hash,
2137 const unsigned char *sig )
2138{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002139 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
2140 ? (mbedtls_md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002141 : md_alg;
2142
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002143 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002144 md_alg, hashlen, hash,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002145 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +02002146 sig ) );
2147
2148}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002149#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker40628ba2013-01-03 10:50:31 +01002150
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002151#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +01002152/*
2153 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2154 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002155int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +02002156 int (*f_rng)(void *, unsigned char *, size_t),
2157 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +01002158 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002159 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01002160 unsigned int hashlen,
2161 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +02002162 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +01002163{
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002164 int ret = 0;
2165 const size_t sig_len = ctx->len;
2166 unsigned char *encoded = NULL, *encoded_expected = NULL;
Paul Bakkerb3869132013-02-28 17:21:01 +01002167
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002168 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
2169 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakkerb3869132013-02-28 17:21:01 +01002170
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002171 /*
2172 * Prepare expected PKCS1 v1.5 encoding of hash.
2173 */
Paul Bakkerb3869132013-02-28 17:21:01 +01002174
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002175 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL ||
2176 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
2177 {
2178 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2179 goto cleanup;
2180 }
2181
2182 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
2183 encoded_expected ) ) != 0 )
2184 goto cleanup;
2185
2186 /*
2187 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2188 */
Paul Bakkerb3869132013-02-28 17:21:01 +01002189
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002190 ret = ( mode == MBEDTLS_RSA_PUBLIC )
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002191 ? mbedtls_rsa_public( ctx, sig, encoded )
2192 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
Paul Bakkerb3869132013-02-28 17:21:01 +01002193 if( ret != 0 )
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002194 goto cleanup;
Paul Bakkerc70b9822013-04-07 22:00:46 +02002195
Simon Butcher02037452016-03-01 21:19:12 +00002196 /*
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002197 * Compare
Simon Butcher02037452016-03-01 21:19:12 +00002198 */
Paul Bakkerc70b9822013-04-07 22:00:46 +02002199
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002200 if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
2201 sig_len ) ) != 0 )
2202 {
2203 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2204 goto cleanup;
2205 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002206
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002207cleanup:
Paul Bakkerc70b9822013-04-07 22:00:46 +02002208
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002209 if( encoded != NULL )
2210 {
2211 mbedtls_zeroize( encoded, sig_len );
2212 mbedtls_free( encoded );
2213 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002214
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002215 if( encoded_expected != NULL )
2216 {
2217 mbedtls_zeroize( encoded_expected, sig_len );
2218 mbedtls_free( encoded_expected );
2219 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002220
Hanno Becker64a8c0a2017-09-06 12:39:49 +01002221 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002222}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002223#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002224
2225/*
Paul Bakkerb3869132013-02-28 17:21:01 +01002226 * Do an RSA operation and check the message digest
2227 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002228int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +02002229 int (*f_rng)(void *, unsigned char *, size_t),
2230 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +01002231 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002232 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01002233 unsigned int hashlen,
2234 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +02002235 const unsigned char *sig )
Paul Bakkerb3869132013-02-28 17:21:01 +01002236{
2237 switch( ctx->padding )
2238 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002239#if defined(MBEDTLS_PKCS1_V15)
2240 case MBEDTLS_RSA_PKCS_V15:
2241 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01002242 hashlen, hash, sig );
Paul Bakker48377d92013-08-30 12:06:24 +02002243#endif
Paul Bakkerb3869132013-02-28 17:21:01 +01002244
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002245#if defined(MBEDTLS_PKCS1_V21)
2246 case MBEDTLS_RSA_PKCS_V21:
2247 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +01002248 hashlen, hash, sig );
2249#endif
2250
2251 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002252 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakkerb3869132013-02-28 17:21:01 +01002253 }
2254}
2255
2256/*
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002257 * Copy the components of an RSA key
2258 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002259int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002260{
2261 int ret;
2262
2263 dst->ver = src->ver;
2264 dst->len = src->len;
2265
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002266 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
2267 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002269 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
2270 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
2271 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
Hanno Becker33c30a02017-08-23 07:00:22 +01002272
2273#if !defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002274 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
2275 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
2276 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002277 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
2278 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
Hanno Becker33c30a02017-08-23 07:00:22 +01002279#endif
2280
2281 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002282
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002283 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
2284 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +02002285
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002286 dst->padding = src->padding;
Manuel Pégourié-Gonnardfdddac92014-03-25 15:58:35 +01002287 dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002288
2289cleanup:
2290 if( ret != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002291 mbedtls_rsa_free( dst );
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +02002292
2293 return( ret );
2294}
2295
2296/*
Paul Bakker5121ce52009-01-03 21:22:43 +00002297 * Free the components of an RSA key
2298 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002299void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
Paul Bakker5121ce52009-01-03 21:22:43 +00002300{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002301 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
Hanno Becker33c30a02017-08-23 07:00:22 +01002302 mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D );
2303 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002304 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
Paul Bakkerc9965dc2013-09-29 14:58:17 +02002305
Hanno Becker33c30a02017-08-23 07:00:22 +01002306#if !defined(MBEDTLS_RSA_NO_CRT)
2307 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );
2308 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );
2309 mbedtls_mpi_free( &ctx->DP );
2310#endif /* MBEDTLS_RSA_NO_CRT */
2311
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002312#if defined(MBEDTLS_THREADING_C)
2313 mbedtls_mutex_free( &ctx->mutex );
Paul Bakkerc9965dc2013-09-29 14:58:17 +02002314#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002315}
2316
Hanno Beckerab377312017-08-23 16:24:51 +01002317#endif /* !MBEDTLS_RSA_ALT */
2318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002319#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +00002320
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +00002321#include "mbedtls/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +00002322
2323/*
2324 * Example RSA-1024 keypair, for test purposes
2325 */
2326#define KEY_LEN 128
2327
2328#define RSA_N "9292758453063D803DD603D5E777D788" \
2329 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2330 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2331 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2332 "93A89813FBF3C4F8066D2D800F7C38A8" \
2333 "1AE31942917403FF4946B0A83D3D3E05" \
2334 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2335 "5E94BB77B07507233A0BC7BAC8F90F79"
2336
2337#define RSA_E "10001"
2338
2339#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2340 "66CA472BC44D253102F8B4A9D3BFA750" \
2341 "91386C0077937FE33FA3252D28855837" \
2342 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2343 "DF79C5CE07EE72C7F123142198164234" \
2344 "CABB724CF78B8173B9F880FC86322407" \
2345 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2346 "071513A1E85B5DFA031F21ECAE91A34D"
2347
2348#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2349 "2C01CAD19EA484A87EA4377637E75500" \
2350 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2351 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2352
2353#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2354 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2355 "910E4168387E3C30AA1E00C339A79508" \
2356 "8452DD96A9A5EA5D9DCA68DA636032AF"
2357
Paul Bakker5121ce52009-01-03 21:22:43 +00002358#define PT_LEN 24
2359#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2360 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2361
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002362#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkera3d195c2011-11-27 21:07:34 +00002363static int myrand( void *rng_state, unsigned char *output, size_t len )
Paul Bakker545570e2010-07-18 09:00:25 +00002364{
Paul Bakkerf96f7b62014-04-30 16:02:38 +02002365#if !defined(__OpenBSD__)
Paul Bakkera3d195c2011-11-27 21:07:34 +00002366 size_t i;
2367
Paul Bakker545570e2010-07-18 09:00:25 +00002368 if( rng_state != NULL )
2369 rng_state = NULL;
2370
Paul Bakkera3d195c2011-11-27 21:07:34 +00002371 for( i = 0; i < len; ++i )
2372 output[i] = rand();
Paul Bakkerf96f7b62014-04-30 16:02:38 +02002373#else
2374 if( rng_state != NULL )
2375 rng_state = NULL;
2376
2377 arc4random_buf( output, len );
2378#endif /* !OpenBSD */
Paul Bakker48377d92013-08-30 12:06:24 +02002379
Paul Bakkera3d195c2011-11-27 21:07:34 +00002380 return( 0 );
Paul Bakker545570e2010-07-18 09:00:25 +00002381}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002382#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker545570e2010-07-18 09:00:25 +00002383
Paul Bakker5121ce52009-01-03 21:22:43 +00002384/*
2385 * Checkup routine
2386 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002387int mbedtls_rsa_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +00002388{
Paul Bakker3d8fb632014-04-17 12:42:41 +02002389 int ret = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002390#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker23986e52011-04-24 08:57:21 +00002391 size_t len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002392 mbedtls_rsa_context rsa;
Paul Bakker5121ce52009-01-03 21:22:43 +00002393 unsigned char rsa_plaintext[PT_LEN];
2394 unsigned char rsa_decrypted[PT_LEN];
2395 unsigned char rsa_ciphertext[KEY_LEN];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002396#if defined(MBEDTLS_SHA1_C)
Paul Bakker5690efc2011-05-26 13:16:06 +00002397 unsigned char sha1sum[20];
2398#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002399
Hanno Becker3a701162017-08-22 13:52:43 +01002400 mbedtls_mpi K;
2401
2402 mbedtls_mpi_init( &K );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002403 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002404
Hanno Becker3a701162017-08-22 13:52:43 +01002405 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
2406 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
2407 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
2408 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
2409 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
2410 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
2411 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
2412 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
2413 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
2414 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
2415
Hanno Becker7f25f852017-10-10 16:56:22 +01002416 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002417
2418 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002419 mbedtls_printf( " RSA key validation: " );
Paul Bakker5121ce52009-01-03 21:22:43 +00002420
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002421 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
2422 mbedtls_rsa_check_privkey( &rsa ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002423 {
2424 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002425 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00002426
Hanno Beckera5fa0792018-03-09 10:42:23 +00002427 ret = 1;
2428 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002429 }
2430
2431 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002432 mbedtls_printf( "passed\n PKCS#1 encryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +00002433
2434 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
2435
Hanno Becker98838b02017-10-02 13:16:10 +01002436 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
2437 PT_LEN, rsa_plaintext,
2438 rsa_ciphertext ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002439 {
2440 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002441 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00002442
Hanno Beckera5fa0792018-03-09 10:42:23 +00002443 ret = 1;
2444 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002445 }
2446
2447 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002448 mbedtls_printf( "passed\n PKCS#1 decryption : " );
Paul Bakker5121ce52009-01-03 21:22:43 +00002449
Hanno Becker98838b02017-10-02 13:16:10 +01002450 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
2451 &len, rsa_ciphertext, rsa_decrypted,
2452 sizeof(rsa_decrypted) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002453 {
2454 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002455 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00002456
Hanno Beckera5fa0792018-03-09 10:42:23 +00002457 ret = 1;
2458 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002459 }
2460
2461 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
2462 {
2463 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002464 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00002465
Hanno Beckera5fa0792018-03-09 10:42:23 +00002466 ret = 1;
2467 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002468 }
2469
Manuel Pégourié-Gonnardd1004f02015-08-07 10:46:54 +02002470 if( verbose != 0 )
2471 mbedtls_printf( "passed\n" );
2472
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002473#if defined(MBEDTLS_SHA1_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002474 if( verbose != 0 )
Brian Murray930a3702016-05-18 14:38:02 -07002475 mbedtls_printf( " PKCS#1 data sign : " );
Paul Bakker5121ce52009-01-03 21:22:43 +00002476
Gilles Peskine9e4f77c2018-01-22 11:48:08 +01002477 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
Andres Amaya Garcia698089e2017-06-28 11:46:46 +01002478 {
2479 if( verbose != 0 )
2480 mbedtls_printf( "failed\n" );
2481
2482 return( 1 );
2483 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002484
Hanno Becker98838b02017-10-02 13:16:10 +01002485 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
2486 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
2487 sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002488 {
2489 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002490 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00002491
Hanno Beckera5fa0792018-03-09 10:42:23 +00002492 ret = 1;
2493 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002494 }
2495
2496 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002497 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
Paul Bakker5121ce52009-01-03 21:22:43 +00002498
Hanno Becker98838b02017-10-02 13:16:10 +01002499 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
2500 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
2501 sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002502 {
2503 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002504 mbedtls_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00002505
Hanno Beckera5fa0792018-03-09 10:42:23 +00002506 ret = 1;
2507 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +00002508 }
2509
2510 if( verbose != 0 )
Manuel Pégourié-Gonnardd1004f02015-08-07 10:46:54 +02002511 mbedtls_printf( "passed\n" );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002512#endif /* MBEDTLS_SHA1_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00002513
Manuel Pégourié-Gonnardd1004f02015-08-07 10:46:54 +02002514 if( verbose != 0 )
2515 mbedtls_printf( "\n" );
2516
Paul Bakker3d8fb632014-04-17 12:42:41 +02002517cleanup:
Hanno Becker3a701162017-08-22 13:52:43 +01002518 mbedtls_mpi_free( &K );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002519 mbedtls_rsa_free( &rsa );
2520#else /* MBEDTLS_PKCS1_V15 */
Paul Bakker3e41fe82013-09-15 17:42:50 +02002521 ((void) verbose);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002522#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker3d8fb632014-04-17 12:42:41 +02002523 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002524}
2525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002526#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +00002527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002528#endif /* MBEDTLS_RSA_C */