Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: aa8cdf6a826e82a161b1ec9a03a5365446a928ef [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* The RSA public-key cryptosystem
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	18	*/
Hanno Becker	7471631	2017-10-02 10:00:37 +0100	[diff] [blame]	19
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	20	/*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	21	* The following sources were referenced in the design of this implementation
				22	* of the RSA algorithm:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23	*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	24	* [1] A method for obtaining digital signatures and public-key cryptosystems
				25	* R Rivest, A Shamir, and L Adleman
				26	* http://people.csail.mit.edu/rivest/pubs.html#RSA78
				27	*
				28	* [2] Handbook of Applied Cryptography - 1997, Chapter 8
				29	* Menezes, van Oorschot and Vanstone
				30	*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	31	* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
				32	* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
				33	* Stefan Mangard
				34	* https://arxiv.org/abs/1702.08719v2
				35	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	36	*/
				37
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	38	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	39
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	40	#if defined(MBEDTLS_RSA_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	41
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	42	#include "mbedtls/rsa.h"
Chris Jones	66a4cd4	2021-03-09 16:04:12 +0000	[diff] [blame]	43	#include "rsa_alt_helpers.h"
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	44	#include "mbedtls/oid.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	45	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	46	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	47	#include "constant_time_internal.h"
Gabor Mezei	765862c	2021-10-19 12:22:25 +0200	[diff] [blame]	48	#include "mbedtls/constant_time.h"
Manuel Pégourié-Gonnard	4772884	2022-07-18 13:00:40 +0200	[diff] [blame]	49	#include "hash_info.h"
Manuel Pégourié-Gonnard	2d6d993	2023-03-28 11:38:08 +0200	[diff] [blame^]	50	#include "md_psa.h"
Paul Bakker	bb51f0c	2012-08-23 07:46:58 +0000	[diff] [blame]	51
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	52	#include <string.h>
				53
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	54	#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	55	#include <stdlib.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	56	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	57
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	58	#include "mbedtls/platform.h"
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	59
Hanno Becker	a565f54	2017-10-11 11:00:19 +0100	[diff] [blame]	60	#if !defined(MBEDTLS_RSA_ALT)
				61
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	62	int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
				63	const mbedtls_mpi *N,
				64	const mbedtls_mpi P, const mbedtls_mpi Q,
				65	const mbedtls_mpi D, const mbedtls_mpi E)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	66	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	67	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	68
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	69	if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) \|\|
				70	(P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) \|\|
				71	(Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) \|\|
				72	(D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) \|\|
				73	(E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
				74	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	75	}
				76
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	77	if (N != NULL) {
				78	ctx->len = mbedtls_mpi_size(&ctx->N);
				79	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	80
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	81	return 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	82	}
				83
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	84	int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
				85	unsigned char const *N, size_t N_len,
				86	unsigned char const *P, size_t P_len,
				87	unsigned char const *Q, size_t Q_len,
				88	unsigned char const *D, size_t D_len,
				89	unsigned char const *E, size_t E_len)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	90	{
Hanno Becker	d4d6057	2018-01-10 07:12:01 +0000	[diff] [blame]	91	int ret = 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	92
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	93	if (N != NULL) {
				94	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
				95	ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	96	}
				97
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	98	if (P != NULL) {
				99	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
				100	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	101
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	102	if (Q != NULL) {
				103	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
				104	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	105
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	106	if (D != NULL) {
				107	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
				108	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	109
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	110	if (E != NULL) {
				111	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
				112	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	113
				114	cleanup:
				115
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	116	if (ret != 0) {
				117	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
				118	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	119
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	120	return 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	121	}
				122
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	123	/*
				124	* Checks whether the context fields are set in such a way
				125	* that the RSA primitives will be able to execute without error.
				126	* It does not make guarantees for consistency of the parameters.
				127	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	128	static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
				129	int blinding_needed)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	130	{
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	131	#if !defined(MBEDTLS_RSA_NO_CRT)
				132	/* blinding_needed is only used for NO_CRT to decide whether
				133	* P,Q need to be present or not. */
				134	((void) blinding_needed);
				135	#endif
				136
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	137	if (ctx->len != mbedtls_mpi_size(&ctx->N) \|\|
				138	ctx->len > MBEDTLS_MPI_MAX_SIZE) {
				139	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	140	}
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	141
				142	/*
				143	* 1. Modular exponentiation needs positive, odd moduli.
				144	*/
				145
				146	/* Modular exponentiation wrt. N is always used for
				147	* RSA public key operations. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	148	if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 \|\|
				149	mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
				150	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	151	}
				152
				153	#if !defined(MBEDTLS_RSA_NO_CRT)
				154	/* Modular exponentiation for P and Q is only
				155	* used for private key operations and if CRT
				156	* is used. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	157	if (is_priv &&
				158	(mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 \|\|
				159	mbedtls_mpi_get_bit(&ctx->P, 0) == 0 \|\|
				160	mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 \|\|
				161	mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
				162	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	163	}
				164	#endif /* !MBEDTLS_RSA_NO_CRT */
				165
				166	/*
				167	* 2. Exponents must be positive
				168	*/
				169
				170	/* Always need E for public key operations */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	171	if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
				172	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				173	}
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	174
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	175	#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	176	/* For private key operations, use D or DP & DQ
				177	* as (unblinded) exponents. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	178	if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
				179	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				180	}
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	181	#else
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	182	if (is_priv &&
				183	(mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 \|\|
				184	mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
				185	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	186	}
				187	#endif /* MBEDTLS_RSA_NO_CRT */
				188
				189	/* Blinding shouldn't make exponents negative either,
				190	* so check that P, Q >= 1 if that hasn't yet been
				191	* done as part of 1. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	192	#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	193	if (is_priv && blinding_needed &&
				194	(mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 \|\|
				195	mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
				196	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	197	}
				198	#endif
				199
				200	/* It wouldn't lead to an error if it wasn't satisfied,
Hanno Becker	f8c028a	2017-10-17 09:20:57 +0100	[diff] [blame]	201	* but check for QP >= 1 nonetheless. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	202	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	203	if (is_priv &&
				204	mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
				205	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	206	}
				207	#endif
				208
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	209	return 0;
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	210	}
				211
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	212	int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	213	{
				214	int ret = 0;
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	215	int have_N, have_P, have_Q, have_D, have_E;
				216	#if !defined(MBEDTLS_RSA_NO_CRT)
				217	int have_DP, have_DQ, have_QP;
				218	#endif
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	219	int n_missing, pq_missing, d_missing, is_pub, is_priv;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	220
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	221	have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
				222	have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
				223	have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
				224	have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
				225	have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	226
				227	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	228	have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
				229	have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
				230	have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	231	#endif
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	232
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	233	/*
				234	* Check whether provided parameters are enough
				235	* to deduce all others. The following incomplete
				236	* parameter sets for private keys are supported:
				237	*
				238	* (1) P, Q missing.
				239	* (2) D and potentially N missing.
				240	*
				241	*/
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	242
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	243	n_missing = have_P && have_Q && have_D && have_E;
				244	pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
				245	d_missing = have_P && have_Q && !have_D && have_E;
				246	is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	247
				248	/* These three alternatives are mutually exclusive */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	249	is_priv = n_missing \|\| pq_missing \|\| d_missing;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	250
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	251	if (!is_priv && !is_pub) {
				252	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				253	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	254
				255	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	256	* Step 1: Deduce N if P, Q are provided.
				257	*/
				258
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	259	if (!have_N && have_P && have_Q) {
				260	if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
				261	&ctx->Q)) != 0) {
				262	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	263	}
				264
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	265	ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	266	}
				267
				268	/*
				269	* Step 2: Deduce and verify all remaining core parameters.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	270	*/
				271
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	272	if (pq_missing) {
				273	ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
				274	&ctx->P, &ctx->Q);
				275	if (ret != 0) {
				276	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
				277	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	278
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	279	} else if (d_missing) {
				280	if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
				281	&ctx->Q,
				282	&ctx->E,
				283	&ctx->D)) != 0) {
				284	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	285	}
				286	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	287
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	288	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	289	* Step 3: Deduce all additional parameters specific
Hanno Becker	e867489	2017-10-10 17:56:14 +0100	[diff] [blame]	290	* to our current RSA implementation.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	291	*/
				292
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	293	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	294	if (is_priv && !(have_DP && have_DQ && have_QP)) {
				295	ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
				296	&ctx->DP, &ctx->DQ, &ctx->QP);
				297	if (ret != 0) {
				298	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
				299	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	300	}
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	301	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	302
				303	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	304	* Step 3: Basic sanity checks
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	305	*/
				306
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	307	return rsa_check_context(ctx, is_priv, 1);
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	308	}
				309
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	310	int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
				311	unsigned char *N, size_t N_len,
				312	unsigned char *P, size_t P_len,
				313	unsigned char *Q, size_t Q_len,
				314	unsigned char *D, size_t D_len,
				315	unsigned char *E, size_t E_len)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	316	{
				317	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	318	int is_priv;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	319
				320	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	321	is_priv =
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	322	mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
				323	mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
				324	mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
				325	mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
				326	mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	327
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	328	if (!is_priv) {
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	329	/* If we're trying to export private parameters for a public key,
				330	* something must be wrong. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	331	if (P != NULL \|\| Q != NULL \|\| D != NULL) {
				332	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				333	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	334
				335	}
				336
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	337	if (N != NULL) {
				338	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
				339	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	340
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	341	if (P != NULL) {
				342	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
				343	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	344
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	345	if (Q != NULL) {
				346	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
				347	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	348
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	349	if (D != NULL) {
				350	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
				351	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	352
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	353	if (E != NULL) {
				354	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
				355	}
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	356
				357	cleanup:
				358
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	359	return ret;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	360	}
				361
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	362	int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
				363	mbedtls_mpi N, mbedtls_mpi P, mbedtls_mpi *Q,
				364	mbedtls_mpi D, mbedtls_mpi E)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	365	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	366	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	367	int is_priv;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	368
				369	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	370	is_priv =
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	371	mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
				372	mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
				373	mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
				374	mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
				375	mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	376
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	377	if (!is_priv) {
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	378	/* If we're trying to export private parameters for a public key,
				379	* something must be wrong. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	380	if (P != NULL \|\| Q != NULL \|\| D != NULL) {
				381	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				382	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	383
				384	}
				385
				386	/* Export all requested core parameters. */
				387
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	388	if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) \|\|
				389	(P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) \|\|
				390	(Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) \|\|
				391	(D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) \|\|
				392	(E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
				393	return ret;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	394	}
				395
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	396	return 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	397	}
				398
				399	/*
				400	* Export CRT parameters
				401	* This must also be implemented if CRT is not used, for being able to
				402	* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
				403	* can be used in this case.
				404	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	405	int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
				406	mbedtls_mpi DP, mbedtls_mpi DQ, mbedtls_mpi *QP)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	407	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	408	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	409	int is_priv;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	410
				411	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	412	is_priv =
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	413	mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
				414	mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
				415	mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
				416	mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
				417	mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	418
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	419	if (!is_priv) {
				420	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				421	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	422
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	423	#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	424	/* Export all requested blinding parameters. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	425	if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) \|\|
				426	(DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) \|\|
				427	(QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
				428	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	429	}
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	430	#else
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	431	if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
				432	DP, DQ, QP)) != 0) {
				433	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	434	}
				435	#endif
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	436
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	437	return 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	438	}
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	439
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	440	/*
				441	* Initialize an RSA context
				442	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	443	void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	444	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	445	memset(ctx, 0, sizeof(mbedtls_rsa_context));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	446
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	447	ctx->padding = MBEDTLS_RSA_PKCS_V15;
				448	ctx->hash_id = MBEDTLS_MD_NONE;
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	449
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	450	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	451	/* Set ctx->ver to nonzero to indicate that the mutex has been
				452	* initialized and will need to be freed. */
				453	ctx->ver = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	454	mbedtls_mutex_init(&ctx->mutex);
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	455	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	456	}
				457
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	458	/*
				459	* Set padding for an existing RSA context
				460	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	461	int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
				462	mbedtls_md_type_t hash_id)
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	463	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	464	switch (padding) {
Ronald Cron	3a0375f	2021-06-08 10:22:28 +0200	[diff] [blame]	465	#if defined(MBEDTLS_PKCS1_V15)
				466	case MBEDTLS_RSA_PKCS_V15:
				467	break;
				468	#endif
				469
				470	#if defined(MBEDTLS_PKCS1_V21)
				471	case MBEDTLS_RSA_PKCS_V21:
				472	break;
				473	#endif
				474	default:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	475	return MBEDTLS_ERR_RSA_INVALID_PADDING;
Ronald Cron	3a0375f	2021-06-08 10:22:28 +0200	[diff] [blame]	476	}
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	477
Manuel Pégourié-Gonnard	3356b89	2022-07-05 10:25:06 +0200	[diff] [blame]	478	#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	479	if ((padding == MBEDTLS_RSA_PKCS_V21) &&
				480	(hash_id != MBEDTLS_MD_NONE)) {
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	481	/* Just make sure this hash is supported in this build. */
Manuel Pégourié-Gonnard	2d6d993	2023-03-28 11:38:08 +0200	[diff] [blame^]	482	if (mbedtls_md_psa_alg_from_type(hash_id) == PSA_ALG_NONE) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	483	return MBEDTLS_ERR_RSA_INVALID_PADDING;
				484	}
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	485	}
Manuel Pégourié-Gonnard	3356b89	2022-07-05 10:25:06 +0200	[diff] [blame]	486	#endif /* MBEDTLS_PKCS1_V21 */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	487
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	488	ctx->padding = padding;
				489	ctx->hash_id = hash_id;
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	490
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	491	return 0;
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	492	}
				493
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	494	/*
Yanray Wang	83548b5	2023-03-15 16:46:34 +0800	[diff] [blame]	495	* Get padding mode of initialized RSA context
Yanray Wang	a730df6	2023-03-01 10:18:19 +0800	[diff] [blame]	496	*/
				497	int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx)
				498	{
Yanray Wang	644b901	2023-03-15 16:50:31 +0800	[diff] [blame]	499	return ctx->padding;
Yanray Wang	a730df6	2023-03-01 10:18:19 +0800	[diff] [blame]	500	}
				501
				502	/*
Yanray Wang	12cb396	2023-03-01 10:20:02 +0800	[diff] [blame]	503	* Get hash identifier of mbedtls_md_type_t type
				504	*/
Yanray Wang	d41684e	2023-03-17 18:54:22 +0800	[diff] [blame]	505	int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx)
Yanray Wang	12cb396	2023-03-01 10:20:02 +0800	[diff] [blame]	506	{
Yanray Wang	644b901	2023-03-15 16:50:31 +0800	[diff] [blame]	507	return ctx->hash_id;
Yanray Wang	12cb396	2023-03-01 10:20:02 +0800	[diff] [blame]	508	}
				509
				510	/*
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	511	* Get length in bytes of RSA modulus
				512	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	513	size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	514	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	515	return ctx->len;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	516	}
				517
				518
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	519	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	520
				521	/*
				522	* Generate an RSA keypair
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	523	*
				524	* This generation method follows the RSA key pair generation procedure of
				525	* FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	526	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	527	int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
				528	int (f_rng)(void , unsigned char *, size_t),
				529	void *p_rng,
				530	unsigned int nbits, int exponent)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	531	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	532	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	533	mbedtls_mpi H, G, L;
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	534	int prime_quality = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	535
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	536	/*
				537	* If the modulus is 1024 bit long or shorter, then the security strength of
				538	* the RSA algorithm is less than or equal to 80 bits and therefore an error
				539	* rate of 2^-80 is sufficient.
				540	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	541	if (nbits > 1024) {
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	542	prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	543	}
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	544
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	545	mbedtls_mpi_init(&H);
				546	mbedtls_mpi_init(&G);
				547	mbedtls_mpi_init(&L);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	548
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	549	if (nbits < 128 \|\| exponent < 3 \|\| nbits % 2 != 0) {
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	550	ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				551	goto cleanup;
				552	}
				553
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	554	/*
				555	* find primes P and Q with Q < P so that:
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	556	* 1. \|P-Q\| > 2^( nbits / 2 - 100 )
				557	* 2. GCD( E, (P-1)*(Q-1) ) == 1
				558	* 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	559	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	560	MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	561
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	562	do {
				563	MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
				564	prime_quality, f_rng, p_rng));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	565
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	566	MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
				567	prime_quality, f_rng, p_rng));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	568
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	569	/* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	570	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
				571	if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	572	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	573	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	574
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	575	/* not required by any standards, but some users rely on the fact that P > Q */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	576	if (H.s < 0) {
				577	mbedtls_mpi_swap(&ctx->P, &ctx->Q);
				578	}
Janos Follath	ef44178	2016-09-21 13:18:12 +0100	[diff] [blame]	579
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	580	/* Temporarily replace P,Q by P-1, Q-1 */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	581	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
				582	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
				583	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	584
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	585	/* check GCD( E, (P-1)(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) /
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	586	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
				587	if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	588	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	589	}
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	590
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	591	/* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	592	MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
				593	MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
				594	MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	595
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	596	if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	597	continue;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	598	}
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	599
				600	break;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	601	} while (1);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	602
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	603	/* Restore P,Q */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	604	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
				605	MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	606
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	607	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	608
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	609	ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	610
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	611	#if !defined(MBEDTLS_RSA_NO_CRT)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	612	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	613	* DP = D mod (P - 1)
				614	* DQ = D mod (Q - 1)
				615	* QP = Q^-1 mod P
				616	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	617	MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
				618	&ctx->DP, &ctx->DQ, &ctx->QP));
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	619	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	620
Hanno Becker	83aad1f	2017-08-23 06:45:10 +0100	[diff] [blame]	621	/* Double-check */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	622	MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	623
				624	cleanup:
				625
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	626	mbedtls_mpi_free(&H);
				627	mbedtls_mpi_free(&G);
				628	mbedtls_mpi_free(&L);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	629
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	630	if (ret != 0) {
				631	mbedtls_rsa_free(ctx);
Chris Jones	7439209	2021-04-01 16:00:01 +0100	[diff] [blame]	632
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	633	if ((-ret & ~0x7f) == 0) {
				634	ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
				635	}
				636	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	637	}
				638
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	639	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	640	}
				641
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	642	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	643
				644	/*
				645	* Check a public RSA key
				646	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	647	int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	648	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	649	if (rsa_check_context(ctx, 0 /* public /, 0 / no blinding */) != 0) {
				650	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	651	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	652
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	653	if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
				654	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	655	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	656
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	657	if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 \|\|
				658	mbedtls_mpi_bitlen(&ctx->E) < 2 \|\|
				659	mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
				660	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
				661	}
				662
				663	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	664	}
				665
				666	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	667	* Check for the consistency of all fields in an RSA private key context
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	668	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	669	int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	670	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	671	if (mbedtls_rsa_check_pubkey(ctx) != 0 \|\|
				672	rsa_check_context(ctx, 1 /* private /, 1 / blinding */) != 0) {
				673	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	674	}
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	675
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	676	if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
				677	&ctx->D, &ctx->E, NULL, NULL) != 0) {
				678	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	679	}
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	680
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	681	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	682	else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
				683	&ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
				684	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	685	}
				686	#endif
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	687
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	688	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	689	}
				690
				691	/*
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	692	* Check if contexts holding a public and private key match
				693	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	694	int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
				695	const mbedtls_rsa_context *prv)
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	696	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	697	if (mbedtls_rsa_check_pubkey(pub) != 0 \|\|
				698	mbedtls_rsa_check_privkey(prv) != 0) {
				699	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	700	}
				701
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	702	if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 \|\|
				703	mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
				704	return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	705	}
				706
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	707	return 0;
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	708	}
				709
				710	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	711	* Do an RSA public key operation
				712	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	713	int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
				714	const unsigned char *input,
				715	unsigned char *output)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	716	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	717	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	718	size_t olen;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	719	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	720
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	721	if (rsa_check_context(ctx, 0 /* public /, 0 / no blinding */)) {
				722	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				723	}
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	724
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	725	mbedtls_mpi_init(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	726
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	727	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	728	if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
				729	return ret;
				730	}
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	731	#endif
				732
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	733	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	734
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	735	if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	736	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				737	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	738	}
				739
				740	olen = ctx->len;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	741	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
				742	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	743
				744	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	745	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	746	if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
				747	return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
				748	}
Manuel Pégourié-Gonnard	88fca3e	2015-03-27 15:06:07 +0100	[diff] [blame]	749	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	750
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	751	mbedtls_mpi_free(&T);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	752
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	753	if (ret != 0) {
				754	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
				755	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	756
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	757	return 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	758	}
				759
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	760	/*
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	761	* Generate or update blinding values, see section 10 of:
				762	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard	998930a	2015-04-03 13:48:06 +0200	[diff] [blame]	763	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	764	* Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	765	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	766	static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
				767	int (f_rng)(void , unsigned char , size_t), void p_rng)
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	768	{
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	769	int ret, count = 0;
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	770	mbedtls_mpi R;
				771
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	772	mbedtls_mpi_init(&R);
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	773
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	774	if (ctx->Vf.p != NULL) {
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	775	/* We already have blinding values, just update them by squaring */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	776	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
				777	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
				778	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
				779	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	780
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	781	goto cleanup;
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	782	}
				783
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	784	/* Unblinding value: Vf = random number, invertible mod N */
				785	do {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	786	if (count++ > 10) {
Manuel Pégourié-Gonnard	e288ec0	2020-07-16 09:23:30 +0200	[diff] [blame]	787	ret = MBEDTLS_ERR_RSA_RNG_FAILED;
				788	goto cleanup;
				789	}
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	790
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	791	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	792
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	793	/* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	794	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
				795	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
				796	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	797
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	798	/* At this point, Vi is invertible mod N if and only if both Vf and R
				799	* are invertible mod N. If one of them isn't, we don't need to know
				800	* which one, we just loop and choose new values for both of them.
				801	* (Each iteration succeeds with overwhelming probability.) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	802	ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
				803	if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Manuel Pégourié-Gonnard	b3e3d79	2020-06-26 11:03:19 +0200	[diff] [blame]	804	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	805	}
Manuel Pégourié-Gonnard	b3e3d79	2020-06-26 11:03:19 +0200	[diff] [blame]	806
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	807	} while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
Peter Kolbus	ca8b8e7	2020-09-24 11:11:50 -0500	[diff] [blame]	808
				809	/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	810	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
				811	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	812
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	813	/* Blinding value: Vi = Vf^(-e) mod N
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	814	* (Vi already contains Vf^-1 at this point) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	815	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	816
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	817
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	818	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	819	mbedtls_mpi_free(&R);
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	820
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	821	return ret;
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	822	}
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	823
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	824	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	825	* Exponent blinding supposed to prevent side-channel attacks using multiple
				826	* traces of measurements to recover the RSA key. The more collisions are there,
				827	* the more bits of the key can be recovered. See [3].
				828	*
				829	* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	830	* observations on average.
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	831	*
				832	* For example with 28 byte blinding to achieve 2 collisions the adversary has
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	833	* to make 2^112 observations on average.
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	834	*
				835	* (With the currently (as of 2017 April) known best algorithms breaking 2048
				836	* bit RSA requires approximately as much time as trying out 2^112 random keys.
				837	* Thus in this sense with 28 byte blinding the security is not reduced by
				838	* side-channel attacks like the one in [3])
				839	*
				840	* This countermeasure does not help if the key recovery is possible with a
				841	* single trace.
				842	*/
				843	#define RSA_EXPONENT_BLINDING 28
				844
				845	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	846	* Do an RSA private key operation
				847	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	848	int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
				849	int (f_rng)(void , unsigned char *, size_t),
				850	void *p_rng,
				851	const unsigned char *input,
				852	unsigned char *output)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	853	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	854	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	855	size_t olen;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	856
				857	/* Temporary holding the result */
				858	mbedtls_mpi T;
				859
				860	/* Temporaries holding P-1, Q-1 and the
				861	* exponent blinding factor, respectively. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	862	mbedtls_mpi P1, Q1, R;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	863
				864	#if !defined(MBEDTLS_RSA_NO_CRT)
				865	/* Temporaries holding the results mod p resp. mod q. */
				866	mbedtls_mpi TP, TQ;
				867
				868	/* Temporaries holding the blinded exponents for
				869	* the mod p resp. mod q computation (if used). */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	870	mbedtls_mpi DP_blind, DQ_blind;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	871
				872	/* Pointers to actual exponents to be used - either the unblinded
				873	* or the blinded ones, depending on the presence of a PRNG. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	874	mbedtls_mpi *DP = &ctx->DP;
				875	mbedtls_mpi *DQ = &ctx->DQ;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	876	#else
				877	/* Temporary holding the blinded exponent (if used). */
				878	mbedtls_mpi D_blind;
				879
				880	/* Pointer to actual exponent to be used - either the unblinded
				881	* or the blinded one, depending on the presence of a PRNG. */
				882	mbedtls_mpi *D = &ctx->D;
Hanno Becker	43f9472	2017-08-25 11:50:00 +0100	[diff] [blame]	883	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	884
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	885	/* Temporaries holding the initial input and the double
				886	* checked result; should be the same in the end. */
				887	mbedtls_mpi I, C;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	888
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	889	if (f_rng == NULL) {
				890	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				891	}
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	892
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	893	if (rsa_check_context(ctx, 1 /* private key checks */,
				894	1 /* blinding on */) != 0) {
				895	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	896	}
Manuel Pégourié-Gonnard	fb84d38	2015-10-30 10:56:25 +0100	[diff] [blame]	897
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	898	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	899	if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
				900	return ret;
				901	}
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	902	#endif
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	903
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	904	/* MPI Initialization */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	905	mbedtls_mpi_init(&T);
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	906
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	907	mbedtls_mpi_init(&P1);
				908	mbedtls_mpi_init(&Q1);
				909	mbedtls_mpi_init(&R);
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	910
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	911	#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	912	mbedtls_mpi_init(&D_blind);
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	913	#else
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	914	mbedtls_mpi_init(&DP_blind);
				915	mbedtls_mpi_init(&DQ_blind);
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	916	#endif
				917
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	918	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	919	mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	920	#endif
				921
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	922	mbedtls_mpi_init(&I);
				923	mbedtls_mpi_init(&C);
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	924
				925	/* End of MPI initialization */
				926
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	927	MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
				928	if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	929	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				930	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	931	}
				932
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	933	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	934
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	935	/*
				936	* Blinding
				937	* T = T * Vi mod N
				938	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	939	MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
				940	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
				941	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	942
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	943	/*
				944	* Exponent blinding
				945	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	946	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
				947	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	948
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	949	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	950	/*
				951	* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
				952	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	953	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
				954	f_rng, p_rng));
				955	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
				956	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
				957	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	958
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	959	D = &D_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	960	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	961	/*
				962	* DP_blind = ( P - 1 ) * R + DP
				963	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	964	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
				965	f_rng, p_rng));
				966	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
				967	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
				968	&ctx->DP));
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	969
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	970	DP = &DP_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	971
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	972	/*
				973	* DQ_blind = ( Q - 1 ) * R + DQ
				974	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	975	MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
				976	f_rng, p_rng));
				977	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
				978	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
				979	&ctx->DQ));
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	980
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	981	DQ = &DQ_blind;
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	982	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	983
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	984	#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	985	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
Manuel Pégourié-Gonnard	e10e06d	2014-11-06 18:15:12 +0100	[diff] [blame]	986	#else
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	987	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	988	* Faster decryption using the CRT
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	989	*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	990	* TP = input ^ dP mod P
				991	* TQ = input ^ dQ mod Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	992	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	993
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	994	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
				995	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	996
				997	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	998	* T = (TP - TQ) * (Q^-1 mod P) mod P
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	999	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1000	MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
				1001	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
				1002	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1003
				1004	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1005	* T = TQ + T * Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1006	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1007	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
				1008	MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1009	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1010
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1011	/*
				1012	* Unblind
				1013	* T = T * Vf mod N
				1014	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1015	MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));
				1016	MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1017
Hanno Becker	2dec5e8	2017-10-03 07:49:52 +0100	[diff] [blame]	1018	/* Verify the result to prevent glitching attacks. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1019	MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
				1020	&ctx->N, &ctx->RN));
				1021	if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1022	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				1023	goto cleanup;
				1024	}
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1025
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1026	olen = ctx->len;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1027	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1028
				1029	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1030	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1031	if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
				1032	return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
				1033	}
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	1034	#endif
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	1035
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1036	mbedtls_mpi_free(&P1);
				1037	mbedtls_mpi_free(&Q1);
				1038	mbedtls_mpi_free(&R);
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1039
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1040	#if defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1041	mbedtls_mpi_free(&D_blind);
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1042	#else
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1043	mbedtls_mpi_free(&DP_blind);
				1044	mbedtls_mpi_free(&DQ_blind);
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1045	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1046
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1047	mbedtls_mpi_free(&T);
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1048
				1049	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1050	mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1051	#endif
				1052
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1053	mbedtls_mpi_free(&C);
				1054	mbedtls_mpi_free(&I);
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1055
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1056	if (ret != 0 && ret >= -0x007f) {
				1057	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
				1058	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1059
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1060	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1061	}
				1062
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1063	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1064	/**
				1065	* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
				1066	*
Paul Bakker	b125ed8	2011-11-10 13:33:51 +0000	[diff] [blame]	1067	* \param dst buffer to mask
				1068	* \param dlen length of destination buffer
				1069	* \param src source of the mask generation
				1070	* \param slen length of the source buffer
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1071	* \param md_alg message digest to use
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1072	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1073	static int mgf_mask(unsigned char dst, size_t dlen, unsigned char src,
				1074	size_t slen, mbedtls_md_type_t md_alg)
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1075	{
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1076	unsigned char counter[4];
				1077	unsigned char *p;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1078	unsigned int hlen;
				1079	size_t i, use_len;
Manuel Pégourié-Gonnard	8857984	2023-03-28 11:20:23 +0200	[diff] [blame]	1080	unsigned char mask[MBEDTLS_MD_MAX_SIZE];
Andres Amaya Garcia	94682d1	2017-07-20 14:26:37 +0100	[diff] [blame]	1081	int ret = 0;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1082	const mbedtls_md_info_t *md_info;
				1083	mbedtls_md_context_t md_ctx;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1084
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1085	mbedtls_md_init(&md_ctx);
				1086	md_info = mbedtls_md_info_from_type(md_alg);
				1087	if (md_info == NULL) {
				1088	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1089	}
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1090
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1091	mbedtls_md_init(&md_ctx);
				1092	if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1093	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1094	}
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1095
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1096	hlen = mbedtls_md_get_size(md_info);
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1097
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1098	memset(mask, 0, sizeof(mask));
				1099	memset(counter, 0, 4);
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1100
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1101	/* Generate and apply dbMask */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1102	p = dst;
				1103
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1104	while (dlen > 0) {
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1105	use_len = hlen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1106	if (dlen < hlen) {
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1107	use_len = dlen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1108	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1109
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1110	if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1111	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1112	}
				1113	if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1114	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1115	}
				1116	if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1117	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1118	}
				1119	if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1120	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1121	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1122
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1123	for (i = 0; i < use_len; ++i) {
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1124	*p++ ^= mask[i];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1125	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1126
				1127	counter[3]++;
				1128
				1129	dlen -= use_len;
				1130	}
Gilles Peskine	18ac716	2017-05-05 19:24:06 +0200	[diff] [blame]	1131
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1132	exit:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1133	mbedtls_platform_zeroize(mask, sizeof(mask));
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1134	mbedtls_md_free(&md_ctx);
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1135
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1136	return ret;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1137	}
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1138
				1139	/**
				1140	* Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
				1141	*
				1142	* \param hash the input hash
				1143	* \param hlen length of the input hash
				1144	* \param salt the input salt
				1145	* \param slen length of the input salt
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1146	* \param out the output buffer - must be large enough for \p md_alg
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1147	* \param md_alg message digest to use
				1148	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1149	static int hash_mprime(const unsigned char *hash, size_t hlen,
				1150	const unsigned char *salt, size_t slen,
				1151	unsigned char *out, mbedtls_md_type_t md_alg)
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1152	{
				1153	const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1154
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1155	mbedtls_md_context_t md_ctx;
Przemek Stekiel	f98b57f	2022-07-29 11:27:46 +0200	[diff] [blame]	1156	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1157
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1158	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
				1159	if (md_info == NULL) {
				1160	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1161	}
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1162
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1163	mbedtls_md_init(&md_ctx);
				1164	if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1165	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1166	}
				1167	if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1168	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1169	}
				1170	if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1171	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1172	}
				1173	if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1174	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1175	}
				1176	if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1177	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1178	}
				1179	if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1180	goto exit;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1181	}
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1182
				1183	exit:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1184	mbedtls_md_free(&md_ctx);
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1185
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1186	return ret;
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1187	}
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1188
				1189	/**
				1190	* Compute a hash.
				1191	*
				1192	* \param md_alg algorithm to use
				1193	* \param input input message to hash
				1194	* \param ilen input length
				1195	* \param output the output buffer - must be large enough for \p md_alg
				1196	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1197	static int compute_hash(mbedtls_md_type_t md_alg,
				1198	const unsigned char *input, size_t ilen,
				1199	unsigned char *output)
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1200	{
				1201	const mbedtls_md_info_t *md_info;
				1202
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1203	md_info = mbedtls_md_info_from_type(md_alg);
				1204	if (md_info == NULL) {
				1205	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1206	}
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1207
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1208	return mbedtls_md(md_info, input, ilen, output);
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1209	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1210	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1211
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1212	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1213	/*
				1214	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
				1215	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1216	int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
				1217	int (f_rng)(void , unsigned char *, size_t),
				1218	void *p_rng,
				1219	const unsigned char *label, size_t label_len,
				1220	size_t ilen,
				1221	const unsigned char *input,
				1222	unsigned char *output)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1223	{
				1224	size_t olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1225	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1226	unsigned char *p = output;
				1227	unsigned int hlen;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1228
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1229	if (f_rng == NULL) {
				1230	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1231	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1232
Manuel Pégourié-Gonnard	9b41eb8	2023-03-28 11:14:24 +0200	[diff] [blame]	1233	hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1234	if (hlen == 0) {
				1235	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1236	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1237
				1238	olen = ctx->len;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1239
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1240	/* first comparison checks for overflow */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1241	if (ilen + 2 * hlen + 2 < ilen \|\| olen < ilen + 2 * hlen + 2) {
				1242	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1243	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1244
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1245	memset(output, 0, olen);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1246
				1247	*p++ = 0;
				1248
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1249	/* Generate a random octet string seed */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1250	if ((ret = f_rng(p_rng, p, hlen)) != 0) {
				1251	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
				1252	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1253
				1254	p += hlen;
				1255
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1256	/* Construct DB */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1257	ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
				1258	if (ret != 0) {
				1259	return ret;
				1260	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1261	p += hlen;
				1262	p += olen - 2 * hlen - 2 - ilen;
				1263	*p++ = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1264	if (ilen != 0) {
				1265	memcpy(p, input, ilen);
				1266	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1267
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1268	/* maskedDB: Apply dbMask to DB */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1269	if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
				1270	ctx->hash_id)) != 0) {
				1271	return ret;
				1272	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1273
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1274	/* maskedSeed: Apply seedMask to seed */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1275	if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
				1276	ctx->hash_id)) != 0) {
				1277	return ret;
				1278	}
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1279
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1280	return mbedtls_rsa_public(ctx, output, output);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1281	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1282	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1283
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1284	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1285	/*
				1286	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
				1287	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1288	int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
				1289	int (f_rng)(void , unsigned char *, size_t),
				1290	void *p_rng, size_t ilen,
				1291	const unsigned char *input,
				1292	unsigned char *output)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1293	{
				1294	size_t nb_pad, olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1295	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1296	unsigned char *p = output;
				1297
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1298	olen = ctx->len;
Manuel Pégourié-Gonnard	370717b	2016-02-11 10:35:13 +0100	[diff] [blame]	1299
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1300	/* first comparison checks for overflow */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1301	if (ilen + 11 < ilen \|\| olen < ilen + 11) {
				1302	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1303	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1304
				1305	nb_pad = olen - 3 - ilen;
				1306
				1307	*p++ = 0;
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1308
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1309	if (f_rng == NULL) {
				1310	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1311	}
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1312
				1313	*p++ = MBEDTLS_RSA_CRYPT;
				1314
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1315	while (nb_pad-- > 0) {
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1316	int rng_dl = 100;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1317
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1318	do {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1319	ret = f_rng(p_rng, p, 1);
				1320	} while (*p == 0 && --rng_dl && ret == 0);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1321
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1322	/* Check if RNG failed to generate data */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1323	if (rng_dl == 0 \|\| ret != 0) {
				1324	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
				1325	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1326
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1327	p++;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1328	}
				1329
				1330	*p++ = 0;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1331	if (ilen != 0) {
				1332	memcpy(p, input, ilen);
				1333	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1334
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1335	return mbedtls_rsa_public(ctx, output, output);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1336	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1337	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1338
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1339	/*
				1340	* Add the message padding, then do an RSA operation
				1341	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1342	int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
				1343	int (f_rng)(void , unsigned char *, size_t),
				1344	void *p_rng,
				1345	size_t ilen,
				1346	const unsigned char *input,
				1347	unsigned char *output)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1348	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1349	switch (ctx->padding) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1350	#if defined(MBEDTLS_PKCS1_V15)
				1351	case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1352	return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
				1353	ilen, input, output);
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1354	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1355
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1356	#if defined(MBEDTLS_PKCS1_V21)
				1357	case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1358	return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
				1359	ilen, input, output);
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1360	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1361
				1362	default:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1363	return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1364	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1365	}
				1366
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1367	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1368	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1369	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1370	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1371	int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
				1372	int (f_rng)(void , unsigned char *, size_t),
				1373	void *p_rng,
				1374	const unsigned char *label, size_t label_len,
				1375	size_t *olen,
				1376	const unsigned char *input,
				1377	unsigned char *output,
				1378	size_t output_max_len)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1379	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1380	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1381	size_t ilen, i, pad_len;
				1382	unsigned char *p, bad, pad_done;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1383	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Manuel Pégourié-Gonnard	8857984	2023-03-28 11:20:23 +0200	[diff] [blame]	1384	unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1385	unsigned int hlen;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1386
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1387	/*
				1388	* Parameters sanity checks
				1389	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1390	if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
				1391	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1392	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1393
				1394	ilen = ctx->len;
				1395
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1396	if (ilen < 16 \|\| ilen > sizeof(buf)) {
				1397	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1398	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1399
Manuel Pégourié-Gonnard	9b41eb8	2023-03-28 11:14:24 +0200	[diff] [blame]	1400	hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1401	if (hlen == 0) {
				1402	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1403	}
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1404
Janos Follath	c17cda1	2016-02-11 11:08:18 +0000	[diff] [blame]	1405	// checking for integer underflow
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1406	if (2 * hlen + 2 > ilen) {
				1407	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1408	}
Janos Follath	c17cda1	2016-02-11 11:08:18 +0000	[diff] [blame]	1409
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1410	/*
				1411	* RSA operation
				1412	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1413	ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1414
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1415	if (ret != 0) {
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1416	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1417	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1418
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1419	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1420	* Unmask data and generate lHash
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1421	*/
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1422	/* seed: Apply seedMask to maskedSeed */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1423	if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
				1424	ctx->hash_id)) != 0 \|\|
				1425	/* DB: Apply dbMask to maskedDB */
				1426	(ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
				1427	ctx->hash_id)) != 0) {
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1428	goto cleanup;
				1429	}
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1430
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1431	/* Generate lHash */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1432	ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
				1433	label, label_len, lhash);
				1434	if (ret != 0) {
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1435	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1436	}
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1437
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1438	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1439	* Check contents, in "constant-time"
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1440	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1441	p = buf;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1442	bad = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1443
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1444	bad \|= p++; / First byte must be 0 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1445
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1446	p += hlen; /* Skip seed */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1447
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1448	/* Check lHash */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1449	for (i = 0; i < hlen; i++) {
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1450	bad \|= lhash[i] ^ *p++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1451	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1452
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1453	/* Get zero-padding len, but always read till end of buffer
				1454	* (minus one, for the 01 byte) */
				1455	pad_len = 0;
				1456	pad_done = 0;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1457	for (i = 0; i < ilen - 2 * hlen - 2; i++) {
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1458	pad_done \|= p[i];
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1459	pad_len += ((pad_done \| (unsigned char) -pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1460	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1461
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1462	p += pad_len;
				1463	bad \|= *p++ ^ 0x01;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1464
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1465	/*
				1466	* The only information "leaked" is whether the padding was correct or not
				1467	* (eg, no data is copied if it was not correct). This meets the
				1468	* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
				1469	* the different error conditions.
				1470	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1471	if (bad != 0) {
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1472	ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
				1473	goto cleanup;
				1474	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1475
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1476	if (ilen - (p - buf) > output_max_len) {
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1477	ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
				1478	goto cleanup;
				1479	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1480
				1481	*olen = ilen - (p - buf);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1482	if (*olen != 0) {
				1483	memcpy(output, p, *olen);
				1484	}
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1485	ret = 0;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1486
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1487	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1488	mbedtls_platform_zeroize(buf, sizeof(buf));
				1489	mbedtls_platform_zeroize(lhash, sizeof(lhash));
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1490
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1491	return ret;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1492	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1493	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1494
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1495	#if defined(MBEDTLS_PKCS1_V15)
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1496	/*
				1497	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
				1498	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1499	int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
				1500	int (f_rng)(void , unsigned char *, size_t),
				1501	void *p_rng,
				1502	size_t *olen,
				1503	const unsigned char *input,
				1504	unsigned char *output,
				1505	size_t output_max_len)
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1506	{
				1507	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				1508	size_t ilen;
				1509	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
				1510
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1511	ilen = ctx->len;
				1512
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1513	if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
				1514	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1515	}
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1516
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1517	if (ilen < 16 \|\| ilen > sizeof(buf)) {
				1518	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1519	}
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1520
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1521	ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1522
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1523	if (ret != 0) {
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1524	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1525	}
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1526
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1527	ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
				1528	output, output_max_len, olen);
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1529
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1530	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1531	mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1532
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1533	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1534	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1535	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1536
				1537	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1538	* Do an RSA operation, then remove the message padding
				1539	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1540	int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
				1541	int (f_rng)(void , unsigned char *, size_t),
				1542	void *p_rng,
				1543	size_t *olen,
				1544	const unsigned char *input,
				1545	unsigned char *output,
				1546	size_t output_max_len)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1547	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1548	switch (ctx->padding) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1549	#if defined(MBEDTLS_PKCS1_V15)
				1550	case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1551	return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
				1552	input, output, output_max_len);
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1553	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1554
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1555	#if defined(MBEDTLS_PKCS1_V21)
				1556	case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1557	return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
				1558	olen, input, output,
				1559	output_max_len);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1560	#endif
				1561
				1562	default:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1563	return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1564	}
				1565	}
				1566
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1567	#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1568	static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
				1569	int (f_rng)(void , unsigned char *, size_t),
				1570	void *p_rng,
				1571	mbedtls_md_type_t md_alg,
				1572	unsigned int hashlen,
				1573	const unsigned char *hash,
				1574	int saltlen,
				1575	unsigned char *sig)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1576	{
				1577	size_t olen;
				1578	unsigned char *p = sig;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1579	unsigned char *salt = NULL;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1580	size_t slen, min_slen, hlen, offset = 0;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1581	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1582	size_t msb;
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1583
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1584	if ((md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	1585	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1586	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1587
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1588	if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
				1589	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1590	}
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1591
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1592	if (f_rng == NULL) {
				1593	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1594	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1595
				1596	olen = ctx->len;
				1597
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1598	if (md_alg != MBEDTLS_MD_NONE) {
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1599	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	9b41eb8	2023-03-28 11:14:24 +0200	[diff] [blame]	1600	size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1601	if (exp_hashlen == 0) {
				1602	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1603	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	1604
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1605	if (hashlen != exp_hashlen) {
				1606	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1607	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1608	}
				1609
Manuel Pégourié-Gonnard	9b41eb8	2023-03-28 11:14:24 +0200	[diff] [blame]	1610	hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1611	if (hlen == 0) {
				1612	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1613	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1614
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1615	if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
				1616	/* Calculate the largest possible salt length, up to the hash size.
				1617	* Normally this is the hash length, which is the maximum salt length
				1618	* according to FIPS 185-4 §5.5 (e) and common practice. If there is not
				1619	* enough room, use the maximum salt length that fits. The constraint is
				1620	* that the hash length plus the salt length plus 2 bytes must be at most
				1621	* the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
				1622	* (PKCS#1 v2.2) §9.1.1 step 3. */
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1623	min_slen = hlen - 2;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1624	if (olen < hlen + min_slen + 2) {
				1625	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1626	} else if (olen >= hlen + hlen + 2) {
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1627	slen = hlen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1628	} else {
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1629	slen = olen - hlen - 2;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1630	}
				1631	} else if ((saltlen < 0) \|\| (saltlen + hlen + 2 > olen)) {
				1632	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1633	} else {
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1634	slen = (size_t) saltlen;
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1635	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1636
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1637	memset(sig, 0, olen);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1638
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1639	/* Note: EMSA-PSS encoding is over the length of N - 1 bits */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1640	msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1641	p += olen - hlen - slen - 2;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1642	*p++ = 0x01;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1643
				1644	/* Generate salt of length slen in place in the encoded message */
				1645	salt = p;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1646	if ((ret = f_rng(p_rng, salt, slen)) != 0) {
				1647	return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
				1648	}
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1649
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1650	p += slen;
				1651
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1652	/* Generate H = Hash( M' ) */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1653	ret = hash_mprime(hash, hashlen, salt, slen, p, ctx->hash_id);
				1654	if (ret != 0) {
				1655	return ret;
				1656	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1657
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1658	/* Compensate for boundary condition when applying mask */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1659	if (msb % 8 == 0) {
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1660	offset = 1;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1661	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1662
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1663	/* maskedDB: Apply dbMask to DB */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1664	ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,
				1665	ctx->hash_id);
				1666	if (ret != 0) {
				1667	return ret;
				1668	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1669
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1670	msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
				1671	sig[0] &= 0xFF >> (olen * 8 - msb);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1672
				1673	p += hlen;
				1674	*p++ = 0xBC;
				1675
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1676	return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1677	}
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1678
				1679	/*
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1680	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
				1681	* the option to pass in the salt length.
				1682	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1683	int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
				1684	int (f_rng)(void , unsigned char *, size_t),
				1685	void *p_rng,
				1686	mbedtls_md_type_t md_alg,
				1687	unsigned int hashlen,
				1688	const unsigned char *hash,
				1689	int saltlen,
				1690	unsigned char *sig)
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1691	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1692	return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
				1693	hashlen, hash, saltlen, sig);
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1694	}
				1695
				1696
				1697	/*
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1698	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
				1699	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1700	int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
				1701	int (f_rng)(void , unsigned char *, size_t),
				1702	void *p_rng,
				1703	mbedtls_md_type_t md_alg,
				1704	unsigned int hashlen,
				1705	const unsigned char *hash,
				1706	unsigned char *sig)
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1707	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1708	return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
				1709	hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1710	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1711	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1712
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1713	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1714	/*
				1715	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
				1716	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1717
				1718	/* Construct a PKCS v1.5 encoding of a hashed message
				1719	*
				1720	* This is used both for signature generation and verification.
				1721	*
				1722	* Parameters:
				1723	* - md_alg: Identifies the hash algorithm used to generate the given hash;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1724	* MBEDTLS_MD_NONE if raw data is signed.
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1725	* - hashlen: Length of hash. Must match md_alg if that's not NONE.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1726	* - hash: Buffer containing the hashed message or the raw data.
				1727	* - dst_len: Length of the encoded message.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1728	* - dst: Buffer to hold the encoded message.
				1729	*
				1730	* Assumptions:
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1731	* - hash has size hashlen.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1732	* - dst points to a buffer of size at least dst_len.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1733	*
				1734	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1735	static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
				1736	unsigned int hashlen,
				1737	const unsigned char *hash,
				1738	size_t dst_len,
				1739	unsigned char *dst)
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1740	{
				1741	size_t oid_size = 0;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1742	size_t nb_pad = dst_len;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1743	unsigned char *p = dst;
				1744	const char *oid = NULL;
				1745
				1746	/* Are we signing hashed or raw data? */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1747	if (md_alg != MBEDTLS_MD_NONE) {
Manuel Pégourié-Gonnard	9b41eb8	2023-03-28 11:14:24 +0200	[diff] [blame]	1748	unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1749	if (md_size == 0) {
				1750	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1751	}
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1752
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1753	if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
				1754	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1755	}
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1756
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1757	if (hashlen != md_size) {
				1758	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1759	}
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1760
				1761	/* Double-check that 8 + hashlen + oid_size can be used as a
				1762	* 1-byte ASN.1 length encoding and that there's no overflow. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1763	if (8 + hashlen + oid_size >= 0x80 \|\|
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1764	10 + hashlen < hashlen \|\|
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1765	10 + hashlen + oid_size < 10 + hashlen) {
				1766	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1767	}
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1768
				1769	/*
				1770	* Static bounds check:
				1771	* - Need 10 bytes for five tag-length pairs.
				1772	* (Insist on 1-byte length encodings to protect against variants of
				1773	* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
				1774	* - Need hashlen bytes for hash
				1775	* - Need oid_size bytes for hash alg OID.
				1776	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1777	if (nb_pad < 10 + hashlen + oid_size) {
				1778	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1779	}
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1780	nb_pad -= 10 + hashlen + oid_size;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1781	} else {
				1782	if (nb_pad < hashlen) {
				1783	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1784	}
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1785
				1786	nb_pad -= hashlen;
				1787	}
				1788
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1789	/* Need space for signature header and padding delimiter (3 bytes),
				1790	* and 8 bytes for the minimal padding */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1791	if (nb_pad < 3 + 8) {
				1792	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1793	}
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1794	nb_pad -= 3;
				1795
				1796	/* Now nb_pad is the amount of memory to be filled
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1797	* with padding, and at least 8 bytes long. */
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1798
				1799	/* Write signature header and padding */
				1800	*p++ = 0;
				1801	*p++ = MBEDTLS_RSA_SIGN;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1802	memset(p, 0xFF, nb_pad);
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1803	p += nb_pad;
				1804	*p++ = 0;
				1805
				1806	/* Are we signing raw data? */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1807	if (md_alg == MBEDTLS_MD_NONE) {
				1808	memcpy(p, hash, hashlen);
				1809	return 0;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1810	}
				1811
				1812	/* Signing hashed data, add corresponding ASN.1 structure
				1813	*
				1814	* DigestInfo ::= SEQUENCE {
				1815	* digestAlgorithm DigestAlgorithmIdentifier,
				1816	* digest Digest }
				1817	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
				1818	* Digest ::= OCTET STRING
				1819	*
				1820	* Schematic:
				1821	* TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
				1822	* TAG-NULL + LEN [ NULL ] ]
				1823	* TAG-OCTET + LEN [ HASH ] ]
				1824	*/
				1825	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1826	*p++ = (unsigned char) (0x08 + oid_size + hashlen);
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1827	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1828	*p++ = (unsigned char) (0x04 + oid_size);
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1829	*p++ = MBEDTLS_ASN1_OID;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1830	*p++ = (unsigned char) oid_size;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1831	memcpy(p, oid, oid_size);
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1832	p += oid_size;
				1833	*p++ = MBEDTLS_ASN1_NULL;
				1834	*p++ = 0x00;
				1835	*p++ = MBEDTLS_ASN1_OCTET_STRING;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1836	*p++ = (unsigned char) hashlen;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1837	memcpy(p, hash, hashlen);
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1838	p += hashlen;
				1839
				1840	/* Just a sanity-check, should be automatic
				1841	* after the initial bounds check. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1842	if (p != dst + dst_len) {
				1843	mbedtls_platform_zeroize(dst, dst_len);
				1844	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1845	}
				1846
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1847	return 0;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1848	}
				1849
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1850	/*
				1851	* Do an RSA operation to sign the message digest
				1852	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1853	int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
				1854	int (f_rng)(void , unsigned char *, size_t),
				1855	void *p_rng,
				1856	mbedtls_md_type_t md_alg,
				1857	unsigned int hashlen,
				1858	const unsigned char *hash,
				1859	unsigned char *sig)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1860	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1861	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1862	unsigned char sig_try = NULL, verif = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1863
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1864	if ((md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	1865	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1866	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1867
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1868	if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
				1869	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1870	}
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1871
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1872	/*
				1873	* Prepare PKCS1-v1.5 encoding (padding and hash identifier)
				1874	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1875
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1876	if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
				1877	ctx->len, sig)) != 0) {
				1878	return ret;
				1879	}
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1880
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1881	/* Private key operation
				1882	*
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1883	* In order to prevent Lenstra's attack, make the signature in a
				1884	* temporary buffer and check it before returning it.
				1885	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1886
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1887	sig_try = mbedtls_calloc(1, ctx->len);
				1888	if (sig_try == NULL) {
				1889	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
Simon Butcher	1285ab5	2016-01-01 21:42:47 +0000	[diff] [blame]	1890	}
				1891
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1892	verif = mbedtls_calloc(1, ctx->len);
				1893	if (verif == NULL) {
				1894	mbedtls_free(sig_try);
				1895	return MBEDTLS_ERR_MPI_ALLOC_FAILED;
				1896	}
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1897
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1898	MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
				1899	MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
				1900
				1901	if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1902	ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
				1903	goto cleanup;
				1904	}
				1905
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1906	memcpy(sig, sig_try, ctx->len);
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1907
				1908	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1909	mbedtls_platform_zeroize(sig_try, ctx->len);
				1910	mbedtls_platform_zeroize(verif, ctx->len);
				1911	mbedtls_free(sig_try);
				1912	mbedtls_free(verif);
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1913
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1914	if (ret != 0) {
				1915	memset(sig, '!', ctx->len);
				1916	}
				1917	return ret;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1918	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1919	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1920
				1921	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1922	* Do an RSA operation to sign the message digest
				1923	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1924	int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
				1925	int (f_rng)(void , unsigned char *, size_t),
				1926	void *p_rng,
				1927	mbedtls_md_type_t md_alg,
				1928	unsigned int hashlen,
				1929	const unsigned char *hash,
				1930	unsigned char *sig)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1931	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1932	if ((md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	1933	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1934	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1935
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1936	switch (ctx->padding) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1937	#if defined(MBEDTLS_PKCS1_V15)
				1938	case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1939	return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
				1940	md_alg, hashlen, hash, sig);
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1941	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1942
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1943	#if defined(MBEDTLS_PKCS1_V21)
				1944	case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1945	return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
				1946	hashlen, hash, sig);
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1947	#endif
				1948
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1949	default:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1950	return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1951	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1952	}
				1953
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1954	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1955	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1956	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1957	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1958	int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
				1959	mbedtls_md_type_t md_alg,
				1960	unsigned int hashlen,
				1961	const unsigned char *hash,
				1962	mbedtls_md_type_t mgf1_hash_id,
				1963	int expected_salt_len,
				1964	const unsigned char *sig)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1965	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1966	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1967	size_t siglen;
				1968	unsigned char *p;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	1969	unsigned char *hash_start;
Manuel Pégourié-Gonnard	8857984	2023-03-28 11:20:23 +0200	[diff] [blame]	1970	unsigned char result[MBEDTLS_MD_MAX_SIZE];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1971	unsigned int hlen;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	1972	size_t observed_salt_len, msb;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1973	unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1974
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1975	if ((md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	1976	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1977	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1978
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1979	siglen = ctx->len;
				1980
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1981	if (siglen < 16 \|\| siglen > sizeof(buf)) {
				1982	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				1983	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1984
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1985	ret = mbedtls_rsa_public(ctx, sig, buf);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1986
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1987	if (ret != 0) {
				1988	return ret;
				1989	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1990
				1991	p = buf;
				1992
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1993	if (buf[siglen - 1] != 0xBC) {
				1994	return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1995	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1996
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	1997	if (md_alg != MBEDTLS_MD_NONE) {
				1998	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	9b41eb8	2023-03-28 11:14:24 +0200	[diff] [blame]	1999	size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2000	if (exp_hashlen == 0) {
				2001	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				2002	}
				2003
				2004	if (hashlen != exp_hashlen) {
				2005	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				2006	}
				2007	}
				2008
Manuel Pégourié-Gonnard	9b41eb8	2023-03-28 11:14:24 +0200	[diff] [blame]	2009	hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2010	if (hlen == 0) {
				2011	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				2012	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2013
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2014	/*
				2015	* Note: EMSA-PSS verification is over the length of N - 1 bits
				2016	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2017	msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2018
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2019	if (buf[0] >> (8 - siglen * 8 + msb)) {
				2020	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				2021	}
Gilles Peskine	b00b0da	2017-10-19 15:23:49 +0200	[diff] [blame]	2022
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2023	/* Compensate for boundary condition when applying mask */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2024	if (msb % 8 == 0) {
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2025	p++;
				2026	siglen -= 1;
				2027	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2028
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2029	if (siglen < hlen + 2) {
				2030	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				2031	}
Gilles Peskine	139108a	2017-10-18 19:03:42 +0200	[diff] [blame]	2032	hash_start = p + siglen - hlen - 1;
				2033
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2034	ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
				2035	if (ret != 0) {
				2036	return ret;
				2037	}
Paul Bakker	02303e8	2013-01-03 11:08:31 +0100	[diff] [blame]	2038
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2039	buf[0] &= 0xFF >> (siglen * 8 - msb);
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2040
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2041	while (p < hash_start - 1 && *p == 0) {
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2042	p++;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2043	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2044
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2045	if (*p++ != 0x01) {
				2046	return MBEDTLS_ERR_RSA_INVALID_PADDING;
				2047	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2048
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2049	observed_salt_len = hash_start - p;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2050
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2051	if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
				2052	observed_salt_len != (size_t) expected_salt_len) {
				2053	return MBEDTLS_ERR_RSA_INVALID_PADDING;
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2054	}
				2055
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2056	/*
				2057	* Generate H = Hash( M' )
				2058	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2059	ret = hash_mprime(hash, hashlen, p, observed_salt_len,
				2060	result, mgf1_hash_id);
				2061	if (ret != 0) {
				2062	return ret;
				2063	}
Paul Bakker	53019ae	2011-03-25 13:58:48 +0000	[diff] [blame]	2064
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2065	if (memcmp(hash_start, result, hlen) != 0) {
				2066	return MBEDTLS_ERR_RSA_VERIFY_FAILED;
				2067	}
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2068
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2069	return 0;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2070	}
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2071
				2072	/*
				2073	* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
				2074	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2075	int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
				2076	mbedtls_md_type_t md_alg,
				2077	unsigned int hashlen,
				2078	const unsigned char *hash,
				2079	const unsigned char *sig)
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2080	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2081	mbedtls_md_type_t mgf1_hash_id;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2082	if ((md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	2083	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2084	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2085
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2086	mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2087	? (mbedtls_md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2088	: md_alg;
				2089
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2090	return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
				2091	md_alg, hashlen, hash,
				2092	mgf1_hash_id,
				2093	MBEDTLS_RSA_SALT_LEN_ANY,
				2094	sig);
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2095
				2096	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2097	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	40628ba	2013-01-03 10:50:31 +0100	[diff] [blame]	2098
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2099	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2100	/*
				2101	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
				2102	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2103	int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
				2104	mbedtls_md_type_t md_alg,
				2105	unsigned int hashlen,
				2106	const unsigned char *hash,
				2107	const unsigned char *sig)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2108	{
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2109	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2110	size_t sig_len;
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2111	unsigned char encoded = NULL, encoded_expected = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2112
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2113	if ((md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	2114	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2115	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2116
				2117	sig_len = ctx->len;
				2118
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2119	/*
				2120	* Prepare expected PKCS1 v1.5 encoding of hash.
				2121	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2122
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2123	if ((encoded = mbedtls_calloc(1, sig_len)) == NULL \|\|
				2124	(encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2125	ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
				2126	goto cleanup;
				2127	}
				2128
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2129	if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
				2130	encoded_expected)) != 0) {
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2131	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2132	}
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2133
				2134	/*
				2135	* Apply RSA primitive to get what should be PKCS1 encoded hash.
				2136	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2137
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2138	ret = mbedtls_rsa_public(ctx, sig, encoded);
				2139	if (ret != 0) {
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2140	goto cleanup;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2141	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2142
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2143	/*
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2144	* Compare
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2145	*/
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2146
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2147	if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
				2148	sig_len)) != 0) {
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2149	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				2150	goto cleanup;
				2151	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2152
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2153	cleanup:
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2154
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2155	if (encoded != NULL) {
				2156	mbedtls_platform_zeroize(encoded, sig_len);
				2157	mbedtls_free(encoded);
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2158	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2159
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2160	if (encoded_expected != NULL) {
				2161	mbedtls_platform_zeroize(encoded_expected, sig_len);
				2162	mbedtls_free(encoded_expected);
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2163	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2164
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2165	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2166	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2167	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2168
				2169	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2170	* Do an RSA operation and check the message digest
				2171	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2172	int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
				2173	mbedtls_md_type_t md_alg,
				2174	unsigned int hashlen,
				2175	const unsigned char *hash,
				2176	const unsigned char *sig)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2177	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2178	if ((md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	2179	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2180	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2181
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2182	switch (ctx->padding) {
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2183	#if defined(MBEDTLS_PKCS1_V15)
				2184	case MBEDTLS_RSA_PKCS_V15:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2185	return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
				2186	hashlen, hash, sig);
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2187	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2188
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2189	#if defined(MBEDTLS_PKCS1_V21)
				2190	case MBEDTLS_RSA_PKCS_V21:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2191	return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
				2192	hashlen, hash, sig);
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2193	#endif
				2194
				2195	default:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2196	return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2197	}
				2198	}
				2199
				2200	/*
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2201	* Copy the components of an RSA key
				2202	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2203	int mbedtls_rsa_copy(mbedtls_rsa_context dst, const mbedtls_rsa_context src)
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2204	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2205	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2206
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2207	dst->len = src->len;
				2208
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2209	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
				2210	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2211
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2212	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
				2213	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
				2214	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2215
				2216	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2217	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
				2218	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
				2219	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
				2220	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
				2221	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2222	#endif
				2223
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2224	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2225
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2226	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
				2227	MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	2228
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2229	dst->padding = src->padding;
Manuel Pégourié-Gonnard	fdddac9	2014-03-25 15:58:35 +0100	[diff] [blame]	2230	dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2231
				2232	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2233	if (ret != 0) {
				2234	mbedtls_rsa_free(dst);
				2235	}
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2236
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2237	return ret;
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2238	}
				2239
				2240	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2241	* Free the components of an RSA key
				2242	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2243	void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2244	{
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2245	if (ctx == NULL) {
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2246	return;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2247	}
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2248
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2249	mbedtls_mpi_free(&ctx->Vi);
				2250	mbedtls_mpi_free(&ctx->Vf);
				2251	mbedtls_mpi_free(&ctx->RN);
				2252	mbedtls_mpi_free(&ctx->D);
				2253	mbedtls_mpi_free(&ctx->Q);
				2254	mbedtls_mpi_free(&ctx->P);
				2255	mbedtls_mpi_free(&ctx->E);
				2256	mbedtls_mpi_free(&ctx->N);
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2257
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2258	#if !defined(MBEDTLS_RSA_NO_CRT)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2259	mbedtls_mpi_free(&ctx->RQ);
				2260	mbedtls_mpi_free(&ctx->RP);
				2261	mbedtls_mpi_free(&ctx->QP);
				2262	mbedtls_mpi_free(&ctx->DQ);
				2263	mbedtls_mpi_free(&ctx->DP);
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2264	#endif /* MBEDTLS_RSA_NO_CRT */
				2265
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2266	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	2267	/* Free the mutex, but only if it hasn't been freed already. */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2268	if (ctx->ver != 0) {
				2269	mbedtls_mutex_free(&ctx->mutex);
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	2270	ctx->ver = 0;
				2271	}
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2272	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2273	}
				2274
Hanno Becker	ab37731	2017-08-23 16:24:51 +0100	[diff] [blame]	2275	#endif /* !MBEDTLS_RSA_ALT */
				2276
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2277	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2278
Manuel Pégourié-Gonnard	b33ef74	2023-03-07 00:04:16 +0100	[diff] [blame]	2279	#include "mbedtls/md.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2280
				2281	/*
				2282	* Example RSA-1024 keypair, for test purposes
				2283	*/
				2284	#define KEY_LEN 128
				2285
				2286	#define RSA_N "9292758453063D803DD603D5E777D788" \
				2287	"8ED1D5BF35786190FA2F23EBC0848AEA" \
				2288	"DDA92CA6C3D80B32C4D109BE0F36D6AE" \
				2289	"7130B9CED7ACDF54CFC7555AC14EEBAB" \
				2290	"93A89813FBF3C4F8066D2D800F7C38A8" \
				2291	"1AE31942917403FF4946B0A83D3D3E05" \
				2292	"EE57C6F5F5606FB5D4BC6CD34EE0801A" \
				2293	"5E94BB77B07507233A0BC7BAC8F90F79"
				2294
				2295	#define RSA_E "10001"
				2296
				2297	#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
				2298	"66CA472BC44D253102F8B4A9D3BFA750" \
				2299	"91386C0077937FE33FA3252D28855837" \
				2300	"AE1B484A8A9A45F7EE8C0C634F99E8CD" \
				2301	"DF79C5CE07EE72C7F123142198164234" \
				2302	"CABB724CF78B8173B9F880FC86322407" \
				2303	"AF1FEDFDDE2BEB674CA15F3E81A1521E" \
				2304	"071513A1E85B5DFA031F21ECAE91A34D"
				2305
				2306	#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
				2307	"2C01CAD19EA484A87EA4377637E75500" \
				2308	"FCB2005C5C7DD6EC4AC023CDA285D796" \
				2309	"C3D9E75E1EFC42488BB4F1D13AC30A57"
				2310
				2311	#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
				2312	"E211C2B9E5DB1ED0BF61D0D9899620F4" \
				2313	"910E4168387E3C30AA1E00C339A79508" \
				2314	"8452DD96A9A5EA5D9DCA68DA636032AF"
				2315
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2316	#define PT_LEN 24
				2317	#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
				2318	"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
				2319
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2320	#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2321	static int myrand(void rng_state, unsigned char output, size_t len)
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2322	{
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2323	#if !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2324	size_t i;
				2325
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2326	if (rng_state != NULL) {
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2327	rng_state = NULL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2328	}
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2329
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2330	for (i = 0; i < len; ++i) {
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2331	output[i] = rand();
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2332	}
Paul Bakker	f96f7b6	2014-04-30 16:02:38 +0200	[diff] [blame]	2333	#else
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2334	if (rng_state != NULL) {
Paul Bakker	f96f7b6	2014-04-30 16:02:38 +0200	[diff] [blame]	2335	rng_state = NULL;
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2336	}
Paul Bakker	f96f7b6	2014-04-30 16:02:38 +0200	[diff] [blame]	2337
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2338	arc4random_buf(output, len);
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2339	#endif /* !OpenBSD && !NetBSD */
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2340
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2341	return 0;
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2342	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2343	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2344
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2345	/*
				2346	* Checkup routine
				2347	*/
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2348	int mbedtls_rsa_self_test(int verbose)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2349	{
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2350	int ret = 0;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2351	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2352	size_t len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2353	mbedtls_rsa_context rsa;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2354	unsigned char rsa_plaintext[PT_LEN];
				2355	unsigned char rsa_decrypted[PT_LEN];
				2356	unsigned char rsa_ciphertext[KEY_LEN];
Manuel Pégourié-Gonnard	c1f1044	2023-03-16 10:58:19 +0100	[diff] [blame]	2357	#if defined(MBEDTLS_MD_CAN_SHA1)
Paul Bakker	5690efc	2011-05-26 13:16:06 +0000	[diff] [blame]	2358	unsigned char sha1sum[20];
				2359	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2360
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2361	mbedtls_mpi K;
				2362
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2363	mbedtls_mpi_init(&K);
				2364	mbedtls_rsa_init(&rsa);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2365
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2366	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
				2367	MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
				2368	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
				2369	MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
				2370	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
				2371	MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
				2372	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
				2373	MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
				2374	MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
				2375	MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2376
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2377	MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2378
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2379	if (verbose != 0) {
				2380	mbedtls_printf(" RSA key validation: ");
				2381	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2382
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2383	if (mbedtls_rsa_check_pubkey(&rsa) != 0 \|\|
				2384	mbedtls_rsa_check_privkey(&rsa) != 0) {
				2385	if (verbose != 0) {
				2386	mbedtls_printf("failed\n");
				2387	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2388
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2389	ret = 1;
				2390	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2391	}
				2392
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2393	if (verbose != 0) {
				2394	mbedtls_printf("passed\n PKCS#1 encryption : ");
				2395	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2396
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2397	memcpy(rsa_plaintext, RSA_PT, PT_LEN);
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2398
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2399	if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
				2400	PT_LEN, rsa_plaintext,
				2401	rsa_ciphertext) != 0) {
				2402	if (verbose != 0) {
				2403	mbedtls_printf("failed\n");
				2404	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2405
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2406	ret = 1;
				2407	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2408	}
				2409
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2410	if (verbose != 0) {
				2411	mbedtls_printf("passed\n PKCS#1 decryption : ");
				2412	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2413
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2414	if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
				2415	&len, rsa_ciphertext, rsa_decrypted,
				2416	sizeof(rsa_decrypted)) != 0) {
				2417	if (verbose != 0) {
				2418	mbedtls_printf("failed\n");
				2419	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2420
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2421	ret = 1;
				2422	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2423	}
				2424
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2425	if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
				2426	if (verbose != 0) {
				2427	mbedtls_printf("failed\n");
				2428	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2429
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2430	ret = 1;
				2431	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2432	}
				2433
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2434	if (verbose != 0) {
				2435	mbedtls_printf("passed\n");
				2436	}
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2437
Manuel Pégourié-Gonnard	c1f1044	2023-03-16 10:58:19 +0100	[diff] [blame]	2438	#if defined(MBEDTLS_MD_CAN_SHA1)
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2439	if (verbose != 0) {
				2440	mbedtls_printf(" PKCS#1 data sign : ");
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2441	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2442
Manuel Pégourié-Gonnard	b33ef74	2023-03-07 00:04:16 +0100	[diff] [blame]	2443	if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
				2444	rsa_plaintext, PT_LEN, sha1sum) != 0) {
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2445	if (verbose != 0) {
				2446	mbedtls_printf("failed\n");
				2447	}
				2448
				2449	return 1;
				2450	}
				2451
				2452	if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
				2453	MBEDTLS_MD_SHA1, 20,
				2454	sha1sum, rsa_ciphertext) != 0) {
				2455	if (verbose != 0) {
				2456	mbedtls_printf("failed\n");
				2457	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2458
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2459	ret = 1;
				2460	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2461	}
				2462
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2463	if (verbose != 0) {
				2464	mbedtls_printf("passed\n PKCS#1 sig. verify: ");
				2465	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2466
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2467	if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
				2468	sha1sum, rsa_ciphertext) != 0) {
				2469	if (verbose != 0) {
				2470	mbedtls_printf("failed\n");
				2471	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2472
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2473	ret = 1;
				2474	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2475	}
				2476
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2477	if (verbose != 0) {
				2478	mbedtls_printf("passed\n");
				2479	}
Manuel Pégourié-Gonnard	c1f1044	2023-03-16 10:58:19 +0100	[diff] [blame]	2480	#endif /* MBEDTLS_MD_CAN_SHA1 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2481
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2482	if (verbose != 0) {
				2483	mbedtls_printf("\n");
				2484	}
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2485
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2486	cleanup:
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2487	mbedtls_mpi_free(&K);
				2488	mbedtls_rsa_free(&rsa);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2489	#else /* MBEDTLS_PKCS1_V15 */
Paul Bakker	3e41fe8	2013-09-15 17:42:50 +0200	[diff] [blame]	2490	((void) verbose);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2491	#endif /* MBEDTLS_PKCS1_V15 */
Gilles Peskine	449bd83	2023-01-11 14:50:10 +0100	[diff] [blame]	2492	return ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2493	}
				2494
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2495	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2496
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2497	#endif /* MBEDTLS_RSA_C */