TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 8b6068b69a73c8e84c3e1a93d42cb40f4c7a32fe / . / library / rsa.c
blob: df7d7975cbc0b55cd1e8e2928268c8233d3492ca [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * The RSA public-key cryptosystem
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
Hanno Becker74716312017-10-02 10:00:37 +0100[diff] [blame]19
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20/*
Simon Butcherbdae02c2016-01-20 00:44:42 +0000[diff] [blame]21 * The following sources were referenced in the design of this implementation
22 * of the RSA algorithm:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]23 *
Simon Butcherbdae02c2016-01-20 00:44:42 +0000[diff] [blame]24 * [1] A method for obtaining digital signatures and public-key cryptosystems
25 * R Rivest, A Shamir, and L Adleman
26 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
27 *
28 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
29 * Menezes, van Oorschot and Vanstone
30 *
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]31 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
32 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
33 * Stefan Mangard
34 * https://arxiv.org/abs/1702.08719v2
35 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36 */
37
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]38#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]41
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/rsa.h"
Chris Jones66a4cd42021-03-09 16:04:12 +0000[diff] [blame]43#include "rsa_alt_helpers.h"
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]44#include "mbedtls/oid.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]45#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]46#include "mbedtls/error.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]47#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]48#include "mbedtls/constant_time.h"
Manuel Pégourié-Gonnard47728842022-07-18 13:00:40 +0200[diff] [blame]49#include "hash_info.h"
Paul Bakkerbb51f0c2012-08-23 07:46:58 +0000[diff] [blame]50
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <string.h>
52
gufe44c2620da2020-08-03 17:56:50 +0200[diff] [blame]53#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]54#include <stdlib.h>
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]55#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]57/* We use MD first if it's available (for compatibility reasons)
58 * and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
59#if defined(MBEDTLS_PKCS1_V21)
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]60#if !defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]61#include "psa/crypto.h"
62#include "mbedtls/psa_util.h"
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]63#endif /* MBEDTLS_MD_C */
64#endif /* MBEDTLS_PKCS1_V21 */
65
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]66#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]67
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]68#if !defined(MBEDTLS_RSA_ALT)
69
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]70int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
71 const mbedtls_mpi *N,
72 const mbedtls_mpi *P, const mbedtls_mpi *Q,
73 const mbedtls_mpi *D, const mbedtls_mpi *E)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]74{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]75 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]76
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]77 if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
78 (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
79 (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
80 (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
81 (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
82 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]83 }
84
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]85 if (N != NULL) {
86 ctx->len = mbedtls_mpi_size(&ctx->N);
87 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]88
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]89 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]90}
91
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]92int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
93 unsigned char const *N, size_t N_len,
94 unsigned char const *P, size_t P_len,
95 unsigned char const *Q, size_t Q_len,
96 unsigned char const *D, size_t D_len,
97 unsigned char const *E, size_t E_len)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]98{
Hanno Beckerd4d60572018-01-10 07:12:01 +0000[diff] [blame]99 int ret = 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]100
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]101 if (N != NULL) {
102 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
103 ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]104 }
105
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]106 if (P != NULL) {
107 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
108 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]109
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]110 if (Q != NULL) {
111 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
112 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]113
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]114 if (D != NULL) {
115 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
116 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]117
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]118 if (E != NULL) {
119 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
120 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]121
122cleanup:
123
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]124 if (ret != 0) {
125 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
126 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]127
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]128 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]129}
130
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]131/*
132 * Checks whether the context fields are set in such a way
133 * that the RSA primitives will be able to execute without error.
134 * It does *not* make guarantees for consistency of the parameters.
135 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]136static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
137 int blinding_needed)
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]138{
Hanno Beckerebd2c022017-10-12 10:54:53 +0100[diff] [blame]139#if !defined(MBEDTLS_RSA_NO_CRT)
140 /* blinding_needed is only used for NO_CRT to decide whether
141 * P,Q need to be present or not. */
142 ((void) blinding_needed);
143#endif
144
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]145 if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
146 ctx->len > MBEDTLS_MPI_MAX_SIZE) {
147 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker3a760a12018-01-05 08:14:49 +0000[diff] [blame]148 }
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]149
150 /*
151 * 1. Modular exponentiation needs positive, odd moduli.
152 */
153
154 /* Modular exponentiation wrt. N is always used for
155 * RSA public key operations. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]156 if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
157 mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
158 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]159 }
160
161#if !defined(MBEDTLS_RSA_NO_CRT)
162 /* Modular exponentiation for P and Q is only
163 * used for private key operations and if CRT
164 * is used. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]165 if (is_priv &&
166 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
167 mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
168 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
169 mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
170 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]171 }
172#endif /* !MBEDTLS_RSA_NO_CRT */
173
174 /*
175 * 2. Exponents must be positive
176 */
177
178 /* Always need E for public key operations */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]179 if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
180 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
181 }
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]182
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100[diff] [blame]183#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]184 /* For private key operations, use D or DP & DQ
185 * as (unblinded) exponents. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]186 if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
187 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
188 }
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]189#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]190 if (is_priv &&
191 (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
192 mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
193 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]194 }
195#endif /* MBEDTLS_RSA_NO_CRT */
196
197 /* Blinding shouldn't make exponents negative either,
198 * so check that P, Q >= 1 if that hasn't yet been
199 * done as part of 1. */
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100[diff] [blame]200#if defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]201 if (is_priv && blinding_needed &&
202 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
203 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
204 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]205 }
206#endif
207
208 /* It wouldn't lead to an error if it wasn't satisfied,
Hanno Beckerf8c028a2017-10-17 09:20:57 +0100[diff] [blame]209 * but check for QP >= 1 nonetheless. */
Hanno Beckerb82a5b52017-10-11 19:10:23 +0100[diff] [blame]210#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]211 if (is_priv &&
212 mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
213 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]214 }
215#endif
216
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]217 return 0;
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]218}
219
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]220int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]221{
222 int ret = 0;
Jack Lloyd8c2631b2020-01-23 17:23:52 -0500[diff] [blame]223 int have_N, have_P, have_Q, have_D, have_E;
224#if !defined(MBEDTLS_RSA_NO_CRT)
225 int have_DP, have_DQ, have_QP;
226#endif
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]227 int n_missing, pq_missing, d_missing, is_pub, is_priv;
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]228
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]229 have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
230 have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
231 have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
232 have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
233 have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
Jack Lloyd8c2631b2020-01-23 17:23:52 -0500[diff] [blame]234
235#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]236 have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
237 have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
238 have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
Jack Lloyd8c2631b2020-01-23 17:23:52 -0500[diff] [blame]239#endif
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]240
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]241 /*
242 * Check whether provided parameters are enough
243 * to deduce all others. The following incomplete
244 * parameter sets for private keys are supported:
245 *
246 * (1) P, Q missing.
247 * (2) D and potentially N missing.
248 *
249 */
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]250
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]251 n_missing = have_P && have_Q && have_D && have_E;
252 pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
253 d_missing = have_P && have_Q && !have_D && have_E;
254 is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
Hanno Becker2cca6f32017-09-29 11:46:40 +0100[diff] [blame]255
256 /* These three alternatives are mutually exclusive */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]257 is_priv = n_missing || pq_missing || d_missing;
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]258
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]259 if (!is_priv && !is_pub) {
260 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
261 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]262
263 /*
Hanno Becker2cca6f32017-09-29 11:46:40 +0100[diff] [blame]264 * Step 1: Deduce N if P, Q are provided.
265 */
266
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]267 if (!have_N && have_P && have_Q) {
268 if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
269 &ctx->Q)) != 0) {
270 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker2cca6f32017-09-29 11:46:40 +0100[diff] [blame]271 }
272
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]273 ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Becker2cca6f32017-09-29 11:46:40 +0100[diff] [blame]274 }
275
276 /*
277 * Step 2: Deduce and verify all remaining core parameters.
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]278 */
279
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]280 if (pq_missing) {
281 ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
282 &ctx->P, &ctx->Q);
283 if (ret != 0) {
284 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
285 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]286
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]287 } else if (d_missing) {
288 if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
289 &ctx->Q,
290 &ctx->E,
291 &ctx->D)) != 0) {
292 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]293 }
294 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]295
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]296 /*
Hanno Becker2cca6f32017-09-29 11:46:40 +0100[diff] [blame]297 * Step 3: Deduce all additional parameters specific
Hanno Beckere8674892017-10-10 17:56:14 +0100[diff] [blame]298 * to our current RSA implementation.
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]299 */
300
Hanno Becker23344b52017-08-23 07:43:27 +0100[diff] [blame]301#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]302 if (is_priv && !(have_DP && have_DQ && have_QP)) {
303 ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
304 &ctx->DP, &ctx->DQ, &ctx->QP);
305 if (ret != 0) {
306 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
307 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]308 }
Hanno Becker23344b52017-08-23 07:43:27 +0100[diff] [blame]309#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]310
311 /*
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]312 * Step 3: Basic sanity checks
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]313 */
314
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]315 return rsa_check_context(ctx, is_priv, 1);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]316}
317
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]318int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
319 unsigned char *N, size_t N_len,
320 unsigned char *P, size_t P_len,
321 unsigned char *Q, size_t Q_len,
322 unsigned char *D, size_t D_len,
323 unsigned char *E, size_t E_len)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]324{
325 int ret = 0;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]326 int is_priv;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]327
328 /* Check if key is private or public */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]329 is_priv =
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]330 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
331 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
332 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
333 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
334 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]335
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]336 if (!is_priv) {
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]337 /* If we're trying to export private parameters for a public key,
338 * something must be wrong. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]339 if (P != NULL || Q != NULL || D != NULL) {
340 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
341 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]342
343 }
344
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]345 if (N != NULL) {
346 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
347 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]348
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]349 if (P != NULL) {
350 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
351 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]352
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]353 if (Q != NULL) {
354 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
355 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]356
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]357 if (D != NULL) {
358 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
359 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]360
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]361 if (E != NULL) {
362 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
363 }
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]364
365cleanup:
366
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]367 return ret;
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]368}
369
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]370int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
371 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
372 mbedtls_mpi *D, mbedtls_mpi *E)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]373{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]374 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]375 int is_priv;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]376
377 /* Check if key is private or public */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]378 is_priv =
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]379 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
380 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
381 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
382 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
383 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]384
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]385 if (!is_priv) {
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]386 /* If we're trying to export private parameters for a public key,
387 * something must be wrong. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]388 if (P != NULL || Q != NULL || D != NULL) {
389 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
390 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]391
392 }
393
394 /* Export all requested core parameters. */
395
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]396 if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
397 (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
398 (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
399 (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
400 (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
401 return ret;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]402 }
403
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]404 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]405}
406
407/*
408 * Export CRT parameters
409 * This must also be implemented if CRT is not used, for being able to
410 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
411 * can be used in this case.
412 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]413int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
414 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]415{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]417 int is_priv;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]418
419 /* Check if key is private or public */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]420 is_priv =
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]421 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
422 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
423 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
424 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
425 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]426
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]427 if (!is_priv) {
428 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
429 }
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]430
Hanno Beckerdc95c892017-08-23 06:57:02 +0100[diff] [blame]431#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]432 /* Export all requested blinding parameters. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]433 if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
434 (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
435 (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
436 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]437 }
Hanno Beckerdc95c892017-08-23 06:57:02 +0100[diff] [blame]438#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]439 if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
440 DP, DQ, QP)) != 0) {
441 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
Hanno Beckerdc95c892017-08-23 06:57:02 +0100[diff] [blame]442 }
443#endif
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]444
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]445 return 0;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]446}
Hanno Beckere2e8b8d2017-08-23 14:06:45 +0100[diff] [blame]447
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448/*
449 * Initialize an RSA context
450 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]451void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]453 memset(ctx, 0, sizeof(mbedtls_rsa_context));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]454
Ronald Cronc1905a12021-06-05 11:11:14 +0200[diff] [blame]455 ctx->padding = MBEDTLS_RSA_PKCS_V15;
456 ctx->hash_id = MBEDTLS_MD_NONE;
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]458#if defined(MBEDTLS_THREADING_C)
Gilles Peskineeb940592021-02-01 17:57:41 +0100[diff] [blame]459 /* Set ctx->ver to nonzero to indicate that the mutex has been
460 * initialized and will need to be freed. */
461 ctx->ver = 1;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]462 mbedtls_mutex_init(&ctx->mutex);
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]463#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464}
465
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]466/*
467 * Set padding for an existing RSA context
468 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]469int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
470 mbedtls_md_type_t hash_id)
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]471{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]472 switch (padding) {
Ronald Cron3a0375f2021-06-08 10:22:28 +0200[diff] [blame]473#if defined(MBEDTLS_PKCS1_V15)
474 case MBEDTLS_RSA_PKCS_V15:
475 break;
476#endif
477
478#if defined(MBEDTLS_PKCS1_V21)
479 case MBEDTLS_RSA_PKCS_V21:
480 break;
481#endif
482 default:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]483 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Ronald Cron3a0375f2021-06-08 10:22:28 +0200[diff] [blame]484 }
Ronald Cronea7631b2021-06-03 18:51:59 +0200[diff] [blame]485
Manuel Pégourié-Gonnard3356b892022-07-05 10:25:06 +0200[diff] [blame]486#if defined(MBEDTLS_PKCS1_V21)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]487 if ((padding == MBEDTLS_RSA_PKCS_V21) &&
488 (hash_id != MBEDTLS_MD_NONE)) {
Manuel Pégourié-Gonnardfaa3b4e2022-07-15 13:18:15 +0200[diff] [blame]489 /* Just make sure this hash is supported in this build. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]490 if (mbedtls_hash_info_psa_from_md(hash_id) == PSA_ALG_NONE) {
491 return MBEDTLS_ERR_RSA_INVALID_PADDING;
492 }
Ronald Cronea7631b2021-06-03 18:51:59 +0200[diff] [blame]493 }
Manuel Pégourié-Gonnard3356b892022-07-05 10:25:06 +0200[diff] [blame]494#endif /* MBEDTLS_PKCS1_V21 */
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]495
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]496 ctx->padding = padding;
497 ctx->hash_id = hash_id;
Ronald Cronea7631b2021-06-03 18:51:59 +0200[diff] [blame]498
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]499 return 0;
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100[diff] [blame]500}
501
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]502/*
503 * Get length in bytes of RSA modulus
504 */
505
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]506size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]507{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]508 return ctx->len;
Hanno Becker617c1ae2017-08-23 14:11:24 +0100[diff] [blame]509}
510
511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]512#if defined(MBEDTLS_GENPRIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]513
514/*
515 * Generate an RSA keypair
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800[diff] [blame]516 *
517 * This generation method follows the RSA key pair generation procedure of
518 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]519 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]520int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
521 int (*f_rng)(void *, unsigned char *, size_t),
522 void *p_rng,
523 unsigned int nbits, int exponent)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]525 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]526 mbedtls_mpi H, G, L;
Janos Follathb8fc1b02018-09-03 15:37:01 +0100[diff] [blame]527 int prime_quality = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]528
Janos Follathb8fc1b02018-09-03 15:37:01 +0100[diff] [blame]529 /*
530 * If the modulus is 1024 bit long or shorter, then the security strength of
531 * the RSA algorithm is less than or equal to 80 bits and therefore an error
532 * rate of 2^-80 is sufficient.
533 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]534 if (nbits > 1024) {
Janos Follathb8fc1b02018-09-03 15:37:01 +0100[diff] [blame]535 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]536 }
Janos Follathb8fc1b02018-09-03 15:37:01 +0100[diff] [blame]537
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]538 mbedtls_mpi_init(&H);
539 mbedtls_mpi_init(&G);
540 mbedtls_mpi_init(&L);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]542 if (nbits < 128 || exponent < 3 || nbits % 2 != 0) {
Gilles Peskine5e40a7c2021-02-02 21:06:10 +0100[diff] [blame]543 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
544 goto cleanup;
545 }
546
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547 /*
548 * find primes P and Q with Q < P so that:
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800[diff] [blame]549 * 1. |P-Q| > 2^( nbits / 2 - 100 )
550 * 2. GCD( E, (P-1)*(Q-1) ) == 1
551 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]553 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]555 do {
556 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
557 prime_quality, f_rng, p_rng));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]559 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
560 prime_quality, f_rng, p_rng));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800[diff] [blame]562 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]563 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
564 if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565 continue;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]566 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800[diff] [blame]568 /* not required by any standards, but some users rely on the fact that P > Q */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]569 if (H.s < 0) {
570 mbedtls_mpi_swap(&ctx->P, &ctx->Q);
571 }
Janos Follathef441782016-09-21 13:18:12 +0100[diff] [blame]572
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100[diff] [blame]573 /* Temporarily replace P,Q by P-1, Q-1 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]574 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
575 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
576 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]577
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800[diff] [blame]578 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]579 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
580 if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]581 continue;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]582 }
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]583
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800[diff] [blame]584 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]585 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
586 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
587 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]588
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]589 if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]590 continue;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]591 }
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]592
593 break;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]594 } while (1);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]595
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100[diff] [blame]596 /* Restore P,Q */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]597 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
598 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100[diff] [blame]599
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]600 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
Jethro Beekmanc645bfe2018-02-14 19:27:13 -0800[diff] [blame]601
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]602 ctx->len = mbedtls_mpi_size(&ctx->N);
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100[diff] [blame]603
Jethro Beekman97f95c92018-02-13 15:50:36 -0800[diff] [blame]604#if !defined(MBEDTLS_RSA_NO_CRT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]606 * DP = D mod (P - 1)
607 * DQ = D mod (Q - 1)
608 * QP = Q^-1 mod P
609 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]610 MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
611 &ctx->DP, &ctx->DQ, &ctx->QP));
Hanno Beckerbee3aae2017-08-23 06:59:15 +0100[diff] [blame]612#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613
Hanno Becker83aad1f2017-08-23 06:45:10 +0100[diff] [blame]614 /* Double-check */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]615 MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]616
617cleanup:
618
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]619 mbedtls_mpi_free(&H);
620 mbedtls_mpi_free(&G);
621 mbedtls_mpi_free(&L);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]622
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]623 if (ret != 0) {
624 mbedtls_rsa_free(ctx);
Chris Jones74392092021-04-01 16:00:01 +0100[diff] [blame]625
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]626 if ((-ret & ~0x7f) == 0) {
627 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
628 }
629 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630 }
631
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]632 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633}
634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635#endif /* MBEDTLS_GENPRIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636
637/*
638 * Check a public RSA key
639 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]640int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]642 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
643 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Becker98838b02017-10-02 13:16:10 +0100[diff] [blame]644 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]645
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]646 if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
647 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Becker98838b02017-10-02 13:16:10 +0100[diff] [blame]648 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]650 if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
651 mbedtls_mpi_bitlen(&ctx->E) < 2 ||
652 mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
653 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
654 }
655
656 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657}
658
659/*
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]660 * Check for the consistency of all fields in an RSA private key context
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]662int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]664 if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
665 rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
666 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667 }
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]668
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]669 if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
670 &ctx->D, &ctx->E, NULL, NULL) != 0) {
671 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672 }
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]673
Hanno Beckerb269a852017-08-25 08:03:21 +0100[diff] [blame]674#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]675 else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
676 &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
677 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Hanno Beckerb269a852017-08-25 08:03:21 +0100[diff] [blame]678 }
679#endif
Paul Bakker6c591fa2011-05-05 11:49:20 +0000[diff] [blame]680
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]681 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682}
683
684/*
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100[diff] [blame]685 * Check if contexts holding a public and private key match
686 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]687int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
688 const mbedtls_rsa_context *prv)
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100[diff] [blame]689{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]690 if (mbedtls_rsa_check_pubkey(pub) != 0 ||
691 mbedtls_rsa_check_privkey(prv) != 0) {
692 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100[diff] [blame]693 }
694
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]695 if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
696 mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
697 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100[diff] [blame]698 }
699
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]700 return 0;
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100[diff] [blame]701}
702
703/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704 * Do an RSA public key operation
705 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]706int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
707 const unsigned char *input,
708 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]710 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]711 size_t olen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]712 mbedtls_mpi T;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]714 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
715 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
716 }
Hanno Becker705fc682017-10-10 17:57:02 +0100[diff] [blame]717
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]718 mbedtls_mpi_init(&T);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200[diff] [blame]720#if defined(MBEDTLS_THREADING_C)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]721 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
722 return ret;
723 }
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200[diff] [blame]724#endif
725
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]726 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]727
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]728 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +0200[diff] [blame]729 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
730 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]731 }
732
733 olen = ctx->len;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]734 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
735 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]736
737cleanup:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]738#if defined(MBEDTLS_THREADING_C)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]739 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
740 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
741 }
Manuel Pégourié-Gonnard88fca3e2015-03-27 15:06:07 +0100[diff] [blame]742#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]743
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]744 mbedtls_mpi_free(&T);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]746 if (ret != 0) {
747 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
748 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]749
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]750 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751}
752
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]753/*
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]754 * Generate or update blinding values, see section 10 of:
755 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard998930a2015-04-03 13:48:06 +0200[diff] [blame]756 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]757 * Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]758 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]759static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
760 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]761{
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]762 int ret, count = 0;
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200[diff] [blame]763 mbedtls_mpi R;
764
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]765 mbedtls_mpi_init(&R);
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]766
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]767 if (ctx->Vf.p != NULL) {
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]768 /* We already have blinding values, just update them by squaring */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]769 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
770 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
771 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
772 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]773
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200[diff] [blame]774 goto cleanup;
Manuel Pégourié-Gonnard8a109f12013-09-10 13:37:26 +0200[diff] [blame]775 }
776
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]777 /* Unblinding value: Vf = random number, invertible mod N */
778 do {
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]779 if (count++ > 10) {
Manuel Pégourié-Gonnarde288ec02020-07-16 09:23:30 +0200[diff] [blame]780 ret = MBEDTLS_ERR_RSA_RNG_FAILED;
781 goto cleanup;
782 }
Manuel Pégourié-Gonnard4d89c7e2013-10-04 15:18:38 +0200[diff] [blame]783
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]784 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]785
Manuel Pégourié-Gonnard78683962020-07-16 09:48:54 +0200[diff] [blame]786 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]787 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
788 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
789 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200[diff] [blame]790
Manuel Pégourié-Gonnard78683962020-07-16 09:48:54 +0200[diff] [blame]791 /* At this point, Vi is invertible mod N if and only if both Vf and R
792 * are invertible mod N. If one of them isn't, we don't need to know
793 * which one, we just loop and choose new values for both of them.
794 * (Each iteration succeeds with overwhelming probability.) */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]795 ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
796 if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
Manuel Pégourié-Gonnardb3e3d792020-06-26 11:03:19 +0200[diff] [blame]797 goto cleanup;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]798 }
Manuel Pégourié-Gonnardb3e3d792020-06-26 11:03:19 +0200[diff] [blame]799
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]800 } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
Peter Kolbusca8b8e72020-09-24 11:11:50 -0500[diff] [blame]801
802 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]803 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
804 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]805
Manuel Pégourié-Gonnard78683962020-07-16 09:48:54 +0200[diff] [blame]806 /* Blinding value: Vi = Vf^(-e) mod N
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200[diff] [blame]807 * (Vi already contains Vf^-1 at this point) */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]808 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]809
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]810
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]811cleanup:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]812 mbedtls_mpi_free(&R);
Manuel Pégourié-Gonnard750d3c72020-06-26 11:19:12 +0200[diff] [blame]813
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]814 return ret;
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]815}
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]816
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]817/*
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]818 * Exponent blinding supposed to prevent side-channel attacks using multiple
819 * traces of measurements to recover the RSA key. The more collisions are there,
820 * the more bits of the key can be recovered. See [3].
821 *
822 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]823 * observations on average.
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]824 *
825 * For example with 28 byte blinding to achieve 2 collisions the adversary has
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]826 * to make 2^112 observations on average.
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]827 *
828 * (With the currently (as of 2017 April) known best algorithms breaking 2048
829 * bit RSA requires approximately as much time as trying out 2^112 random keys.
830 * Thus in this sense with 28 byte blinding the security is not reduced by
831 * side-channel attacks like the one in [3])
832 *
833 * This countermeasure does not help if the key recovery is possible with a
834 * single trace.
835 */
836#define RSA_EXPONENT_BLINDING 28
837
838/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839 * Do an RSA private key operation
840 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]841int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
842 int (*f_rng)(void *, unsigned char *, size_t),
843 void *p_rng,
844 const unsigned char *input,
845 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]847 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]848 size_t olen;
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]849
850 /* Temporary holding the result */
851 mbedtls_mpi T;
852
853 /* Temporaries holding P-1, Q-1 and the
854 * exponent blinding factor, respectively. */
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]855 mbedtls_mpi P1, Q1, R;
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]856
857#if !defined(MBEDTLS_RSA_NO_CRT)
858 /* Temporaries holding the results mod p resp. mod q. */
859 mbedtls_mpi TP, TQ;
860
861 /* Temporaries holding the blinded exponents for
862 * the mod p resp. mod q computation (if used). */
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]863 mbedtls_mpi DP_blind, DQ_blind;
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]864
865 /* Pointers to actual exponents to be used - either the unblinded
866 * or the blinded ones, depending on the presence of a PRNG. */
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]867 mbedtls_mpi *DP = &ctx->DP;
868 mbedtls_mpi *DQ = &ctx->DQ;
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]869#else
870 /* Temporary holding the blinded exponent (if used). */
871 mbedtls_mpi D_blind;
872
873 /* Pointer to actual exponent to be used - either the unblinded
874 * or the blinded one, depending on the presence of a PRNG. */
875 mbedtls_mpi *D = &ctx->D;
Hanno Becker43f94722017-08-25 11:50:00 +0100[diff] [blame]876#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]877
Hanno Beckerc6075cc2017-08-25 11:45:35 +0100[diff] [blame]878 /* Temporaries holding the initial input and the double
879 * checked result; should be the same in the end. */
880 mbedtls_mpi I, C;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]882 if (f_rng == NULL) {
883 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
884 }
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]885
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]886 if (rsa_check_context(ctx, 1 /* private key checks */,
887 1 /* blinding on */) != 0) {
888 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Beckerebd2c022017-10-12 10:54:53 +0100[diff] [blame]889 }
Manuel Pégourié-Gonnardfb84d382015-10-30 10:56:25 +0100[diff] [blame]890
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]891#if defined(MBEDTLS_THREADING_C)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]892 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
893 return ret;
894 }
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]895#endif
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]896
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]897 /* MPI Initialization */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]898 mbedtls_mpi_init(&T);
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]899
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]900 mbedtls_mpi_init(&P1);
901 mbedtls_mpi_init(&Q1);
902 mbedtls_mpi_init(&R);
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]903
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]904#if defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]905 mbedtls_mpi_init(&D_blind);
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]906#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]907 mbedtls_mpi_init(&DP_blind);
908 mbedtls_mpi_init(&DQ_blind);
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]909#endif
910
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]911#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]912 mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200[diff] [blame]913#endif
914
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]915 mbedtls_mpi_init(&I);
916 mbedtls_mpi_init(&C);
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]917
918 /* End of MPI initialization */
919
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]920 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
921 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
Manuel Pégourié-Gonnard4d04cdc2015-08-28 10:32:21 +0200[diff] [blame]922 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
923 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]924 }
925
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]926 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]927
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]928 /*
929 * Blinding
930 * T = T * Vi mod N
931 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]932 MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
933 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
934 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]935
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]936 /*
937 * Exponent blinding
938 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]939 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
940 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]941
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]942#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]943 /*
944 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
945 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]946 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
947 f_rng, p_rng));
948 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
949 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
950 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]951
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]952 D = &D_blind;
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]953#else
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]954 /*
955 * DP_blind = ( P - 1 ) * R + DP
956 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]957 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
958 f_rng, p_rng));
959 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
960 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
961 &ctx->DP));
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]962
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]963 DP = &DP_blind;
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]964
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]965 /*
966 * DQ_blind = ( Q - 1 ) * R + DQ
967 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]968 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
969 f_rng, p_rng));
970 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
971 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
972 &ctx->DQ));
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]973
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]974 DQ = &DQ_blind;
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]975#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977#if defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]978 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
Manuel Pégourié-Gonnarde10e06d2014-11-06 18:15:12 +0100[diff] [blame]979#else
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]980 /*
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]981 * Faster decryption using the CRT
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 *
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]983 * TP = input ^ dP mod P
984 * TQ = input ^ dQ mod Q
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]985 */
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]986
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]987 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
988 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989
990 /*
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]991 * T = (TP - TQ) * (Q^-1 mod P) mod P
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]993 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
994 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
995 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996
997 /*
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]998 * T = TQ + T * Q
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1000 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
1001 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakkeraab30c12013-08-30 11:00:25 +0200[diff] [blame]1003
Manuel Pégourié-Gonnardf0359042021-06-15 11:29:26 +0200[diff] [blame]1004 /*
1005 * Unblind
1006 * T = T * Vf mod N
1007 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1008 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));
1009 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1010
Hanno Becker2dec5e82017-10-03 07:49:52 +0100[diff] [blame]1011 /* Verify the result to prevent glitching attacks. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1012 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
1013 &ctx->N, &ctx->RN));
1014 if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]1015 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1016 goto cleanup;
1017 }
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]1018
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1019 olen = ctx->len;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1020 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021
1022cleanup:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023#if defined(MBEDTLS_THREADING_C)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1024 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
1025 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1026 }
Manuel Pégourié-Gonnardae102992013-10-04 17:07:12 +0200[diff] [blame]1027#endif
Manuel Pégourié-Gonnard1385a282015-08-27 11:30:58 +0200[diff] [blame]1028
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1029 mbedtls_mpi_free(&P1);
1030 mbedtls_mpi_free(&Q1);
1031 mbedtls_mpi_free(&R);
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]1032
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]1033#if defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1034 mbedtls_mpi_free(&D_blind);
Janos Follathf9203b42017-03-22 15:13:15 +0000[diff] [blame]1035#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1036 mbedtls_mpi_free(&DP_blind);
1037 mbedtls_mpi_free(&DQ_blind);
Janos Follathe81102e2017-03-22 13:38:28 +0000[diff] [blame]1038#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1040 mbedtls_mpi_free(&T);
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]1041
1042#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1043 mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]1044#endif
1045
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1046 mbedtls_mpi_free(&C);
1047 mbedtls_mpi_free(&I);
Hanno Becker06811ce2017-05-03 15:10:34 +0100[diff] [blame]1048
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1049 if (ret != 0 && ret >= -0x007f) {
1050 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
1051 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1052
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1053 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1054}
1055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1057/**
1058 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1059 *
Paul Bakkerb125ed82011-11-10 13:33:51 +0000[diff] [blame]1060 * \param dst buffer to mask
1061 * \param dlen length of destination buffer
1062 * \param src source of the mask generation
1063 * \param slen length of the source buffer
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +0200[diff] [blame]1064 * \param md_alg message digest to use
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1065 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1066static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
1067 size_t slen, mbedtls_md_type_t md_alg)
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1068{
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1069 unsigned char counter[4];
1070 unsigned char *p;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1071 unsigned int hlen;
1072 size_t i, use_len;
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]1073 unsigned char mask[MBEDTLS_HASH_MAX_SIZE];
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1074#if defined(MBEDTLS_MD_C)
Andres Amaya Garcia94682d12017-07-20 14:26:37 +0100[diff] [blame]1075 int ret = 0;
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1076 const mbedtls_md_info_t *md_info;
1077 mbedtls_md_context_t md_ctx;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1078
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1079 mbedtls_md_init(&md_ctx);
1080 md_info = mbedtls_md_info_from_type(md_alg);
1081 if (md_info == NULL) {
1082 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1083 }
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +0200[diff] [blame]1084
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1085 mbedtls_md_init(&md_ctx);
1086 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +0200[diff] [blame]1087 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1088 }
Manuel Pégourié-Gonnard259c2132022-07-15 12:09:08 +0200[diff] [blame]1089
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1090 hlen = mbedtls_md_get_size(md_info);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1091#else
1092 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1093 psa_algorithm_t alg = mbedtls_psa_translate_md(md_alg);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1094 psa_status_t status = PSA_SUCCESS;
1095 size_t out_len;
1096
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1097 hlen = PSA_HASH_LENGTH(alg);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1098#endif
1099
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1100 memset(mask, 0, sizeof(mask));
1101 memset(counter, 0, 4);
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1102
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1103 /* Generate and apply dbMask */
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1104 p = dst;
1105
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1106 while (dlen > 0) {
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1107 use_len = hlen;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1108 if (dlen < hlen) {
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1109 use_len = dlen;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1110 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1111
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1112#if defined(MBEDTLS_MD_C)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1113 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1114 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1115 }
1116 if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1117 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1118 }
1119 if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1120 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1121 }
1122 if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1123 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1124 }
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1125#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1126 if ((status = psa_hash_setup(&op, alg)) != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1127 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1128 }
1129 if ((status = psa_hash_update(&op, src, slen)) != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1130 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1131 }
1132 if ((status = psa_hash_update(&op, counter, 4)) != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1133 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1134 }
1135 status = psa_hash_finish(&op, mask, sizeof(mask), &out_len);
1136 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1137 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1138 }
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1139#endif
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1140
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1141 for (i = 0; i < use_len; ++i) {
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1142 *p++ ^= mask[i];
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1143 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1144
1145 counter[3]++;
1146
1147 dlen -= use_len;
1148 }
Gilles Peskine18ac7162017-05-05 19:24:06 +0200[diff] [blame]1149
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1150exit:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1151 mbedtls_platform_zeroize(mask, sizeof(mask));
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1152#if defined(MBEDTLS_MD_C)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1153 mbedtls_md_free(&md_ctx);
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1154
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1155 return ret;
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1156#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1157 psa_hash_abort(&op);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1158
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1159 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1160#endif
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1161}
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1162
1163/**
1164 * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
1165 *
1166 * \param hash the input hash
1167 * \param hlen length of the input hash
1168 * \param salt the input salt
1169 * \param slen length of the input salt
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +0200[diff] [blame]1170 * \param out the output buffer - must be large enough for \p md_alg
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1171 * \param md_alg message digest to use
1172 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1173static int hash_mprime(const unsigned char *hash, size_t hlen,
1174 const unsigned char *salt, size_t slen,
1175 unsigned char *out, mbedtls_md_type_t md_alg)
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1176{
1177 const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1178
1179#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1180 mbedtls_md_context_t md_ctx;
Przemek Stekielf98b57f2022-07-29 11:27:46 +0200[diff] [blame]1181 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1182
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1183 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
1184 if (md_info == NULL) {
1185 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1186 }
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1187
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1188 mbedtls_md_init(&md_ctx);
1189 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1190 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1191 }
1192 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1193 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1194 }
1195 if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1196 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1197 }
1198 if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1199 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1200 }
1201 if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1202 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1203 }
1204 if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1205 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1206 }
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1207
1208exit:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1209 mbedtls_md_free(&md_ctx);
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1210
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1211 return ret;
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1212#else
1213 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1214 psa_algorithm_t alg = mbedtls_psa_translate_md(md_alg);
1215 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1216 size_t out_size = PSA_HASH_LENGTH(alg);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1217 size_t out_len;
1218
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1219 if ((status = psa_hash_setup(&op, alg)) != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1220 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1221 }
1222 if ((status = psa_hash_update(&op, zeros, sizeof(zeros))) != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1223 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1224 }
1225 if ((status = psa_hash_update(&op, hash, hlen)) != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1226 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1227 }
1228 if ((status = psa_hash_update(&op, salt, slen)) != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1229 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1230 }
1231 status = psa_hash_finish(&op, out, out_size, &out_len);
1232 if (status != PSA_SUCCESS) {
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1233 goto exit;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1234 }
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1235
1236exit:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1237 psa_hash_abort(&op);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1238
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1239 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1240#endif /* !MBEDTLS_MD_C */
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1241}
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +0200[diff] [blame]1242
1243/**
1244 * Compute a hash.
1245 *
1246 * \param md_alg algorithm to use
1247 * \param input input message to hash
1248 * \param ilen input length
1249 * \param output the output buffer - must be large enough for \p md_alg
1250 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1251static int compute_hash(mbedtls_md_type_t md_alg,
1252 const unsigned char *input, size_t ilen,
1253 unsigned char *output)
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +0200[diff] [blame]1254{
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1255#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +0200[diff] [blame]1256 const mbedtls_md_info_t *md_info;
1257
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1258 md_info = mbedtls_md_info_from_type(md_alg);
1259 if (md_info == NULL) {
1260 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1261 }
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +0200[diff] [blame]1262
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1263 return mbedtls_md(md_info, input, ilen, output);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1264#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1265 psa_algorithm_t alg = mbedtls_psa_translate_md(md_alg);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1266 psa_status_t status;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1267 size_t out_size = PSA_HASH_LENGTH(alg);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1268 size_t out_len;
1269
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1270 status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1271
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1272 return mbedtls_md_error_from_psa(status);
Manuel Pégourié-Gonnard077ba842022-07-27 10:42:31 +0200[diff] [blame]1273#endif /* !MBEDTLS_MD_C */
Manuel Pégourié-Gonnard35c09e42022-07-15 13:10:54 +0200[diff] [blame]1274}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1275#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1277#if defined(MBEDTLS_PKCS1_V21)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1278/*
1279 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1280 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1281int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
1282 int (*f_rng)(void *, unsigned char *, size_t),
1283 void *p_rng,
1284 const unsigned char *label, size_t label_len,
1285 size_t ilen,
1286 const unsigned char *input,
1287 unsigned char *output)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1288{
1289 size_t olen;
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1290 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1291 unsigned char *p = output;
1292 unsigned int hlen;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1293
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1294 if (f_rng == NULL) {
1295 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1296 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1297
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1298 hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
1299 if (hlen == 0) {
1300 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1301 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1302
1303 olen = ctx->len;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1304
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1305 /* first comparison checks for overflow */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1306 if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
1307 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1308 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1309
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1310 memset(output, 0, olen);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1311
1312 *p++ = 0;
1313
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1314 /* Generate a random octet string seed */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1315 if ((ret = f_rng(p_rng, p, hlen)) != 0) {
1316 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1317 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1318
1319 p += hlen;
1320
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1321 /* Construct DB */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1322 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
1323 if (ret != 0) {
1324 return ret;
1325 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1326 p += hlen;
1327 p += olen - 2 * hlen - 2 - ilen;
1328 *p++ = 1;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1329 if (ilen != 0) {
1330 memcpy(p, input, ilen);
1331 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1332
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1333 /* maskedDB: Apply dbMask to DB */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1334 if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1335 ctx->hash_id)) != 0) {
1336 return ret;
1337 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1338
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1339 /* maskedSeed: Apply seedMask to seed */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1340 if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1341 ctx->hash_id)) != 0) {
1342 return ret;
1343 }
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1344
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1345 return mbedtls_rsa_public(ctx, output, output);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1346}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1347#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1348
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1350/*
1351 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1352 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1353int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
1354 int (*f_rng)(void *, unsigned char *, size_t),
1355 void *p_rng, size_t ilen,
1356 const unsigned char *input,
1357 unsigned char *output)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1358{
1359 size_t nb_pad, olen;
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1360 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1361 unsigned char *p = output;
1362
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1363 olen = ctx->len;
Manuel Pégourié-Gonnard370717b2016-02-11 10:35:13 +0100[diff] [blame]1364
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1365 /* first comparison checks for overflow */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1366 if (ilen + 11 < ilen || olen < ilen + 11) {
1367 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1368 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1369
1370 nb_pad = olen - 3 - ilen;
1371
1372 *p++ = 0;
Thomas Daubney53e4ac62021-05-13 18:26:49 +0100[diff] [blame]1373
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1374 if (f_rng == NULL) {
1375 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1376 }
Thomas Daubney53e4ac62021-05-13 18:26:49 +0100[diff] [blame]1377
1378 *p++ = MBEDTLS_RSA_CRYPT;
1379
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1380 while (nb_pad-- > 0) {
Thomas Daubney53e4ac62021-05-13 18:26:49 +0100[diff] [blame]1381 int rng_dl = 100;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]1382
Thomas Daubney53e4ac62021-05-13 18:26:49 +0100[diff] [blame]1383 do {
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1384 ret = f_rng(p_rng, p, 1);
1385 } while (*p == 0 && --rng_dl && ret == 0);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1386
Thomas Daubney53e4ac62021-05-13 18:26:49 +0100[diff] [blame]1387 /* Check if RNG failed to generate data */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1388 if (rng_dl == 0 || ret != 0) {
1389 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1390 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1391
Thomas Daubney53e4ac62021-05-13 18:26:49 +0100[diff] [blame]1392 p++;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1393 }
1394
1395 *p++ = 0;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1396 if (ilen != 0) {
1397 memcpy(p, input, ilen);
1398 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1399
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1400 return mbedtls_rsa_public(ctx, output, output);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1401}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1402#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1403
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1404/*
1405 * Add the message padding, then do an RSA operation
1406 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1407int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
1408 int (*f_rng)(void *, unsigned char *, size_t),
1409 void *p_rng,
1410 size_t ilen,
1411 const unsigned char *input,
1412 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1414 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1415#if defined(MBEDTLS_PKCS1_V15)
1416 case MBEDTLS_RSA_PKCS_V15:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1417 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
1418 ilen, input, output);
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1419#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1420
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1421#if defined(MBEDTLS_PKCS1_V21)
1422 case MBEDTLS_RSA_PKCS_V21:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1423 return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
1424 ilen, input, output);
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]1425#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1426
1427 default:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1428 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1429 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1430}
1431
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1432#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1433/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1434 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1435 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1436int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
1437 int (*f_rng)(void *, unsigned char *, size_t),
1438 void *p_rng,
1439 const unsigned char *label, size_t label_len,
1440 size_t *olen,
1441 const unsigned char *input,
1442 unsigned char *output,
1443 size_t output_max_len)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1444{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1446 size_t ilen, i, pad_len;
1447 unsigned char *p, bad, pad_done;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1448 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]1449 unsigned char lhash[MBEDTLS_HASH_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1450 unsigned int hlen;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1451
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1452 /*
1453 * Parameters sanity checks
1454 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1455 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1456 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1457 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1458
1459 ilen = ctx->len;
1460
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1461 if (ilen < 16 || ilen > sizeof(buf)) {
1462 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1463 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1464
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1465 hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
1466 if (hlen == 0) {
1467 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1468 }
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1469
Janos Follathc17cda12016-02-11 11:08:18 +0000[diff] [blame]1470 // checking for integer underflow
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1471 if (2 * hlen + 2 > ilen) {
1472 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1473 }
Janos Follathc17cda12016-02-11 11:08:18 +0000[diff] [blame]1474
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1475 /*
1476 * RSA operation
1477 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1478 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1479
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1480 if (ret != 0) {
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1481 goto cleanup;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1482 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1483
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1484 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1485 * Unmask data and generate lHash
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1486 */
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1487 /* seed: Apply seedMask to maskedSeed */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1488 if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1489 ctx->hash_id)) != 0 ||
1490 /* DB: Apply dbMask to maskedDB */
1491 (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1492 ctx->hash_id)) != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1493 goto cleanup;
1494 }
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1495
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1496 /* Generate lHash */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1497 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
1498 label, label_len, lhash);
1499 if (ret != 0) {
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1500 goto cleanup;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1501 }
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]1502
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1503 /*
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1504 * Check contents, in "constant-time"
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1505 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506 p = buf;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1507 bad = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1509 bad |= *p++; /* First byte must be 0 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1510
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1511 p += hlen; /* Skip seed */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1512
Manuel Pégourié-Gonnarda5cfc352013-11-28 15:57:52 +0100[diff] [blame]1513 /* Check lHash */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1514 for (i = 0; i < hlen; i++) {
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1515 bad |= lhash[i] ^ *p++;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1516 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1517
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1518 /* Get zero-padding len, but always read till end of buffer
1519 * (minus one, for the 01 byte) */
1520 pad_len = 0;
1521 pad_done = 0;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1522 for (i = 0; i < ilen - 2 * hlen - 2; i++) {
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1523 pad_done |= p[i];
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1524 pad_len += ((pad_done | (unsigned char) -pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1525 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1526
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1527 p += pad_len;
1528 bad |= *p++ ^ 0x01;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1529
Manuel Pégourié-Gonnardab44d7e2013-11-29 12:49:44 +0100[diff] [blame]1530 /*
1531 * The only information "leaked" is whether the padding was correct or not
1532 * (eg, no data is copied if it was not correct). This meets the
1533 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1534 * the different error conditions.
1535 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1536 if (bad != 0) {
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1537 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1538 goto cleanup;
1539 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1540
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1541 if (ilen - (p - buf) > output_max_len) {
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1542 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1543 goto cleanup;
1544 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1545
1546 *olen = ilen - (p - buf);
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1547 if (*olen != 0) {
1548 memcpy(output, p, *olen);
1549 }
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1550 ret = 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1551
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1552cleanup:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1553 mbedtls_platform_zeroize(buf, sizeof(buf));
1554 mbedtls_platform_zeroize(lhash, sizeof(lhash));
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1555
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1556 return ret;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1557}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1558#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1559
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1560#if defined(MBEDTLS_PKCS1_V15)
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1561/*
1562 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1563 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1564int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
1565 int (*f_rng)(void *, unsigned char *, size_t),
1566 void *p_rng,
1567 size_t *olen,
1568 const unsigned char *input,
1569 unsigned char *output,
1570 size_t output_max_len)
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1571{
1572 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1573 size_t ilen;
1574 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1575
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1576 ilen = ctx->len;
1577
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1578 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1579 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1580 }
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1581
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1582 if (ilen < 16 || ilen > sizeof(buf)) {
1583 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1584 }
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1585
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1586 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1587
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1588 if (ret != 0) {
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1589 goto cleanup;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1590 }
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1591
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1592 ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
1593 output, output_max_len, olen);
gabor-mezei-armbef600f2021-09-26 15:20:48 +0200[diff] [blame]1594
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1595cleanup:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1596 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine4a7f6a02017-03-23 14:37:37 +0100[diff] [blame]1597
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1598 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1599}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1600#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1601
1602/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1603 * Do an RSA operation, then remove the message padding
1604 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1605int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
1606 int (*f_rng)(void *, unsigned char *, size_t),
1607 void *p_rng,
1608 size_t *olen,
1609 const unsigned char *input,
1610 unsigned char *output,
1611 size_t output_max_len)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1612{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1613 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1614#if defined(MBEDTLS_PKCS1_V15)
1615 case MBEDTLS_RSA_PKCS_V15:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1616 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
1617 input, output, output_max_len);
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]1618#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1619
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1620#if defined(MBEDTLS_PKCS1_V21)
1621 case MBEDTLS_RSA_PKCS_V21:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1622 return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
1623 olen, input, output,
1624 output_max_len);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1625#endif
1626
1627 default:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1628 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1629 }
1630}
1631
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1632#if defined(MBEDTLS_PKCS1_V21)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1633static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1634 int (*f_rng)(void *, unsigned char *, size_t),
1635 void *p_rng,
1636 mbedtls_md_type_t md_alg,
1637 unsigned int hashlen,
1638 const unsigned char *hash,
1639 int saltlen,
1640 unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1641{
1642 size_t olen;
1643 unsigned char *p = sig;
Cédric Meuter668a78d2020-04-30 11:57:04 +0200[diff] [blame]1644 unsigned char *salt = NULL;
Jaeden Amero3725bb22018-09-07 19:12:36 +0100[diff] [blame]1645 size_t slen, min_slen, hlen, offset = 0;
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1646 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1647 size_t msb;
Manuel Pégourié-Gonnardf701acc2022-07-15 12:49:14 +0200[diff] [blame]1648
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1649 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +0100[diff] [blame]1650 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1651 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1652
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1653 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1654 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1655 }
Thomas Daubneyd58ed582021-05-21 11:50:39 +0100[diff] [blame]1656
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1657 if (f_rng == NULL) {
1658 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1659 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1660
1661 olen = ctx->len;
1662
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1663 if (md_alg != MBEDTLS_MD_NONE) {
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1664 /* Gather length of hash to sign */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1665 size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
1666 if (exp_hashlen == 0) {
1667 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1668 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1669
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1670 if (hashlen != exp_hashlen) {
1671 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1672 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1673 }
1674
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1675 hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
1676 if (hlen == 0) {
1677 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1678 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1679
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1680 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
1681 /* Calculate the largest possible salt length, up to the hash size.
1682 * Normally this is the hash length, which is the maximum salt length
1683 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
1684 * enough room, use the maximum salt length that fits. The constraint is
1685 * that the hash length plus the salt length plus 2 bytes must be at most
1686 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
1687 * (PKCS#1 v2.2) §9.1.1 step 3. */
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1688 min_slen = hlen - 2;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1689 if (olen < hlen + min_slen + 2) {
1690 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1691 } else if (olen >= hlen + hlen + 2) {
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1692 slen = hlen;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1693 } else {
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1694 slen = olen - hlen - 2;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1695 }
1696 } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
1697 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1698 } else {
Cédric Meuter010ddc22020-04-25 09:24:11 +0200[diff] [blame]1699 slen = (size_t) saltlen;
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1700 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1701
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1702 memset(sig, 0, olen);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1703
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1704 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1705 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
Jaeden Amero3725bb22018-09-07 19:12:36 +0100[diff] [blame]1706 p += olen - hlen - slen - 2;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1707 *p++ = 0x01;
Cédric Meuter668a78d2020-04-30 11:57:04 +0200[diff] [blame]1708
1709 /* Generate salt of length slen in place in the encoded message */
1710 salt = p;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1711 if ((ret = f_rng(p_rng, salt, slen)) != 0) {
1712 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1713 }
Cédric Meuter668a78d2020-04-30 11:57:04 +0200[diff] [blame]1714
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1715 p += slen;
1716
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1717 /* Generate H = Hash( M' ) */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1718 ret = hash_mprime(hash, hashlen, salt, slen, p, ctx->hash_id);
1719 if (ret != 0) {
1720 return ret;
1721 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1722
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1723 /* Compensate for boundary condition when applying mask */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1724 if (msb % 8 == 0) {
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1725 offset = 1;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1726 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1727
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]1728 /* maskedDB: Apply dbMask to DB */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1729 ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,
1730 ctx->hash_id);
1731 if (ret != 0) {
1732 return ret;
1733 }
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1734
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1735 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
1736 sig[0] &= 0xFF >> (olen * 8 - msb);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1737
1738 p += hlen;
1739 *p++ = 0xBC;
1740
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1741 return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1742}
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1743
1744/*
Cédric Meuterf3fab332020-04-25 11:30:45 +0200[diff] [blame]1745 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
1746 * the option to pass in the salt length.
1747 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1748int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
1749 int (*f_rng)(void *, unsigned char *, size_t),
1750 void *p_rng,
1751 mbedtls_md_type_t md_alg,
1752 unsigned int hashlen,
1753 const unsigned char *hash,
1754 int saltlen,
1755 unsigned char *sig)
Cédric Meuterf3fab332020-04-25 11:30:45 +0200[diff] [blame]1756{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1757 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
1758 hashlen, hash, saltlen, sig);
Cédric Meuterf3fab332020-04-25 11:30:45 +0200[diff] [blame]1759}
1760
1761
1762/*
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1763 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1764 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1765int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1766 int (*f_rng)(void *, unsigned char *, size_t),
1767 void *p_rng,
1768 mbedtls_md_type_t md_alg,
1769 unsigned int hashlen,
1770 const unsigned char *hash,
1771 unsigned char *sig)
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1772{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1773 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
1774 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
Cedric Meuter8aa4d752020-04-21 12:49:11 +0200[diff] [blame]1775}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1776#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1777
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1778#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1779/*
1780 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1781 */
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1782
1783/* Construct a PKCS v1.5 encoding of a hashed message
1784 *
1785 * This is used both for signature generation and verification.
1786 *
1787 * Parameters:
1788 * - md_alg: Identifies the hash algorithm used to generate the given hash;
Hanno Beckere58d38c2017-09-27 17:09:00 +0100[diff] [blame]1789 * MBEDTLS_MD_NONE if raw data is signed.
Gilles Peskine6e3187b2021-06-22 18:39:53 +0200[diff] [blame]1790 * - hashlen: Length of hash. Must match md_alg if that's not NONE.
Hanno Beckere58d38c2017-09-27 17:09:00 +0100[diff] [blame]1791 * - hash: Buffer containing the hashed message or the raw data.
1792 * - dst_len: Length of the encoded message.
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1793 * - dst: Buffer to hold the encoded message.
1794 *
1795 * Assumptions:
Gilles Peskine6e3187b2021-06-22 18:39:53 +0200[diff] [blame]1796 * - hash has size hashlen.
Hanno Beckere58d38c2017-09-27 17:09:00 +0100[diff] [blame]1797 * - dst points to a buffer of size at least dst_len.
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1798 *
1799 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1800static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
1801 unsigned int hashlen,
1802 const unsigned char *hash,
1803 size_t dst_len,
1804 unsigned char *dst)
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1805{
1806 size_t oid_size = 0;
Hanno Beckere58d38c2017-09-27 17:09:00 +0100[diff] [blame]1807 size_t nb_pad = dst_len;
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1808 unsigned char *p = dst;
1809 const char *oid = NULL;
1810
1811 /* Are we signing hashed or raw data? */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1812 if (md_alg != MBEDTLS_MD_NONE) {
1813 unsigned char md_size = mbedtls_hash_info_get_size(md_alg);
1814 if (md_size == 0) {
1815 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1816 }
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1817
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1818 if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
1819 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1820 }
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1821
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1822 if (hashlen != md_size) {
1823 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1824 }
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1825
1826 /* Double-check that 8 + hashlen + oid_size can be used as a
1827 * 1-byte ASN.1 length encoding and that there's no overflow. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1828 if (8 + hashlen + oid_size >= 0x80 ||
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1829 10 + hashlen < hashlen ||
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1830 10 + hashlen + oid_size < 10 + hashlen) {
1831 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1832 }
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1833
1834 /*
1835 * Static bounds check:
1836 * - Need 10 bytes for five tag-length pairs.
1837 * (Insist on 1-byte length encodings to protect against variants of
1838 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1839 * - Need hashlen bytes for hash
1840 * - Need oid_size bytes for hash alg OID.
1841 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1842 if (nb_pad < 10 + hashlen + oid_size) {
1843 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1844 }
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1845 nb_pad -= 10 + hashlen + oid_size;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1846 } else {
1847 if (nb_pad < hashlen) {
1848 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1849 }
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1850
1851 nb_pad -= hashlen;
1852 }
1853
Hanno Becker2b2f8982017-09-27 17:10:03 +0100[diff] [blame]1854 /* Need space for signature header and padding delimiter (3 bytes),
1855 * and 8 bytes for the minimal padding */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1856 if (nb_pad < 3 + 8) {
1857 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1858 }
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1859 nb_pad -= 3;
1860
1861 /* Now nb_pad is the amount of memory to be filled
Hanno Becker2b2f8982017-09-27 17:10:03 +0100[diff] [blame]1862 * with padding, and at least 8 bytes long. */
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1863
1864 /* Write signature header and padding */
1865 *p++ = 0;
1866 *p++ = MBEDTLS_RSA_SIGN;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1867 memset(p, 0xFF, nb_pad);
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1868 p += nb_pad;
1869 *p++ = 0;
1870
1871 /* Are we signing raw data? */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1872 if (md_alg == MBEDTLS_MD_NONE) {
1873 memcpy(p, hash, hashlen);
1874 return 0;
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1875 }
1876
1877 /* Signing hashed data, add corresponding ASN.1 structure
1878 *
1879 * DigestInfo ::= SEQUENCE {
1880 * digestAlgorithm DigestAlgorithmIdentifier,
1881 * digest Digest }
1882 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1883 * Digest ::= OCTET STRING
1884 *
1885 * Schematic:
1886 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1887 * TAG-NULL + LEN [ NULL ] ]
1888 * TAG-OCTET + LEN [ HASH ] ]
1889 */
1890 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1891 *p++ = (unsigned char) (0x08 + oid_size + hashlen);
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1892 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1893 *p++ = (unsigned char) (0x04 + oid_size);
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1894 *p++ = MBEDTLS_ASN1_OID;
Hanno Becker87ae1972018-01-15 15:27:56 +0000[diff] [blame]1895 *p++ = (unsigned char) oid_size;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1896 memcpy(p, oid, oid_size);
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1897 p += oid_size;
1898 *p++ = MBEDTLS_ASN1_NULL;
1899 *p++ = 0x00;
1900 *p++ = MBEDTLS_ASN1_OCTET_STRING;
Hanno Becker87ae1972018-01-15 15:27:56 +0000[diff] [blame]1901 *p++ = (unsigned char) hashlen;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1902 memcpy(p, hash, hashlen);
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1903 p += hashlen;
1904
1905 /* Just a sanity-check, should be automatic
1906 * after the initial bounds check. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1907 if (p != dst + dst_len) {
1908 mbedtls_platform_zeroize(dst, dst_len);
1909 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1910 }
1911
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1912 return 0;
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1913}
1914
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1915/*
1916 * Do an RSA operation to sign the message digest
1917 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1918int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
1919 int (*f_rng)(void *, unsigned char *, size_t),
1920 void *p_rng,
1921 mbedtls_md_type_t md_alg,
1922 unsigned int hashlen,
1923 const unsigned char *hash,
1924 unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1925{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1926 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1927 unsigned char *sig_try = NULL, *verif = NULL;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1928
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1929 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +0100[diff] [blame]1930 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1931 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]1932
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1933 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1934 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1935 }
Thomas Daubneyd58ed582021-05-21 11:50:39 +0100[diff] [blame]1936
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1937 /*
1938 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1939 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1940
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1941 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
1942 ctx->len, sig)) != 0) {
1943 return ret;
1944 }
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +0200[diff] [blame]1945
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1946 /* Private key operation
1947 *
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +0200[diff] [blame]1948 * In order to prevent Lenstra's attack, make the signature in a
1949 * temporary buffer and check it before returning it.
1950 */
Hanno Beckerfdf38032017-09-06 12:35:55 +0100[diff] [blame]1951
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1952 sig_try = mbedtls_calloc(1, ctx->len);
1953 if (sig_try == NULL) {
1954 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
Simon Butcher1285ab52016-01-01 21:42:47 +0000[diff] [blame]1955 }
1956
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1957 verif = mbedtls_calloc(1, ctx->len);
1958 if (verif == NULL) {
1959 mbedtls_free(sig_try);
1960 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
1961 }
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +0200[diff] [blame]1962
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1963 MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
1964 MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
1965
1966 if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +0200[diff] [blame]1967 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1968 goto cleanup;
1969 }
1970
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1971 memcpy(sig, sig_try, ctx->len);
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +0200[diff] [blame]1972
1973cleanup:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1974 mbedtls_platform_zeroize(sig_try, ctx->len);
1975 mbedtls_platform_zeroize(verif, ctx->len);
1976 mbedtls_free(sig_try);
1977 mbedtls_free(verif);
Manuel Pégourié-Gonnard5f501042015-09-03 20:03:15 +0200[diff] [blame]1978
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1979 if (ret != 0) {
1980 memset(sig, '!', ctx->len);
1981 }
1982 return ret;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1983}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1984#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]1985
1986/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1987 * Do an RSA operation to sign the message digest
1988 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1989int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
1990 int (*f_rng)(void *, unsigned char *, size_t),
1991 void *p_rng,
1992 mbedtls_md_type_t md_alg,
1993 unsigned int hashlen,
1994 const unsigned char *hash,
1995 unsigned char *sig)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1996{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1997 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +0100[diff] [blame]1998 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]1999 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2000
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2001 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2002#if defined(MBEDTLS_PKCS1_V15)
2003 case MBEDTLS_RSA_PKCS_V15:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2004 return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
2005 md_alg, hashlen, hash, sig);
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]2006#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2008#if defined(MBEDTLS_PKCS1_V21)
2009 case MBEDTLS_RSA_PKCS_V21:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2010 return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
2011 hashlen, hash, sig);
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2012#endif
2013
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014 default:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2015 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2017}
2018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2019#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2020/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2021 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2023int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
2024 mbedtls_md_type_t md_alg,
2025 unsigned int hashlen,
2026 const unsigned char *hash,
2027 mbedtls_md_type_t mgf1_hash_id,
2028 int expected_salt_len,
2029 const unsigned char *sig)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2030{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]2031 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2032 size_t siglen;
2033 unsigned char *p;
Gilles Peskine6a54b022017-10-17 19:02:13 +0200[diff] [blame]2034 unsigned char *hash_start;
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]2035 unsigned char result[MBEDTLS_HASH_MAX_SIZE];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2036 unsigned int hlen;
Gilles Peskine6a54b022017-10-17 19:02:13 +0200[diff] [blame]2037 size_t observed_salt_len, msb;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2038 unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2039
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2040 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +0100[diff] [blame]2041 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2042 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2043
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2044 siglen = ctx->len;
2045
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2046 if (siglen < 16 || siglen > sizeof(buf)) {
2047 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2048 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2049
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2050 ret = mbedtls_rsa_public(ctx, sig, buf);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2051
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2052 if (ret != 0) {
2053 return ret;
2054 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055
2056 p = buf;
2057
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2058 if (buf[siglen - 1] != 0xBC) {
2059 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2060 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2061
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2062 if (md_alg != MBEDTLS_MD_NONE) {
2063 /* Gather length of hash to sign */
2064 size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
2065 if (exp_hashlen == 0) {
2066 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2067 }
2068
2069 if (hashlen != exp_hashlen) {
2070 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2071 }
2072 }
2073
2074 hlen = mbedtls_hash_info_get_size(mgf1_hash_id);
2075 if (hlen == 0) {
2076 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2077 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2078
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]2079 /*
2080 * Note: EMSA-PSS verification is over the length of N - 1 bits
2081 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2082 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2083
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2084 if (buf[0] >> (8 - siglen * 8 + msb)) {
2085 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2086 }
Gilles Peskineb00b0da2017-10-19 15:23:49 +0200[diff] [blame]2087
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]2088 /* Compensate for boundary condition when applying mask */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2089 if (msb % 8 == 0) {
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2090 p++;
2091 siglen -= 1;
2092 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2093
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2094 if (siglen < hlen + 2) {
2095 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2096 }
Gilles Peskine139108a2017-10-18 19:03:42 +0200[diff] [blame]2097 hash_start = p + siglen - hlen - 1;
2098
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2099 ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
2100 if (ret != 0) {
2101 return ret;
2102 }
Paul Bakker02303e82013-01-03 11:08:31 +0100[diff] [blame]2103
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2104 buf[0] &= 0xFF >> (siglen * 8 - msb);
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2105
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2106 while (p < hash_start - 1 && *p == 0) {
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2107 p++;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2108 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2109
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2110 if (*p++ != 0x01) {
2111 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2112 }
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2113
Gilles Peskine6a54b022017-10-17 19:02:13 +0200[diff] [blame]2114 observed_salt_len = hash_start - p;
Paul Bakker9dcc3222011-03-08 14:16:06 +0000[diff] [blame]2115
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2116 if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
2117 observed_salt_len != (size_t) expected_salt_len) {
2118 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]2119 }
2120
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]2121 /*
2122 * Generate H = Hash( M' )
2123 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2124 ret = hash_mprime(hash, hashlen, p, observed_salt_len,
2125 result, mgf1_hash_id);
2126 if (ret != 0) {
2127 return ret;
2128 }
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]2129
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2130 if (memcmp(hash_start, result, hlen) != 0) {
2131 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
2132 }
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]2133
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2134 return 0;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2135}
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]2136
2137/*
2138 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2139 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2140int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
2141 mbedtls_md_type_t md_alg,
2142 unsigned int hashlen,
2143 const unsigned char *hash,
2144 const unsigned char *sig)
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]2145{
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2146 mbedtls_md_type_t mgf1_hash_id;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2147 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +0100[diff] [blame]2148 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2149 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2150
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2151 mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2152 ? (mbedtls_md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]2153 : md_alg;
2154
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2155 return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
2156 md_alg, hashlen, hash,
2157 mgf1_hash_id,
2158 MBEDTLS_RSA_SALT_LEN_ANY,
2159 sig);
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200[diff] [blame]2160
2161}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2162#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker40628ba2013-01-03 10:50:31 +0100[diff] [blame]2163
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2164#if defined(MBEDTLS_PKCS1_V15)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2165/*
2166 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2167 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2168int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
2169 mbedtls_md_type_t md_alg,
2170 unsigned int hashlen,
2171 const unsigned char *hash,
2172 const unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2173{
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2174 int ret = 0;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2175 size_t sig_len;
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2176 unsigned char *encoded = NULL, *encoded_expected = NULL;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2177
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2178 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +0100[diff] [blame]2179 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2180 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2181
2182 sig_len = ctx->len;
2183
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2184 /*
2185 * Prepare expected PKCS1 v1.5 encoding of hash.
2186 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2187
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2188 if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
2189 (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2190 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2191 goto cleanup;
2192 }
2193
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2194 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
2195 encoded_expected)) != 0) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2196 goto cleanup;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2197 }
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2198
2199 /*
2200 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2201 */
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2202
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2203 ret = mbedtls_rsa_public(ctx, sig, encoded);
2204 if (ret != 0) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2205 goto cleanup;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2206 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2207
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]2208 /*
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2209 * Compare
Simon Butcher02037452016-03-01 21:19:12 +0000[diff] [blame]2210 */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2211
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2212 if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
2213 sig_len)) != 0) {
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2214 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2215 goto cleanup;
2216 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2217
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2218cleanup:
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2219
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2220 if (encoded != NULL) {
2221 mbedtls_platform_zeroize(encoded, sig_len);
2222 mbedtls_free(encoded);
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2223 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2224
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2225 if (encoded_expected != NULL) {
2226 mbedtls_platform_zeroize(encoded_expected, sig_len);
2227 mbedtls_free(encoded_expected);
Hanno Becker64a8c0a2017-09-06 12:39:49 +0100[diff] [blame]2228 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2229
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2230 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2231}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2232#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2233
2234/*
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2235 * Do an RSA operation and check the message digest
2236 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2237int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
2238 mbedtls_md_type_t md_alg,
2239 unsigned int hashlen,
2240 const unsigned char *hash,
2241 const unsigned char *sig)
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2242{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2243 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
Tuvshinzaya Erdenekhuu6a473b22022-08-05 15:49:56 +0100[diff] [blame]2244 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2245 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2246
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2247 switch (ctx->padding) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2248#if defined(MBEDTLS_PKCS1_V15)
2249 case MBEDTLS_RSA_PKCS_V15:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2250 return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
2251 hashlen, hash, sig);
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]2252#endif
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2253
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2254#if defined(MBEDTLS_PKCS1_V21)
2255 case MBEDTLS_RSA_PKCS_V21:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2256 return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
2257 hashlen, hash, sig);
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2258#endif
2259
2260 default:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2261 return MBEDTLS_ERR_RSA_INVALID_PADDING;
Paul Bakkerb3869132013-02-28 17:21:01 +0100[diff] [blame]2262 }
2263}
2264
2265/*
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2266 * Copy the components of an RSA key
2267 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2268int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2269{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]2270 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2271
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2272 dst->len = src->len;
2273
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2274 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
2275 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2276
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2277 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
2278 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
2279 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
Hanno Becker33c30a02017-08-23 07:00:22 +0100[diff] [blame]2280
2281#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2282 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
2283 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
2284 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
2285 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
2286 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
Hanno Becker33c30a02017-08-23 07:00:22 +0100[diff] [blame]2287#endif
2288
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2289 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2290
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2291 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
2292 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200[diff] [blame]2293
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2294 dst->padding = src->padding;
Manuel Pégourié-Gonnardfdddac92014-03-25 15:58:35 +0100[diff] [blame]2295 dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2296
2297cleanup:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2298 if (ret != 0) {
2299 mbedtls_rsa_free(dst);
2300 }
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2301
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2302 return ret;
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200[diff] [blame]2303}
2304
2305/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2306 * Free the components of an RSA key
2307 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2308void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2309{
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2310 if (ctx == NULL) {
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2311 return;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2312 }
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2313
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2314 mbedtls_mpi_free(&ctx->Vi);
2315 mbedtls_mpi_free(&ctx->Vf);
2316 mbedtls_mpi_free(&ctx->RN);
2317 mbedtls_mpi_free(&ctx->D);
2318 mbedtls_mpi_free(&ctx->Q);
2319 mbedtls_mpi_free(&ctx->P);
2320 mbedtls_mpi_free(&ctx->E);
2321 mbedtls_mpi_free(&ctx->N);
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]2322
Hanno Becker33c30a02017-08-23 07:00:22 +0100[diff] [blame]2323#if !defined(MBEDTLS_RSA_NO_CRT)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2324 mbedtls_mpi_free(&ctx->RQ);
2325 mbedtls_mpi_free(&ctx->RP);
2326 mbedtls_mpi_free(&ctx->QP);
2327 mbedtls_mpi_free(&ctx->DQ);
2328 mbedtls_mpi_free(&ctx->DP);
Hanno Becker33c30a02017-08-23 07:00:22 +0100[diff] [blame]2329#endif /* MBEDTLS_RSA_NO_CRT */
2330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2331#if defined(MBEDTLS_THREADING_C)
Gilles Peskineeb940592021-02-01 17:57:41 +0100[diff] [blame]2332 /* Free the mutex, but only if it hasn't been freed already. */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2333 if (ctx->ver != 0) {
2334 mbedtls_mutex_free(&ctx->mutex);
Gilles Peskineeb940592021-02-01 17:57:41 +0100[diff] [blame]2335 ctx->ver = 0;
2336 }
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200[diff] [blame]2337#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2338}
2339
Hanno Beckerab377312017-08-23 16:24:51 +0100[diff] [blame]2340#endif /* !MBEDTLS_RSA_ALT */
2341
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2342#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2343
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]2344#include "mbedtls/sha1.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2345
2346/*
2347 * Example RSA-1024 keypair, for test purposes
2348 */
2349#define KEY_LEN 128
2350
2351#define RSA_N "9292758453063D803DD603D5E777D788" \
2352 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2353 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2354 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2355 "93A89813FBF3C4F8066D2D800F7C38A8" \
2356 "1AE31942917403FF4946B0A83D3D3E05" \
2357 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2358 "5E94BB77B07507233A0BC7BAC8F90F79"
2359
2360#define RSA_E "10001"
2361
2362#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2363 "66CA472BC44D253102F8B4A9D3BFA750" \
2364 "91386C0077937FE33FA3252D28855837" \
2365 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2366 "DF79C5CE07EE72C7F123142198164234" \
2367 "CABB724CF78B8173B9F880FC86322407" \
2368 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2369 "071513A1E85B5DFA031F21ECAE91A34D"
2370
2371#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2372 "2C01CAD19EA484A87EA4377637E75500" \
2373 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2374 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2375
2376#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2377 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2378 "910E4168387E3C30AA1E00C339A79508" \
2379 "8452DD96A9A5EA5D9DCA68DA636032AF"
2380
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2381#define PT_LEN 24
2382#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2383 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2385#if defined(MBEDTLS_PKCS1_V15)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2386static int myrand(void *rng_state, unsigned char *output, size_t len)
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]2387{
gufe44c2620da2020-08-03 17:56:50 +0200[diff] [blame]2388#if !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2389 size_t i;
2390
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2391 if (rng_state != NULL) {
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]2392 rng_state = NULL;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2393 }
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]2394
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2395 for (i = 0; i < len; ++i) {
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2396 output[i] = rand();
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2397 }
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame]2398#else
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2399 if (rng_state != NULL) {
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame]2400 rng_state = NULL;
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2401 }
Paul Bakkerf96f7b62014-04-30 16:02:38 +0200[diff] [blame]2402
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2403 arc4random_buf(output, len);
gufe44c2620da2020-08-03 17:56:50 +0200[diff] [blame]2404#endif /* !OpenBSD && !NetBSD */
Paul Bakker48377d92013-08-30 12:06:24 +0200[diff] [blame]2405
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2406 return 0;
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]2407}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2408#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker545570e2010-07-18 09:00:25 +0000[diff] [blame]2409
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2410/*
2411 * Checkup routine
2412 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2413int mbedtls_rsa_self_test(int verbose)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2414{
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]2415 int ret = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2416#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2417 size_t len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2418 mbedtls_rsa_context rsa;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2419 unsigned char rsa_plaintext[PT_LEN];
2420 unsigned char rsa_decrypted[PT_LEN];
2421 unsigned char rsa_ciphertext[KEY_LEN];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2422#if defined(MBEDTLS_SHA1_C)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2423 unsigned char sha1sum[20];
2424#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2425
Hanno Becker3a701162017-08-22 13:52:43 +0100[diff] [blame]2426 mbedtls_mpi K;
2427
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2428 mbedtls_mpi_init(&K);
2429 mbedtls_rsa_init(&rsa);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2430
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2431 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
2432 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
2433 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
2434 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
2435 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
2436 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
2437 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
2438 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
2439 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
2440 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
Hanno Becker3a701162017-08-22 13:52:43 +0100[diff] [blame]2441
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2442 MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2443
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2444 if (verbose != 0) {
2445 mbedtls_printf(" RSA key validation: ");
2446 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2447
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2448 if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
2449 mbedtls_rsa_check_privkey(&rsa) != 0) {
2450 if (verbose != 0) {
2451 mbedtls_printf("failed\n");
2452 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2453
Hanno Becker5bc87292017-05-03 15:09:31 +0100[diff] [blame]2454 ret = 1;
2455 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2456 }
2457
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2458 if (verbose != 0) {
2459 mbedtls_printf("passed\n PKCS#1 encryption : ");
2460 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2461
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2462 memcpy(rsa_plaintext, RSA_PT, PT_LEN);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2463
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2464 if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
2465 PT_LEN, rsa_plaintext,
2466 rsa_ciphertext) != 0) {
2467 if (verbose != 0) {
2468 mbedtls_printf("failed\n");
2469 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2470
Hanno Becker5bc87292017-05-03 15:09:31 +0100[diff] [blame]2471 ret = 1;
2472 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2473 }
2474
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2475 if (verbose != 0) {
2476 mbedtls_printf("passed\n PKCS#1 decryption : ");
2477 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2478
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2479 if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
2480 &len, rsa_ciphertext, rsa_decrypted,
2481 sizeof(rsa_decrypted)) != 0) {
2482 if (verbose != 0) {
2483 mbedtls_printf("failed\n");
2484 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2485
Hanno Becker5bc87292017-05-03 15:09:31 +0100[diff] [blame]2486 ret = 1;
2487 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2488 }
2489
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2490 if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
2491 if (verbose != 0) {
2492 mbedtls_printf("failed\n");
2493 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2494
Hanno Becker5bc87292017-05-03 15:09:31 +0100[diff] [blame]2495 ret = 1;
2496 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2497 }
2498
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2499 if (verbose != 0) {
2500 mbedtls_printf("passed\n");
2501 }
Manuel Pégourié-Gonnardd1004f02015-08-07 10:46:54 +0200[diff] [blame]2502
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2503#if defined(MBEDTLS_SHA1_C)
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2504 if (verbose != 0) {
2505 mbedtls_printf(" PKCS#1 data sign : ");
Andres Amaya Garcia698089e2017-06-28 11:46:46 +0100[diff] [blame]2506 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2507
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2508 if (mbedtls_sha1(rsa_plaintext, PT_LEN, sha1sum) != 0) {
2509 if (verbose != 0) {
2510 mbedtls_printf("failed\n");
2511 }
2512
2513 return 1;
2514 }
2515
2516 if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
2517 MBEDTLS_MD_SHA1, 20,
2518 sha1sum, rsa_ciphertext) != 0) {
2519 if (verbose != 0) {
2520 mbedtls_printf("failed\n");
2521 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2522
Hanno Becker5bc87292017-05-03 15:09:31 +0100[diff] [blame]2523 ret = 1;
2524 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2525 }
2526
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2527 if (verbose != 0) {
2528 mbedtls_printf("passed\n PKCS#1 sig. verify: ");
2529 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2530
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2531 if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
2532 sha1sum, rsa_ciphertext) != 0) {
2533 if (verbose != 0) {
2534 mbedtls_printf("failed\n");
2535 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2536
Hanno Becker5bc87292017-05-03 15:09:31 +0100[diff] [blame]2537 ret = 1;
2538 goto cleanup;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2539 }
2540
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2541 if (verbose != 0) {
2542 mbedtls_printf("passed\n");
2543 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2544#endif /* MBEDTLS_SHA1_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2545
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2546 if (verbose != 0) {
2547 mbedtls_printf("\n");
2548 }
Manuel Pégourié-Gonnardd1004f02015-08-07 10:46:54 +0200[diff] [blame]2549
Paul Bakker3d8fb632014-04-17 12:42:41 +0200[diff] [blame]2550cleanup:
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2551 mbedtls_mpi_free(&K);
2552 mbedtls_rsa_free(&rsa);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2553#else /* MBEDTLS_PKCS1_V15 */
Paul Bakker3e41fe82013-09-15 17:42:50 +0200[diff] [blame]2554 ((void) verbose);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2555#endif /* MBEDTLS_PKCS1_V15 */
David Horstmann8b6068b2023-01-05 15:42:32 +0000[diff] [blame^]2556 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2557}
2558
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2559#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2560
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2561#endif /* MBEDTLS_RSA_C */