Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

2009-01-03 21:22:43 +0000

[diff] [blame]

1

/*

2

* The RSA public-key cryptosystem

3

*

Bence Szépkúti

1e14827

2020-08-07 13:07:28 +0200

[diff] [blame]

4

* Copyright The Mbed TLS Contributors

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

18

*/

Hanno Becker

7471631

2017-10-02 10:00:37 +0100

[diff] [blame]

19

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

20

/*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

21

* The following sources were referenced in the design of this implementation

22

* of the RSA algorithm:

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

23

*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

24

* [1] A method for obtaining digital signatures and public-key cryptosystems

25

* R Rivest, A Shamir, and L Adleman

26

* http://people.csail.mit.edu/rivest/pubs.html#RSA78

27

*

28

* [2] Handbook of Applied Cryptography - 1997, Chapter 8

29

* Menezes, van Oorschot and Vanstone

30

*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

31

* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks

32

* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and

33

* Stefan Mangard

34

* https://arxiv.org/abs/1702.08719v2

35

*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

36

*/

37

Gilles Peskine

db09ef6

2020-06-03 01:43:33 +0200

[diff] [blame]

38

#include "common.h"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

39

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

40

#if defined(MBEDTLS_RSA_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

41

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

42

# include "mbedtls/rsa.h"

43

# include "rsa_alt_helpers.h"

44

# include "mbedtls/oid.h"

45

# include "mbedtls/platform_util.h"

46

# include "mbedtls/error.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

47

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

48

# include <string.h>

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

49

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

50

# if defined(MBEDTLS_PKCS1_V21)

51

# include "mbedtls/md.h"

52

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

53

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

54

# if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && \

55

!defined(__NetBSD__)

56

# include <stdlib.h>

57

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

58

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

59

# if defined(MBEDTLS_PLATFORM_C)

60

# include "mbedtls/platform.h"

61

# else

62

# include <stdio.h>

63

# define mbedtls_printf printf

64

# define mbedtls_calloc calloc

65

# define mbedtls_free free

66

# endif

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

67

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

68

# if !defined(MBEDTLS_RSA_ALT)

Hanno Becker

a565f54

2017-10-11 11:00:19 +0100

[diff] [blame]

69

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

70

/* Parameter validation macros */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

71

# define RSA_VALIDATE_RET(cond) \

72

MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA)

73

# define RSA_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE(cond)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

74

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

75

# if defined(MBEDTLS_PKCS1_V15)

Hanno Becker

2017-09-06 12:32:16 +0100

[diff] [blame]

76

/* constant-time buffer comparison */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

77

static inline int mbedtls_safer_memcmp(const void *a, const void *b, size_t n)

Hanno Becker

2017-09-06 12:32:16 +0100

[diff] [blame]

78

{

79

size_t i;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

80

const unsigned char *A = (const unsigned char *)a;

81

const unsigned char *B = (const unsigned char *)b;

Hanno Becker

2017-09-06 12:32:16 +0100

[diff] [blame]

82

unsigned char diff = 0;

83

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

84

for (i = 0; i < n; i++)

Hanno Becker

2017-09-06 12:32:16 +0100

[diff] [blame]

85

diff |= A[i] ^ B[i];

86

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

87

return diff;

Hanno Becker

2017-09-06 12:32:16 +0100

[diff] [blame]

88

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

89

# endif /* MBEDTLS_PKCS1_V15 */

Hanno Becker

2017-09-06 12:32:16 +0100

[diff] [blame]

90

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

91

int mbedtls_rsa_import(mbedtls_rsa_context *ctx,

92

const mbedtls_mpi *N,

93

const mbedtls_mpi *P,

94

const mbedtls_mpi *Q,

95

const mbedtls_mpi *D,

96

const mbedtls_mpi *E)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

97

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

98

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

99

RSA_VALIDATE_RET(ctx != NULL);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

100

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

101

if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||

102

(P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||

103

(Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||

104

(D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||

105

(E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {

106

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

107

}

108

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

109

if (N != NULL)

110

ctx->len = mbedtls_mpi_size(&ctx->N);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

111

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

112

return 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

113

}

114

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

115

int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,

116

unsigned char const *N,

117

size_t N_len,

118

unsigned char const *P,

119

size_t P_len,

120

unsigned char const *Q,

121

size_t Q_len,

122

unsigned char const *D,

123

size_t D_len,

124

unsigned char const *E,

125

size_t E_len)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

126

{

Hanno Becker

d4d6057

2018-01-10 07:12:01 +0000

[diff] [blame]

127

int ret = 0;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

128

RSA_VALIDATE_RET(ctx != NULL);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

129

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

130

if (N != NULL) {

131

MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));

132

ctx->len = mbedtls_mpi_size(&ctx->N);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

133

}

134

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

135

if (P != NULL)

136

MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

137

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

138

if (Q != NULL)

139

MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

140

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

141

if (D != NULL)

142

MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

143

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

144

if (E != NULL)

145

MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

149

if (ret != 0)

150

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

151

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

152

return 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

153

}

154

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

155

/*

156

* Checks whether the context fields are set in such a way

157

* that the RSA primitives will be able to execute without error.

158

* It does *not* make guarantees for consistency of the parameters.

159

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

160

static int rsa_check_context(mbedtls_rsa_context const *ctx,

161

int is_priv,

162

int blinding_needed)

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

163

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

164

# if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

ebd2c02

2017-10-12 10:54:53 +0100

[diff] [blame]

165

/* blinding_needed is only used for NO_CRT to decide whether

166

* P,Q need to be present or not. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

167

((void)blinding_needed);

168

# endif

Hanno Becker

ebd2c02

2017-10-12 10:54:53 +0100

[diff] [blame]

169

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

170

if (ctx->len != mbedtls_mpi_size(&ctx->N) ||

171

ctx->len > MBEDTLS_MPI_MAX_SIZE) {

172

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

3a760a1

2018-01-05 08:14:49 +0000

[diff] [blame]

173

}

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

174

175

/*

176

* 1. Modular exponentiation needs positive, odd moduli.

177

*/

178

179

/* Modular exponentiation wrt. N is always used for

180

* RSA public key operations. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

181

if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||

182

mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {

183

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

184

}

185

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

186

# if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

187

/* Modular exponentiation for P and Q is only

188

* used for private key operations and if CRT

189

* is used. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

190

if (is_priv && (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||

191

mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||

192

mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||

193

mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {

194

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

195

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

196

# endif /* !MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

197

198

/*

199

* 2. Exponents must be positive

200

*/

201

202

/* Always need E for public key operations */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

203

if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0)

204

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

205

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

206

# if defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

207

/* For private key operations, use D or DP & DQ

208

* as (unblinded) exponents. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

209

if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0)

210

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

211

# else

212

if (is_priv && (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||

213

mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {

214

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

215

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

216

# endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

217

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

218

/* Blinding shouldn't make exponents negative either,

219

* so check that P, Q >= 1 if that hasn't yet been

220

* done as part of 1. */

221

# if defined(MBEDTLS_RSA_NO_CRT)

222

if (is_priv && blinding_needed &&

223

(mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||

224

mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {

225

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

226

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

227

# endif

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

228

229

/* It wouldn't lead to an error if it wasn't satisfied,

Hanno Becker

f8c028a

2017-10-17 09:20:57 +0100

[diff] [blame]

230

* but check for QP >= 1 nonetheless. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

231

# if !defined(MBEDTLS_RSA_NO_CRT)

232

if (is_priv && mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {

233

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

234

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

235

# endif

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

236

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

237

return 0;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

238

}

239

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

240

int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

241

{

242

int ret = 0;

Jack Lloyd

8c2631b

2020-01-23 17:23:52 -0500

[diff] [blame]

243

int have_N, have_P, have_Q, have_D, have_E;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

244

# if !defined(MBEDTLS_RSA_NO_CRT)

Jack Lloyd

8c2631b

2020-01-23 17:23:52 -0500

[diff] [blame]

245

int have_DP, have_DQ, have_QP;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

246

# endif

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

247

int n_missing, pq_missing, d_missing, is_pub, is_priv;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

248

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

249

RSA_VALIDATE_RET(ctx != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

250

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

251

have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);

252

have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);

253

have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);

254

have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);

255

have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);

Jack Lloyd

8c2631b

2020-01-23 17:23:52 -0500

[diff] [blame]

256

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

257

# if !defined(MBEDTLS_RSA_NO_CRT)

258

have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);

259

have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);

260

have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);

261

# endif

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

262

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

263

/*

264

* Check whether provided parameters are enough

265

* to deduce all others. The following incomplete

266

* parameter sets for private keys are supported:

267

*

268

* (1) P, Q missing.

269

* (2) D and potentially N missing.

270

*

271

*/

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

272

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

273

n_missing = have_P && have_Q && have_D && have_E;

274

pq_missing = have_N && !have_P && !have_Q && have_D && have_E;

275

d_missing = have_P && have_Q && !have_D && have_E;

276

is_pub = have_N && !have_P && !have_Q && !have_D && have_E;

Hanno Becker

2017-09-29 11:46:40 +0100

[diff] [blame]

277

278

/* These three alternatives are mutually exclusive */

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

279

is_priv = n_missing || pq_missing || d_missing;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

280

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

281

if (!is_priv && !is_pub)

282

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

283

284

/*

Hanno Becker

2017-09-29 11:46:40 +0100

[diff] [blame]

285

* Step 1: Deduce N if P, Q are provided.

286

*/

287

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

288

if (!have_N && have_P && have_Q) {

289

if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q)) != 0) {

290

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

2017-09-29 11:46:40 +0100

[diff] [blame]

291

}

292

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

293

ctx->len = mbedtls_mpi_size(&ctx->N);

Hanno Becker

2017-09-29 11:46:40 +0100

[diff] [blame]

}

/*

* Step 2: Deduce and verify all remaining core parameters.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

298

*/

299

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

300

if (pq_missing) {

301

ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D, &ctx->P,

302

&ctx->Q);

303

if (ret != 0)

304

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

305

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

306

} else if (d_missing) {

307

if ((ret = mbedtls_rsa_deduce_private_exponent(

308

&ctx->P, &ctx->Q, &ctx->E, &ctx->D)) != 0) {

309

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

310

}

311

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

312

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

313

/*

Hanno Becker

2017-09-29 11:46:40 +0100

[diff] [blame]

314

* Step 3: Deduce all additional parameters specific

Hanno Becker

e867489

2017-10-10 17:56:14 +0100

[diff] [blame]

315

* to our current RSA implementation.

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

316

*/

317

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

318

# if !defined(MBEDTLS_RSA_NO_CRT)

319

if (is_priv && !(have_DP && have_DQ && have_QP)) {

320

ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, &ctx->DP,

321

&ctx->DQ, &ctx->QP);

322

if (ret != 0)

323

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

324

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

325

# endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

326

327

/*

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

328

* Step 3: Basic sanity checks

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

329

*/

330

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

331

return rsa_check_context(ctx, is_priv, 1);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

332

}

333

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

334

int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,

unsigned char *N,

size_t N_len,

unsigned char *P,

size_t P_len,

unsigned char *Q,

size_t Q_len,

unsigned char *D,

size_t D_len,

unsigned char *E,

size_t E_len)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

345

{

346

int ret = 0;

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

347

int is_priv;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

348

RSA_VALIDATE_RET(ctx != NULL);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

349

350

/* Check if key is private or public */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

351

is_priv = mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&

352

mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&

353

mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&

354

mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&

355

mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

356

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

357

if (!is_priv) {

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

358

/* If we're trying to export private parameters for a public key,

359

* something must be wrong. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

360

if (P != NULL || Q != NULL || D != NULL)

361

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

362

}

363

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

364

if (N != NULL)

365

MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

366

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

367

if (P != NULL)

368

MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

369

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

370

if (Q != NULL)

371

MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

372

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

373

if (D != NULL)

374

MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

375

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

376

if (E != NULL)

377

MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

381

return ret;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

382

}

383

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

384

int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,

mbedtls_mpi *N,

mbedtls_mpi *P,

mbedtls_mpi *Q,

mbedtls_mpi *D,

mbedtls_mpi *E)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

390

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

391

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

392

int is_priv;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

393

RSA_VALIDATE_RET(ctx != NULL);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

394

395

/* Check if key is private or public */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

396

is_priv = mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&

397

mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&

398

mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&

399

mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&

400

mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

401

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

402

if (!is_priv) {

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

403

/* If we're trying to export private parameters for a public key,

404

* something must be wrong. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

405

if (P != NULL || Q != NULL || D != NULL)

406

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

407

}

408

409

/* Export all requested core parameters. */

410

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

411

if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||

412

(P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||

413

(Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||

414

(D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||

415

(E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {

416

return ret;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

417

}

418

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

419

return 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

}

/*

* Export CRT parameters

424

* This must also be implemented if CRT is not used, for being able to

425

* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt

426

* can be used in this case.

427

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

428

int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,

429

mbedtls_mpi *DP,

430

mbedtls_mpi *DQ,

431

mbedtls_mpi *QP)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

432

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

433

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

434

int is_priv;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

435

RSA_VALIDATE_RET(ctx != NULL);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

436

437

/* Check if key is private or public */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

438

is_priv = mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&

439

mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&

440

mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&

441

mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&

442

mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

443

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

444

if (!is_priv)

445

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

446

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

447

# if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

448

/* Export all requested blinding parameters. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

449

if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||

450

(DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||

451

(QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {

452

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

453

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

454

# else

455

if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, DP, DQ, QP)) !=

456

0) {

457

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

458

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

459

# endif

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

460

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

461

return 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

462

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

463

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

464

/*

465

* Initialize an RSA context

466

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

467

void mbedtls_rsa_init(mbedtls_rsa_context *ctx)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

468

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

469

RSA_VALIDATE(ctx != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

470

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

471

memset(ctx, 0, sizeof(mbedtls_rsa_context));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

472

Ronald Cron

c1905a1

2021-06-05 11:11:14 +0200

[diff] [blame]

473

ctx->padding = MBEDTLS_RSA_PKCS_V15;

474

ctx->hash_id = MBEDTLS_MD_NONE;

Paul Bakker

c9965dc

2013-09-29 14:58:17 +0200

[diff] [blame]

475

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

476

# if defined(MBEDTLS_THREADING_C)

Gilles Peskine

eb94059

2021-02-01 17:57:41 +0100

[diff] [blame]

477

/* Set ctx->ver to nonzero to indicate that the mutex has been

478

* initialized and will need to be freed. */

479

ctx->ver = 1;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

480

mbedtls_mutex_init(&ctx->mutex);

481

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

482

}

483

Manuel Pégourié-Gonnard

2014-03-10 21:55:35 +0100

[diff] [blame]

484

/*

485

* Set padding for an existing RSA context

486

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

487

int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx,

488

int padding,

489

mbedtls_md_type_t hash_id)

Manuel Pégourié-Gonnard

2014-03-10 21:55:35 +0100

[diff] [blame]

490

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

491

switch (padding) {

492

# if defined(MBEDTLS_PKCS1_V15)

Ronald Cron

2021-06-08 10:22:28 +0200

[diff] [blame]

493

case MBEDTLS_RSA_PKCS_V15:

494

break;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

495

# endif

Ronald Cron

2021-06-08 10:22:28 +0200

[diff] [blame]

496

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

497

# if defined(MBEDTLS_PKCS1_V21)

Ronald Cron

2021-06-08 10:22:28 +0200

[diff] [blame]

498

case MBEDTLS_RSA_PKCS_V21:

499

break;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

500

# endif

Ronald Cron

2021-06-08 10:22:28 +0200

[diff] [blame]

501

default:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

502

return MBEDTLS_ERR_RSA_INVALID_PADDING;

Ronald Cron

2021-06-08 10:22:28 +0200

[diff] [blame]

503

}

Ronald Cron

2021-06-03 18:51:59 +0200

[diff] [blame]

504

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

505

if ((padding == MBEDTLS_RSA_PKCS_V21) && (hash_id != MBEDTLS_MD_NONE)) {

Ronald Cron

2021-06-03 18:51:59 +0200

[diff] [blame]

506

const mbedtls_md_info_t *md_info;

507

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

508

md_info = mbedtls_md_info_from_type(hash_id);

509

if (md_info == NULL)

510

return MBEDTLS_ERR_RSA_INVALID_PADDING;

Ronald Cron

2021-06-03 18:51:59 +0200

[diff] [blame]

511

}

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

512

Manuel Pégourié-Gonnard

2014-03-10 21:55:35 +0100

[diff] [blame]

513

ctx->padding = padding;

514

ctx->hash_id = hash_id;

Ronald Cron

2021-06-03 18:51:59 +0200

[diff] [blame]

515

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

516

return 0;

Manuel Pégourié-Gonnard

2014-03-10 21:55:35 +0100

[diff] [blame]

517

}

518

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

519

/*

520

* Get length in bytes of RSA modulus

521

*/

522

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

523

size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

524

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

525

return ctx->len;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

526

}

527

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

528

# if defined(MBEDTLS_GENPRIME)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

529

530

/*

531

* Generate an RSA keypair

Jethro Beekman

c645bfe

2018-02-14 19:27:13 -0800

[diff] [blame]

532

*

533

* This generation method follows the RSA key pair generation procedure of

534

* FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

535

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

536

int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,

537

int (*f_rng)(void *, unsigned char *, size_t),

538

void *p_rng,

539

unsigned int nbits,

540

int exponent)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

541

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

542

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jethro Beekman

2018-02-13 15:50:36 -0800

[diff] [blame]

543

mbedtls_mpi H, G, L;

Janos Follath

b8fc1b0

2018-09-03 15:37:01 +0100

[diff] [blame]

544

int prime_quality = 0;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

545

RSA_VALIDATE_RET(ctx != NULL);

546

RSA_VALIDATE_RET(f_rng != NULL);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

547

Janos Follath

b8fc1b0

2018-09-03 15:37:01 +0100

[diff] [blame]

548

/*

549

* If the modulus is 1024 bit long or shorter, then the security strength of

550

* the RSA algorithm is less than or equal to 80 bits and therefore an error

551

* rate of 2^-80 is sufficient.

552

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

553

if (nbits > 1024)

Janos Follath

b8fc1b0

2018-09-03 15:37:01 +0100

[diff] [blame]

554

prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;

555

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

556

mbedtls_mpi_init(&H);

557

mbedtls_mpi_init(&G);

558

mbedtls_mpi_init(&L);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

559

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

560

if (nbits < 128 || exponent < 3 || nbits % 2 != 0) {

Gilles Peskine

5e40a7c

2021-02-02 21:06:10 +0100

[diff] [blame]

561

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

565

/*

566

* find primes P and Q with Q < P so that:

Jethro Beekman

c645bfe

2018-02-14 19:27:13 -0800

[diff] [blame]

567

* 1. |P-Q| > 2^( nbits / 2 - 100 )

568

* 2. GCD( E, (P-1)*(Q-1) ) == 1

569

* 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

570

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

571

MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

572

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

573

do {

574

MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,

575

prime_quality, f_rng, p_rng));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

576

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

577

MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,

578

prime_quality, f_rng, p_rng));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

579

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

580

/* make sure the difference between p and q is not too small (FIPS 186-4

581

* §B.3.3 step 5.4) */

582

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));

583

if (mbedtls_mpi_bitlen(&H) <=

584

((nbits >= 200) ? ((nbits >> 1) - 99) : 0))

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

585

continue;

586

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

587

/* not required by any standards, but some users rely on the fact that P

588

* > Q */

589

if (H.s < 0)

590

mbedtls_mpi_swap(&ctx->P, &ctx->Q);

Janos Follath

ef44178

2016-09-21 13:18:12 +0100

[diff] [blame]

591

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

592

/* Temporarily replace P,Q by P-1, Q-1 */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

593

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));

594

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));

595

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));

Jethro Beekman

2018-02-13 15:50:36 -0800

[diff] [blame]

596

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

597

/* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a))

598

*/

599

MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));

600

if (mbedtls_mpi_cmp_int(&G, 1) != 0)

Jethro Beekman

2018-02-13 15:50:36 -0800

[diff] [blame]

601

continue;

602

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

603

/* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4

604

* §B.3.1 criterion 3(b)) */

605

MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));

606

MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));

607

MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));

Jethro Beekman

2018-02-13 15:50:36 -0800

[diff] [blame]

608

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

609

if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) // (FIPS 186-4

610

// §B.3.1

611

// criterion 3(a))

Jethro Beekman

2018-02-13 15:50:36 -0800

[diff] [blame]

612

continue;

613

614

break;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

615

} while (1);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

616

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

617

/* Restore P,Q */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

618

MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));

619

MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

620

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

621

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));

Jethro Beekman

c645bfe

2018-02-14 19:27:13 -0800

[diff] [blame]

622

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

623

ctx->len = mbedtls_mpi_size(&ctx->N);

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

624

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

625

# if !defined(MBEDTLS_RSA_NO_CRT)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

626

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

* DP = D mod (P - 1)

* DQ = D mod (Q - 1)

* QP = Q^-1 mod P

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

631

MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, &ctx->DP,

632

&ctx->DQ, &ctx->QP));

633

# endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

634

Hanno Becker

83aad1f

2017-08-23 06:45:10 +0100

[diff] [blame]

635

/* Double-check */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

636

MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

640

mbedtls_mpi_free(&H);

641

mbedtls_mpi_free(&G);

642

mbedtls_mpi_free(&L);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

643

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

644

if (ret != 0) {

645

mbedtls_rsa_free(ctx);

Chris Jones

7439209

2021-04-01 16:00:01 +0100

[diff] [blame]

646

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

647

if ((-ret & ~0x7f) == 0)

648

ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);

649

return ret;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

650

}

651

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

652

return 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

653

}

654

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

655

# endif /* MBEDTLS_GENPRIME */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

656

657

/*

658

* Check a public RSA key

659

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

660

int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

661

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

662

RSA_VALIDATE_RET(ctx != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

663

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

664

if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0)

665

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Paul Bakker

37940d9f

2009-07-10 22:38:58 +0000

[diff] [blame]

666

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

667

if (mbedtls_mpi_bitlen(&ctx->N) < 128) {

668

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

98838b0

2017-10-02 13:16:10 +0100

[diff] [blame]

669

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

670

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

671

if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||

672

mbedtls_mpi_bitlen(&ctx->E) < 2 ||

673

mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {

674

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

98838b0

2017-10-02 13:16:10 +0100

[diff] [blame]

675

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

676

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

677

return 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

678

}

679

680

/*

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

681

* Check for the consistency of all fields in an RSA private key context

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

682

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

683

int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

684

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

685

RSA_VALIDATE_RET(ctx != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

686

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

687

if (mbedtls_rsa_check_pubkey(ctx) != 0 ||

688

rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {

689

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

690

}

Paul Bakker

48377d9

2013-08-30 12:06:24 +0200

[diff] [blame]

691

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

692

if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q, &ctx->D, &ctx->E,

693

NULL, NULL) != 0) {

694

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

695

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

696

# if !defined(MBEDTLS_RSA_NO_CRT)

697

else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D, &ctx->DP,

698

&ctx->DQ, &ctx->QP) != 0) {

699

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

b269a85

2017-08-25 08:03:21 +0100

[diff] [blame]

700

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

701

# endif

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

702

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

703

return 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

704

}

705

706

/*

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

707

* Check if contexts holding a public and private key match

708

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

709

int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,

710

const mbedtls_rsa_context *prv)

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

711

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

712

RSA_VALIDATE_RET(pub != NULL);

713

RSA_VALIDATE_RET(prv != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

714

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

715

if (mbedtls_rsa_check_pubkey(pub) != 0 ||

716

mbedtls_rsa_check_privkey(prv) != 0) {

717

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

718

}

719

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

720

if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||

721

mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {

722

return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

723

}

724

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

725

return 0;

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

726

}

727

728

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

729

* Do an RSA public key operation

730

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

731

int mbedtls_rsa_public(mbedtls_rsa_context *ctx,

732

const unsigned char *input,

733

unsigned char *output)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

734

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

735

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

736

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

737

mbedtls_mpi T;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

738

RSA_VALIDATE_RET(ctx != NULL);

739

RSA_VALIDATE_RET(input != NULL);

740

RSA_VALIDATE_RET(output != NULL);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

741

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

742

if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */))

743

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-10-10 17:57:02 +0100

[diff] [blame]

744

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

745

mbedtls_mpi_init(&T);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

746

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

747

# if defined(MBEDTLS_THREADING_C)

748

if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)

749

return ret;

750

# endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

751

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

752

MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

753

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

754

if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {

Manuel Pégourié-Gonnard

4d04cdc

2015-08-28 10:32:21 +0200

[diff] [blame]

755

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

756

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

757

}

758

759

olen = ctx->len;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

760

MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));

761

MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

762

763

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

764

# if defined(MBEDTLS_THREADING_C)

765

if (mbedtls_mutex_unlock(&ctx->mutex) != 0)

766

return MBEDTLS_ERR_THREADING_MUTEX_ERROR;

767

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

768

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

769

mbedtls_mpi_free(&T);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

770

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

771

if (ret != 0)

772

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

773

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

774

return 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

775

}

776

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

777

/*

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

778

* Generate or update blinding values, see section 10 of:

779

* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,

Manuel Pégourié-Gonnard

998930a

2015-04-03 13:48:06 +0200

[diff] [blame]

780

* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

781

* Berlin Heidelberg, 1996. p. 104-113.

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

782

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

783

static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,

784

int (*f_rng)(void *, unsigned char *, size_t),

785

void *p_rng)

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

786

{

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

787

int ret, count = 0;

Manuel Pégourié-Gonnard

2020-06-26 11:19:12 +0200

[diff] [blame]

788

mbedtls_mpi R;

789

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

790

mbedtls_mpi_init(&R);

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

791

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

792

if (ctx->Vf.p != NULL) {

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

793

/* We already have blinding values, just update them by squaring */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

794

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));

795

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));

796

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));

797

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

798

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

799

goto cleanup;

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

800

}

801

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

802

/* Unblinding value: Vf = random number, invertible mod N */

803

do {

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

804

if (count++ > 10) {

Manuel Pégourié-Gonnard

e288ec0

2020-07-16 09:23:30 +0200

[diff] [blame]

805

ret = MBEDTLS_ERR_RSA_RNG_FAILED;

806

goto cleanup;

807

}

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

808

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

809

MBEDTLS_MPI_CHK(

810

mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

811

Manuel Pégourié-Gonnard

7868396

2020-07-16 09:48:54 +0200

[diff] [blame]

812

/* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

813

MBEDTLS_MPI_CHK(

814

mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));

815

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));

816

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));

Manuel Pégourié-Gonnard

2020-06-26 11:19:12 +0200

[diff] [blame]

817

Manuel Pégourié-Gonnard

7868396

2020-07-16 09:48:54 +0200

[diff] [blame]

818

/* At this point, Vi is invertible mod N if and only if both Vf and R

819

* are invertible mod N. If one of them isn't, we don't need to know

820

* which one, we just loop and choose new values for both of them.

821

* (Each iteration succeeds with overwhelming probability.) */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

822

ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);

823

if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE)

Manuel Pégourié-Gonnard

b3e3d79

2020-06-26 11:03:19 +0200

[diff] [blame]

824

goto cleanup;

825

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

826

} while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);

Peter Kolbus

ca8b8e7

2020-09-24 11:11:50 -0500

[diff] [blame]

827

828

/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

829

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));

830

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

831

Manuel Pégourié-Gonnard

7868396

2020-07-16 09:48:54 +0200

[diff] [blame]

832

/* Blinding value: Vi = Vf^(-e) mod N

Manuel Pégourié-Gonnard

2020-06-26 11:19:12 +0200

[diff] [blame]

833

* (Vi already contains Vf^-1 at this point) */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

834

MBEDTLS_MPI_CHK(

835

mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

836

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

837

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

838

mbedtls_mpi_free(&R);

Manuel Pégourié-Gonnard

2020-06-26 11:19:12 +0200

[diff] [blame]

839

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

840

return ret;

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

841

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

842

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

843

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

844

* Exponent blinding supposed to prevent side-channel attacks using multiple

845

* traces of measurements to recover the RSA key. The more collisions are there,

846

* the more bits of the key can be recovered. See [3].

847

*

848

* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)

849

* observations on avarage.

850

*

851

* For example with 28 byte blinding to achieve 2 collisions the adversary has

852

* to make 2^112 observations on avarage.

853

*

854

* (With the currently (as of 2017 April) known best algorithms breaking 2048

855

* bit RSA requires approximately as much time as trying out 2^112 random keys.

856

* Thus in this sense with 28 byte blinding the security is not reduced by

857

* side-channel attacks like the one in [3])

858

*

859

* This countermeasure does not help if the key recovery is possible with a

860

* single trace.

861

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

862

# define RSA_EXPONENT_BLINDING 28

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

863

864

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

865

* Do an RSA private key operation

866

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

867

int mbedtls_rsa_private(mbedtls_rsa_context *ctx,

868

int (*f_rng)(void *, unsigned char *, size_t),

869

void *p_rng,

870

const unsigned char *input,

871

unsigned char *output)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

872

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

873

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

874

size_t olen;

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

875

876

/* Temporary holding the result */

877

mbedtls_mpi T;

878

879

/* Temporaries holding P-1, Q-1 and the

880

* exponent blinding factor, respectively. */

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

881

mbedtls_mpi P1, Q1, R;

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

882

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

883

# if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

884

/* Temporaries holding the results mod p resp. mod q. */

885

mbedtls_mpi TP, TQ;

886

887

/* Temporaries holding the blinded exponents for

888

* the mod p resp. mod q computation (if used). */

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

889

mbedtls_mpi DP_blind, DQ_blind;

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

890

891

/* Pointers to actual exponents to be used - either the unblinded

892

* or the blinded ones, depending on the presence of a PRNG. */

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

893

mbedtls_mpi *DP = &ctx->DP;

894

mbedtls_mpi *DQ = &ctx->DQ;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

895

# else

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

896

/* Temporary holding the blinded exponent (if used). */

897

mbedtls_mpi D_blind;

898

899

/* Pointer to actual exponent to be used - either the unblinded

900

* or the blinded one, depending on the presence of a PRNG. */

901

mbedtls_mpi *D = &ctx->D;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

902

# endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

903

Hanno Becker

c6075cc

2017-08-25 11:45:35 +0100

[diff] [blame]

904

/* Temporaries holding the initial input and the double

905

* checked result; should be the same in the end. */

906

mbedtls_mpi I, C;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

907

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

908

RSA_VALIDATE_RET(ctx != NULL);

909

RSA_VALIDATE_RET(input != NULL);

910

RSA_VALIDATE_RET(output != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

911

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

912

if (f_rng == NULL)

913

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

914

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

915

if (rsa_check_context(ctx, 1 /* private key checks */,

916

1 /* blinding on */) != 0) {

917

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

ebd2c02

2017-10-12 10:54:53 +0100

[diff] [blame]

918

}

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

919

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

920

# if defined(MBEDTLS_THREADING_C)

921

if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0)

922

return ret;

923

# endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

924

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

925

/* MPI Initialization */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

926

mbedtls_mpi_init(&T);

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

927

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

928

mbedtls_mpi_init(&P1);

929

mbedtls_mpi_init(&Q1);

930

mbedtls_mpi_init(&R);

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

931

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

932

# if defined(MBEDTLS_RSA_NO_CRT)

933

mbedtls_mpi_init(&D_blind);

934

# else

935

mbedtls_mpi_init(&DP_blind);

936

mbedtls_mpi_init(&DQ_blind);

937

# endif

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

938

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

939

# if !defined(MBEDTLS_RSA_NO_CRT)

940

mbedtls_mpi_init(&TP);

941

mbedtls_mpi_init(&TQ);

942

# endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

943

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

944

mbedtls_mpi_init(&I);

945

mbedtls_mpi_init(&C);

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

946

947

/* End of MPI initialization */

948

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

949

MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));

950

if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {

Manuel Pégourié-Gonnard

4d04cdc

2015-08-28 10:32:21 +0200

[diff] [blame]

951

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

952

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

953

}

954

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

955

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

956

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

/*

* Blinding

* T = T * Vi mod N

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

961

MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));

962

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));

963

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

964

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

965

/*

966

* Exponent blinding

967

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

968

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));

969

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

970

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

971

# if defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

972

/*

973

* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D

974

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

975

MBEDTLS_MPI_CHK(

976

mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING, f_rng, p_rng));

977

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));

978

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));

979

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

980

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

981

D = &D_blind;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

982

# else

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

983

/*

984

* DP_blind = ( P - 1 ) * R + DP

985

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

986

MBEDTLS_MPI_CHK(

987

mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING, f_rng, p_rng));

988

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));

989

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind, &ctx->DP));

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

990

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

991

DP = &DP_blind;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

992

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

993

/*

994

* DQ_blind = ( Q - 1 ) * R + DQ

995

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

996

MBEDTLS_MPI_CHK(

997

mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING, f_rng, p_rng));

998

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));

999

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind, &ctx->DQ));

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1000

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

1001

DQ = &DQ_blind;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1002

# endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1003

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1004

# if defined(MBEDTLS_RSA_NO_CRT)

1005

MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));

1006

# else

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1007

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1008

* Faster decryption using the CRT

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1009

*

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1010

* TP = input ^ dP mod P

1011

* TQ = input ^ dQ mod Q

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1012

*/

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1013

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1014

MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));

1015

MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1016

1017

/*

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1018

* T = (TP - TQ) * (Q^-1 mod P) mod P

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1019

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1020

MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));

1021

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));

1022

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1023

1024

/*

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1025

* T = TQ + T * Q

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1026

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1027

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));

1028

MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));

1029

# endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1030

Manuel Pégourié-Gonnard

2021-06-15 11:29:26 +0200

[diff] [blame]

/*

* Unblind

* T = T * Vf mod N

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1035

MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));

1036

MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1037

Hanno Becker

2dec5e8

2017-10-03 07:49:52 +0100

[diff] [blame]

1038

/* Verify the result to prevent glitching attacks. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1039

MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E, &ctx->N, &ctx->RN));

1040

if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1041

ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;

1042

goto cleanup;

1043

}

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1044

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1045

olen = ctx->len;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1046

MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1047

1048

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1049

# if defined(MBEDTLS_THREADING_C)

1050

if (mbedtls_mutex_unlock(&ctx->mutex) != 0)

1051

return MBEDTLS_ERR_THREADING_MUTEX_ERROR;

1052

# endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1053

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1054

mbedtls_mpi_free(&P1);

1055

mbedtls_mpi_free(&Q1);

1056

mbedtls_mpi_free(&R);

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1057

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1058

# if defined(MBEDTLS_RSA_NO_CRT)

1059

mbedtls_mpi_free(&D_blind);

1060

# else

1061

mbedtls_mpi_free(&DP_blind);

1062

mbedtls_mpi_free(&DQ_blind);

1063

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1064

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1065

mbedtls_mpi_free(&T);

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1066

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1067

# if !defined(MBEDTLS_RSA_NO_CRT)

1068

mbedtls_mpi_free(&TP);

1069

mbedtls_mpi_free(&TQ);

1070

# endif

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1071

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1072

mbedtls_mpi_free(&C);

1073

mbedtls_mpi_free(&I);

Hanno Becker

2017-05-03 15:10:34 +0100

[diff] [blame]

1074

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1075

if (ret != 0 && ret >= -0x007f)

1076

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1077

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1078

return ret;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1079

}

1080

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1081

# if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1082

/**

1083

* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.

1084

*

Paul Bakker

b125ed8

2011-11-10 13:33:51 +0000

[diff] [blame]

1085

* \param dst buffer to mask

1086

* \param dlen length of destination buffer

1087

* \param src source of the mask generation

1088

* \param slen length of the source buffer

1089

* \param md_ctx message digest context to use

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1090

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1091

static int mgf_mask(unsigned char *dst,

size_t dlen,

unsigned char *src,

size_t slen,

mbedtls_md_context_t *md_ctx)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1096

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1097

unsigned char mask[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1098

unsigned char counter[4];

1099

unsigned char *p;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1100

unsigned int hlen;

1101

size_t i, use_len;

Andres Amaya Garcia

94682d1

2017-07-20 14:26:37 +0100

[diff] [blame]

1102

int ret = 0;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1103

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1104

memset(mask, 0, MBEDTLS_MD_MAX_SIZE);

1105

memset(counter, 0, 4);

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1106

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1107

hlen = mbedtls_md_get_size(md_ctx->md_info);

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1108

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1109

/* Generate and apply dbMask */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1110

p = dst;

1111

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1112

while (dlen > 0) {

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1113

use_len = hlen;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1114

if (dlen < hlen)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1115

use_len = dlen;

1116

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1117

if ((ret = mbedtls_md_starts(md_ctx)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1118

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1119

if ((ret = mbedtls_md_update(md_ctx, src, slen)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1120

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1121

if ((ret = mbedtls_md_update(md_ctx, counter, 4)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1122

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1123

if ((ret = mbedtls_md_finish(md_ctx, mask)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1124

goto exit;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1125

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1126

for (i = 0; i < use_len; ++i)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

*p++ ^= mask[i];

counter[3]++;

dlen -= use_len;

}

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1133

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1134

exit:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1135

mbedtls_platform_zeroize(mask, sizeof(mask));

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1136

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1137

return ret;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1138

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1139

# endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1140

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1141

# if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1142

/*

1143

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function

1144

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1145

int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,

1146

int (*f_rng)(void *, unsigned char *, size_t),

1147

void *p_rng,

1148

const unsigned char *label,

1149

size_t label_len,

1150

size_t ilen,

1151

const unsigned char *input,

1152

unsigned char *output)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1153

{

1154

size_t olen;

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

1155

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1156

unsigned char *p = output;

1157

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1158

const mbedtls_md_info_t *md_info;

1159

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1160

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1161

RSA_VALIDATE_RET(ctx != NULL);

1162

RSA_VALIDATE_RET(output != NULL);

1163

RSA_VALIDATE_RET(ilen == 0 || input != NULL);

1164

RSA_VALIDATE_RET(label_len == 0 || label != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1165

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1166

if (f_rng == NULL)

1167

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1168

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1169

md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)ctx->hash_id);

1170

if (md_info == NULL)

1171

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1172

1173

olen = ctx->len;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1174

hlen = mbedtls_md_get_size(md_info);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1175

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1176

/* first comparison checks for overflow */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1177

if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2)

1178

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1179

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1180

memset(output, 0, olen);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

*p++ = 0;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1184

/* Generate a random octet string seed */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1185

if ((ret = f_rng(p_rng, p, hlen)) != 0)

1186

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p += hlen;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1190

/* Construct DB */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1191

if ((ret = mbedtls_md(md_info, label, label_len, p)) != 0)

1192

return ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1193

p += hlen;

1194

p += olen - 2 * hlen - 2 - ilen;

1195

*p++ = 1;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1196

if (ilen != 0)

1197

memcpy(p, input, ilen);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1198

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1199

mbedtls_md_init(&md_ctx);

1200

if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1201

goto exit;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1202

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1203

/* maskedDB: Apply dbMask to DB */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1204

if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,

1205

&md_ctx)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1206

goto exit;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1207

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1208

/* maskedSeed: Apply seedMask to seed */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1209

if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,

1210

&md_ctx)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1211

goto exit;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1212

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1213

exit:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1214

mbedtls_md_free(&md_ctx);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1215

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1216

if (ret != 0)

1217

return ret;

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1218

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1219

return mbedtls_rsa_public(ctx, output, output);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1220

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1221

# endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1222

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1223

# if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1224

/*

1225

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function

1226

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1227

int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,

int (*f_rng)(void *,

unsigned char *,

size_t),

void *p_rng,

size_t ilen,

const unsigned char *input,

1234

unsigned char *output)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1235

{

1236

size_t nb_pad, olen;

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

1237

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1238

unsigned char *p = output;

1239

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1240

RSA_VALIDATE_RET(ctx != NULL);

1241

RSA_VALIDATE_RET(output != NULL);

1242

RSA_VALIDATE_RET(ilen == 0 || input != NULL);

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1243

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1244

olen = ctx->len;

Manuel Pégourié-Gonnard

370717b

2016-02-11 10:35:13 +0100

[diff] [blame]

1245

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1246

/* first comparison checks for overflow */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1247

if (ilen + 11 < ilen || olen < ilen + 11)

1248

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1249

1250

nb_pad = olen - 3 - ilen;

1251

1252

*p++ = 0;

Thomas Daubney

2021-05-13 18:26:49 +0100

[diff] [blame]

1253

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1254

if (f_rng == NULL)

1255

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Thomas Daubney

2021-05-13 18:26:49 +0100

[diff] [blame]

1256

1257

*p++ = MBEDTLS_RSA_CRYPT;

1258

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1259

while (nb_pad-- > 0) {

Thomas Daubney

2021-05-13 18:26:49 +0100

[diff] [blame]

1260

int rng_dl = 100;

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1261

Thomas Daubney

2021-05-13 18:26:49 +0100

[diff] [blame]

1262

do {

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1263

ret = f_rng(p_rng, p, 1);

1264

} while (*p == 0 && --rng_dl && ret == 0);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1265

Thomas Daubney

2021-05-13 18:26:49 +0100

[diff] [blame]

1266

/* Check if RNG failed to generate data */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1267

if (rng_dl == 0 || ret != 0)

1268

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1269

Thomas Daubney

2021-05-13 18:26:49 +0100

[diff] [blame]

1270

p++;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1271

}

1272

1273

*p++ = 0;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1274

if (ilen != 0)

1275

memcpy(p, input, ilen);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1276

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1277

return mbedtls_rsa_public(ctx, output, output);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1278

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1279

# endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1280

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1281

/*

1282

* Add the message padding, then do an RSA operation

1283

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1284

int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,

1285

int (*f_rng)(void *, unsigned char *, size_t),

1286

void *p_rng,

1287

size_t ilen,

1288

const unsigned char *input,

1289

unsigned char *output)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1290

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1291

RSA_VALIDATE_RET(ctx != NULL);

1292

RSA_VALIDATE_RET(output != NULL);

1293

RSA_VALIDATE_RET(ilen == 0 || input != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1294

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1295

switch (ctx->padding) {

1296

# if defined(MBEDTLS_PKCS1_V15)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1297

case MBEDTLS_RSA_PKCS_V15:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1298

return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng, ilen,

1299

input, output);

1300

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1301

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1302

# if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1303

case MBEDTLS_RSA_PKCS_V21:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1304

return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,

1305

ilen, input, output);

1306

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1307

1308

default:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1309

return MBEDTLS_ERR_RSA_INVALID_PADDING;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1310

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1311

}

1312

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1313

# if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1314

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1315

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1316

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1317

int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,

1318

int (*f_rng)(void *, unsigned char *, size_t),

1319

void *p_rng,

1320

const unsigned char *label,

1321

size_t label_len,

1322

size_t *olen,

1323

const unsigned char *input,

1324

unsigned char *output,

1325

size_t output_max_len)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1326

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

1327

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1328

size_t ilen, i, pad_len;

1329

unsigned char *p, bad, pad_done;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1330

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

1331

unsigned char lhash[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1332

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1333

const mbedtls_md_info_t *md_info;

1334

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1335

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1336

RSA_VALIDATE_RET(ctx != NULL);

1337

RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);

1338

RSA_VALIDATE_RET(label_len == 0 || label != NULL);

1339

RSA_VALIDATE_RET(input != NULL);

1340

RSA_VALIDATE_RET(olen != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1341

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1342

/*

1343

* Parameters sanity checks

1344

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1345

if (ctx->padding != MBEDTLS_RSA_PKCS_V21)

1346

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

ilen = ctx->len;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1350

if (ilen < 16 || ilen > sizeof(buf))

1351

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1352

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1353

md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)ctx->hash_id);

1354

if (md_info == NULL)

1355

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1356

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1357

hlen = mbedtls_md_get_size(md_info);

Janos Follath

c17cda1

2016-02-11 11:08:18 +0000

[diff] [blame]

1358

1359

// checking for integer underflow

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1360

if (2 * hlen + 2 > ilen)

1361

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Janos Follath

c17cda1

2016-02-11 11:08:18 +0000

[diff] [blame]

1362

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1363

/*

1364

* RSA operation

1365

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1366

ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1367

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1368

if (ret != 0)

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1369

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1370

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1371

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1372

* Unmask data and generate lHash

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1373

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1374

mbedtls_md_init(&md_ctx);

1375

if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {

1376

mbedtls_md_free(&md_ctx);

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1377

goto cleanup;

Brian J Murray

e7be5bd

2016-06-23 12:57:03 -0700

[diff] [blame]

1378

}

1379

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1380

/* seed: Apply seedMask to maskedSeed */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1381

if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,

1382

&md_ctx)) != 0 ||

1383

/* DB: Apply dbMask to maskedDB */

1384

(ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,

1385

&md_ctx)) != 0) {

1386

mbedtls_md_free(&md_ctx);

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1387

goto cleanup;

1388

}

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1389

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1390

mbedtls_md_free(&md_ctx);

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1391

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1392

/* Generate lHash */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1393

if ((ret = mbedtls_md(md_info, label, label_len, lhash)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1394

goto cleanup;

1395

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1396

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1397

* Check contents, in "constant-time"

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1398

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1399

p = buf;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1400

bad = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1401

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1402

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1403

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1404

p += hlen; /* Skip seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1405

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1406

/* Check lHash */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1407

for (i = 0; i < hlen; i++)

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1408

bad |= lhash[i] ^ *p++;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1409

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1410

/* Get zero-padding len, but always read till end of buffer

1411

* (minus one, for the 01 byte) */

1412

pad_len = 0;

1413

pad_done = 0;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1414

for (i = 0; i < ilen - 2 * hlen - 2; i++) {

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1415

pad_done |= p[i];

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1416

pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1417

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1418

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1419

p += pad_len;

1420

bad |= *p++ ^ 0x01;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1421

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1422

/*

1423

* The only information "leaked" is whether the padding was correct or not

1424

* (eg, no data is copied if it was not correct). This meets the

1425

* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between

1426

* the different error conditions.

1427

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1428

if (bad != 0) {

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1429

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1430

goto cleanup;

1431

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1432

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1433

if (ilen - (p - buf) > output_max_len) {

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1434

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1435

goto cleanup;

1436

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1437

1438

*olen = ilen - (p - buf);

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1439

if (*olen != 0)

1440

memcpy(output, p, *olen);

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1441

ret = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1442

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1443

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1444

mbedtls_platform_zeroize(buf, sizeof(buf));

1445

mbedtls_platform_zeroize(lhash, sizeof(lhash));

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1446

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1447

return ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1448

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1449

# endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1450

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1451

# if defined(MBEDTLS_PKCS1_V15)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1452

/** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.

1453

*

1454

* \param value The value to analyze.

1455

* \return Zero if \p value is zero, otherwise all-bits-one.

1456

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1457

static unsigned all_or_nothing_int(unsigned value)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1458

{

1459

/* MSVC has a warning about unary minus on unsigned, but this is

1460

* well-defined and precisely what we want to do here */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1461

# if defined(_MSC_VER)

1462

# pragma warning(push)

1463

# pragma warning(disable : 4146)

1464

# endif

1465

return (-((value | -value) >> (sizeof(value) * 8 - 1)));

1466

# if defined(_MSC_VER)

1467

# pragma warning(pop)

1468

# endif

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1469

}

1470

1471

/** Check whether a size is out of bounds, without branches.

1472

*

1473

* This is equivalent to `size > max`, but is likely to be compiled to

1474

* to code using bitwise operation rather than a branch.

1475

*

1476

* \param size Size to check.

1477

* \param max Maximum desired value for \p size.

1478

* \return \c 0 if `size <= max`.

1479

* \return \c 1 if `size > max`.

1480

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1481

static unsigned size_greater_than(size_t size, size_t max)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1482

{

1483

/* Return the sign bit (1 for negative) of (max - size). */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1484

return ((max - size) >> (sizeof(size_t) * 8 - 1));

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1485

}

1486

1487

/** Choose between two integer values, without branches.

1488

*

1489

* This is equivalent to `cond ? if1 : if0`, but is likely to be compiled

1490

* to code using bitwise operation rather than a branch.

1491

*

1492

* \param cond Condition to test.

1493

* \param if1 Value to use if \p cond is nonzero.

1494

* \param if0 Value to use if \p cond is zero.

1495

* \return \c if1 if \p cond is nonzero, otherwise \c if0.

1496

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1497

static unsigned if_int(unsigned cond, unsigned if1, unsigned if0)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1498

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1499

unsigned mask = all_or_nothing_int(cond);

1500

return ((mask & if1) | (~mask & if0));

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1501

}

1502

1503

/** Shift some data towards the left inside a buffer without leaking

1504

* the length of the data through side channels.

1505

*

1506

* `mem_move_to_left(start, total, offset)` is functionally equivalent to

1507

* ```

1508

* memmove(start, start + offset, total - offset);

1509

* memset(start + offset, 0, total - offset);

1510

* ```

1511

* but it strives to use a memory access pattern (and thus total timing)

1512

* that does not depend on \p offset. This timing independence comes at

1513

* the expense of performance.

1514

*

1515

* \param start Pointer to the start of the buffer.

1516

* \param total Total size of the buffer.

1517

* \param offset Offset from which to copy \p total - \p offset bytes.

1518

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1519

static void mem_move_to_left(void *start, size_t total, size_t offset)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1520

{

1521

volatile unsigned char *buf = start;

1522

size_t i, n;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1523

if (total == 0)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1524

return;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1525

for (i = 0; i < total; i++) {

1526

unsigned no_op = size_greater_than(total - offset, i);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1527

/* The first `total - offset` passes are a no-op. The last

1528

* `offset` passes shift the data one byte to the left and

1529

* zero out the last byte. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1530

for (n = 0; n < total - 1; n++) {

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1531

unsigned char current = buf[n];

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1532

unsigned char next = buf[n + 1];

1533

buf[n] = if_int(no_op, current, next);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1534

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1535

buf[total - 1] = if_int(no_op, buf[total - 1], 0);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

}

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1539

/*

1540

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function

1541

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1542

int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,

int (*f_rng)(void *,

unsigned char *,

size_t),

void *p_rng,

size_t *olen,

const unsigned char *input,

1549

unsigned char *output,

1550

size_t output_max_len)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1551

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

1552

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1553

size_t ilen, i, plaintext_max_size;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1554

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1555

/* The following variables take sensitive values: their value must

1556

* not leak into the observable behavior of the function other than

1557

* the designated outputs (output, olen, return value). Otherwise

1558

* this would open the execution of the function to

1559

* side-channel-based variants of the Bleichenbacher padding oracle

1560

* attack. Potential side channels include overall timing, memory

1561

* access patterns (especially visible to an adversary who has access

1562

* to a shared memory cache), and branches (especially visible to

1563

* an adversary who has access to a shared code cache or to a shared

1564

* branch predictor). */

1565

size_t pad_count = 0;

1566

unsigned bad = 0;

1567

unsigned char pad_done = 0;

1568

size_t plaintext_size = 0;

1569

unsigned output_too_large;

1570

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1571

RSA_VALIDATE_RET(ctx != NULL);

1572

RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);

1573

RSA_VALIDATE_RET(input != NULL);

1574

RSA_VALIDATE_RET(olen != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1575

1576

ilen = ctx->len;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1577

plaintext_max_size =

1578

(output_max_len > ilen - 11 ? ilen - 11 : output_max_len);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1579

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1580

if (ctx->padding != MBEDTLS_RSA_PKCS_V15)

1581

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1582

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1583

if (ilen < 16 || ilen > sizeof(buf))

1584

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1585

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1586

ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1587

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1588

if (ret != 0)

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1589

goto cleanup;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1590

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1591

/* Check and get padding length in constant time and constant

1592

* memory trace. The first byte must be 0. */

1593

bad |= buf[0];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1594

Thomas Daubney

2021-05-12 09:24:29 +0100

[diff] [blame]

1595

/* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1596

* where PS must be at least 8 nonzero bytes. */

Thomas Daubney

2021-05-12 09:24:29 +0100

[diff] [blame]

1597

bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1598

Thomas Daubney

2021-05-12 09:24:29 +0100

[diff] [blame]

1599

/* Read the whole buffer. Set pad_done to nonzero if we find

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1600

* the 0x00 byte and remember the padding length in pad_count. */

1601

for (i = 2; i < ilen; i++) {

1602

pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;

Thomas Daubney

2021-05-12 09:24:29 +0100

[diff] [blame]

1603

pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1604

}

1605

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1606

/* If pad_done is still zero, there's no data, only unfinished padding. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1607

bad |= if_int(pad_done, 0, 1);

Janos Follath

b6eb1ca

2016-02-08 13:59:25 +0000

[diff] [blame]

1608

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1609

/* There must be at least 8 bytes of padding. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1610

bad |= size_greater_than(8, pad_count);

Paul Bakker

8804f69

2013-02-28 18:06:26 +0100

[diff] [blame]

1611

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1612

/* If the padding is valid, set plaintext_size to the number of

1613

* remaining bytes after stripping the padding. If the padding

1614

* is invalid, avoid leaking this fact through the size of the

1615

* output: use the maximum message size that fits in the output

1616

* buffer. Do it without branches to avoid leaking the padding

1617

* validity through timing. RSA keys are small enough that all the

1618

* size_t values involved fit in unsigned int. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1619

plaintext_size = if_int(bad, (unsigned)plaintext_max_size,

1620

(unsigned)(ilen - pad_count - 3));

Paul Bakker

060c568

2009-01-12 21:48:39 +0000

[diff] [blame]

1621

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1622

/* Set output_too_large to 0 if the plaintext fits in the output

1623

* buffer and to 1 otherwise. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1624

output_too_large = size_greater_than(plaintext_size, plaintext_max_size);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1625

1626

/* Set ret without branches to avoid timing attacks. Return:

1627

* - INVALID_PADDING if the padding is bad (bad != 0).

1628

* - OUTPUT_TOO_LARGE if the padding is good but the decrypted

1629

* plaintext does not fit in the output buffer.

1630

* - 0 if the padding is correct. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1631

ret = -(int)if_int(bad, -MBEDTLS_ERR_RSA_INVALID_PADDING,

1632

if_int(output_too_large,

1633

-MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, 0));

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1634

1635

/* If the padding is bad or the plaintext is too large, zero the

1636

* data that we're about to copy to the output buffer.

1637

* We need to copy the same amount of data

1638

* from the same buffer whether the padding is good or not to

1639

* avoid leaking the padding validity through overall timing or

1640

* through memory or cache access patterns. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1641

bad = all_or_nothing_int(bad | output_too_large);

1642

for (i = 11; i < ilen; i++)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1643

buf[i] &= ~bad;

1644

1645

/* If the plaintext is too large, truncate it to the buffer size.

1646

* Copy anyway to avoid revealing the length through timing, because

1647

* revealing the length is as bad as revealing the padding validity

1648

* for a Bleichenbacher attack. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1649

plaintext_size = if_int(output_too_large, (unsigned)plaintext_max_size,

1650

(unsigned)plaintext_size);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1651

1652

/* Move the plaintext to the leftmost position where it can start in

1653

* the working buffer, i.e. make it start plaintext_max_size from

1654

* the end of the buffer. Do this with a memory access trace that

1655

* does not depend on the plaintext size. After this move, the

1656

* starting location of the plaintext is no longer sensitive

1657

* information. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1658

mem_move_to_left(buf + ilen - plaintext_max_size, plaintext_max_size,

1659

plaintext_max_size - plaintext_size);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1660

Jaeden Amero

6f7703d

2019-02-06 10:44:56 +0000

[diff] [blame]

1661

/* Finally copy the decrypted plaintext plus trailing zeros into the output

1662

* buffer. If output_max_len is 0, then output may be an invalid pointer

1663

* and the result of memcpy() would be undefined; prevent undefined

1664

* behavior making sure to depend only on output_max_len (the size of the

1665

* user-provided output buffer), which is independent from plaintext

1666

* length, validity of padding, success of the decryption, and other

1667

* secrets. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1668

if (output_max_len != 0)

1669

memcpy(output, buf + ilen - plaintext_max_size, plaintext_max_size);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1670

1671

/* Report the amount of data we copied to the output buffer. In case

1672

* of errors (bad padding or output too large), the value of *olen

1673

* when this function returns is not specified. Making it equivalent

1674

* to the good case limits the risks of leaking the padding validity. */

1675

*olen = plaintext_size;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1676

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1677

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1678

mbedtls_platform_zeroize(buf, sizeof(buf));

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1679

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1680

return ret;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1681

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1682

# endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1683

1684

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1685

* Do an RSA operation, then remove the message padding

1686

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1687

int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,

1688

int (*f_rng)(void *, unsigned char *, size_t),

1689

void *p_rng,

1690

size_t *olen,

1691

const unsigned char *input,

1692

unsigned char *output,

1693

size_t output_max_len)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1694

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1695

RSA_VALIDATE_RET(ctx != NULL);

1696

RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);

1697

RSA_VALIDATE_RET(input != NULL);

1698

RSA_VALIDATE_RET(olen != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

1699

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1700

switch (ctx->padding) {

1701

# if defined(MBEDTLS_PKCS1_V15)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1702

case MBEDTLS_RSA_PKCS_V15:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1703

return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(

1704

ctx, f_rng, p_rng, olen, input, output, output_max_len);

1705

# endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1706

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1707

# if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1708

case MBEDTLS_RSA_PKCS_V21:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1709

return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,

1710

olen, input, output,

1711

output_max_len);

1712

# endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1713

1714

default:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1715

return MBEDTLS_ERR_RSA_INVALID_PADDING;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

}

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1719

# if defined(MBEDTLS_PKCS1_V21)

1720

static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,

1721

int (*f_rng)(void *, unsigned char *, size_t),

1722

void *p_rng,

1723

mbedtls_md_type_t md_alg,

1724

unsigned int hashlen,

1725

const unsigned char *hash,

1726

int saltlen,

1727

unsigned char *sig)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1728

{

1729

size_t olen;

1730

unsigned char *p = sig;

Cédric Meuter

668a78d

2020-04-30 11:57:04 +0200

[diff] [blame]

1731

unsigned char *salt = NULL;

Jaeden Amero

3725bb2

2018-09-07 19:12:36 +0100

[diff] [blame]

1732

size_t slen, min_slen, hlen, offset = 0;

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

1733

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1734

size_t msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1735

const mbedtls_md_info_t *md_info;

1736

mbedtls_md_context_t md_ctx;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1737

RSA_VALIDATE_RET(ctx != NULL);

1738

RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hashlen == 0) ||

1739

hash != NULL);

1740

RSA_VALIDATE_RET(sig != NULL);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1741

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1742

if (ctx->padding != MBEDTLS_RSA_PKCS_V21)

1743

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Thomas Daubney

d58ed58

2021-05-21 11:50:39 +0100

[diff] [blame]

1744

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1745

if (f_rng == NULL)

1746

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

olen = ctx->len;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1750

if (md_alg != MBEDTLS_MD_NONE) {

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1751

/* Gather length of hash to sign */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1752

md_info = mbedtls_md_info_from_type(md_alg);

1753

if (md_info == NULL)

1754

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1755

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1756

if (hashlen != mbedtls_md_get_size(md_info))

1757

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1758

}

1759

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1760

md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)ctx->hash_id);

1761

if (md_info == NULL)

1762

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1763

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1764

hlen = mbedtls_md_get_size(md_info);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1765

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1766

if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {

1767

/* Calculate the largest possible salt length, up to the hash size.

1768

* Normally this is the hash length, which is the maximum salt length

1769

* according to FIPS 185-4 §5.5 (e) and common practice. If there is not

1770

* enough room, use the maximum salt length that fits. The constraint is

1771

* that the hash length plus the salt length plus 2 bytes must be at

1772

* most the key length. This complies with FIPS 186-4 §5.5 (e) and RFC

1773

* 8017 (PKCS#1 v2.2) §9.1.1 step 3. */

Cedric Meuter

2020-04-21 12:49:11 +0200

[diff] [blame]

1774

min_slen = hlen - 2;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1775

if (olen < hlen + min_slen + 2)

1776

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

1777

else if (olen >= hlen + hlen + 2)

Cedric Meuter

2020-04-21 12:49:11 +0200

[diff] [blame]

1778

slen = hlen;

1779

else

1780

slen = olen - hlen - 2;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1781

} else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {

1782

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

1783

} else {

1784

slen = (size_t)saltlen;

Cedric Meuter

2020-04-21 12:49:11 +0200

[diff] [blame]

1785

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1786

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1787

memset(sig, 0, olen);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1788

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1789

/* Note: EMSA-PSS encoding is over the length of N - 1 bits */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1790

msb = mbedtls_mpi_bitlen(&ctx->N) - 1;

Jaeden Amero

3725bb2

2018-09-07 19:12:36 +0100

[diff] [blame]

1791

p += olen - hlen - slen - 2;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1792

*p++ = 0x01;

Cédric Meuter

668a78d

2020-04-30 11:57:04 +0200

[diff] [blame]

1793

1794

/* Generate salt of length slen in place in the encoded message */

1795

salt = p;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1796

if ((ret = f_rng(p_rng, salt, slen)) != 0)

1797

return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);

Cédric Meuter

668a78d

2020-04-30 11:57:04 +0200

[diff] [blame]

1798

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1799

p += slen;

1800

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1801

mbedtls_md_init(&md_ctx);

1802

if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1803

goto exit;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1804

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1805

/* Generate H = Hash( M' ) */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1806

if ((ret = mbedtls_md_starts(&md_ctx)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1807

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1808

if ((ret = mbedtls_md_update(&md_ctx, p, 8)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1809

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1810

if ((ret = mbedtls_md_update(&md_ctx, hash, hashlen)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1811

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1812

if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1813

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1814

if ((ret = mbedtls_md_finish(&md_ctx, p)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1815

goto exit;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1816

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1817

/* Compensate for boundary condition when applying mask */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1818

if (msb % 8 == 0)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1819

offset = 1;

1820

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1821

/* maskedDB: Apply dbMask to DB */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1822

if ((ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,

1823

&md_ctx)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1824

goto exit;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1825

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1826

msb = mbedtls_mpi_bitlen(&ctx->N) - 1;

1827

sig[0] &= 0xFF >> (olen * 8 - msb);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p += hlen;

*p++ = 0xBC;

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1832

exit:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1833

mbedtls_md_free(&md_ctx);

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1834

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1835

if (ret != 0)

1836

return ret;

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

1837

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1838

return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1839

}

Cedric Meuter

2020-04-21 12:49:11 +0200

[diff] [blame]

1840

1841

/*

Cédric Meuter

2020-04-25 11:30:45 +0200

[diff] [blame]

1842

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with

1843

* the option to pass in the salt length.

1844

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1845

int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,

int (*f_rng)(void *,

unsigned char *,

size_t),

void *p_rng,

mbedtls_md_type_t md_alg,

1851

unsigned int hashlen,

1852

const unsigned char *hash,

1853

int saltlen,

1854

unsigned char *sig)

Cédric Meuter

2020-04-25 11:30:45 +0200

[diff] [blame]

1855

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1856

return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg, hashlen, hash,

1857

saltlen, sig);

Cédric Meuter

2020-04-25 11:30:45 +0200

[diff] [blame]

1858

}

1859

Cédric Meuter

2020-04-25 11:30:45 +0200

[diff] [blame]

1860

/*

Cedric Meuter

2020-04-21 12:49:11 +0200

[diff] [blame]

1861

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function

1862

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1863

int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,

1864

int (*f_rng)(void *, unsigned char *, size_t),

1865

void *p_rng,

1866

mbedtls_md_type_t md_alg,

1867

unsigned int hashlen,

1868

const unsigned char *hash,

1869

unsigned char *sig)

Cedric Meuter

2020-04-21 12:49:11 +0200

[diff] [blame]

1870

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1871

return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg, hashlen, hash,

1872

MBEDTLS_RSA_SALT_LEN_ANY, sig);

Cedric Meuter

2020-04-21 12:49:11 +0200

[diff] [blame]

1873

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1874

# endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1875

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1876

# if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1877

/*

1878

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function

1879

*/

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1880

1881

/* Construct a PKCS v1.5 encoding of a hashed message

1882

*

1883

* This is used both for signature generation and verification.

1884

*

1885

* Parameters:

1886

* - md_alg: Identifies the hash algorithm used to generate the given hash;

Hanno Becker

e58d38c

2017-09-27 17:09:00 +0100

[diff] [blame]

1887

* MBEDTLS_MD_NONE if raw data is signed.

Gilles Peskine

6e3187b

2021-06-22 18:39:53 +0200

[diff] [blame]

1888

* - hashlen: Length of hash. Must match md_alg if that's not NONE.

Hanno Becker

e58d38c

2017-09-27 17:09:00 +0100

[diff] [blame]

1889

* - hash: Buffer containing the hashed message or the raw data.

1890

* - dst_len: Length of the encoded message.

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1891

* - dst: Buffer to hold the encoded message.

1892

*

1893

* Assumptions:

Gilles Peskine

6e3187b

2021-06-22 18:39:53 +0200

[diff] [blame]

1894

* - hash has size hashlen.

Hanno Becker

e58d38c

2017-09-27 17:09:00 +0100

[diff] [blame]

1895

* - dst points to a buffer of size at least dst_len.

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1896

*

1897

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1898

static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,

1899

unsigned int hashlen,

1900

const unsigned char *hash,

1901

size_t dst_len,

1902

unsigned char *dst)

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1903

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1904

size_t oid_size = 0;

1905

size_t nb_pad = dst_len;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1906

unsigned char *p = dst;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1907

const char *oid = NULL;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1908

1909

/* Are we signing hashed or raw data? */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1910

if (md_alg != MBEDTLS_MD_NONE) {

1911

const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);

1912

if (md_info == NULL)

1913

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1914

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1915

if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0)

1916

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1917

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1918

if (hashlen != mbedtls_md_get_size(md_info))

1919

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1920

1921

/* Double-check that 8 + hashlen + oid_size can be used as a

1922

* 1-byte ASN.1 length encoding and that there's no overflow. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1923

if (8 + hashlen + oid_size >= 0x80 || 10 + hashlen < hashlen ||

1924

10 + hashlen + oid_size < 10 + hashlen)

1925

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1926

1927

/*

1928

* Static bounds check:

1929

* - Need 10 bytes for five tag-length pairs.

1930

* (Insist on 1-byte length encodings to protect against variants of

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1931

* Bleichenbacher's forgery attack against lax PKCS#1v1.5

1932

* verification)

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1933

* - Need hashlen bytes for hash

1934

* - Need oid_size bytes for hash alg OID.

1935

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1936

if (nb_pad < 10 + hashlen + oid_size)

1937

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1938

nb_pad -= 10 + hashlen + oid_size;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1939

} else {

1940

if (nb_pad < hashlen)

1941

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

nb_pad -= hashlen;

}

Hanno Becker

2017-09-27 17:10:03 +0100

[diff] [blame]

1946

/* Need space for signature header and padding delimiter (3 bytes),

1947

* and 8 bytes for the minimal padding */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1948

if (nb_pad < 3 + 8)

1949

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1950

nb_pad -= 3;

1951

1952

/* Now nb_pad is the amount of memory to be filled

Hanno Becker

2b2f898

2017-09-27 17:10:03 +0100

[diff] [blame]

1953

* with padding, and at least 8 bytes long. */

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1954

1955

/* Write signature header and padding */

1956

*p++ = 0;

1957

*p++ = MBEDTLS_RSA_SIGN;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1958

memset(p, 0xFF, nb_pad);

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

p += nb_pad;

*p++ = 0;

/* Are we signing raw data? */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1963

if (md_alg == MBEDTLS_MD_NONE) {

1964

memcpy(p, hash, hashlen);

1965

return 0;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1966

}

1967

1968

/* Signing hashed data, add corresponding ASN.1 structure

1969

*

1970

* DigestInfo ::= SEQUENCE {

1971

* digestAlgorithm DigestAlgorithmIdentifier,

1972

* digest Digest }

1973

* DigestAlgorithmIdentifier ::= AlgorithmIdentifier

1974

* Digest ::= OCTET STRING

1975

*

1976

* Schematic:

1977

* TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]

1978

* TAG-NULL + LEN [ NULL ] ]

1979

* TAG-OCTET + LEN [ HASH ] ]

1980

*/

1981

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1982

*p++ = (unsigned char)(0x08 + oid_size + hashlen);

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1983

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1984

*p++ = (unsigned char)(0x04 + oid_size);

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1985

*p++ = MBEDTLS_ASN1_OID;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1986

*p++ = (unsigned char)oid_size;

1987

memcpy(p, oid, oid_size);

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1988

p += oid_size;

1989

*p++ = MBEDTLS_ASN1_NULL;

1990

*p++ = 0x00;

1991

*p++ = MBEDTLS_ASN1_OCTET_STRING;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1992

*p++ = (unsigned char)hashlen;

1993

memcpy(p, hash, hashlen);

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

1994

p += hashlen;

1995

1996

/* Just a sanity-check, should be automatic

1997

* after the initial bounds check. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

1998

if (p != dst + dst_len) {

1999

mbedtls_platform_zeroize(dst, dst_len);

2000

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

2001

}

2002

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2003

return 0;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

2004

}

2005

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2006

/*

2007

* Do an RSA operation to sign the message digest

2008

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2009

int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,

int (*f_rng)(void *,

unsigned char *,

size_t),

void *p_rng,

mbedtls_md_type_t md_alg,

2015

unsigned int hashlen,

2016

const unsigned char *hash,

2017

unsigned char *sig)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2018

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

2019

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

2020

unsigned char *sig_try = NULL, *verif = NULL;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2021

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2022

RSA_VALIDATE_RET(ctx != NULL);

2023

RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hashlen == 0) ||

2024

hash != NULL);

2025

RSA_VALIDATE_RET(sig != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2026

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2027

if (ctx->padding != MBEDTLS_RSA_PKCS_V15)

2028

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Thomas Daubney

d58ed58

2021-05-21 11:50:39 +0100

[diff] [blame]

2029

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

2030

/*

2031

* Prepare PKCS1-v1.5 encoding (padding and hash identifier)

2032

*/

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2033

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2034

if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, ctx->len,

2035

sig)) != 0)

2036

return ret;

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2037

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

2038

/* Private key operation

2039

*

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2040

* In order to prevent Lenstra's attack, make the signature in a

2041

* temporary buffer and check it before returning it.

2042

*/

Hanno Becker

2017-09-06 12:35:55 +0100

[diff] [blame]

2043

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2044

sig_try = mbedtls_calloc(1, ctx->len);

2045

if (sig_try == NULL)

2046

return MBEDTLS_ERR_MPI_ALLOC_FAILED;

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2047

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2048

verif = mbedtls_calloc(1, ctx->len);

2049

if (verif == NULL) {

2050

mbedtls_free(sig_try);

2051

return MBEDTLS_ERR_MPI_ALLOC_FAILED;

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2052

}

2053

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2054

MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));

2055

MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2056

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2057

if (mbedtls_safer_memcmp(verif, sig, ctx->len) != 0) {

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2058

ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;

goto cleanup;

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2062

memcpy(sig, sig_try, ctx->len);

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2063

2064

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2065

mbedtls_free(sig_try);

2066

mbedtls_free(verif);

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2067

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2068

return ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2069

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2070

# endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2071

2072

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2073

* Do an RSA operation to sign the message digest

2074

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2075

int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,

2076

int (*f_rng)(void *, unsigned char *, size_t),

2077

void *p_rng,

2078

mbedtls_md_type_t md_alg,

2079

unsigned int hashlen,

2080

const unsigned char *hash,

2081

unsigned char *sig)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2082

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2083

RSA_VALIDATE_RET(ctx != NULL);

2084

RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hashlen == 0) ||

2085

hash != NULL);

2086

RSA_VALIDATE_RET(sig != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2087

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2088

switch (ctx->padding) {

2089

# if defined(MBEDTLS_PKCS1_V15)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2090

case MBEDTLS_RSA_PKCS_V15:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2091

return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng, md_alg,

2092

hashlen, hash, sig);

2093

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2094

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2095

# if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2096

case MBEDTLS_RSA_PKCS_V21:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2097

return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,

2098

hashlen, hash, sig);

2099

# endif

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2100

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2101

default:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2102

return MBEDTLS_ERR_RSA_INVALID_PADDING;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2103

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2104

}

2105

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2106

# if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2107

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2108

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2109

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2110

int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,

2111

mbedtls_md_type_t md_alg,

2112

unsigned int hashlen,

2113

const unsigned char *hash,

2114

mbedtls_md_type_t mgf1_hash_id,

2115

int expected_salt_len,

2116

const unsigned char *sig)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2117

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

2118

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2119

size_t siglen;

2120

unsigned char *p;

Gilles Peskine

6a54b02

2017-10-17 19:02:13 +0200

[diff] [blame]

2121

unsigned char *hash_start;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2122

unsigned char result[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2123

unsigned char zeros[8];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2124

unsigned int hlen;

Gilles Peskine

6a54b02

2017-10-17 19:02:13 +0200

[diff] [blame]

2125

size_t observed_salt_len, msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2126

const mbedtls_md_info_t *md_info;

2127

mbedtls_md_context_t md_ctx;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2128

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2129

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2130

RSA_VALIDATE_RET(ctx != NULL);

2131

RSA_VALIDATE_RET(sig != NULL);

2132

RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hashlen == 0) ||

2133

hash != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2134

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2135

siglen = ctx->len;

2136

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2137

if (siglen < 16 || siglen > sizeof(buf))

2138

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2139

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2140

ret = mbedtls_rsa_public(ctx, sig, buf);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2141

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2142

if (ret != 0)

2143

return ret;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

p = buf;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2147

if (buf[siglen - 1] != 0xBC)

2148

return MBEDTLS_ERR_RSA_INVALID_PADDING;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2149

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2150

if (md_alg != MBEDTLS_MD_NONE) {

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2151

/* Gather length of hash to sign */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2152

md_info = mbedtls_md_info_from_type(md_alg);

2153

if (md_info == NULL)

2154

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2155

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2156

if (hashlen != mbedtls_md_get_size(md_info))

2157

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2158

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2159

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2160

md_info = mbedtls_md_info_from_type(mgf1_hash_id);

2161

if (md_info == NULL)

2162

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2163

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2164

hlen = mbedtls_md_get_size(md_info);

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2165

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2166

memset(zeros, 0, 8);

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2167

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2168

/*

2169

* Note: EMSA-PSS verification is over the length of N - 1 bits

2170

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2171

msb = mbedtls_mpi_bitlen(&ctx->N) - 1;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2172

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2173

if (buf[0] >> (8 - siglen * 8 + msb))

2174

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Gilles Peskine

b00b0da

2017-10-19 15:23:49 +0200

[diff] [blame]

2175

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2176

/* Compensate for boundary condition when applying mask */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2177

if (msb % 8 == 0) {

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2178

p++;

2179

siglen -= 1;

2180

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2181

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2182

if (siglen < hlen + 2)

2183

return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

Gilles Peskine

139108a

2017-10-18 19:03:42 +0200

[diff] [blame]

2184

hash_start = p + siglen - hlen - 1;

2185

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2186

mbedtls_md_init(&md_ctx);

2187

if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2188

goto exit;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2189

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2190

ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, &md_ctx);

2191

if (ret != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2192

goto exit;

Paul Bakker

02303e8

2013-01-03 11:08:31 +0100

[diff] [blame]

2193

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2194

buf[0] &= 0xFF >> (siglen * 8 - msb);

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2195

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2196

while (p < hash_start - 1 && *p == 0)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2197

p++;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2198

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2199

if (*p++ != 0x01) {

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2200

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

2201

goto exit;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2202

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2203

Gilles Peskine

6a54b02

2017-10-17 19:02:13 +0200

[diff] [blame]

2204

observed_salt_len = hash_start - p;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2205

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2206

if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&

2207

observed_salt_len != (size_t)expected_salt_len) {

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2208

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

2209

goto exit;

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2210

}

2211

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2212

/*

2213

* Generate H = Hash( M' )

2214

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2215

ret = mbedtls_md_starts(&md_ctx);

2216

if (ret != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2217

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2218

ret = mbedtls_md_update(&md_ctx, zeros, 8);

2219

if (ret != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2220

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2221

ret = mbedtls_md_update(&md_ctx, hash, hashlen);

2222

if (ret != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2223

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2224

ret = mbedtls_md_update(&md_ctx, p, observed_salt_len);

2225

if (ret != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2226

goto exit;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2227

ret = mbedtls_md_finish(&md_ctx, result);

2228

if (ret != 0)

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2229

goto exit;

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2230

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2231

if (memcmp(hash_start, result, hlen) != 0) {

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2232

ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;

Andres Amaya Garcia

c5c7d76

2017-07-20 14:42:16 +0100

[diff] [blame]

2233

goto exit;

2234

}

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2235

2236

exit:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2237

mbedtls_md_free(&md_ctx);

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2238

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2239

return ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2240

}

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2241

2242

/*

2243

* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function

2244

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2245

int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,

2246

mbedtls_md_type_t md_alg,

2247

unsigned int hashlen,

2248

const unsigned char *hash,

2249

const unsigned char *sig)

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2250

{

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2251

mbedtls_md_type_t mgf1_hash_id;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2252

RSA_VALIDATE_RET(ctx != NULL);

2253

RSA_VALIDATE_RET(sig != NULL);

2254

RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hashlen == 0) ||

2255

hash != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2256

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2257

mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE) ?

2258

(mbedtls_md_type_t)ctx->hash_id :

2259

md_alg;

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2260

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2261

return (mbedtls_rsa_rsassa_pss_verify_ext(ctx, md_alg, hashlen, hash,

2262

mgf1_hash_id,

2263

MBEDTLS_RSA_SALT_LEN_ANY, sig));

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2264

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2265

# endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

40628ba

2013-01-03 10:50:31 +0100

[diff] [blame]

2266

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2267

# if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2268

/*

2269

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function

2270

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2271

int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,

2272

mbedtls_md_type_t md_alg,

2273

unsigned int hashlen,

2274

const unsigned char *hash,

2275

const unsigned char *sig)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2276

{

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2277

int ret = 0;

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2278

size_t sig_len;

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2279

unsigned char *encoded = NULL, *encoded_expected = NULL;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2280

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2281

RSA_VALIDATE_RET(ctx != NULL);

2282

RSA_VALIDATE_RET(sig != NULL);

2283

RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hashlen == 0) ||

2284

hash != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

sig_len = ctx->len;

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2288

/*

2289

* Prepare expected PKCS1 v1.5 encoding of hash.

2290

*/

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2291

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2292

if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||

2293

(encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2294

ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;

goto cleanup;

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2298

if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,

2299

encoded_expected)) != 0)

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

goto cleanup;

/*

* Apply RSA primitive to get what should be PKCS1 encoded hash.

2304

*/

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2305

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2306

ret = mbedtls_rsa_public(ctx, sig, encoded);

2307

if (ret != 0)

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2308

goto cleanup;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2309

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2310

/*

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2311

* Compare

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2312

*/

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2313

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2314

if ((ret = mbedtls_safer_memcmp(encoded, encoded_expected, sig_len)) != 0) {

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2315

ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;

2316

goto cleanup;

2317

}

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2318

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2319

cleanup:

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2320

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2321

if (encoded != NULL) {

2322

mbedtls_platform_zeroize(encoded, sig_len);

2323

mbedtls_free(encoded);

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2324

}

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2325

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2326

if (encoded_expected != NULL) {

2327

mbedtls_platform_zeroize(encoded_expected, sig_len);

2328

mbedtls_free(encoded_expected);

Hanno Becker

2017-09-06 12:39:49 +0100

[diff] [blame]

2329

}

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2330

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2331

return ret;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2332

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2333

# endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2334

2335

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2336

* Do an RSA operation and check the message digest

2337

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2338

int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,

2339

mbedtls_md_type_t md_alg,

2340

unsigned int hashlen,

2341

const unsigned char *hash,

2342

const unsigned char *sig)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2343

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2344

RSA_VALIDATE_RET(ctx != NULL);

2345

RSA_VALIDATE_RET(sig != NULL);

2346

RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE && hashlen == 0) ||

2347

hash != NULL);

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2348

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2349

switch (ctx->padding) {

2350

# if defined(MBEDTLS_PKCS1_V15)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2351

case MBEDTLS_RSA_PKCS_V15:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2352

return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg, hashlen,

2353

hash, sig);

2354

# endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2355

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2356

# if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2357

case MBEDTLS_RSA_PKCS_V21:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2358

return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg, hashlen, hash,

2359

sig);

2360

# endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2361

2362

default:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2363

return MBEDTLS_ERR_RSA_INVALID_PADDING;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

}

}

/*

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2368

* Copy the components of an RSA key

2369

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2370

int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2371

{

Janos Follath

2019-11-22 13:21:35 +0000

[diff] [blame]

2372

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2373

RSA_VALIDATE_RET(dst != NULL);

2374

RSA_VALIDATE_RET(src != NULL);

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2375

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2376

dst->len = src->len;

2377

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2378

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));

2379

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2380

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2381

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));

2382

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));

2383

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));

Hanno Becker

33c30a0

2017-08-23 07:00:22 +0100

[diff] [blame]

2384

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2385

# if !defined(MBEDTLS_RSA_NO_CRT)

2386

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));

2387

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));

2388

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));

2389

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));

2390

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));

2391

# endif

Hanno Becker

33c30a0

2017-08-23 07:00:22 +0100

[diff] [blame]

2392

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2393

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2394

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2395

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));

2396

MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

2397

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2398

dst->padding = src->padding;

Manuel Pégourié-Gonnard

fdddac9

2014-03-25 15:58:35 +0100

[diff] [blame]

2399

dst->hash_id = src->hash_id;

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2400

2401

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2402

if (ret != 0)

2403

mbedtls_rsa_free(dst);

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2404

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2405

return ret;

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2406

}

2407

2408

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2409

* Free the components of an RSA key

2410

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2411

void mbedtls_rsa_free(mbedtls_rsa_context *ctx)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2412

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2413

if (ctx == NULL)

Andrzej Kurek

2019-01-31 08:20:20 -0500

[diff] [blame]

2414

return;

2415

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2416

mbedtls_mpi_free(&ctx->Vi);

2417

mbedtls_mpi_free(&ctx->Vf);

2418

mbedtls_mpi_free(&ctx->RN);

2419

mbedtls_mpi_free(&ctx->D);

2420

mbedtls_mpi_free(&ctx->Q);

2421

mbedtls_mpi_free(&ctx->P);

2422

mbedtls_mpi_free(&ctx->E);

2423

mbedtls_mpi_free(&ctx->N);

Paul Bakker

c9965dc

2013-09-29 14:58:17 +0200

[diff] [blame]

2424

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2425

# if !defined(MBEDTLS_RSA_NO_CRT)

2426

mbedtls_mpi_free(&ctx->RQ);

2427

mbedtls_mpi_free(&ctx->RP);

2428

mbedtls_mpi_free(&ctx->QP);

2429

mbedtls_mpi_free(&ctx->DQ);

2430

mbedtls_mpi_free(&ctx->DP);

2431

# endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

33c30a0

2017-08-23 07:00:22 +0100

[diff] [blame]

2432

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2433

# if defined(MBEDTLS_THREADING_C)

Gilles Peskine

eb94059

2021-02-01 17:57:41 +0100

[diff] [blame]

2434

/* Free the mutex, but only if it hasn't been freed already. */

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2435

if (ctx->ver != 0) {

2436

mbedtls_mutex_free(&ctx->mutex);

Gilles Peskine

eb94059

2021-02-01 17:57:41 +0100

[diff] [blame]

2437

ctx->ver = 0;

2438

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2439

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2440

}

2441

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2442

# endif /* !MBEDTLS_RSA_ALT */

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

2443

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2444

# if defined(MBEDTLS_SELF_TEST)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2445

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2446

# include "mbedtls/sha1.h"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2447

2448

/*

2449

* Example RSA-1024 keypair, for test purposes

2450

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2451

# define KEY_LEN 128

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2452

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2453

# define RSA_N \

2454

"9292758453063D803DD603D5E777D788" \

2455

"8ED1D5BF35786190FA2F23EBC0848AEA" \

2456

"DDA92CA6C3D80B32C4D109BE0F36D6AE" \

2457

"7130B9CED7ACDF54CFC7555AC14EEBAB" \

2458

"93A89813FBF3C4F8066D2D800F7C38A8" \

2459

"1AE31942917403FF4946B0A83D3D3E05" \

2460

"EE57C6F5F5606FB5D4BC6CD34EE0801A" \

2461

"5E94BB77B07507233A0BC7BAC8F90F79"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2462

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2463

# define RSA_E "10001"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2464

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2465

# define RSA_D \

2466

"24BF6185468786FDD303083D25E64EFC" \

2467

"66CA472BC44D253102F8B4A9D3BFA750" \

2468

"91386C0077937FE33FA3252D28855837" \

2469

"AE1B484A8A9A45F7EE8C0C634F99E8CD" \

2470

"DF79C5CE07EE72C7F123142198164234" \

2471

"CABB724CF78B8173B9F880FC86322407" \

2472

"AF1FEDFDDE2BEB674CA15F3E81A1521E" \

2473

"071513A1E85B5DFA031F21ECAE91A34D"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2474

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2475

# define RSA_P \

2476

"C36D0EB7FCD285223CFB5AABA5BDA3D8" \

2477

"2C01CAD19EA484A87EA4377637E75500" \

2478

"FCB2005C5C7DD6EC4AC023CDA285D796" \

2479

"C3D9E75E1EFC42488BB4F1D13AC30A57"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2480

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2481

# define RSA_Q \

2482

"C000DF51A7C77AE8D7C7370C1FF55B69" \

2483

"E211C2B9E5DB1ED0BF61D0D9899620F4" \

2484

"910E4168387E3C30AA1E00C339A79508" \

2485

"8452DD96A9A5EA5D9DCA68DA636032AF"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2486

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2487

# define PT_LEN 24

2488

# define RSA_PT \

2489

"\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \

2490

"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2491

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2492

# if defined(MBEDTLS_PKCS1_V15)

2493

static int myrand(void *rng_state, unsigned char *output, size_t len)

Paul Bakker

545570e

2010-07-18 09:00:25 +0000

[diff] [blame]

2494

{

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2495

# if !defined(__OpenBSD__) && !defined(__NetBSD__)

Paul Bakker

a3d195c

2011-11-27 21:07:34 +0000

[diff] [blame]

2496

size_t i;

2497

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2498

if (rng_state != NULL)

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2499

rng_state = NULL;

2500

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2501

for (i = 0; i < len; ++i)

2502

output[i] = rand();

2503

# else

2504

if (rng_state != NULL)

2505

rng_state = NULL;

Paul Bakker

48377d9

2013-08-30 12:06:24 +0200

[diff] [blame]

2506

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2507

arc4random_buf(output, len);

2508

# endif /* !OpenBSD && !NetBSD */

2509

2510

return 0;

Paul Bakker

545570e

2010-07-18 09:00:25 +0000

[diff] [blame]

2511

}

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2512

# endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

545570e

2010-07-18 09:00:25 +0000

[diff] [blame]

2513

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2514

/*

2515

* Checkup routine

2516

*/

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2517

int mbedtls_rsa_self_test(int verbose)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2518

{

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2519

int ret = 0;

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2520

# if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2521

size_t len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2522

mbedtls_rsa_context rsa;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2523

unsigned char rsa_plaintext[PT_LEN];

2524

unsigned char rsa_decrypted[PT_LEN];

2525

unsigned char rsa_ciphertext[KEY_LEN];

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2526

# if defined(MBEDTLS_SHA1_C)

Paul Bakker

5690efc

2011-05-26 13:16:06 +0000

[diff] [blame]

2527

unsigned char sha1sum[20];

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2528

# endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2529

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2530

mbedtls_mpi K;

2531

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2532

mbedtls_mpi_init(&K);

2533

mbedtls_rsa_init(&rsa);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2534

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2535

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));

2536

MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));

2537

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));

2538

MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));

2539

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));

2540

MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));

2541

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));

2542

MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));

2543

MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));

2544

MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2545

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2546

MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2547

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2548

if (verbose != 0)

2549

mbedtls_printf(" RSA key validation: ");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2550

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2551

if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||

2552

mbedtls_rsa_check_privkey(&rsa) != 0) {

2553

if (verbose != 0)

2554

mbedtls_printf("failed\n");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2555

Hanno Becker

2017-05-03 15:09:31 +0100

[diff] [blame]

2556

ret = 1;

2557

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2558

}

2559

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2560

if (verbose != 0)

2561

mbedtls_printf("passed\n PKCS#1 encryption : ");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2562

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2563

memcpy(rsa_plaintext, RSA_PT, PT_LEN);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2564

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2565

if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL, PT_LEN, rsa_plaintext,

2566

rsa_ciphertext) != 0) {

2567

if (verbose != 0)

2568

mbedtls_printf("failed\n");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2569

Hanno Becker

2017-05-03 15:09:31 +0100

[diff] [blame]

2570

ret = 1;

2571

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2572

}

2573

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2574

if (verbose != 0)

2575

mbedtls_printf("passed\n PKCS#1 decryption : ");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2576

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2577

if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL, &len, rsa_ciphertext,

2578

rsa_decrypted, sizeof(rsa_decrypted)) != 0) {

2579

if (verbose != 0)

2580

mbedtls_printf("failed\n");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2581

Hanno Becker

2017-05-03 15:09:31 +0100

[diff] [blame]

2582

ret = 1;

2583

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2584

}

2585

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2586

if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {

2587

if (verbose != 0)

2588

mbedtls_printf("failed\n");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2589

Hanno Becker

2017-05-03 15:09:31 +0100

[diff] [blame]

2590

ret = 1;

2591

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2592

}

2593

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2594

if (verbose != 0)

2595

mbedtls_printf("passed\n");

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2596

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2597

# if defined(MBEDTLS_SHA1_C)

2598

if (verbose != 0)

2599

mbedtls_printf(" PKCS#1 data sign : ");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2600

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2601

if (mbedtls_sha1(rsa_plaintext, PT_LEN, sha1sum) != 0) {

2602

if (verbose != 0)

2603

mbedtls_printf("failed\n");

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2604

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2605

return 1;

Andres Amaya Garcia

2017-06-28 11:46:46 +0100

[diff] [blame]

2606

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2607

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2608

if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL, MBEDTLS_MD_SHA1, 20, sha1sum,

2609

rsa_ciphertext) != 0) {

2610

if (verbose != 0)

2611

mbedtls_printf("failed\n");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2612

Hanno Becker

2017-05-03 15:09:31 +0100

[diff] [blame]

2613

ret = 1;

2614

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2615

}

2616

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2617

if (verbose != 0)

2618

mbedtls_printf("passed\n PKCS#1 sig. verify: ");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2619

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2620

if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20, sha1sum,

2621

rsa_ciphertext) != 0) {

2622

if (verbose != 0)

2623

mbedtls_printf("failed\n");

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2624

Hanno Becker

2017-05-03 15:09:31 +0100

[diff] [blame]

2625

ret = 1;

2626

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2627

}

2628

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2629

if (verbose != 0)

2630

mbedtls_printf("passed\n");

2631

# endif /* MBEDTLS_SHA1_C */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2632

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2633

if (verbose != 0)

2634

mbedtls_printf("\n");

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2635

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2636

cleanup:

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2637

mbedtls_mpi_free(&K);

2638

mbedtls_rsa_free(&rsa);

2639

# else /* MBEDTLS_PKCS1_V15 */

2640

((void)verbose);

2641

# endif /* MBEDTLS_PKCS1_V15 */

2642

return ret;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2643

}

2644

Mateusz Starzyk

2021-08-03 14:09:02 +0200

[diff] [blame^]

2645

# endif /* MBEDTLS_SELF_TEST */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2646

Manuel Pégourié-Gonnard