Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 4df240abf3ee134bdfdfaa8ae39a4b873d22b129 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* The RSA public-key cryptosystem
				3	*
Bence Szépkúti	1e14827	2020-08-07 13:07:28 +0200	[diff] [blame]	4	* Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard	37ff140	2015-09-04 14:21:07 +0200	[diff] [blame]	5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	18	*/
Hanno Becker	7471631	2017-10-02 10:00:37 +0100	[diff] [blame]	19
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	20	/*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	21	* The following sources were referenced in the design of this implementation
				22	* of the RSA algorithm:
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23	*
Simon Butcher	bdae02c	2016-01-20 00:44:42 +0000	[diff] [blame]	24	* [1] A method for obtaining digital signatures and public-key cryptosystems
				25	* R Rivest, A Shamir, and L Adleman
				26	* http://people.csail.mit.edu/rivest/pubs.html#RSA78
				27	*
				28	* [2] Handbook of Applied Cryptography - 1997, Chapter 8
				29	* Menezes, van Oorschot and Vanstone
				30	*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	31	* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
				32	* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
				33	* Stefan Mangard
				34	* https://arxiv.org/abs/1702.08719v2
				35	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	36	*/
				37
Gilles Peskine	db09ef6	2020-06-03 01:43:33 +0200	[diff] [blame]	38	#include "common.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	39
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	40	#if defined(MBEDTLS_RSA_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	41
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	42	#include "mbedtls/rsa.h"
Chris Jones	66a4cd4	2021-03-09 16:04:12 +0000	[diff] [blame]	43	#include "rsa_alt_helpers.h"
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	44	#include "mbedtls/oid.h"
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	45	#include "mbedtls/platform_util.h"
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	46	#include "mbedtls/error.h"
Gabor Mezei	22c9a6f	2021-10-20 12:09:35 +0200	[diff] [blame]	47	#include "constant_time_internal.h"
Gabor Mezei	765862c	2021-10-19 12:22:25 +0200	[diff] [blame]	48	#include "mbedtls/constant_time.h"
Manuel Pégourié-Gonnard	4772884	2022-07-18 13:00:40 +0200	[diff] [blame]	49	#include "hash_info.h"
Paul Bakker	bb51f0c	2012-08-23 07:46:58 +0000	[diff] [blame]	50
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	51	#include <string.h>
				52
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	53	#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	54	#include <stdlib.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	55	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	56
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	57	/* We use MD first if it's available (for compatibility reasons)
				58	* and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
				59	#if defined(MBEDTLS_PKCS1_V21)
Przemek Stekiel	40afdd2	2022-09-06 13:08:28 +0200	[diff] [blame]	60	#if !defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	61	#include "psa/crypto.h"
				62	#include "mbedtls/psa_util.h"
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	63	#endif /* MBEDTLS_MD_C */
				64	#endif /* MBEDTLS_PKCS1_V21 */
				65
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	66	#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	67	#include "mbedtls/platform.h"
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	68	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	69	#include <stdio.h>
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	70	#define mbedtls_printf printf
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	71	#define mbedtls_calloc calloc
				72	#define mbedtls_free free
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	73	#endif
				74
Hanno Becker	a565f54	2017-10-11 11:00:19 +0100	[diff] [blame]	75	#if !defined(MBEDTLS_RSA_ALT)
				76
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	77	int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
				78	const mbedtls_mpi *N,
				79	const mbedtls_mpi P, const mbedtls_mpi Q,
				80	const mbedtls_mpi D, const mbedtls_mpi E )
				81	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	82	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	83
				84	if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) \|\|
				85	( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) \|\|
				86	( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) \|\|
				87	( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) \|\|
				88	( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
				89	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	90	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	91	}
				92
				93	if( N != NULL )
				94	ctx->len = mbedtls_mpi_size( &ctx->N );
				95
				96	return( 0 );
				97	}
				98
				99	int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
Hanno Becker	7471631	2017-10-02 10:00:37 +0100	[diff] [blame]	100	unsigned char const *N, size_t N_len,
				101	unsigned char const *P, size_t P_len,
				102	unsigned char const *Q, size_t Q_len,
				103	unsigned char const *D, size_t D_len,
				104	unsigned char const *E, size_t E_len )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	105	{
Hanno Becker	d4d6057	2018-01-10 07:12:01 +0000	[diff] [blame]	106	int ret = 0;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	107
				108	if( N != NULL )
				109	{
				110	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
				111	ctx->len = mbedtls_mpi_size( &ctx->N );
				112	}
				113
				114	if( P != NULL )
				115	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
				116
				117	if( Q != NULL )
				118	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
				119
				120	if( D != NULL )
				121	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
				122
				123	if( E != NULL )
				124	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
				125
				126	cleanup:
				127
				128	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	129	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	130
				131	return( 0 );
				132	}
				133
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	134	/*
				135	* Checks whether the context fields are set in such a way
				136	* that the RSA primitives will be able to execute without error.
				137	* It does not make guarantees for consistency of the parameters.
				138	*/
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	139	static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
				140	int blinding_needed )
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	141	{
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	142	#if !defined(MBEDTLS_RSA_NO_CRT)
				143	/* blinding_needed is only used for NO_CRT to decide whether
				144	* P,Q need to be present or not. */
				145	((void) blinding_needed);
				146	#endif
				147
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	148	if( ctx->len != mbedtls_mpi_size( &ctx->N ) \|\|
				149	ctx->len > MBEDTLS_MPI_MAX_SIZE )
				150	{
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	151	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	152	}
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	153
				154	/*
				155	* 1. Modular exponentiation needs positive, odd moduli.
				156	*/
				157
				158	/* Modular exponentiation wrt. N is always used for
				159	* RSA public key operations. */
				160	if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 \|\|
				161	mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
				162	{
				163	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				164	}
				165
				166	#if !defined(MBEDTLS_RSA_NO_CRT)
				167	/* Modular exponentiation for P and Q is only
				168	* used for private key operations and if CRT
				169	* is used. */
				170	if( is_priv &&
				171	( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 \|\|
				172	mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 \|\|
				173	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 \|\|
				174	mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
				175	{
				176	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				177	}
				178	#endif /* !MBEDTLS_RSA_NO_CRT */
				179
				180	/*
				181	* 2. Exponents must be positive
				182	*/
				183
				184	/* Always need E for public key operations */
				185	if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
				186	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				187
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	188	#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	189	/* For private key operations, use D or DP & DQ
				190	* as (unblinded) exponents. */
				191	if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
				192	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				193	#else
				194	if( is_priv &&
				195	( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 \|\|
				196	mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
				197	{
				198	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				199	}
				200	#endif /* MBEDTLS_RSA_NO_CRT */
				201
				202	/* Blinding shouldn't make exponents negative either,
				203	* so check that P, Q >= 1 if that hasn't yet been
				204	* done as part of 1. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	205	#if defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	206	if( is_priv && blinding_needed &&
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	207	( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 \|\|
				208	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
				209	{
				210	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				211	}
				212	#endif
				213
				214	/* It wouldn't lead to an error if it wasn't satisfied,
Hanno Becker	f8c028a	2017-10-17 09:20:57 +0100	[diff] [blame]	215	* but check for QP >= 1 nonetheless. */
Hanno Becker	b82a5b5	2017-10-11 19:10:23 +0100	[diff] [blame]	216	#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	217	if( is_priv &&
				218	mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
				219	{
				220	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				221	}
				222	#endif
				223
				224	return( 0 );
				225	}
				226
Hanno Becker	f9e184b	2017-10-10 16:49:26 +0100	[diff] [blame]	227	int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	228	{
				229	int ret = 0;
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	230	int have_N, have_P, have_Q, have_D, have_E;
				231	#if !defined(MBEDTLS_RSA_NO_CRT)
				232	int have_DP, have_DQ, have_QP;
				233	#endif
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	234	int n_missing, pq_missing, d_missing, is_pub, is_priv;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	235
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	236	have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
				237	have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
				238	have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
				239	have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
				240	have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	241
				242	#if !defined(MBEDTLS_RSA_NO_CRT)
Jack Lloyd	80cc811	2020-01-22 17:34:29 -0500	[diff] [blame]	243	have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
				244	have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
				245	have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
Jack Lloyd	8c2631b	2020-01-23 17:23:52 -0500	[diff] [blame]	246	#endif
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	247
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	248	/*
				249	* Check whether provided parameters are enough
				250	* to deduce all others. The following incomplete
				251	* parameter sets for private keys are supported:
				252	*
				253	* (1) P, Q missing.
				254	* (2) D and potentially N missing.
				255	*
				256	*/
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	257
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	258	n_missing = have_P && have_Q && have_D && have_E;
				259	pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
				260	d_missing = have_P && have_Q && !have_D && have_E;
				261	is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	262
				263	/* These three alternatives are mutually exclusive */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	264	is_priv = n_missing \|\| pq_missing \|\| d_missing;
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	265
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	266	if( !is_priv && !is_pub )
				267	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				268
				269	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	270	* Step 1: Deduce N if P, Q are provided.
				271	*/
				272
				273	if( !have_N && have_P && have_Q )
				274	{
				275	if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
				276	&ctx->Q ) ) != 0 )
				277	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	278	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	279	}
				280
				281	ctx->len = mbedtls_mpi_size( &ctx->N );
				282	}
				283
				284	/*
				285	* Step 2: Deduce and verify all remaining core parameters.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	286	*/
				287
				288	if( pq_missing )
				289	{
Hanno Becker	c36aab6	2017-10-17 09:15:06 +0100	[diff] [blame]	290	ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	291	&ctx->P, &ctx->Q );
				292	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	293	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	294
				295	}
				296	else if( d_missing )
				297	{
Hanno Becker	8ba6ce4	2017-10-03 14:36:26 +0100	[diff] [blame]	298	if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
				299	&ctx->Q,
				300	&ctx->E,
				301	&ctx->D ) ) != 0 )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	302	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	303	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	304	}
				305	}
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	306
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	307	/*
Hanno Becker	2cca6f3	2017-09-29 11:46:40 +0100	[diff] [blame]	308	* Step 3: Deduce all additional parameters specific
Hanno Becker	e867489	2017-10-10 17:56:14 +0100	[diff] [blame]	309	* to our current RSA implementation.
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	310	*/
				311
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	312	#if !defined(MBEDTLS_RSA_NO_CRT)
Jack Lloyd	2e9eef4	2020-01-28 14:43:52 -0500	[diff] [blame]	313	if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	314	{
				315	ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				316	&ctx->DP, &ctx->DQ, &ctx->QP );
				317	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	318	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	319	}
Hanno Becker	23344b5	2017-08-23 07:43:27 +0100	[diff] [blame]	320	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	321
				322	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	323	* Step 3: Basic sanity checks
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	324	*/
				325
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	326	return( rsa_check_context( ctx, is_priv, 1 ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	327	}
				328
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	329	int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
				330	unsigned char *N, size_t N_len,
				331	unsigned char *P, size_t P_len,
				332	unsigned char *Q, size_t Q_len,
				333	unsigned char *D, size_t D_len,
				334	unsigned char *E, size_t E_len )
				335	{
				336	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	337	int is_priv;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	338
				339	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	340	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	341	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				342	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				343	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				344	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				345	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				346
				347	if( !is_priv )
				348	{
				349	/* If we're trying to export private parameters for a public key,
				350	* something must be wrong. */
				351	if( P != NULL \|\| Q != NULL \|\| D != NULL )
				352	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				353
				354	}
				355
				356	if( N != NULL )
				357	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
				358
				359	if( P != NULL )
				360	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
				361
				362	if( Q != NULL )
				363	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
				364
				365	if( D != NULL )
				366	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
				367
				368	if( E != NULL )
				369	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	370
				371	cleanup:
				372
				373	return( ret );
				374	}
				375
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	376	int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
				377	mbedtls_mpi N, mbedtls_mpi P, mbedtls_mpi *Q,
				378	mbedtls_mpi D, mbedtls_mpi E )
				379	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	380	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	381	int is_priv;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	382
				383	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	384	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	385	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				386	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				387	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				388	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				389	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				390
				391	if( !is_priv )
				392	{
				393	/* If we're trying to export private parameters for a public key,
				394	* something must be wrong. */
				395	if( P != NULL \|\| Q != NULL \|\| D != NULL )
				396	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				397
				398	}
				399
				400	/* Export all requested core parameters. */
				401
				402	if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) \|\|
				403	( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) \|\|
				404	( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) \|\|
				405	( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) \|\|
				406	( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
				407	{
				408	return( ret );
				409	}
				410
				411	return( 0 );
				412	}
				413
				414	/*
				415	* Export CRT parameters
				416	* This must also be implemented if CRT is not used, for being able to
				417	* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
				418	* can be used in this case.
				419	*/
				420	int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
				421	mbedtls_mpi DP, mbedtls_mpi DQ, mbedtls_mpi *QP )
				422	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	423	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	424	int is_priv;
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	425
				426	/* Check if key is private or public */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	427	is_priv =
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	428	mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
				429	mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
				430	mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
				431	mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
				432	mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
				433
				434	if( !is_priv )
				435	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				436
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	437	#if !defined(MBEDTLS_RSA_NO_CRT)
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	438	/* Export all requested blinding parameters. */
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	439	if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) \|\|
				440	( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) \|\|
				441	( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
				442	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	443	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	444	}
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	445	#else
				446	if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				447	DP, DQ, QP ) ) != 0 )
				448	{
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	449	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
Hanno Becker	dc95c89	2017-08-23 06:57:02 +0100	[diff] [blame]	450	}
				451	#endif
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	452
				453	return( 0 );
				454	}
Hanno Becker	e2e8b8d	2017-08-23 14:06:45 +0100	[diff] [blame]	455
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	456	/*
				457	* Initialize an RSA context
				458	*/
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	459	void mbedtls_rsa_init( mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	460	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	461	memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	462
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	463	ctx->padding = MBEDTLS_RSA_PKCS_V15;
				464	ctx->hash_id = MBEDTLS_MD_NONE;
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	465
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	466	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	467	/* Set ctx->ver to nonzero to indicate that the mutex has been
				468	* initialized and will need to be freed. */
				469	ctx->ver = 1;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	470	mbedtls_mutex_init( &ctx->mutex );
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	471	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	472	}
				473
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	474	/*
				475	* Set padding for an existing RSA context
				476	*/
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	477	int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
				478	mbedtls_md_type_t hash_id )
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	479	{
Ronald Cron	3a0375f	2021-06-08 10:22:28 +0200	[diff] [blame]	480	switch( padding )
				481	{
				482	#if defined(MBEDTLS_PKCS1_V15)
				483	case MBEDTLS_RSA_PKCS_V15:
				484	break;
				485	#endif
				486
				487	#if defined(MBEDTLS_PKCS1_V21)
				488	case MBEDTLS_RSA_PKCS_V21:
				489	break;
				490	#endif
				491	default:
				492	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
				493	}
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	494
Manuel Pégourié-Gonnard	3356b89	2022-07-05 10:25:06 +0200	[diff] [blame]	495	#if defined(MBEDTLS_PKCS1_V21)
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	496	if( ( padding == MBEDTLS_RSA_PKCS_V21 ) &&
				497	( hash_id != MBEDTLS_MD_NONE ) )
				498	{
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	499	/* Just make sure this hash is supported in this build. */
Przemek Stekiel	712bb9c	2022-07-29 11:12:00 +0200	[diff] [blame]	500	if( mbedtls_hash_info_psa_from_md( hash_id ) == PSA_ALG_NONE )
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	501	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
				502	}
Manuel Pégourié-Gonnard	3356b89	2022-07-05 10:25:06 +0200	[diff] [blame]	503	#endif /* MBEDTLS_PKCS1_V21 */
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	504
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	505	ctx->padding = padding;
				506	ctx->hash_id = hash_id;
Ronald Cron	ea7631b	2021-06-03 18:51:59 +0200	[diff] [blame]	507
				508	return( 0 );
Manuel Pégourié-Gonnard	844a4c0	2014-03-10 21:55:35 +0100	[diff] [blame]	509	}
				510
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	511	/*
				512	* Get length in bytes of RSA modulus
				513	*/
				514
				515	size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
				516	{
Hanno Becker	2f8f06a	2017-09-29 11:47:26 +0100	[diff] [blame]	517	return( ctx->len );
Hanno Becker	617c1ae	2017-08-23 14:11:24 +0100	[diff] [blame]	518	}
				519
				520
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	521	#if defined(MBEDTLS_GENPRIME)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	522
				523	/*
				524	* Generate an RSA keypair
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	525	*
				526	* This generation method follows the RSA key pair generation procedure of
				527	* FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	528	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	529	int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	530	int (f_rng)(void , unsigned char *, size_t),
				531	void *p_rng,
				532	unsigned int nbits, int exponent )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	533	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	534	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	535	mbedtls_mpi H, G, L;
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	536	int prime_quality = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	537
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	538	/*
				539	* If the modulus is 1024 bit long or shorter, then the security strength of
				540	* the RSA algorithm is less than or equal to 80 bits and therefore an error
				541	* rate of 2^-80 is sufficient.
				542	*/
				543	if( nbits > 1024 )
				544	prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
				545
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	546	mbedtls_mpi_init( &H );
				547	mbedtls_mpi_init( &G );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	548	mbedtls_mpi_init( &L );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	549
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	550	if( nbits < 128 \|\| exponent < 3 \|\| nbits % 2 != 0 )
				551	{
				552	ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
				553	goto cleanup;
				554	}
				555
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	556	/*
				557	* find primes P and Q with Q < P so that:
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	558	* 1. \|P-Q\| > 2^( nbits / 2 - 100 )
				559	* 2. GCD( E, (P-1)*(Q-1) ) == 1
				560	* 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	561	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	562	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	563
				564	do
				565	{
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	566	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
				567	prime_quality, f_rng, p_rng ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	568
Janos Follath	b8fc1b0	2018-09-03 15:37:01 +0100	[diff] [blame]	569	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
				570	prime_quality, f_rng, p_rng ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	571
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	572	/* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
				573	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
				574	if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	575	continue;
				576
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	577	/* not required by any standards, but some users rely on the fact that P > Q */
				578	if( H.s < 0 )
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	579	mbedtls_mpi_swap( &ctx->P, &ctx->Q );
Janos Follath	ef44178	2016-09-21 13:18:12 +0100	[diff] [blame]	580
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	581	/* Temporarily replace P,Q by P-1, Q-1 */
				582	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
				583	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
				584	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	585
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	586	/* check GCD( E, (P-1)(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) /
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	587	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	588	if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
				589	continue;
				590
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	591	/* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	592	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
				593	MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
				594	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
				595
				596	if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
				597	continue;
				598
				599	break;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	600	}
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	601	while( 1 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	602
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	603	/* Restore P,Q */
				604	MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
				605	MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
				606
Jethro Beekman	c645bfe	2018-02-14 19:27:13 -0800	[diff] [blame]	607	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
				608
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	609	ctx->len = mbedtls_mpi_size( &ctx->N );
				610
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	611	#if !defined(MBEDTLS_RSA_NO_CRT)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	612	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	613	* DP = D mod (P - 1)
				614	* DQ = D mod (Q - 1)
				615	* QP = Q^-1 mod P
				616	*/
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	617	MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
				618	&ctx->DP, &ctx->DQ, &ctx->QP ) );
				619	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	620
Hanno Becker	83aad1f	2017-08-23 06:45:10 +0100	[diff] [blame]	621	/* Double-check */
				622	MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	623
				624	cleanup:
				625
Hanno Becker	bee3aae	2017-08-23 06:59:15 +0100	[diff] [blame]	626	mbedtls_mpi_free( &H );
				627	mbedtls_mpi_free( &G );
Jethro Beekman	97f95c9	2018-02-13 15:50:36 -0800	[diff] [blame]	628	mbedtls_mpi_free( &L );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	629
				630	if( ret != 0 )
				631	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	632	mbedtls_rsa_free( ctx );
Chris Jones	7439209	2021-04-01 16:00:01 +0100	[diff] [blame]	633
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	634	if( ( -ret & ~0x7f ) == 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	635	ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret );
Gilles Peskine	5e40a7c	2021-02-02 21:06:10 +0100	[diff] [blame]	636	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	637	}
				638
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	639	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	640	}
				641
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	642	#endif /* MBEDTLS_GENPRIME */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	643
				644	/*
				645	* Check a public RSA key
				646	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	647	int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	648	{
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	649	if( rsa_check_context( ctx, 0 /* public /, 0 / no blinding */ ) != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	650	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	37940d9f	2009-07-10 22:38:58 +0000	[diff] [blame]	651
Hanno Becker	3a760a1	2018-01-05 08:14:49 +0000	[diff] [blame]	652	if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	653	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	654	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	655	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	656
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	657	if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 \|\|
				658	mbedtls_mpi_bitlen( &ctx->E ) < 2 \|\|
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	659	mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	660	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	661	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	662	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	663
				664	return( 0 );
				665	}
				666
				667	/*
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	668	* Check for the consistency of all fields in an RSA private key context
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	669	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	670	int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	671	{
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	672	if( mbedtls_rsa_check_pubkey( ctx ) != 0 \|\|
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	673	rsa_check_context( ctx, 1 /* private /, 1 / blinding */ ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	674	{
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	675	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	676	}
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	677
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	678	if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	679	&ctx->D, &ctx->E, NULL, NULL ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	680	{
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	681	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	682	}
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	683
Hanno Becker	b269a85	2017-08-25 08:03:21 +0100	[diff] [blame]	684	#if !defined(MBEDTLS_RSA_NO_CRT)
				685	else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
				686	&ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
				687	{
				688	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
				689	}
				690	#endif
Paul Bakker	6c591fa	2011-05-05 11:49:20 +0000	[diff] [blame]	691
				692	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	693	}
				694
				695	/*
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	696	* Check if contexts holding a public and private key match
				697	*/
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	698	int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
				699	const mbedtls_rsa_context *prv )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	700	{
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	701	if( mbedtls_rsa_check_pubkey( pub ) != 0 \|\|
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	702	mbedtls_rsa_check_privkey( prv ) != 0 )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	703	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	704	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	705	}
				706
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	707	if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 \|\|
				708	mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	709	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	710	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
Manuel Pégourié-Gonnard	2f8d1f9	2014-11-06 14:02:51 +0100	[diff] [blame]	711	}
				712
				713	return( 0 );
				714	}
				715
				716	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	717	* Do an RSA public key operation
				718	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	719	int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	720	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	721	unsigned char *output )
				722	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	723	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	724	size_t olen;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	725	mbedtls_mpi T;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	726
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	727	if( rsa_check_context( ctx, 0 /* public /, 0 / no blinding */ ) )
Hanno Becker	705fc68	2017-10-10 17:57:02 +0100	[diff] [blame]	728	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				729
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	730	mbedtls_mpi_init( &T );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	731
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	732	#if defined(MBEDTLS_THREADING_C)
				733	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				734	return( ret );
				735	#endif
				736
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	737	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	738
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	739	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	740	{
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	741	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				742	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	743	}
				744
				745	olen = ctx->len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	746	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
				747	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	748
				749	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	750	#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	751	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				752	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard	88fca3e	2015-03-27 15:06:07 +0100	[diff] [blame]	753	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	754
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	755	mbedtls_mpi_free( &T );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	756
				757	if( ret != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	758	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	759
				760	return( 0 );
				761	}
				762
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	763	/*
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	764	* Generate or update blinding values, see section 10 of:
				765	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
Manuel Pégourié-Gonnard	998930a	2015-04-03 13:48:06 +0200	[diff] [blame]	766	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	767	* Berlin Heidelberg, 1996. p. 104-113.
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	768	*/
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	769	static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	770	int (f_rng)(void , unsigned char , size_t), void p_rng )
				771	{
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	772	int ret, count = 0;
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	773	mbedtls_mpi R;
				774
				775	mbedtls_mpi_init( &R );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	776
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	777	if( ctx->Vf.p != NULL )
				778	{
				779	/* We already have blinding values, just update them by squaring */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	780	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
				781	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
				782	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
				783	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	784
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	785	goto cleanup;
Manuel Pégourié-Gonnard	8a109f1	2013-09-10 13:37:26 +0200	[diff] [blame]	786	}
				787
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	788	/* Unblinding value: Vf = random number, invertible mod N */
				789	do {
				790	if( count++ > 10 )
Manuel Pégourié-Gonnard	e288ec0	2020-07-16 09:23:30 +0200	[diff] [blame]	791	{
				792	ret = MBEDTLS_ERR_RSA_RNG_FAILED;
				793	goto cleanup;
				794	}
Manuel Pégourié-Gonnard	4d89c7e	2013-10-04 15:18:38 +0200	[diff] [blame]	795
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	796	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	797
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	798	/* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	799	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
				800	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
				801	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
				802
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	803	/* At this point, Vi is invertible mod N if and only if both Vf and R
				804	* are invertible mod N. If one of them isn't, we don't need to know
				805	* which one, we just loop and choose new values for both of them.
				806	* (Each iteration succeeds with overwhelming probability.) */
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	807	ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
Peter Kolbus	ca8b8e7	2020-09-24 11:11:50 -0500	[diff] [blame]	808	if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
Manuel Pégourié-Gonnard	b3e3d79	2020-06-26 11:03:19 +0200	[diff] [blame]	809	goto cleanup;
				810
Peter Kolbus	ca8b8e7	2020-09-24 11:11:50 -0500	[diff] [blame]	811	} while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
				812
				813	/* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
				814	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
				815	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	816
Manuel Pégourié-Gonnard	7868396	2020-07-16 09:48:54 +0200	[diff] [blame]	817	/* Blinding value: Vi = Vf^(-e) mod N
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	818	* (Vi already contains Vf^-1 at this point) */
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	819	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	820
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	821
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	822	cleanup:
Manuel Pégourié-Gonnard	750d3c7	2020-06-26 11:19:12 +0200	[diff] [blame]	823	mbedtls_mpi_free( &R );
				824
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	825	return( ret );
				826	}
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	827
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	828	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	829	* Exponent blinding supposed to prevent side-channel attacks using multiple
				830	* traces of measurements to recover the RSA key. The more collisions are there,
				831	* the more bits of the key can be recovered. See [3].
				832	*
				833	* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	834	* observations on average.
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	835	*
				836	* For example with 28 byte blinding to achieve 2 collisions the adversary has
Shaun Case	8b0ecbc	2021-12-20 21:14:10 -0800	[diff] [blame]	837	* to make 2^112 observations on average.
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	838	*
				839	* (With the currently (as of 2017 April) known best algorithms breaking 2048
				840	* bit RSA requires approximately as much time as trying out 2^112 random keys.
				841	* Thus in this sense with 28 byte blinding the security is not reduced by
				842	* side-channel attacks like the one in [3])
				843	*
				844	* This countermeasure does not help if the key recovery is possible with a
				845	* single trace.
				846	*/
				847	#define RSA_EXPONENT_BLINDING 28
				848
				849	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	850	* Do an RSA private key operation
				851	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	852	int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	853	int (f_rng)(void , unsigned char *, size_t),
				854	void *p_rng,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	855	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	856	unsigned char *output )
				857	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	858	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	859	size_t olen;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	860
				861	/* Temporary holding the result */
				862	mbedtls_mpi T;
				863
				864	/* Temporaries holding P-1, Q-1 and the
				865	* exponent blinding factor, respectively. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	866	mbedtls_mpi P1, Q1, R;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	867
				868	#if !defined(MBEDTLS_RSA_NO_CRT)
				869	/* Temporaries holding the results mod p resp. mod q. */
				870	mbedtls_mpi TP, TQ;
				871
				872	/* Temporaries holding the blinded exponents for
				873	* the mod p resp. mod q computation (if used). */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	874	mbedtls_mpi DP_blind, DQ_blind;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	875
				876	/* Pointers to actual exponents to be used - either the unblinded
				877	* or the blinded ones, depending on the presence of a PRNG. */
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	878	mbedtls_mpi *DP = &ctx->DP;
				879	mbedtls_mpi *DQ = &ctx->DQ;
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	880	#else
				881	/* Temporary holding the blinded exponent (if used). */
				882	mbedtls_mpi D_blind;
				883
				884	/* Pointer to actual exponent to be used - either the unblinded
				885	* or the blinded one, depending on the presence of a PRNG. */
				886	mbedtls_mpi *D = &ctx->D;
Hanno Becker	43f9472	2017-08-25 11:50:00 +0100	[diff] [blame]	887	#endif /* MBEDTLS_RSA_NO_CRT */
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	888
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	889	/* Temporaries holding the initial input and the double
				890	* checked result; should be the same in the end. */
				891	mbedtls_mpi I, C;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	892
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	893	if( f_rng == NULL )
				894	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				895
				896	if( rsa_check_context( ctx, 1 /* private key checks */,
				897	1 /* blinding on */ ) != 0 )
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	898	{
Manuel Pégourié-Gonnard	fb84d38	2015-10-30 10:56:25 +0100	[diff] [blame]	899	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	ebd2c02	2017-10-12 10:54:53 +0100	[diff] [blame]	900	}
Manuel Pégourié-Gonnard	fb84d38	2015-10-30 10:56:25 +0100	[diff] [blame]	901
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	902	#if defined(MBEDTLS_THREADING_C)
				903	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
				904	return( ret );
				905	#endif
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	906
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	907	/* MPI Initialization */
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	908	mbedtls_mpi_init( &T );
				909
				910	mbedtls_mpi_init( &P1 );
				911	mbedtls_mpi_init( &Q1 );
				912	mbedtls_mpi_init( &R );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	913
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	914	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	915	mbedtls_mpi_init( &D_blind );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	916	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	917	mbedtls_mpi_init( &DP_blind );
				918	mbedtls_mpi_init( &DQ_blind );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	919	#endif
				920
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	921	#if !defined(MBEDTLS_RSA_NO_CRT)
				922	mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	923	#endif
				924
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	925	mbedtls_mpi_init( &I );
				926	mbedtls_mpi_init( &C );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	927
				928	/* End of MPI initialization */
				929
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	930	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
				931	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	932	{
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	933	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
				934	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	935	}
				936
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	937	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	938
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	939	/*
				940	* Blinding
				941	* T = T * Vi mod N
				942	*/
				943	MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
				944	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
				945	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	946
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	947	/*
				948	* Exponent blinding
				949	*/
				950	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
				951	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	952
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	953	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	954	/*
				955	* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
				956	*/
				957	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				958	f_rng, p_rng ) );
				959	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
				960	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
				961	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	962
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	963	D = &D_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	964	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	965	/*
				966	* DP_blind = ( P - 1 ) * R + DP
				967	*/
				968	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				969	f_rng, p_rng ) );
				970	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
				971	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
				972	&ctx->DP ) );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	973
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	974	DP = &DP_blind;
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	975
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	976	/*
				977	* DQ_blind = ( Q - 1 ) * R + DQ
				978	*/
				979	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
				980	f_rng, p_rng ) );
				981	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
				982	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
				983	&ctx->DQ ) );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	984
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	985	DQ = &DQ_blind;
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	986	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	987
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	988	#if defined(MBEDTLS_RSA_NO_CRT)
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	989	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
Manuel Pégourié-Gonnard	e10e06d	2014-11-06 18:15:12 +0100	[diff] [blame]	990	#else
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	991	/*
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	992	* Faster decryption using the CRT
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	993	*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	994	* TP = input ^ dP mod P
				995	* TQ = input ^ dQ mod Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	996	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	997
				998	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
				999	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1000
				1001	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1002	* T = (TP - TQ) * (Q^-1 mod P) mod P
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1003	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1004	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
				1005	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
				1006	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1007
				1008	/*
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1009	* T = TQ + T * Q
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1010	*/
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1011	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
				1012	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1013	#endif /* MBEDTLS_RSA_NO_CRT */
Paul Bakker	aab30c1	2013-08-30 11:00:25 +0200	[diff] [blame]	1014
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1015	/*
				1016	* Unblind
				1017	* T = T * Vf mod N
				1018	*/
				1019	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
				1020	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1021
Hanno Becker	2dec5e8	2017-10-03 07:49:52 +0100	[diff] [blame]	1022	/* Verify the result to prevent glitching attacks. */
				1023	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
				1024	&ctx->N, &ctx->RN ) );
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	1025	if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1026	{
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1027	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				1028	goto cleanup;
				1029	}
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1030
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1031	olen = ctx->len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1032	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1033
				1034	cleanup:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1035	#if defined(MBEDTLS_THREADING_C)
Manuel Pégourié-Gonnard	4d04cdc	2015-08-28 10:32:21 +0200	[diff] [blame]	1036	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
				1037	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
Manuel Pégourié-Gonnard	ae10299	2013-10-04 17:07:12 +0200	[diff] [blame]	1038	#endif
Manuel Pégourié-Gonnard	1385a28	2015-08-27 11:30:58 +0200	[diff] [blame]	1039
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1040	mbedtls_mpi_free( &P1 );
				1041	mbedtls_mpi_free( &Q1 );
				1042	mbedtls_mpi_free( &R );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1043
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1044	#if defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1045	mbedtls_mpi_free( &D_blind );
Janos Follath	f9203b4	2017-03-22 15:13:15 +0000	[diff] [blame]	1046	#else
Manuel Pégourié-Gonnard	f035904	2021-06-15 11:29:26 +0200	[diff] [blame]	1047	mbedtls_mpi_free( &DP_blind );
				1048	mbedtls_mpi_free( &DQ_blind );
Janos Follath	e81102e	2017-03-22 13:38:28 +0000	[diff] [blame]	1049	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1050
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1051	mbedtls_mpi_free( &T );
				1052
				1053	#if !defined(MBEDTLS_RSA_NO_CRT)
				1054	mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
				1055	#endif
				1056
Hanno Becker	c6075cc	2017-08-25 11:45:35 +0100	[diff] [blame]	1057	mbedtls_mpi_free( &C );
				1058	mbedtls_mpi_free( &I );
Hanno Becker	06811ce	2017-05-03 15:10:34 +0100	[diff] [blame]	1059
Gilles Peskine	ae3741e	2020-11-25 00:10:31 +0100	[diff] [blame]	1060	if( ret != 0 && ret >= -0x007f )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1061	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1062
Gilles Peskine	ae3741e	2020-11-25 00:10:31 +0100	[diff] [blame]	1063	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1064	}
				1065
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1066	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1067	/**
				1068	* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
				1069	*
Paul Bakker	b125ed8	2011-11-10 13:33:51 +0000	[diff] [blame]	1070	* \param dst buffer to mask
				1071	* \param dlen length of destination buffer
				1072	* \param src source of the mask generation
				1073	* \param slen length of the source buffer
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1074	* \param md_alg message digest to use
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1075	*/
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1076	static int mgf_mask( unsigned char dst, size_t dlen, unsigned char src,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1077	size_t slen, mbedtls_md_type_t md_alg )
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1078	{
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1079	unsigned char counter[4];
				1080	unsigned char *p;
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1081	unsigned int hlen;
				1082	size_t i, use_len;
Przemek Stekiel	40afdd2	2022-09-06 13:08:28 +0200	[diff] [blame]	1083	unsigned char mask[MBEDTLS_HASH_MAX_SIZE];
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1084	#if defined(MBEDTLS_MD_C)
Andres Amaya Garcia	94682d1	2017-07-20 14:26:37 +0100	[diff] [blame]	1085	int ret = 0;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1086	const mbedtls_md_info_t *md_info;
				1087	mbedtls_md_context_t md_ctx;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1088
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1089	mbedtls_md_init( &md_ctx );
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1090	md_info = mbedtls_md_info_from_type( md_alg );
				1091	if( md_info == NULL )
				1092	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1093
				1094	mbedtls_md_init( &md_ctx );
				1095	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
				1096	goto exit;
				1097
				1098	hlen = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1099	#else
				1100	psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
				1101	psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
				1102	psa_status_t status = PSA_SUCCESS;
				1103	size_t out_len;
				1104
				1105	hlen = PSA_HASH_LENGTH( alg );
				1106	#endif
				1107
				1108	memset( mask, 0, sizeof( mask ) );
				1109	memset( counter, 0, 4 );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1110
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1111	/* Generate and apply dbMask */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1112	p = dst;
				1113
				1114	while( dlen > 0 )
				1115	{
				1116	use_len = hlen;
				1117	if( dlen < hlen )
				1118	use_len = dlen;
				1119
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1120	#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1121	if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1122	goto exit;
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1123	if( ( ret = mbedtls_md_update( &md_ctx, src, slen ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1124	goto exit;
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1125	if( ( ret = mbedtls_md_update( &md_ctx, counter, 4 ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1126	goto exit;
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1127	if( ( ret = mbedtls_md_finish( &md_ctx, mask ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1128	goto exit;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1129	#else
				1130	if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS )
				1131	goto exit;
				1132	if( ( status = psa_hash_update( &op, src, slen ) ) != PSA_SUCCESS )
				1133	goto exit;
				1134	if( ( status = psa_hash_update( &op, counter, 4 ) ) != PSA_SUCCESS )
				1135	goto exit;
				1136	status = psa_hash_finish( &op, mask, sizeof( mask ), &out_len );
				1137	if( status != PSA_SUCCESS )
				1138	goto exit;
				1139	#endif
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1140
				1141	for( i = 0; i < use_len; ++i )
				1142	*p++ ^= mask[i];
				1143
				1144	counter[3]++;
				1145
				1146	dlen -= use_len;
				1147	}
Gilles Peskine	18ac716	2017-05-05 19:24:06 +0200	[diff] [blame]	1148
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1149	exit:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1150	mbedtls_platform_zeroize( mask, sizeof( mask ) );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1151	#if defined(MBEDTLS_MD_C)
				1152	mbedtls_md_free( &md_ctx );
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1153
				1154	return( ret );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1155	#else
				1156	psa_hash_abort( &op );
				1157
Przemek Stekiel	2aae040	2022-07-29 11:20:07 +0200	[diff] [blame]	1158	return( mbedtls_md_error_from_psa( status ) );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1159	#endif
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1160	}
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1161
				1162	/**
				1163	* Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
				1164	*
				1165	* \param hash the input hash
				1166	* \param hlen length of the input hash
				1167	* \param salt the input salt
				1168	* \param slen length of the input salt
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1169	* \param out the output buffer - must be large enough for \p md_alg
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1170	* \param md_alg message digest to use
				1171	*/
				1172	static int hash_mprime( const unsigned char *hash, size_t hlen,
				1173	const unsigned char *salt, size_t slen,
				1174	unsigned char *out, mbedtls_md_type_t md_alg )
				1175	{
				1176	const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1177
				1178	#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1179	mbedtls_md_context_t md_ctx;
Przemek Stekiel	f98b57f	2022-07-29 11:27:46 +0200	[diff] [blame]	1180	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1181
				1182	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
				1183	if( md_info == NULL )
				1184	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1185
				1186	mbedtls_md_init( &md_ctx );
				1187	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
				1188	goto exit;
				1189	if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
				1190	goto exit;
				1191	if( ( ret = mbedtls_md_update( &md_ctx, zeros, sizeof( zeros ) ) ) != 0 )
				1192	goto exit;
				1193	if( ( ret = mbedtls_md_update( &md_ctx, hash, hlen ) ) != 0 )
				1194	goto exit;
				1195	if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
				1196	goto exit;
				1197	if( ( ret = mbedtls_md_finish( &md_ctx, out ) ) != 0 )
				1198	goto exit;
				1199
				1200	exit:
				1201	mbedtls_md_free( &md_ctx );
				1202
				1203	return( ret );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1204	#else
				1205	psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
				1206	psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
Przemek Stekiel	f98b57f	2022-07-29 11:27:46 +0200	[diff] [blame]	1207	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED ;
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1208	size_t out_size = PSA_HASH_LENGTH( alg );
				1209	size_t out_len;
				1210
				1211	if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS )
				1212	goto exit;
				1213	if( ( status = psa_hash_update( &op, zeros, sizeof( zeros ) ) ) != PSA_SUCCESS )
				1214	goto exit;
				1215	if( ( status = psa_hash_update( &op, hash, hlen ) ) != PSA_SUCCESS )
				1216	goto exit;
				1217	if( ( status = psa_hash_update( &op, salt, slen ) ) != PSA_SUCCESS )
				1218	goto exit;
				1219	status = psa_hash_finish( &op, out, out_size, &out_len );
				1220	if( status != PSA_SUCCESS )
				1221	goto exit;
				1222
				1223	exit:
				1224	psa_hash_abort( &op );
				1225
Przemek Stekiel	2aae040	2022-07-29 11:20:07 +0200	[diff] [blame]	1226	return( mbedtls_md_error_from_psa( status ) );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1227	#endif /* !MBEDTLS_MD_C */
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1228	}
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1229
				1230	/**
				1231	* Compute a hash.
				1232	*
				1233	* \param md_alg algorithm to use
				1234	* \param input input message to hash
				1235	* \param ilen input length
				1236	* \param output the output buffer - must be large enough for \p md_alg
				1237	*/
				1238	static int compute_hash( mbedtls_md_type_t md_alg,
				1239	const unsigned char *input, size_t ilen,
				1240	unsigned char *output )
				1241	{
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1242	#if defined(MBEDTLS_MD_C)
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1243	const mbedtls_md_info_t *md_info;
				1244
				1245	md_info = mbedtls_md_info_from_type( md_alg );
				1246	if( md_info == NULL )
				1247	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1248
				1249	return( mbedtls_md( md_info, input, ilen, output ) );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1250	#else
				1251	psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
				1252	psa_status_t status;
				1253	size_t out_size = PSA_HASH_LENGTH( alg );
				1254	size_t out_len;
				1255
				1256	status = psa_hash_compute( alg, input, ilen, output, out_size, &out_len );
				1257
Przemek Stekiel	2aae040	2022-07-29 11:20:07 +0200	[diff] [blame]	1258	return( mbedtls_md_error_from_psa( status ) );
Manuel Pégourié-Gonnard	077ba84	2022-07-27 10:42:31 +0200	[diff] [blame]	1259	#endif /* !MBEDTLS_MD_C */
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1260	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1261	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1262
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1263	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1264	/*
				1265	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
				1266	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1267	int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1268	int (f_rng)(void , unsigned char *, size_t),
				1269	void *p_rng,
Paul Bakker	a43231c	2013-02-28 17:33:49 +0100	[diff] [blame]	1270	const unsigned char *label, size_t label_len,
				1271	size_t ilen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1272	const unsigned char *input,
				1273	unsigned char *output )
				1274	{
				1275	size_t olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1276	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1277	unsigned char *p = output;
				1278	unsigned int hlen;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1279
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1280	if( f_rng == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1281	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1282
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1283	hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
				1284	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1285	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1286
				1287	olen = ctx->len;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1288
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1289	/* first comparison checks for overflow */
Janos Follath	eddfe8f	2016-02-08 14:52:29 +0000	[diff] [blame]	1290	if( ilen + 2 * hlen + 2 < ilen \|\| olen < ilen + 2 * hlen + 2 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1291	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1292
				1293	memset( output, 0, olen );
				1294
				1295	*p++ = 0;
				1296
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1297	/* Generate a random octet string seed */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1298	if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1299	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1300
				1301	p += hlen;
				1302
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1303	/* Construct DB */
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1304	ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id, label, label_len, p );
				1305	if( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1306	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1307	p += hlen;
				1308	p += olen - 2 * hlen - 2 - ilen;
				1309	*p++ = 1;
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1310	if( ilen != 0 )
				1311	memcpy( p, input, ilen );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1312
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1313	/* maskedDB: Apply dbMask to DB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1314	if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1315	ctx->hash_id ) ) != 0 )
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	1316	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1317
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1318	/* maskedSeed: Apply seedMask to seed */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1319	if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1320	ctx->hash_id ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1321	return( ret );
				1322
Thomas Daubney	141700f	2021-05-13 19:06:10 +0100	[diff] [blame]	1323	return( mbedtls_rsa_public( ctx, output, output ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1324	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1325	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1326
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1327	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1328	/*
				1329	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
				1330	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1331	int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1332	int (f_rng)(void , unsigned char *, size_t),
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1333	void *p_rng, size_t ilen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1334	const unsigned char *input,
				1335	unsigned char *output )
				1336	{
				1337	size_t nb_pad, olen;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1338	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1339	unsigned char *p = output;
				1340
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1341	olen = ctx->len;
Manuel Pégourié-Gonnard	370717b	2016-02-11 10:35:13 +0100	[diff] [blame]	1342
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1343	/* first comparison checks for overflow */
Janos Follath	eddfe8f	2016-02-08 14:52:29 +0000	[diff] [blame]	1344	if( ilen + 11 < ilen \|\| olen < ilen + 11 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1345	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1346
				1347	nb_pad = olen - 3 - ilen;
				1348
				1349	*p++ = 0;
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1350
				1351	if( f_rng == NULL )
				1352	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1353
				1354	*p++ = MBEDTLS_RSA_CRYPT;
				1355
				1356	while( nb_pad-- > 0 )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1357	{
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1358	int rng_dl = 100;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1359
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1360	do {
				1361	ret = f_rng( p_rng, p, 1 );
				1362	} while( *p == 0 && --rng_dl && ret == 0 );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1363
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1364	/* Check if RNG failed to generate data */
				1365	if( rng_dl == 0 \|\| ret != 0 )
				1366	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1367
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1368	p++;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1369	}
				1370
				1371	*p++ = 0;
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1372	if( ilen != 0 )
				1373	memcpy( p, input, ilen );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1374
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1375	return( mbedtls_rsa_public( ctx, output, output ) );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1376	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1377	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1378
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1379	/*
				1380	* Add the message padding, then do an RSA operation
				1381	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1382	int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	1383	int (f_rng)(void , unsigned char *, size_t),
Paul Bakker	21eb280	2010-08-16 11:10:02 +0000	[diff] [blame]	1384	void *p_rng,
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1385	size_t ilen,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	1386	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1387	unsigned char *output )
				1388	{
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1389	switch( ctx->padding )
				1390	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1391	#if defined(MBEDTLS_PKCS1_V15)
				1392	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1393	return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng,
Thomas Daubney	53e4ac6	2021-05-13 18:26:49 +0100	[diff] [blame]	1394	ilen, input, output );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1395	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1396
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1397	#if defined(MBEDTLS_PKCS1_V21)
				1398	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	141700f	2021-05-13 19:06:10 +0100	[diff] [blame]	1399	return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, NULL, 0,
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	1400	ilen, input, output );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1401	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1402
				1403	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1404	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1405	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1406	}
				1407
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1408	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1409	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1410	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1411	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1412	int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1413	int (f_rng)(void , unsigned char *, size_t),
				1414	void *p_rng,
Paul Bakker	a43231c	2013-02-28 17:33:49 +0100	[diff] [blame]	1415	const unsigned char *label, size_t label_len,
				1416	size_t *olen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1417	const unsigned char *input,
				1418	unsigned char *output,
				1419	size_t output_max_len )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1420	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1421	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1422	size_t ilen, i, pad_len;
				1423	unsigned char *p, bad, pad_done;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1424	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
Przemek Stekiel	40afdd2	2022-09-06 13:08:28 +0200	[diff] [blame]	1425	unsigned char lhash[MBEDTLS_HASH_MAX_SIZE];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1426	unsigned int hlen;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1427
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1428	/*
				1429	* Parameters sanity checks
				1430	*/
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1431	if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1432	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1433
				1434	ilen = ctx->len;
				1435
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	1436	if( ilen < 16 \|\| ilen > sizeof( buf ) )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1437	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1438
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1439	hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
				1440	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1441	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1442
Janos Follath	c17cda1	2016-02-11 11:08:18 +0000	[diff] [blame]	1443	// checking for integer underflow
				1444	if( 2 * hlen + 2 > ilen )
				1445	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1446
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1447	/*
				1448	* RSA operation
				1449	*/
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1450	ret = mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1451
				1452	if( ret != 0 )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1453	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1454
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1455	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1456	* Unmask data and generate lHash
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1457	*/
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1458	/* seed: Apply seedMask to maskedSeed */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1459	if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1460	ctx->hash_id ) ) != 0 \|\|
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1461	/* DB: Apply dbMask to maskedDB */
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1462	( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	1463	ctx->hash_id ) ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1464	{
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1465	goto cleanup;
				1466	}
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1467
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1468	/* Generate lHash */
Manuel Pégourié-Gonnard	35c09e4	2022-07-15 13:10:54 +0200	[diff] [blame]	1469	ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id,
				1470	label, label_len, lhash );
				1471	if( ret != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	1472	goto cleanup;
				1473
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1474	/*
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1475	* Check contents, in "constant-time"
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1476	*/
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1477	p = buf;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1478	bad = 0;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1479
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1480	bad \|= p++; / First byte must be 0 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1481
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1482	p += hlen; /* Skip seed */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1483
Manuel Pégourié-Gonnard	a5cfc35	2013-11-28 15:57:52 +0100	[diff] [blame]	1484	/* Check lHash */
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1485	for( i = 0; i < hlen; i++ )
				1486	bad \|= lhash[i] ^ *p++;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1487
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1488	/* Get zero-padding len, but always read till end of buffer
				1489	* (minus one, for the 01 byte) */
				1490	pad_len = 0;
				1491	pad_done = 0;
				1492	for( i = 0; i < ilen - 2 * hlen - 2; i++ )
				1493	{
				1494	pad_done \|= p[i];
Pascal Junod	b99183d	2015-03-11 16:49:45 +0100	[diff] [blame]	1495	pad_len += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1496	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1497
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1498	p += pad_len;
				1499	bad \|= *p++ ^ 0x01;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1500
Manuel Pégourié-Gonnard	ab44d7e	2013-11-29 12:49:44 +0100	[diff] [blame]	1501	/*
				1502	* The only information "leaked" is whether the padding was correct or not
				1503	* (eg, no data is copied if it was not correct). This meets the
				1504	* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
				1505	* the different error conditions.
				1506	*/
				1507	if( bad != 0 )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1508	{
				1509	ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
				1510	goto cleanup;
				1511	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1512
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1513	if( ilen - ( p - buf ) > output_max_len )
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1514	{
				1515	ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
				1516	goto cleanup;
				1517	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1518
				1519	*olen = ilen - (p - buf);
Gilles Peskine	004f87b	2018-07-06 15:47:54 +0200	[diff] [blame]	1520	if( *olen != 0 )
				1521	memcpy( output, p, *olen );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1522	ret = 0;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1523
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1524	cleanup:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1525	mbedtls_platform_zeroize( buf, sizeof( buf ) );
				1526	mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1527
				1528	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1529	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1530	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1531
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1532	#if defined(MBEDTLS_PKCS1_V15)
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1533	/*
				1534	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
				1535	*/
				1536	int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
				1537	int (f_rng)(void , unsigned char *, size_t),
				1538	void *p_rng,
				1539	size_t *olen,
				1540	const unsigned char *input,
				1541	unsigned char *output,
				1542	size_t output_max_len )
				1543	{
				1544	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
				1545	size_t ilen;
				1546	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
				1547
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1548	ilen = ctx->len;
				1549
				1550	if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
				1551	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1552
				1553	if( ilen < 16 \|\| ilen > sizeof( buf ) )
				1554	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1555
				1556	ret = mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
				1557
				1558	if( ret != 0 )
				1559	goto cleanup;
				1560
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	1561	ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( buf, ilen,
Gabor Mezei	63bbba5	2021-10-18 16:17:57 +0200	[diff] [blame]	1562	output, output_max_len, olen );
gabor-mezei-arm	bef600f	2021-09-26 15:20:48 +0200	[diff] [blame]	1563
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1564	cleanup:
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1565	mbedtls_platform_zeroize( buf, sizeof( buf ) );
Gilles Peskine	4a7f6a0	2017-03-23 14:37:37 +0100	[diff] [blame]	1566
				1567	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1568	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1569	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1570
				1571	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1572	* Do an RSA operation, then remove the message padding
				1573	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1574	int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1575	int (f_rng)(void , unsigned char *, size_t),
				1576	void *p_rng,
Thomas Daubney	c7feaf3	2021-05-07 14:02:43 +0100	[diff] [blame]	1577	size_t *olen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1578	const unsigned char *input,
				1579	unsigned char *output,
				1580	size_t output_max_len)
				1581	{
				1582	switch( ctx->padding )
				1583	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1584	#if defined(MBEDTLS_PKCS1_V15)
				1585	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	3473308	2021-05-12 09:24:29 +0100	[diff] [blame]	1586	return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, olen,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1587	input, output, output_max_len );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1588	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1589
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1590	#if defined(MBEDTLS_PKCS1_V21)
				1591	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	d21e0b7	2021-05-06 11:41:09 +0100	[diff] [blame]	1592	return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, NULL, 0,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1593	olen, input, output,
				1594	output_max_len );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1595	#endif
				1596
				1597	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1598	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1599	}
				1600	}
				1601
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1602	#if defined(MBEDTLS_PKCS1_V21)
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1603	static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1604	int (f_rng)(void , unsigned char *, size_t),
				1605	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1606	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1607	unsigned int hashlen,
				1608	const unsigned char *hash,
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1609	int saltlen,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1610	unsigned char *sig )
				1611	{
				1612	size_t olen;
				1613	unsigned char *p = sig;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1614	unsigned char *salt = NULL;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1615	size_t slen, min_slen, hlen, offset = 0;
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1616	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1617	size_t msb;
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1618
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	1619	if( ( md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0 ) && hash == NULL )
				1620	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1621
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1622	if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
				1623	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1624
Manuel Pégourié-Gonnard	e6d1d82	2014-06-02 16:47:02 +0200	[diff] [blame]	1625	if( f_rng == NULL )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1626	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1627
				1628	olen = ctx->len;
				1629
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1630	if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1631	{
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1632	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1633	size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg );
				1634	if( exp_hashlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1635	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	1636
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1637	if( hashlen != exp_hashlen )
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1638	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1639	}
				1640
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	1641	hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
				1642	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1643	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1644
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1645	if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY)
				1646	{
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1647	/* Calculate the largest possible salt length, up to the hash size.
				1648	* Normally this is the hash length, which is the maximum salt length
				1649	* according to FIPS 185-4 §5.5 (e) and common practice. If there is not
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1650	* enough room, use the maximum salt length that fits. The constraint is
				1651	* that the hash length plus the salt length plus 2 bytes must be at most
				1652	* the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
				1653	* (PKCS#1 v2.2) §9.1.1 step 3. */
				1654	min_slen = hlen - 2;
				1655	if( olen < hlen + min_slen + 2 )
				1656	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1657	else if( olen >= hlen + hlen + 2 )
				1658	slen = hlen;
				1659	else
				1660	slen = olen - hlen - 2;
				1661	}
Cédric Meuter	46bad33	2021-01-10 12:57:19 +0100	[diff] [blame]	1662	else if ( (saltlen < 0) \|\| (saltlen + hlen + 2 > olen) )
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1663	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1664	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1665	}
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1666	else
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1667	{
Cédric Meuter	010ddc2	2020-04-25 09:24:11 +0200	[diff] [blame]	1668	slen = (size_t) saltlen;
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1669	}
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1670
				1671	memset( sig, 0, olen );
				1672
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1673	/* Note: EMSA-PSS encoding is over the length of N - 1 bits */
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	1674	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Jaeden Amero	3725bb2	2018-09-07 19:12:36 +0100	[diff] [blame]	1675	p += olen - hlen - slen - 2;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1676	*p++ = 0x01;
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1677
				1678	/* Generate salt of length slen in place in the encoded message */
				1679	salt = p;
				1680	if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
Chris Jones	b7d02e0	2021-04-01 17:40:03 +0100	[diff] [blame]	1681	return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
Cédric Meuter	668a78d	2020-04-30 11:57:04 +0200	[diff] [blame]	1682
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1683	p += slen;
				1684
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1685	/* Generate H = Hash( M' ) */
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1686	ret = hash_mprime( hash, hashlen, salt, slen, p, ctx->hash_id );
				1687	if( ret != 0 )
				1688	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1689
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1690	/* Compensate for boundary condition when applying mask */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1691	if( msb % 8 == 0 )
				1692	offset = 1;
				1693
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	1694	/* maskedDB: Apply dbMask to DB */
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	1695	ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
				1696	ctx->hash_id );
				1697	if( ret != 0 )
				1698	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1699
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	1700	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1701	sig[0] &= 0xFF >> ( olen * 8 - msb );
				1702
				1703	p += hlen;
				1704	*p++ = 0xBC;
				1705
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1706	return mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1707	}
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1708
				1709	/*
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1710	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
				1711	* the option to pass in the salt length.
				1712	*/
				1713	int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
				1714	int (f_rng)(void , unsigned char *, size_t),
				1715	void *p_rng,
				1716	mbedtls_md_type_t md_alg,
				1717	unsigned int hashlen,
				1718	const unsigned char *hash,
				1719	int saltlen,
				1720	unsigned char *sig )
				1721	{
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1722	return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1723	hashlen, hash, saltlen, sig );
				1724	}
				1725
				1726
				1727	/*
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1728	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
				1729	*/
				1730	int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
				1731	int (f_rng)(void , unsigned char *, size_t),
				1732	void *p_rng,
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1733	mbedtls_md_type_t md_alg,
				1734	unsigned int hashlen,
				1735	const unsigned char *hash,
				1736	unsigned char *sig )
				1737	{
Thomas Daubney	cad59ed	2021-05-19 15:04:08 +0100	[diff] [blame]	1738	return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
Cédric Meuter	f3fab33	2020-04-25 11:30:45 +0200	[diff] [blame]	1739	hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig );
Cedric Meuter	8aa4d75	2020-04-21 12:49:11 +0200	[diff] [blame]	1740	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1741	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1742
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1743	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1744	/*
				1745	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
				1746	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1747
				1748	/* Construct a PKCS v1.5 encoding of a hashed message
				1749	*
				1750	* This is used both for signature generation and verification.
				1751	*
				1752	* Parameters:
				1753	* - md_alg: Identifies the hash algorithm used to generate the given hash;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1754	* MBEDTLS_MD_NONE if raw data is signed.
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1755	* - hashlen: Length of hash. Must match md_alg if that's not NONE.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1756	* - hash: Buffer containing the hashed message or the raw data.
				1757	* - dst_len: Length of the encoded message.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1758	* - dst: Buffer to hold the encoded message.
				1759	*
				1760	* Assumptions:
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1761	* - hash has size hashlen.
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1762	* - dst points to a buffer of size at least dst_len.
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1763	*
				1764	*/
				1765	static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
				1766	unsigned int hashlen,
				1767	const unsigned char *hash,
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1768	size_t dst_len,
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1769	unsigned char *dst )
				1770	{
				1771	size_t oid_size = 0;
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1772	size_t nb_pad = dst_len;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1773	unsigned char *p = dst;
				1774	const char *oid = NULL;
				1775
				1776	/* Are we signing hashed or raw data? */
				1777	if( md_alg != MBEDTLS_MD_NONE )
				1778	{
Manuel Pégourié-Gonnard	4772884	2022-07-18 13:00:40 +0200	[diff] [blame]	1779	unsigned char md_size = mbedtls_hash_info_get_size( md_alg );
Manuel Pégourié-Gonnard	f493f2a	2022-07-05 17:41:05 +0200	[diff] [blame]	1780	if( md_size == 0 )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1781	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1782
				1783	if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
				1784	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1785
Manuel Pégourié-Gonnard	f493f2a	2022-07-05 17:41:05 +0200	[diff] [blame]	1786	if( hashlen != md_size )
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	1787	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1788
				1789	/* Double-check that 8 + hashlen + oid_size can be used as a
				1790	* 1-byte ASN.1 length encoding and that there's no overflow. */
				1791	if( 8 + hashlen + oid_size >= 0x80 \|\|
				1792	10 + hashlen < hashlen \|\|
				1793	10 + hashlen + oid_size < 10 + hashlen )
				1794	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1795
				1796	/*
				1797	* Static bounds check:
				1798	* - Need 10 bytes for five tag-length pairs.
				1799	* (Insist on 1-byte length encodings to protect against variants of
				1800	* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
				1801	* - Need hashlen bytes for hash
				1802	* - Need oid_size bytes for hash alg OID.
				1803	*/
				1804	if( nb_pad < 10 + hashlen + oid_size )
				1805	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1806	nb_pad -= 10 + hashlen + oid_size;
				1807	}
				1808	else
				1809	{
				1810	if( nb_pad < hashlen )
				1811	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1812
				1813	nb_pad -= hashlen;
				1814	}
				1815
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1816	/* Need space for signature header and padding delimiter (3 bytes),
				1817	* and 8 bytes for the minimal padding */
				1818	if( nb_pad < 3 + 8 )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1819	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1820	nb_pad -= 3;
				1821
				1822	/* Now nb_pad is the amount of memory to be filled
Hanno Becker	2b2f898	2017-09-27 17:10:03 +0100	[diff] [blame]	1823	* with padding, and at least 8 bytes long. */
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1824
				1825	/* Write signature header and padding */
				1826	*p++ = 0;
				1827	*p++ = MBEDTLS_RSA_SIGN;
				1828	memset( p, 0xFF, nb_pad );
				1829	p += nb_pad;
				1830	*p++ = 0;
				1831
				1832	/* Are we signing raw data? */
				1833	if( md_alg == MBEDTLS_MD_NONE )
				1834	{
				1835	memcpy( p, hash, hashlen );
				1836	return( 0 );
				1837	}
				1838
				1839	/* Signing hashed data, add corresponding ASN.1 structure
				1840	*
				1841	* DigestInfo ::= SEQUENCE {
				1842	* digestAlgorithm DigestAlgorithmIdentifier,
				1843	* digest Digest }
				1844	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
				1845	* Digest ::= OCTET STRING
				1846	*
				1847	* Schematic:
				1848	* TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
				1849	* TAG-NULL + LEN [ NULL ] ]
				1850	* TAG-OCTET + LEN [ HASH ] ]
				1851	*/
				1852	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1853	*p++ = (unsigned char)( 0x08 + oid_size + hashlen );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1854	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1855	*p++ = (unsigned char)( 0x04 + oid_size );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1856	*p++ = MBEDTLS_ASN1_OID;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1857	*p++ = (unsigned char) oid_size;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1858	memcpy( p, oid, oid_size );
				1859	p += oid_size;
				1860	*p++ = MBEDTLS_ASN1_NULL;
				1861	*p++ = 0x00;
				1862	*p++ = MBEDTLS_ASN1_OCTET_STRING;
Hanno Becker	87ae197	2018-01-15 15:27:56 +0000	[diff] [blame]	1863	*p++ = (unsigned char) hashlen;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1864	memcpy( p, hash, hashlen );
				1865	p += hashlen;
				1866
				1867	/* Just a sanity-check, should be automatic
				1868	* after the initial bounds check. */
Hanno Becker	e58d38c	2017-09-27 17:09:00 +0100	[diff] [blame]	1869	if( p != dst + dst_len )
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1870	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	1871	mbedtls_platform_zeroize( dst, dst_len );
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1872	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1873	}
				1874
				1875	return( 0 );
				1876	}
				1877
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1878	/*
				1879	* Do an RSA operation to sign the message digest
				1880	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1881	int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
Paul Bakker	548957d	2013-08-30 10:30:02 +0200	[diff] [blame]	1882	int (f_rng)(void , unsigned char *, size_t),
				1883	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1884	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1885	unsigned int hashlen,
				1886	const unsigned char *hash,
				1887	unsigned char *sig )
				1888	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1889	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1890	unsigned char sig_try = NULL, verif = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1891
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	1892	if( ( md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0 ) && hash == NULL )
				1893	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1894
Thomas Daubney	d58ed58	2021-05-21 11:50:39 +0100	[diff] [blame]	1895	if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
				1896	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				1897
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1898	/*
				1899	* Prepare PKCS1-v1.5 encoding (padding and hash identifier)
				1900	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1901
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1902	if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
				1903	ctx->len, sig ) ) != 0 )
				1904	return( ret );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1905
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1906	/* Private key operation
				1907	*
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1908	* In order to prevent Lenstra's attack, make the signature in a
				1909	* temporary buffer and check it before returning it.
				1910	*/
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1911
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1912	sig_try = mbedtls_calloc( 1, ctx->len );
Simon Butcher	1285ab5	2016-01-01 21:42:47 +0000	[diff] [blame]	1913	if( sig_try == NULL )
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1914	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
				1915
Hanno Becker	fdf3803	2017-09-06 12:35:55 +0100	[diff] [blame]	1916	verif = mbedtls_calloc( 1, ctx->len );
Simon Butcher	1285ab5	2016-01-01 21:42:47 +0000	[diff] [blame]	1917	if( verif == NULL )
				1918	{
				1919	mbedtls_free( sig_try );
				1920	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
				1921	}
				1922
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1923	MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
				1924	MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
				1925
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	1926	if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 )
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1927	{
				1928	ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
				1929	goto cleanup;
				1930	}
				1931
				1932	memcpy( sig, sig_try, ctx->len );
				1933
				1934	cleanup:
Gilles Peskine	14d5fef	2021-12-13 12:37:55 +0100	[diff] [blame]	1935	mbedtls_platform_zeroize( sig_try, ctx->len );
				1936	mbedtls_platform_zeroize( verif, ctx->len );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1937	mbedtls_free( sig_try );
				1938	mbedtls_free( verif );
				1939
Gilles Peskine	14d5fef	2021-12-13 12:37:55 +0100	[diff] [blame]	1940	if( ret != 0 )
				1941	memset( sig, '!', ctx->len );
Manuel Pégourié-Gonnard	5f50104	2015-09-03 20:03:15 +0200	[diff] [blame]	1942	return( ret );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1943	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1944	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1945
				1946	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1947	* Do an RSA operation to sign the message digest
				1948	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1949	int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	1950	int (f_rng)(void , unsigned char *, size_t),
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1951	void *p_rng,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1952	mbedtls_md_type_t md_alg,
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1953	unsigned int hashlen,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	1954	const unsigned char *hash,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1955	unsigned char *sig )
				1956	{
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	1957	if( ( md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0 ) && hash == NULL )
				1958	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	1959
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1960	switch( ctx->padding )
				1961	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1962	#if defined(MBEDTLS_PKCS1_V15)
				1963	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	5265498	2021-05-18 16:54:00 +0100	[diff] [blame]	1964	return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng,
Thomas Daubney	140184d	2021-05-18 16:04:07 +0100	[diff] [blame]	1965	md_alg, hashlen, hash, sig );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	1966	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1967
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1968	#if defined(MBEDTLS_PKCS1_V21)
				1969	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	de9fdc4	2021-05-18 17:10:04 +0100	[diff] [blame]	1970	return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg,
				1971	hashlen, hash, sig );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	1972	#endif
				1973
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1974	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1975	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1976	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1977	}
				1978
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1979	#if defined(MBEDTLS_PKCS1_V21)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1980	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1981	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1982	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1983	int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1984	mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	1985	unsigned int hashlen,
				1986	const unsigned char *hash,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	1987	mbedtls_md_type_t mgf1_hash_id,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	1988	int expected_salt_len,
				1989	const unsigned char *sig )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1990	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	1991	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1992	size_t siglen;
				1993	unsigned char *p;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	1994	unsigned char *hash_start;
Przemek Stekiel	40afdd2	2022-09-06 13:08:28 +0200	[diff] [blame]	1995	unsigned char result[MBEDTLS_HASH_MAX_SIZE];
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	1996	unsigned int hlen;
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	1997	size_t observed_salt_len, msb;
Leonid Rozenboim	a3008e7	2022-04-21 17:28:18 -0700	[diff] [blame]	1998	unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = {0};
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	1999
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	2000	if( ( md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0 ) && hash == NULL )
				2001	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2002
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2003	siglen = ctx->len;
				2004
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	2005	if( siglen < 16 \|\| siglen > sizeof( buf ) )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2006	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2007
Thomas Daubney	782a7f5	2021-05-19 12:27:35 +0100	[diff] [blame]	2008	ret = mbedtls_rsa_public( ctx, sig, buf );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2009
				2010	if( ret != 0 )
				2011	return( ret );
				2012
				2013	p = buf;
				2014
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2015	if( buf[siglen - 1] != 0xBC )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2016	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2017
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2018	if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2019	{
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2020	/* Gather length of hash to sign */
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	2021	size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg );
				2022	if( exp_hashlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2023	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2024
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	2025	if( hashlen != exp_hashlen )
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2026	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2027	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2028
Manuel Pégourié-Gonnard	faa3b4e	2022-07-15 13:18:15 +0200	[diff] [blame]	2029	hlen = mbedtls_hash_info_get_size( mgf1_hash_id );
				2030	if( hlen == 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2031	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2032
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2033	/*
				2034	* Note: EMSA-PSS verification is over the length of N - 1 bits
				2035	*/
Manuel Pégourié-Gonnard	c0696c2	2015-06-18 16:47:17 +0200	[diff] [blame]	2036	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2037
Gilles Peskine	b00b0da	2017-10-19 15:23:49 +0200	[diff] [blame]	2038	if( buf[0] >> ( 8 - siglen * 8 + msb ) )
				2039	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				2040
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2041	/* Compensate for boundary condition when applying mask */
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2042	if( msb % 8 == 0 )
				2043	{
				2044	p++;
				2045	siglen -= 1;
				2046	}
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2047
Gilles Peskine	139108a	2017-10-18 19:03:42 +0200	[diff] [blame]	2048	if( siglen < hlen + 2 )
				2049	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
				2050	hash_start = p + siglen - hlen - 1;
				2051
Manuel Pégourié-Gonnard	259c213	2022-07-15 12:09:08 +0200	[diff] [blame]	2052	ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id );
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2053	if( ret != 0 )
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	2054	return( ret );
Paul Bakker	02303e8	2013-01-03 11:08:31 +0100	[diff] [blame]	2055
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2056	buf[0] &= 0xFF >> ( siglen * 8 - msb );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2057
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2058	while( p < hash_start - 1 && *p == 0 )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2059	p++;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2060
Gilles Peskine	91048a3	2017-10-19 17:46:14 +0200	[diff] [blame]	2061	if( *p++ != 0x01 )
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	2062	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2063
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2064	observed_salt_len = hash_start - p;
Paul Bakker	9dcc322	2011-03-08 14:16:06 +0000	[diff] [blame]	2065
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2066	if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
Gilles Peskine	6a54b02	2017-10-17 19:02:13 +0200	[diff] [blame]	2067	observed_salt_len != (size_t) expected_salt_len )
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2068	{
Manuel Pégourié-Gonnard	f3a6755	2022-07-15 12:16:42 +0200	[diff] [blame]	2069	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2070	}
				2071
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2072	/*
				2073	* Generate H = Hash( M' )
				2074	*/
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	2075	ret = hash_mprime( hash, hashlen, p, observed_salt_len,
				2076	result, mgf1_hash_id );
				2077	if( ret != 0 )
				2078	return( ret );
Paul Bakker	53019ae	2011-03-25 13:58:48 +0000	[diff] [blame]	2079
Jaeden Amero	66954e1	2018-01-25 16:05:54 +0000	[diff] [blame]	2080	if( memcmp( hash_start, result, hlen ) != 0 )
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	2081	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2082
Manuel Pégourié-Gonnard	f701acc	2022-07-15 12:49:14 +0200	[diff] [blame]	2083	return( 0 );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2084	}
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2085
				2086	/*
				2087	* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
				2088	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2089	int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2090	mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2091	unsigned int hashlen,
				2092	const unsigned char *hash,
				2093	const unsigned char *sig )
				2094	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2095	mbedtls_md_type_t mgf1_hash_id;
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	2096	if( ( md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0 ) && hash == NULL )
				2097	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2098
				2099	mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2100	? (mbedtls_md_type_t) ctx->hash_id
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2101	: md_alg;
				2102
Thomas Daubney	9e65f79	2021-05-19 12:18:58 +0100	[diff] [blame]	2103	return( mbedtls_rsa_rsassa_pss_verify_ext( ctx,
Thomas Daubney	5ee4cc0	2021-05-19 12:07:42 +0100	[diff] [blame]	2104	md_alg, hashlen, hash,
				2105	mgf1_hash_id,
				2106	MBEDTLS_RSA_SALT_LEN_ANY,
				2107	sig ) );
Manuel Pégourié-Gonnard	5ec628a	2014-06-03 11:44:06 +0200	[diff] [blame]	2108
				2109	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2110	#endif /* MBEDTLS_PKCS1_V21 */
Paul Bakker	40628ba	2013-01-03 10:50:31 +0100	[diff] [blame]	2111
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2112	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2113	/*
				2114	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
				2115	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2116	int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2117	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2118	unsigned int hashlen,
				2119	const unsigned char *hash,
Manuel Pégourié-Gonnard	cc0a9d0	2013-08-12 11:34:35 +0200	[diff] [blame]	2120	const unsigned char *sig )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2121	{
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2122	int ret = 0;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2123	size_t sig_len;
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2124	unsigned char encoded = NULL, encoded_expected = NULL;
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2125
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	2126	if( ( md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0 ) && hash == NULL )
				2127	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2128
				2129	sig_len = ctx->len;
				2130
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2131	/*
				2132	* Prepare expected PKCS1 v1.5 encoding of hash.
				2133	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2134
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2135	if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL \|\|
				2136	( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
				2137	{
				2138	ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
				2139	goto cleanup;
				2140	}
				2141
				2142	if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
				2143	encoded_expected ) ) != 0 )
				2144	goto cleanup;
				2145
				2146	/*
				2147	* Apply RSA primitive to get what should be PKCS1 encoded hash.
				2148	*/
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2149
Thomas Daubney	41e4ce4	2021-05-19 15:10:05 +0100	[diff] [blame]	2150	ret = mbedtls_rsa_public( ctx, sig, encoded );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2151	if( ret != 0 )
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2152	goto cleanup;
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2153
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2154	/*
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2155	* Compare
Simon Butcher	0203745	2016-03-01 21:19:12 +0000	[diff] [blame]	2156	*/
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2157
Gabor Mezei	90437e3	2021-10-20 11:59:27 +0200	[diff] [blame]	2158	if( ( ret = mbedtls_ct_memcmp( encoded, encoded_expected,
gabor-mezei-arm	4602564	2021-07-19 15:19:19 +0200	[diff] [blame]	2159	sig_len ) ) != 0 )
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2160	{
				2161	ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
				2162	goto cleanup;
				2163	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2164
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2165	cleanup:
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2166
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2167	if( encoded != NULL )
				2168	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	2169	mbedtls_platform_zeroize( encoded, sig_len );
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2170	mbedtls_free( encoded );
				2171	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2172
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2173	if( encoded_expected != NULL )
				2174	{
Andres Amaya Garcia	1f6301b	2018-04-17 09:51:09 -0500	[diff] [blame]	2175	mbedtls_platform_zeroize( encoded_expected, sig_len );
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2176	mbedtls_free( encoded_expected );
				2177	}
Paul Bakker	c70b982	2013-04-07 22:00:46 +0200	[diff] [blame]	2178
Hanno Becker	64a8c0a	2017-09-06 12:39:49 +0100	[diff] [blame]	2179	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2180	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2181	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2182
				2183	/*
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2184	* Do an RSA operation and check the message digest
				2185	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2186	int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2187	mbedtls_md_type_t md_alg,
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2188	unsigned int hashlen,
				2189	const unsigned char *hash,
Manuel Pégourié-Gonnard	cc0a9d0	2013-08-12 11:34:35 +0200	[diff] [blame]	2190	const unsigned char *sig )
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2191	{
Tuvshinzaya Erdenekhuu	6a473b2	2022-08-05 15:49:56 +0100	[diff] [blame]	2192	if( ( md_alg != MBEDTLS_MD_NONE \|\| hashlen != 0 ) && hash == NULL )
				2193	return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2194
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2195	switch( ctx->padding )
				2196	{
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2197	#if defined(MBEDTLS_PKCS1_V15)
				2198	case MBEDTLS_RSA_PKCS_V15:
Thomas Daubney	2e12625	2021-05-19 11:48:53 +0100	[diff] [blame]	2199	return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, md_alg,
				2200	hashlen, hash, sig );
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2201	#endif
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2202
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2203	#if defined(MBEDTLS_PKCS1_V21)
				2204	case MBEDTLS_RSA_PKCS_V21:
Thomas Daubney	5ee4cc0	2021-05-19 12:07:42 +0100	[diff] [blame]	2205	return mbedtls_rsa_rsassa_pss_verify( ctx, md_alg,
				2206	hashlen, hash, sig );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2207	#endif
				2208
				2209	default:
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2210	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
Paul Bakker	b386913	2013-02-28 17:21:01 +0100	[diff] [blame]	2211	}
				2212	}
				2213
				2214	/*
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2215	* Copy the components of an RSA key
				2216	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2217	int mbedtls_rsa_copy( mbedtls_rsa_context dst, const mbedtls_rsa_context src )
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2218	{
Janos Follath	24eed8d	2019-11-22 13:21:35 +0000	[diff] [blame]	2219	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2220
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2221	dst->len = src->len;
				2222
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2223	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
				2224	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2225
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2226	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
				2227	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
				2228	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2229
				2230	#if !defined(MBEDTLS_RSA_NO_CRT)
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2231	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
				2232	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
				2233	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2234	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
				2235	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2236	#endif
				2237
				2238	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2239
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2240	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
				2241	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
Manuel Pégourié-Gonnard	ea53a55	2013-09-10 13:29:30 +0200	[diff] [blame]	2242
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2243	dst->padding = src->padding;
Manuel Pégourié-Gonnard	fdddac9	2014-03-25 15:58:35 +0100	[diff] [blame]	2244	dst->hash_id = src->hash_id;
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2245
				2246	cleanup:
				2247	if( ret != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2248	mbedtls_rsa_free( dst );
Manuel Pégourié-Gonnard	3053f5b	2013-08-14 13:39:57 +0200	[diff] [blame]	2249
				2250	return( ret );
				2251	}
				2252
				2253	/*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2254	* Free the components of an RSA key
				2255	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2256	void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2257	{
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2258	if( ctx == NULL )
				2259	return;
				2260
				2261	mbedtls_mpi_free( &ctx->Vi );
				2262	mbedtls_mpi_free( &ctx->Vf );
				2263	mbedtls_mpi_free( &ctx->RN );
				2264	mbedtls_mpi_free( &ctx->D );
				2265	mbedtls_mpi_free( &ctx->Q );
				2266	mbedtls_mpi_free( &ctx->P );
				2267	mbedtls_mpi_free( &ctx->E );
				2268	mbedtls_mpi_free( &ctx->N );
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2269
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2270	#if !defined(MBEDTLS_RSA_NO_CRT)
Andrzej Kurek	c470b6b	2019-01-31 08:20:20 -0500	[diff] [blame]	2271	mbedtls_mpi_free( &ctx->RQ );
				2272	mbedtls_mpi_free( &ctx->RP );
				2273	mbedtls_mpi_free( &ctx->QP );
				2274	mbedtls_mpi_free( &ctx->DQ );
Hanno Becker	33c30a0	2017-08-23 07:00:22 +0100	[diff] [blame]	2275	mbedtls_mpi_free( &ctx->DP );
				2276	#endif /* MBEDTLS_RSA_NO_CRT */
				2277
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2278	#if defined(MBEDTLS_THREADING_C)
Gilles Peskine	eb94059	2021-02-01 17:57:41 +0100	[diff] [blame]	2279	/* Free the mutex, but only if it hasn't been freed already. */
				2280	if( ctx->ver != 0 )
				2281	{
				2282	mbedtls_mutex_free( &ctx->mutex );
				2283	ctx->ver = 0;
				2284	}
Paul Bakker	c9965dc	2013-09-29 14:58:17 +0200	[diff] [blame]	2285	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2286	}
				2287
Hanno Becker	ab37731	2017-08-23 16:24:51 +0100	[diff] [blame]	2288	#endif /* !MBEDTLS_RSA_ALT */
				2289
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2290	#if defined(MBEDTLS_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2291
Manuel Pégourié-Gonnard	7f80997	2015-03-09 17:05:11 +0000	[diff] [blame]	2292	#include "mbedtls/sha1.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2293
				2294	/*
				2295	* Example RSA-1024 keypair, for test purposes
				2296	*/
				2297	#define KEY_LEN 128
				2298
				2299	#define RSA_N "9292758453063D803DD603D5E777D788" \
				2300	"8ED1D5BF35786190FA2F23EBC0848AEA" \
				2301	"DDA92CA6C3D80B32C4D109BE0F36D6AE" \
				2302	"7130B9CED7ACDF54CFC7555AC14EEBAB" \
				2303	"93A89813FBF3C4F8066D2D800F7C38A8" \
				2304	"1AE31942917403FF4946B0A83D3D3E05" \
				2305	"EE57C6F5F5606FB5D4BC6CD34EE0801A" \
				2306	"5E94BB77B07507233A0BC7BAC8F90F79"
				2307
				2308	#define RSA_E "10001"
				2309
				2310	#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
				2311	"66CA472BC44D253102F8B4A9D3BFA750" \
				2312	"91386C0077937FE33FA3252D28855837" \
				2313	"AE1B484A8A9A45F7EE8C0C634F99E8CD" \
				2314	"DF79C5CE07EE72C7F123142198164234" \
				2315	"CABB724CF78B8173B9F880FC86322407" \
				2316	"AF1FEDFDDE2BEB674CA15F3E81A1521E" \
				2317	"071513A1E85B5DFA031F21ECAE91A34D"
				2318
				2319	#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
				2320	"2C01CAD19EA484A87EA4377637E75500" \
				2321	"FCB2005C5C7DD6EC4AC023CDA285D796" \
				2322	"C3D9E75E1EFC42488BB4F1D13AC30A57"
				2323
				2324	#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
				2325	"E211C2B9E5DB1ED0BF61D0D9899620F4" \
				2326	"910E4168387E3C30AA1E00C339A79508" \
				2327	"8452DD96A9A5EA5D9DCA68DA636032AF"
				2328
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2329	#define PT_LEN 24
				2330	#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
				2331	"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
				2332
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2333	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2334	static int myrand( void rng_state, unsigned char output, size_t len )
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2335	{
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2336	#if !defined(__OpenBSD__) && !defined(__NetBSD__)
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2337	size_t i;
				2338
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2339	if( rng_state != NULL )
				2340	rng_state = NULL;
				2341
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2342	for( i = 0; i < len; ++i )
				2343	output[i] = rand();
Paul Bakker	f96f7b6	2014-04-30 16:02:38 +0200	[diff] [blame]	2344	#else
				2345	if( rng_state != NULL )
				2346	rng_state = NULL;
				2347
				2348	arc4random_buf( output, len );
gufe44	c2620da	2020-08-03 17:56:50 +0200	[diff] [blame]	2349	#endif /* !OpenBSD && !NetBSD */
Paul Bakker	48377d9	2013-08-30 12:06:24 +0200	[diff] [blame]	2350
Paul Bakker	a3d195c	2011-11-27 21:07:34 +0000	[diff] [blame]	2351	return( 0 );
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2352	}
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2353	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	545570e	2010-07-18 09:00:25 +0000	[diff] [blame]	2354
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2355	/*
				2356	* Checkup routine
				2357	*/
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2358	int mbedtls_rsa_self_test( int verbose )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2359	{
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2360	int ret = 0;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2361	#if defined(MBEDTLS_PKCS1_V15)
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	2362	size_t len;
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2363	mbedtls_rsa_context rsa;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2364	unsigned char rsa_plaintext[PT_LEN];
				2365	unsigned char rsa_decrypted[PT_LEN];
				2366	unsigned char rsa_ciphertext[KEY_LEN];
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2367	#if defined(MBEDTLS_SHA1_C)
Paul Bakker	5690efc	2011-05-26 13:16:06 +0000	[diff] [blame]	2368	unsigned char sha1sum[20];
				2369	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2370
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2371	mbedtls_mpi K;
				2372
				2373	mbedtls_mpi_init( &K );
Ronald Cron	c1905a1	2021-06-05 11:11:14 +0200	[diff] [blame]	2374	mbedtls_rsa_init( &rsa );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2375
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2376	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
				2377	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
				2378	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
				2379	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
				2380	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
				2381	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
				2382	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
				2383	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
				2384	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
				2385	MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
				2386
Hanno Becker	7f25f85	2017-10-10 16:56:22 +0100	[diff] [blame]	2387	MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2388
				2389	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2390	mbedtls_printf( " RSA key validation: " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2391
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2392	if( mbedtls_rsa_check_pubkey( &rsa ) != 0 \|\|
				2393	mbedtls_rsa_check_privkey( &rsa ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2394	{
				2395	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2396	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2397
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2398	ret = 1;
				2399	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2400	}
				2401
				2402	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2403	mbedtls_printf( "passed\n PKCS#1 encryption : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2404
				2405	memcpy( rsa_plaintext, RSA_PT, PT_LEN );
				2406
Thomas Daubney	2177277	2021-05-13 17:30:32 +0100	[diff] [blame]	2407	if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2408	PT_LEN, rsa_plaintext,
				2409	rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2410	{
				2411	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2412	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2413
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2414	ret = 1;
				2415	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2416	}
				2417
				2418	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2419	mbedtls_printf( "passed\n PKCS#1 decryption : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2420
Thomas Daubney	c7feaf3	2021-05-07 14:02:43 +0100	[diff] [blame]	2421	if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2422	&len, rsa_ciphertext, rsa_decrypted,
				2423	sizeof(rsa_decrypted) ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2424	{
				2425	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2426	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2427
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2428	ret = 1;
				2429	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2430	}
				2431
				2432	if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
				2433	{
				2434	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2435	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2436
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2437	ret = 1;
				2438	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2439	}
				2440
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2441	if( verbose != 0 )
				2442	mbedtls_printf( "passed\n" );
				2443
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2444	#if defined(MBEDTLS_SHA1_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2445	if( verbose != 0 )
Brian Murray	930a370	2016-05-18 14:38:02 -0700	[diff] [blame]	2446	mbedtls_printf( " PKCS#1 data sign : " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2447
TRodziewicz	26371e4	2021-06-08 16:45:41 +0200	[diff] [blame]	2448	if( mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
Andres Amaya Garcia	698089e	2017-06-28 11:46:46 +0100	[diff] [blame]	2449	{
				2450	if( verbose != 0 )
				2451	mbedtls_printf( "failed\n" );
				2452
				2453	return( 1 );
				2454	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2455
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2456	if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2457	MBEDTLS_MD_SHA1, 20,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2458	sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2459	{
				2460	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2461	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2462
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2463	ret = 1;
				2464	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2465	}
				2466
				2467	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2468	mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2469
Gilles Peskine	6e3187b	2021-06-22 18:39:53 +0200	[diff] [blame]	2470	if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 20,
Hanno Becker	98838b0	2017-10-02 13:16:10 +0100	[diff] [blame]	2471	sha1sum, rsa_ciphertext ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2472	{
				2473	if( verbose != 0 )
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2474	mbedtls_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2475
Hanno Becker	5bc8729	2017-05-03 15:09:31 +0100	[diff] [blame]	2476	ret = 1;
				2477	goto cleanup;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2478	}
				2479
				2480	if( verbose != 0 )
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2481	mbedtls_printf( "passed\n" );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2482	#endif /* MBEDTLS_SHA1_C */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2483
Manuel Pégourié-Gonnard	d1004f0	2015-08-07 10:46:54 +0200	[diff] [blame]	2484	if( verbose != 0 )
				2485	mbedtls_printf( "\n" );
				2486
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2487	cleanup:
Hanno Becker	3a70116	2017-08-22 13:52:43 +0100	[diff] [blame]	2488	mbedtls_mpi_free( &K );
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2489	mbedtls_rsa_free( &rsa );
				2490	#else /* MBEDTLS_PKCS1_V15 */
Paul Bakker	3e41fe8	2013-09-15 17:42:50 +0200	[diff] [blame]	2491	((void) verbose);
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2492	#endif /* MBEDTLS_PKCS1_V15 */
Paul Bakker	3d8fb63	2014-04-17 12:42:41 +0200	[diff] [blame]	2493	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2494	}
				2495
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2496	#endif /* MBEDTLS_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	2497
Manuel Pégourié-Gonnard	2cf5a7c	2015-04-08 12:49:31 +0200	[diff] [blame]	2498	#endif /* MBEDTLS_RSA_C */