Blame - library/rsa.c - mirror/mbed-tls - TrustedFirmware Git Browser

2009-01-03 21:22:43 +0000

[diff] [blame]

1

/*

2

* The RSA public-key cryptosystem

3

*

Manuel Pégourié-Gonnard

6fb8187

2015-07-27 11:11:48 +0200

[diff] [blame]

4

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

b96f154

2010-07-18 20:36:00 +0000

[diff] [blame]

18

*

Manuel Pégourié-Gonnard

fe44643

2015-03-06 13:17:10 +0000

[diff] [blame]

19

* This file is part of mbed TLS (https://tls.mbed.org)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

20

*/

21

/*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

22

* The following sources were referenced in the design of this implementation

23

* of the RSA algorithm:

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

24

*

Simon Butcher

bdae02c

2016-01-20 00:44:42 +0000

[diff] [blame]

25

* [1] A method for obtaining digital signatures and public-key cryptosystems

26

* R Rivest, A Shamir, and L Adleman

27

* http://people.csail.mit.edu/rivest/pubs.html#RSA78

28

*

29

* [2] Handbook of Applied Cryptography - 1997, Chapter 8

30

* Menezes, van Oorschot and Vanstone

31

*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

32

* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks

33

* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and

34

* Stefan Mangard

35

* https://arxiv.org/abs/1702.08719v2

36

*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

37

*/

38

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

39

#if !defined(MBEDTLS_CONFIG_FILE)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

40

#include "mbedtls/config.h"

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

41

#else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

42

#include MBEDTLS_CONFIG_FILE

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

43

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

44

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

45

#if defined(MBEDTLS_RSA_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

46

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

47

#include "mbedtls/rsa.h"

48

#include "mbedtls/oid.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

49

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

50

#include <string.h>

51

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

52

#if defined(MBEDTLS_PKCS1_V21)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

53

#include "mbedtls/md.h"

Paul Bakker

bb51f0c

2012-08-23 07:46:58 +0000

[diff] [blame]

54

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

55

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

56

#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

57

#include <stdlib.h>

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

58

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

59

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

60

#if defined(MBEDTLS_PLATFORM_C)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

61

#include "mbedtls/platform.h"

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

62

#else

Rich Evans

00ab470

2015-02-06 13:43:58 +0000

[diff] [blame]

63

#include <stdio.h>

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

64

#define mbedtls_printf printf

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

65

#define mbedtls_calloc calloc

66

#define mbedtls_free free

Paul Bakker

7dc4c44

2014-02-01 22:50:26 +0100

[diff] [blame]

67

#endif

68

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

69

/* Implementation that should never be optimized out by the compiler */

70

static void mbedtls_zeroize( void *v, size_t n ) {

71

volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;

72

}

73

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

74

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

75

* Context-independent RSA helper functions.

76

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame^]

77

* There are two classes of helper functions:

78

* (1) Parameter-generating helpers. These are:

79

* - mbedtls_rsa_deduce_moduli

80

* - mbedtls_rsa_deduce_private

81

* - mbedtls_rsa_deduce_crt

82

* Each of these functions takes a set of core RSA parameters

83

* and generates some other, or CRT related parameters.

84

* (2) Parameter-checking helpers. These are:

85

* - mbedtls_rsa_validate_params

86

* - mbedtls_rsa_validate_crt

87

* They take a set of core or CRT related RSA parameters

88

* and check their validity.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

89

*

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame^]

90

* The helper functions do not use the RSA context structure

91

* and therefore do not need to be replaced when providing

92

* an alternative RSA implementation.

93

*

94

* Their main purpose is to provide common MPI operations in the context

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

95

* of RSA that can be easily shared across multiple implementations.

96

*/

97

98

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

99

*

100

* Given the modulus N=PQ and a pair of public and private

101

* exponents E and D, respectively, factor N.

102

*

103

* Setting F := lcm(P-1,Q-1), the idea is as follows:

104

*

105

* (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)

106

* is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the

107

* square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four

108

* possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)

109

* or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime

110

* factors of N.

111

*

112

* (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same

113

* construction still applies since (-)^K is the identity on the set of

114

* roots of 1 in Z/NZ.

115

*

116

* The public and private key primitives (-)^E and (-)^D are mutually inverse

117

* bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.

118

* if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.

119

* Splitting L = 2^t * K with K odd, we have

120

*

121

* DE - 1 = FL = (F/2) * (2^(t+1)) * K,

122

*

123

* so (F / 2) * K is among the numbers

124

*

125

* (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord

126

*

127

* where ord is the order of 2 in (DE - 1).

128

* We can therefore iterate through these numbers apply the construction

129

* of (a) and (b) above to attempt to factor N.

130

*

131

*/

132

int mbedtls_rsa_deduce_moduli( mbedtls_mpi *N, mbedtls_mpi *D, mbedtls_mpi *E,

133

int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,

134

mbedtls_mpi *P, mbedtls_mpi *Q )

135

{

136

/* Implementation note:

137

*

138

* Space-efficiency is given preference over time-efficiency here:

139

* several calculations are done in place and temporarily change

140

* the values of D and E.

141

*

142

* Specifically, D is replaced the largest odd divisor of DE - 1

143

* throughout the calculations.

*/

int ret = 0;

uint16_t attempt; /* Number of current attempt */

149

uint16_t iter; /* Number of squares computed in the current attempt */

150

151

uint16_t bitlen_half; /* Half the bitsize of the modulus N */

152

uint16_t order; /* Order of 2 in DE - 1 */

153

154

mbedtls_mpi K; /* Temporary used for two purposes:

155

* - During factorization attempts, stores a andom integer

156

* in the range of [0,..,N]

157

* - During verification, holding intermediate results.

158

*/

159

160

if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )

161

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

162

163

if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||

164

mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

165

mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||

166

mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||

167

mbedtls_mpi_cmp_mpi( E, N ) >= 0 )

168

{

169

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

}

/*

* Initializations and temporary changes

174

*/

175

176

mbedtls_mpi_init( &K );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

177

178

/* Replace D by DE - 1 */

179

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( D, D, E ) );

180

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( D, D, 1 ) );

181

182

if( ( order = mbedtls_mpi_lsb( D ) ) == 0 )

183

{

184

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

goto cleanup;

}

/* After this operation, D holds the largest odd divisor

189

* of DE - 1 for the original values of D and E. */

190

MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( D, order ) );

191

192

/* This is used to generate a few numbers around N / 2

193

* if no PRNG is provided. */

194

if( f_rng == NULL )

195

bitlen_half = mbedtls_mpi_bitlen( N ) / 2;

/*

* Actual work

*/

for( attempt = 0; attempt < 30; ++attempt )

202

{

203

/* Generate some number in [0,N], either randomly

204

* if a PRNG is given, or try numbers around N/2 */

205

if( f_rng != NULL )

206

{

207

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &K,

208

mbedtls_mpi_size( N ),

f_rng, p_rng ) );

}

else

{

MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &K, 1 ) ) ;

214

MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &K, bitlen_half ) ) ;

215

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, attempt + 1 ) );

216

}

217

218

/* Check if gcd(K,N) = 1 */

219

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

220

if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )

221

continue;

222

223

/* Go through K^X + 1, K^(2X) + 1, K^(4X) + 1, ...

224

* and check whether they have nontrivial GCD with N. */

225

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, D, N,

226

Q /* temporarily use Q for storing Montgomery

227

* multiplication helper values */ ) );

228

229

for( iter = 1; iter < order; ++iter )

230

{

231

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );

232

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );

233

234

if( mbedtls_mpi_cmp_int( P, 1 ) == 1 &&

235

mbedtls_mpi_cmp_mpi( P, N ) == -1 )

236

{

237

/*

238

* Have found a nontrivial divisor P of N.

Hanno Becker

d56d83a

2017-08-25 07:29:35 +0100

[diff] [blame]

239

* Set Q := N / P.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

240

*/

241

242

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, &K, N, P ) );

243

Hanno Becker

d56d83a

2017-08-25 07:29:35 +0100

[diff] [blame]

244

/* Restore D */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

245

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

246

MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( D, order ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

247

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( D, D, 1 ) );

248

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( D, NULL, D, E ) );

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

254

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );

255

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );

}

}

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

cleanup:

mbedtls_mpi_free( &K );

return( ret );

}

/*

* Given P, Q and the public exponent E, deduce D.

269

* This is essentially a modular inversion.

270

*/

271

272

int mbedtls_rsa_deduce_private( mbedtls_mpi *P, mbedtls_mpi *Q,

273

mbedtls_mpi *D, mbedtls_mpi *E )

{

int ret = 0;

mbedtls_mpi K;

if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )

279

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

280

281

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

282

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||

283

mbedtls_mpi_cmp_int( E, 0 ) == 0 )

284

{

285

return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );

286

}

287

288

mbedtls_mpi_init( &K );

289

290

/* Temporarily replace P and Q by P-1 and Q-1, respectively. */

291

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( P, P, 1 ) );

292

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( Q, Q, 1 ) );

293

294

/* Temporarily compute the gcd(P-1, Q-1) in D. */

295

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, P, Q ) );

296

297

/* Compute LCM(P-1, Q-1) in K */

298

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );

299

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );

300

301

/* Compute modular inverse of E in LCM(P-1, Q-1) */

302

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );

303

304

/* Restore P and Q. */

305

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( P, P, 1 ) );

306

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( Q, Q, 1 ) );

307

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

308

cleanup:

309

310

mbedtls_mpi_free( &K );

return( ret );

}

/*

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

316

* Check that RSA CRT parameters are in accordance with core parameters.

317

*/

318

319

int mbedtls_rsa_validate_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

320

const mbedtls_mpi *D, const mbedtls_mpi *DP,

321

const mbedtls_mpi *DQ, const mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K, L;

mbedtls_mpi_init( &K );

327

mbedtls_mpi_init( &L );

328

329

/* Check that DP - P == 0 mod P - 1 */

if( DP != NULL )

{

if( P == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

339

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );

340

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

341

342

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

343

{

344

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

}

}

/* Check that DQ - Q == 0 mod Q - 1 */

if( DQ != NULL )

{

if( Q == NULL )

{

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

358

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );

359

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );

360

361

if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )

362

{

363

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

}

}

/* Check that QP * P - 1 == 0 mod P */

368

if( QP != NULL )

369

{

370

if( P == NULL || Q == NULL )

371

{

372

ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;

goto cleanup;

}

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );

377

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

378

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );

379

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

380

{

381

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

}

}

cleanup:

/* Wrap MPI error codes by RSA check failure error code */

388

if( ret != 0 &&

389

ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&

390

ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )

391

{

392

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

393

}

394

395

mbedtls_mpi_free( &K );

396

mbedtls_mpi_free( &L );

return( ret );

}

/*

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

402

* Check that core RSA parameters are sane.

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

403

*/

404

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

405

int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,

406

const mbedtls_mpi *Q, const mbedtls_mpi *D,

407

const mbedtls_mpi *E,

408

int (*f_rng)(void *, unsigned char *, size_t),

409

void *p_rng )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

410

{

411

int ret = 0;

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

412

mbedtls_mpi K, L;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

413

414

mbedtls_mpi_init( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

415

mbedtls_mpi_init( &L );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

416

417

/*

418

* Step 1: If PRNG provided, check that P and Q are prime

419

*/

420

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

421

#if defined(MBEDTLS_GENPRIME)

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

422

if( f_rng != NULL && P != NULL &&

423

( ret = mbedtls_mpi_is_prime( P, f_rng, p_rng ) ) != 0 )

424

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

425

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

if( f_rng != NULL && Q != NULL &&

430

( ret = mbedtls_mpi_is_prime( Q, f_rng, p_rng ) ) != 0 )

431

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

432

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

433

goto cleanup;

434

}

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

#else

((void) f_rng);

((void) p_rng);

#endif /* MBEDTLS_GENPRIME */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

439

440

/*

441

* Step 2: Check that N = PQ

442

*/

443

444

if( P != NULL && Q != NULL && N != NULL )

445

{

446

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

447

if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 ||

448

mbedtls_mpi_cmp_mpi( &K, N ) != 0 )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

449

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

450

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

}

/*

* Step 3: Check that D, E are inverse modulo P-1 and Q-1

457

*/

458

459

if( P != NULL && Q != NULL && D != NULL && E != NULL )

460

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

461

if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||

462

mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||

463

mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||

464

mbedtls_mpi_cmp_int( E, 1 ) <= 0 )

465

{

466

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

467

goto cleanup;

468

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

469

470

/* Compute DE-1 mod P-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

471

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

472

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

473

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );

474

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

475

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

476

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

477

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

goto cleanup;

}

/* Compute DE-1 mod Q-1 */

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

482

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );

483

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );

484

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );

485

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

486

if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )

487

{

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

488

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

489

goto cleanup;

490

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

}

cleanup:

mbedtls_mpi_free( &K );

Hanno Becker

2017-08-25 07:54:27 +0100

[diff] [blame]

496

mbedtls_mpi_free( &L );

497

498

/* Wrap MPI error codes by RSA check failure error code */

499

if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )

500

{

501

ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

502

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

return( ret );

}

int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,

508

const mbedtls_mpi *D, mbedtls_mpi *DP,

509

mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret = 0;

mbedtls_mpi K;

mbedtls_mpi_init( &K );

514

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame^]

515

/* DP = D mod P-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

516

if( DP != NULL )

517

{

518

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );

519

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );

520

}

521

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame^]

522

/* DQ = D mod Q-1 */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

523

if( DQ != NULL )

524

{

525

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );

526

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );

527

}

528

Hanno Becker

2017-08-25 08:03:13 +0100

[diff] [blame^]

529

/* QP = Q^{-1} mod P */

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

530

if( QP != NULL )

531

{

532

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );

}

cleanup:

mbedtls_mpi_free( &K );

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

541

542

/*

543

* Default RSA interface implementation

544

*/

545

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

546

#if !defined(MBEDTLS_RSA_ALT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

547

548

int mbedtls_rsa_import( mbedtls_rsa_context *ctx,

549

const mbedtls_mpi *N,

550

const mbedtls_mpi *P, const mbedtls_mpi *Q,

551

const mbedtls_mpi *D, const mbedtls_mpi *E )

{

int ret;

if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||

556

( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||

557

( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||

558

( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||

559

( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )

560

{

561

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

if( N != NULL )

ctx->len = mbedtls_mpi_size( &ctx->N );

return( 0 );

}

int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,

571

unsigned char *N, size_t N_len,

572

unsigned char *P, size_t P_len,

573

unsigned char *Q, size_t Q_len,

574

unsigned char *D, size_t D_len,

575

unsigned char *E, size_t E_len )

{

int ret;

if( N != NULL )

{

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );

582

ctx->len = mbedtls_mpi_size( &ctx->N );

}

if( P != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );

587

588

if( Q != NULL )

589

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );

590

591

if( D != NULL )

592

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );

593

594

if( E != NULL )

595

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );

cleanup:

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

return( 0 );

}

int mbedtls_rsa_complete( mbedtls_rsa_context *ctx,

606

int (*f_rng)(void *, unsigned char *, size_t),

607

void *p_rng )

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

{

int ret = 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

611

const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );

612

const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );

613

const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );

614

const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );

615

const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

616

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

617

/*

618

* Check whether provided parameters are enough

619

* to deduce all others. The following incomplete

620

* parameter sets for private keys are supported:

621

*

622

* (1) P, Q missing.

623

* (2) D and potentially N missing.

624

*

625

*/

626

const int complete = have_N && have_P && have_Q && have_D && have_E;

627

const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;

628

const int d_missing = have_P && have_Q && !have_D && have_E;

629

const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

630

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

631

const int is_priv = complete || pq_missing || d_missing;

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

632

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

633

if( !is_priv && !is_pub )

634

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

635

636

/*

637

* Step 1: Deduce and verify all core parameters.

*/

if( pq_missing )

{

/* This includes sanity checking of core parameters,

643

* so no further checks necessary. */

644

ret = mbedtls_rsa_deduce_moduli( &ctx->N, &ctx->D, &ctx->E,

f_rng, p_rng,

&ctx->P, &ctx->Q );

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

}

else if( d_missing )

{

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

653

#if defined(MBEDTLS_GENPRIME)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

654

/* If a PRNG is provided, check if P, Q are prime. */

655

if( f_rng != NULL &&

656

( ( ret = mbedtls_mpi_is_prime( &ctx->P, f_rng, p_rng ) ) != 0 ||

657

( ret = mbedtls_mpi_is_prime( &ctx->Q, f_rng, p_rng ) ) != 0 ) )

658

{

659

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

660

}

Hanno Becker

2017-08-24 06:55:11 +0100

[diff] [blame]

661

#endif /* MBEDTLS_GENPRIME */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

662

663

/* Compute N if missing. */

664

if( !have_N &&

665

( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) ) != 0 )

666

{

667

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

668

}

669

670

/* Deduce private exponent. This includes double-checking of the result,

671

* so together with the primality test above all core parameters are

672

* guaranteed to be sane if this call succeeds. */

673

if( ( ret = mbedtls_rsa_deduce_private( &ctx->P, &ctx->Q,

674

&ctx->D, &ctx->E ) ) != 0 )

675

{

676

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

677

}

678

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

679

680

/* In the remaining case of a public key, there's nothing to check for. */

681

682

/*

683

* Step 2: Deduce all additional parameters specific

684

* to our current RSA implementaiton.

685

*/

686

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

687

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

688

if( is_priv )

689

{

690

ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

691

&ctx->DP, &ctx->DQ, &ctx->QP );

692

if( ret != 0 )

693

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

694

}

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

695

#endif /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

696

697

/*

698

* Step 3: Double check

*/

if( is_priv )

{

if( ( ret = mbedtls_rsa_check_privkey( ctx ) ) != 0 )

return( ret );

}

else

{

if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )

return( ret );

}

return( 0 );

}

/*

* Check if CRT parameters match RSA context.

717

* This has to be implemented even if CRT is not used,

718

* in order to be able to validate DER encoded RSA keys,

719

* which always contain CRT parameters.

720

*/

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

721

int mbedtls_rsa_check_crt( const mbedtls_rsa_context *ctx,

722

mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

723

{

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

724

int ret = 0;

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

725

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

726

/* Check if key is private or public */

727

const int is_priv =

728

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

729

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

730

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

731

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

732

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

733

734

if( !is_priv )

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

735

{

736

/* Checking optional parameters only makes sense for private keys. */

737

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

738

}

739

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

740

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

741

if( ( DP != NULL && mbedtls_mpi_cmp_mpi( DP, &ctx->DP ) != 0 ) ||

742

( DQ != NULL && mbedtls_mpi_cmp_mpi( DQ, &ctx->DQ ) != 0 ) ||

743

( QP != NULL && mbedtls_mpi_cmp_mpi( QP, &ctx->QP ) != 0 ) )

744

{

745

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

746

}

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

747

#else /* MBEDTLS_RSA_NO_CRT */

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

748

if( ( ret = mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,

749

DP, DQ, QP ) ) != 0 )

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

750

{

Hanno Becker

2017-08-25 07:55:03 +0100

[diff] [blame]

751

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

752

}

Hanno Becker

2017-08-23 07:43:27 +0100

[diff] [blame]

#endif

if( ret != 0 )

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

return( 0 );

}

int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,

762

unsigned char *N, size_t N_len,

763

unsigned char *P, size_t P_len,

764

unsigned char *Q, size_t Q_len,

765

unsigned char *D, size_t D_len,

766

unsigned char *E, size_t E_len )

{

int ret = 0;

/* Check if key is private or public */

771

const int is_priv =

772

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

773

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

774

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

775

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

776

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

781

* something must be wrong. */

782

if( P != NULL || Q != NULL || D != NULL )

783

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

if( N != NULL )

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );

789

790

if( P != NULL )

791

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );

792

793

if( Q != NULL )

794

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );

795

796

if( D != NULL )

797

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );

798

799

if( E != NULL )

800

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

cleanup:

return( ret );

}

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

807

int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,

808

mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,

809

mbedtls_mpi *D, mbedtls_mpi *E )

{

int ret;

/* Check if key is private or public */

814

int is_priv =

815

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

816

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

817

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

818

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

819

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

if( !is_priv )

{

/* If we're trying to export private parameters for a public key,

824

* something must be wrong. */

825

if( P != NULL || Q != NULL || D != NULL )

826

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

}

/* Export all requested core parameters. */

831

832

if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||

833

( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||

834

( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||

835

( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||

836

( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )

{

return( ret );

}

return( 0 );

}

/*

* Export CRT parameters

846

* This must also be implemented if CRT is not used, for being able to

847

* write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt

848

* can be used in this case.

849

*/

850

int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,

851

mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )

{

int ret;

/* Check if key is private or public */

856

int is_priv =

857

mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&

858

mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&

859

mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&

860

mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&

861

mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;

862

863

if( !is_priv )

864

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

865

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

866

#if !defined(MBEDTLS_RSA_NO_CRT)

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

867

/* Export all requested blinding parameters. */

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

868

if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||

869

( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||

870

( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )

871

{

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

872

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

873

}

Hanno Becker

dc95c89

2017-08-23 06:57:02 +0100

[diff] [blame]

874

#else

875

if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

876

DP, DQ, QP ) ) != 0 )

877

{

878

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );

879

}

880

#endif

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

881

882

return( 0 );

883

}

Hanno Becker

2017-08-23 14:06:45 +0100

[diff] [blame]

884

885

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

886

* Initialize an RSA context

887

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

888

void mbedtls_rsa_init( mbedtls_rsa_context *ctx,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

889

int padding,

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

890

int hash_id )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

891

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

892

memset( ctx, 0, sizeof( mbedtls_rsa_context ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

893

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

894

mbedtls_rsa_set_padding( ctx, padding, hash_id );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

895

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

896

#if defined(MBEDTLS_THREADING_C)

897

mbedtls_mutex_init( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

898

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

899

}

900

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

901

/*

902

* Set padding for an existing RSA context

903

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

904

void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )

Manuel Pégourié-Gonnard

844a4c0

2014-03-10 21:55:35 +0100

[diff] [blame]

905

{

906

ctx->padding = padding;

907

ctx->hash_id = hash_id;

908

}

909

Hanno Becker

2017-08-23 14:11:24 +0100

[diff] [blame]

910

/*

911

* Get length in bytes of RSA modulus

912

*/

913

914

size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )

915

{

916

return( mbedtls_mpi_size( &ctx->N ) );

917

}

918

919

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

920

#if defined(MBEDTLS_GENPRIME)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

921

922

/*

923

* Generate an RSA keypair

924

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

925

int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

926

int (*f_rng)(void *, unsigned char *, size_t),

927

void *p_rng,

928

unsigned int nbits, int exponent )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

929

{

930

int ret;

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

931

mbedtls_mpi H, G;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

932

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

933

if( f_rng == NULL || nbits < 128 || exponent < 3 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

934

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

935

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

936

if( nbits % 2 )

937

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

938

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

939

mbedtls_mpi_init( &H );

940

mbedtls_mpi_init( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

941

942

/*

943

* find primes P and Q with Q < P so that:

944

* GCD( E, (P-1)*(Q-1) ) == 1

945

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

946

MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

947

948

do

949

{

Janos Follath

10c575b

2016-02-23 14:42:48 +0000

[diff] [blame]

950

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

951

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

952

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

953

MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

954

f_rng, p_rng ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

955

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

956

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

957

continue;

958

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

959

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

960

if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

961

continue;

962

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

963

if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

964

mbedtls_mpi_swap( &ctx->P, &ctx->Q );

Janos Follath

2016-09-21 13:18:12 +0100

[diff] [blame]

965

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

966

/* Temporarily replace P,Q by P-1, Q-1 */

967

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );

968

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );

969

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

970

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

971

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

972

while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

973

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

974

/* Restore P,Q */

975

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );

976

MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );

977

978

ctx->len = mbedtls_mpi_size( &ctx->N );

979

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

980

/*

981

* D = E^-1 mod ((P-1)*(Q-1))

* DP = D mod (P - 1)

* DQ = D mod (Q - 1)

* QP = Q^-1 mod P

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

986

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

987

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H ) );

988

989

#if !defined(MBEDTLS_RSA_NO_CRT)

990

MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,

991

&ctx->DP, &ctx->DQ, &ctx->QP ) );

992

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

993

Hanno Becker

83aad1f

2017-08-23 06:45:10 +0100

[diff] [blame]

994

/* Double-check */

995

MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );

996

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

997

cleanup:

998

Hanno Becker

2017-08-23 06:59:15 +0100

[diff] [blame]

999

mbedtls_mpi_free( &H );

1000

mbedtls_mpi_free( &G );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1001

1002

if( ret != 0 )

1003

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1004

mbedtls_rsa_free( ctx );

1005

return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1006

}

1007

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1008

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1009

}

1010

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1011

#endif /* MBEDTLS_GENPRIME */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1012

1013

/*

1014

* Check a public RSA key

1015

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1016

int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1017

{

Paul Bakker

2009-07-10 22:38:58 +0000

[diff] [blame]

1018

if( !ctx->N.p || !ctx->E.p )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1019

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-07-10 22:38:58 +0000

[diff] [blame]

1020

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1021

if( ( ctx->N.p[0] & 1 ) == 0 ||

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1022

( ctx->E.p[0] & 1 ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1023

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1024

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1025

if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||

1026

mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1027

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1028

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1029

if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1030

mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )

1031

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

/*

* Check a private RSA key

1038

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1039

int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1040

{

1041

int ret;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1042

mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1043

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1044

if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1045

return( ret );

1046

Paul Bakker

2009-07-10 22:38:58 +0000

[diff] [blame]

1047

if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1048

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Paul Bakker

2009-07-10 22:38:58 +0000

[diff] [blame]

1049

Hanno Becker

2017-08-23 06:59:48 +0100

[diff] [blame]

1050

mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 );

1051

mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I );

1052

mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 ); mbedtls_mpi_init( &L1 );

1053

mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1054

mbedtls_mpi_init( &QP );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1055

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1056

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );

1057

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );

1058

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );

1059

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );

1060

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );

1061

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1062

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1063

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );

1064

MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );

1065

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );

Paul Bakker

b572adf

2010-07-18 08:29:32 +0000

[diff] [blame]

1066

Hanno Becker

2017-08-23 06:59:48 +0100

[diff] [blame]

1067

#if !defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1068

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );

1069

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );

1070

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );

Hanno Becker

2017-08-23 06:59:48 +0100

[diff] [blame]

1071

#endif

1072

Paul Bakker

b572adf

2010-07-18 08:29:32 +0000

[diff] [blame]

1073

/*

1074

* Check for a valid PKCS1v2 private key

1075

*/

Hanno Becker

2017-08-23 06:59:48 +0100

[diff] [blame]

1076

if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||

1077

#if !defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1078

mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||

1079

mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||

1080

mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||

Hanno Becker

2017-08-23 06:59:48 +0100

[diff] [blame]

1081

#endif

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1082

mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||

Hanno Becker

2017-08-23 06:59:48 +0100

[diff] [blame]

1083

mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1084

mbedtls_mpi_cmp_int( &G, 1 ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1085

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1086

ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1087

}

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1088

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1089

cleanup:

Hanno Becker

2017-08-23 06:59:48 +0100

[diff] [blame]

1090

mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 );

1091

mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I );

1092

mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 ); mbedtls_mpi_free( &L1 );

1093

mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1094

mbedtls_mpi_free( &QP );

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

1095

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1096

if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )

Paul Bakker

9d78140

2011-05-09 16:17:09 +0000

[diff] [blame]

1097

return( ret );

1098

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

1099

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1100

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );

Paul Bakker

6c591fa

2011-05-05 11:49:20 +0000

[diff] [blame]

1101

1102

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1103

}

1104

1105

/*

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1106

* Check if contexts holding a public and private key match

1107

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1108

int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1109

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1110

if( mbedtls_rsa_check_pubkey( pub ) != 0 ||

1111

mbedtls_rsa_check_privkey( prv ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1112

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1113

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1114

}

1115

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1116

if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||

1117

mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

1118

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1119

return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );

Manuel Pégourié-Gonnard

2014-11-06 14:02:51 +0100

[diff] [blame]

}

return( 0 );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1126

* Do an RSA public key operation

1127

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1128

int mbedtls_rsa_public( mbedtls_rsa_context *ctx,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1129

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1130

unsigned char *output )

1131

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1132

int ret;

1133

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1134

mbedtls_mpi T;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1135

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1136

mbedtls_mpi_init( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1137

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1138

#if defined(MBEDTLS_THREADING_C)

1139

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1140

return( ret );

1141

#endif

1142

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1143

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1144

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1145

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1146

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1147

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1148

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1149

}

1150

1151

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1152

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );

1153

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1154

1155

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1156

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1157

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1158

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

88fca3e

2015-03-27 15:06:07 +0100

[diff] [blame]

1159

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1160

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1161

mbedtls_mpi_free( &T );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1162

1163

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1164

return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1169

/*

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1170

* Generate or update blinding values, see section 10 of:

1171

* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,

Manuel Pégourié-Gonnard

998930a

2015-04-03 13:48:06 +0200

[diff] [blame]

1172

* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1173

* Berlin Heidelberg, 1996. p. 104-113.

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1174

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1175

static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1176

int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )

1177

{

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1178

int ret, count = 0;

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1179

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1180

if( ctx->Vf.p != NULL )

1181

{

1182

/* We already have blinding values, just update them by squaring */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1183

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );

1184

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );

1185

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );

1186

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1187

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1188

goto cleanup;

Manuel Pégourié-Gonnard

2013-09-10 13:37:26 +0200

[diff] [blame]

1189

}

1190

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1191

/* Unblinding value: Vf = random number, invertible mod N */

1192

do {

1193

if( count++ > 10 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1194

return( MBEDTLS_ERR_RSA_RNG_FAILED );

Manuel Pégourié-Gonnard

4d89c7e

2013-10-04 15:18:38 +0200

[diff] [blame]

1195

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1196

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );

1197

MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1198

} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1199

1200

/* Blinding value: Vi = Vf^(-e) mod N */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1201

MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );

1202

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1203

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1204

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1205

cleanup:

1206

return( ret );

1207

}

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1208

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1209

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1210

* Exponent blinding supposed to prevent side-channel attacks using multiple

1211

* traces of measurements to recover the RSA key. The more collisions are there,

1212

* the more bits of the key can be recovered. See [3].

1213

*

1214

* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)

1215

* observations on avarage.

1216

*

1217

* For example with 28 byte blinding to achieve 2 collisions the adversary has

1218

* to make 2^112 observations on avarage.

1219

*

1220

* (With the currently (as of 2017 April) known best algorithms breaking 2048

1221

* bit RSA requires approximately as much time as trying out 2^112 random keys.

1222

* Thus in this sense with 28 byte blinding the security is not reduced by

1223

* side-channel attacks like the one in [3])

1224

*

1225

* This countermeasure does not help if the key recovery is possible with a

1226

* single trace.

1227

*/

1228

#define RSA_EXPONENT_BLINDING 28

1229

1230

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1231

* Do an RSA private key operation

1232

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1233

int mbedtls_rsa_private( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1234

int (*f_rng)(void *, unsigned char *, size_t),

1235

void *p_rng,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1236

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1237

unsigned char *output )

1238

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1239

int ret;

1240

size_t olen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1241

mbedtls_mpi T, T1, T2;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1242

mbedtls_mpi P1, Q1, R;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1243

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1244

mbedtls_mpi D_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1245

mbedtls_mpi *D = &ctx->D;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1246

#else

1247

mbedtls_mpi DP_blind, DQ_blind;

1248

mbedtls_mpi *DP = &ctx->DP;

1249

mbedtls_mpi *DQ = &ctx->DQ;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1250

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1251

Manuel Pégourié-Gonnard

fb84d38

2015-10-30 10:56:25 +0100

[diff] [blame]

1252

/* Make sure we have private key info, prevent possible misuse */

1253

if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )

1254

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1255

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1256

mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1257

mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );

if( f_rng != NULL )

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1262

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1263

mbedtls_mpi_init( &D_blind );

1264

#else

1265

mbedtls_mpi_init( &DP_blind );

1266

mbedtls_mpi_init( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1267

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1268

}

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1269

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1270

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1271

#if defined(MBEDTLS_THREADING_C)

1272

if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )

1273

return( ret );

1274

#endif

1275

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1276

MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );

1277

if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1278

{

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1279

ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;

1280

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1281

}

1282

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1283

if( f_rng != NULL )

1284

{

1285

/*

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1286

* Blinding

1287

* T = T * Vi mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1288

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1289

MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );

1290

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1291

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1292

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

/*

* Exponent blinding

*/

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );

1297

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );

1298

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1299

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1300

/*

1301

* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D

1302

*/

1303

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1304

f_rng, p_rng ) );

1305

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );

1306

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );

1307

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );

1308

1309

D = &D_blind;

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1310

#else

1311

/*

1312

* DP_blind = ( P - 1 ) * R + DP

1313

*/

1314

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1315

f_rng, p_rng ) );

1316

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );

1317

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,

&ctx->DP ) );

DP = &DP_blind;

/*

* DQ_blind = ( Q - 1 ) * R + DQ

1324

*/

1325

MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,

1326

f_rng, p_rng ) );

1327

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );

1328

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,

1329

&ctx->DQ ) );

1330

1331

DQ = &DQ_blind;

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1332

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1333

}

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1334

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1335

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1336

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );

Manuel Pégourié-Gonnard

e10e06d

2014-11-06 18:15:12 +0100

[diff] [blame]

1337

#else

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1338

/*

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1339

* Faster decryption using the CRT

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1340

*

1341

* T1 = input ^ dP mod P

1342

* T2 = input ^ dQ mod Q

1343

*/

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1344

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );

1345

MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1346

1347

/*

1348

* T = (T1 - T2) * (Q^-1 mod P) mod P

1349

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1350

MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );

1351

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );

1352

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1353

1354

/*

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1355

* T = T2 + T * Q

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1356

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1357

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );

1358

MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );

1359

#endif /* MBEDTLS_RSA_NO_CRT */

Paul Bakker

aab30c1

2013-08-30 11:00:25 +0200

[diff] [blame]

1360

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

if( f_rng != NULL )

{

/*

* Unblind

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

1365

* T = T * Vf mod N

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1366

*/

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1367

MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1368

MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );

Paul Bakker

2013-08-30 15:37:02 +0200

[diff] [blame]

1369

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1370

1371

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1372

MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1373

1374

cleanup:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1375

#if defined(MBEDTLS_THREADING_C)

Manuel Pégourié-Gonnard

2015-08-28 10:32:21 +0200

[diff] [blame]

1376

if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )

1377

return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );

Manuel Pégourié-Gonnard

ae10299

2013-10-04 17:07:12 +0200

[diff] [blame]

1378

#endif

Manuel Pégourié-Gonnard

2015-08-27 11:30:58 +0200

[diff] [blame]

1379

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1380

mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1381

mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );

1382

1383

if( f_rng != NULL )

1384

{

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1385

#if defined(MBEDTLS_RSA_NO_CRT)

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1386

mbedtls_mpi_free( &D_blind );

1387

#else

1388

mbedtls_mpi_free( &DP_blind );

1389

mbedtls_mpi_free( &DQ_blind );

Janos Follath

2017-03-22 13:38:28 +0000

[diff] [blame]

1390

#endif

Janos Follath

2017-03-22 15:13:15 +0000

[diff] [blame]

1391

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1392

1393

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1394

return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 0 );

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1399

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1400

/**

1401

* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.

1402

*

Paul Bakker

b125ed8

2011-11-10 13:33:51 +0000

[diff] [blame]

1403

* \param dst buffer to mask

1404

* \param dlen length of destination buffer

1405

* \param src source of the mask generation

1406

* \param slen length of the source buffer

1407

* \param md_ctx message digest context to use

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1408

*/

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1409

static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1410

size_t slen, mbedtls_md_context_t *md_ctx )

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1411

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1412

unsigned char mask[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1413

unsigned char counter[4];

1414

unsigned char *p;

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1415

unsigned int hlen;

1416

size_t i, use_len;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1417

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1418

memset( mask, 0, MBEDTLS_MD_MAX_SIZE );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1419

memset( counter, 0, 4 );

1420

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1421

hlen = mbedtls_md_get_size( md_ctx->md_info );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1422

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1423

/* Generate and apply dbMask */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

p = dst;

while( dlen > 0 )

{

use_len = hlen;

if( dlen < hlen )

use_len = dlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1432

mbedtls_md_starts( md_ctx );

1433

mbedtls_md_update( md_ctx, src, slen );

1434

mbedtls_md_update( md_ctx, counter, 4 );

1435

mbedtls_md_finish( md_ctx, mask );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1436

1437

for( i = 0; i < use_len; ++i )

*p++ ^= mask[i];

counter[3]++;

dlen -= use_len;

}

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1444

1445

mbedtls_zeroize( mask, sizeof( mask ) );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1446

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1447

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1448

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1449

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1450

/*

1451

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function

1452

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1453

int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1454

int (*f_rng)(void *, unsigned char *, size_t),

1455

void *p_rng,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1456

int mode,

1457

const unsigned char *label, size_t label_len,

1458

size_t ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1459

const unsigned char *input,

1460

unsigned char *output )

{

size_t olen;

int ret;

unsigned char *p = output;

1465

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1466

const mbedtls_md_info_t *md_info;

1467

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1468

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1469

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1470

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1471

1472

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1473

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1474

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1475

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1476

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1477

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1478

1479

olen = ctx->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1480

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1481

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1482

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1483

if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1484

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1485

1486

memset( output, 0, olen );

*p++ = 0;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1490

/* Generate a random octet string seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1491

if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1492

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p += hlen;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1496

/* Construct DB */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1497

mbedtls_md( md_info, label, label_len, p );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1498

p += hlen;

1499

p += olen - 2 * hlen - 2 - ilen;

1500

*p++ = 1;

1501

memcpy( p, input, ilen );

1502

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1503

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1504

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1505

{

1506

mbedtls_md_free( &md_ctx );

1507

return( ret );

1508

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1509

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1510

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1511

mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,

1512

&md_ctx );

1513

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1514

/* maskedSeed: Apply seedMask to seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1515

mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,

1516

&md_ctx );

1517

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1518

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1519

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1520

return( ( mode == MBEDTLS_RSA_PUBLIC )

1521

? mbedtls_rsa_public( ctx, output, output )

1522

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1523

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1524

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1525

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1526

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1527

/*

1528

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function

1529

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1530

int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1531

int (*f_rng)(void *, unsigned char *, size_t),

1532

void *p_rng,

1533

int mode, size_t ilen,

1534

const unsigned char *input,

1535

unsigned char *output )

{

size_t nb_pad, olen;

int ret;

unsigned char *p = output;

1540

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1541

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1542

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1543

Janos Follath

1ed9f99

2016-03-18 11:45:44 +0000

[diff] [blame]

1544

// We don't check p_rng because it won't be dereferenced here

1545

if( f_rng == NULL || input == NULL || output == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1546

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1547

1548

olen = ctx->len;

Manuel Pégourié-Gonnard

370717b

2016-02-11 10:35:13 +0100

[diff] [blame]

1549

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1550

/* first comparison checks for overflow */

Janos Follath

eddfe8f

2016-02-08 14:52:29 +0000

[diff] [blame]

1551

if( ilen + 11 < ilen || olen < ilen + 11 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1552

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1553

1554

nb_pad = olen - 3 - ilen;

1555

1556

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1557

if( mode == MBEDTLS_RSA_PUBLIC )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1558

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1559

*p++ = MBEDTLS_RSA_CRYPT;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1560

1561

while( nb_pad-- > 0 )

{

int rng_dl = 100;

do {

ret = f_rng( p_rng, p, 1 );

1567

} while( *p == 0 && --rng_dl && ret == 0 );

1568

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1569

/* Check if RNG failed to generate data */

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1570

if( rng_dl == 0 || ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1571

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

p++;

}

}

else

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1578

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1579

1580

while( nb_pad-- > 0 )

*p++ = 0xFF;

}

*p++ = 0;

memcpy( p, input, ilen );

1586

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1587

return( ( mode == MBEDTLS_RSA_PUBLIC )

1588

? mbedtls_rsa_public( ctx, output, output )

1589

: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1590

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1591

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1592

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1593

/*

1594

* Add the message padding, then do an RSA operation

1595

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1596

int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

1597

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

21eb280

2010-08-16 11:10:02 +0000

[diff] [blame]

1598

void *p_rng,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1599

int mode, size_t ilen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

1600

const unsigned char *input,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1601

unsigned char *output )

1602

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1603

switch( ctx->padding )

1604

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1605

#if defined(MBEDTLS_PKCS1_V15)

1606

case MBEDTLS_RSA_PKCS_V15:

1607

return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1608

input, output );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1609

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1610

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1611

#if defined(MBEDTLS_PKCS1_V21)

1612

case MBEDTLS_RSA_PKCS_V21:

1613

return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1614

ilen, input, output );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

1615

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1616

1617

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1618

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1619

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1620

}

1621

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1622

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1623

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1624

* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1625

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1626

int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1627

int (*f_rng)(void *, unsigned char *, size_t),

1628

void *p_rng,

1629

int mode,

Paul Bakker

a43231c

2013-02-28 17:33:49 +0100

[diff] [blame]

1630

const unsigned char *label, size_t label_len,

1631

size_t *olen,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1632

const unsigned char *input,

1633

unsigned char *output,

1634

size_t output_max_len )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1635

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1636

int ret;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1637

size_t ilen, i, pad_len;

1638

unsigned char *p, bad, pad_done;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1639

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

1640

unsigned char lhash[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

1641

unsigned int hlen;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1642

const mbedtls_md_info_t *md_info;

1643

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1644

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1645

/*

1646

* Parameters sanity checks

1647

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1648

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1649

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

ilen = ctx->len;

Paul Bakker

2011-06-09 13:55:13 +0000

[diff] [blame]

1653

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1654

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1655

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1656

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1657

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1658

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1659

Janos Follath

c17cda1

2016-02-11 11:08:18 +0000

[diff] [blame]

1660

hlen = mbedtls_md_get_size( md_info );

1661

1662

// checking for integer underflow

1663

if( 2 * hlen + 2 > ilen )

1664

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

1665

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1666

/*

1667

* RSA operation

1668

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1669

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1670

? mbedtls_rsa_public( ctx, input, buf )

1671

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1672

1673

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1674

goto cleanup;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1675

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1676

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1677

* Unmask data and generate lHash

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1678

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1679

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1680

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1681

{

1682

mbedtls_md_free( &md_ctx );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1683

goto cleanup;

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1684

}

1685

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1686

1687

/* Generate lHash */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1688

mbedtls_md( md_info, label, label_len, lhash );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1689

1690

/* seed: Apply seedMask to maskedSeed */

1691

mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,

1692

&md_ctx );

1693

1694

/* DB: Apply dbMask to maskedDB */

1695

mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,

1696

&md_ctx );

1697

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1698

mbedtls_md_free( &md_ctx );

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1699

1700

/*

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1701

* Check contents, in "constant-time"

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1702

*/

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1703

p = buf;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1704

bad = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1705

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1706

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1707

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1708

p += hlen; /* Skip seed */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1709

Manuel Pégourié-Gonnard

2013-11-28 15:57:52 +0100

[diff] [blame]

1710

/* Check lHash */

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1711

for( i = 0; i < hlen; i++ )

1712

bad |= lhash[i] ^ *p++;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1713

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1714

/* Get zero-padding len, but always read till end of buffer

1715

* (minus one, for the 01 byte) */

1716

pad_len = 0;

1717

pad_done = 0;

1718

for( i = 0; i < ilen - 2 * hlen - 2; i++ )

1719

{

1720

pad_done |= p[i];

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1721

pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1722

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1723

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1724

p += pad_len;

1725

bad |= *p++ ^ 0x01;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1726

Manuel Pégourié-Gonnard

2013-11-29 12:49:44 +0100

[diff] [blame]

1727

/*

1728

* The only information "leaked" is whether the padding was correct or not

1729

* (eg, no data is copied if it was not correct). This meets the

1730

* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between

1731

* the different error conditions.

1732

*/

1733

if( bad != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1734

{

1735

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1736

goto cleanup;

1737

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1738

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1739

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1740

{

1741

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1742

goto cleanup;

1743

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1744

1745

*olen = ilen - (p - buf);

1746

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1747

ret = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1748

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1749

cleanup:

1750

mbedtls_zeroize( buf, sizeof( buf ) );

1751

mbedtls_zeroize( lhash, sizeof( lhash ) );

1752

1753

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1754

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1755

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1756

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1757

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1758

/*

1759

* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function

1760

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1761

int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1762

int (*f_rng)(void *, unsigned char *, size_t),

1763

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1764

int mode, size_t *olen,

1765

const unsigned char *input,

1766

unsigned char *output,

1767

size_t output_max_len)

1768

{

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1769

int ret;

1770

size_t ilen, pad_count = 0, i;

1771

unsigned char *p, bad, pad_done = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1772

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1773

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1774

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

1775

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

ilen = ctx->len;

if( ilen < 16 || ilen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1780

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1781

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1782

ret = ( mode == MBEDTLS_RSA_PUBLIC )

1783

? mbedtls_rsa_public( ctx, input, buf )

1784

: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1785

1786

if( ret != 0 )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1787

goto cleanup;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1788

1789

p = buf;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1790

bad = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1791

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1792

/*

1793

* Check and get padding len in "constant-time"

1794

*/

1795

bad |= *p++; /* First byte must be 0 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1796

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1797

/* This test does not depend on secret data */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1798

if( mode == MBEDTLS_RSA_PRIVATE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1799

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1800

bad |= *p++ ^ MBEDTLS_RSA_CRYPT;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1801

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1802

/* Get padding len, but always read till end of buffer

1803

* (minus one, for the 00 byte) */

1804

for( i = 0; i < ilen - 3; i++ )

1805

{

Pascal Junod

b99183d

2015-03-11 16:49:45 +0100

[diff] [blame]

1806

pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;

1807

pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1808

}

Paul Bakker

e6ee41f

2012-05-19 08:43:48 +0000

[diff] [blame]

1809

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1810

p += pad_count;

1811

bad |= *p++; /* Must be zero */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1812

}

1813

else

1814

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1815

bad |= *p++ ^ MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1816

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1817

/* Get padding len, but always read till end of buffer

1818

* (minus one, for the 00 byte) */

1819

for( i = 0; i < ilen - 3; i++ )

1820

{

Manuel Pégourié-Gonnard

fbf0915

2014-02-03 11:58:55 +0100

[diff] [blame]

1821

pad_done |= ( p[i] != 0xFF );

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1822

pad_count += ( pad_done == 0 );

1823

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1824

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1825

p += pad_count;

1826

bad |= *p++; /* Must be zero */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1827

}

1828

Janos Follath

c69fa50

2016-02-12 13:30:09 +0000

[diff] [blame]

1829

bad |= ( pad_count < 8 );

Janos Follath

b6eb1ca

2016-02-08 13:59:25 +0000

[diff] [blame]

1830

Manuel Pégourié-Gonnard

2013-11-30 13:36:53 +0100

[diff] [blame]

1831

if( bad )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1832

{

1833

ret = MBEDTLS_ERR_RSA_INVALID_PADDING;

1834

goto cleanup;

1835

}

Paul Bakker

8804f69

2013-02-28 18:06:26 +0100

[diff] [blame]

1836

Paul Bakker

66d5d07

2014-06-17 16:39:18 +0200

[diff] [blame]

1837

if( ilen - ( p - buf ) > output_max_len )

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1838

{

1839

ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;

1840

goto cleanup;

1841

}

Paul Bakker

060c568

2009-01-12 21:48:39 +0000

[diff] [blame]

1842

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

1843

*olen = ilen - (p - buf);

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1844

memcpy( output, p, *olen );

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1845

ret = 0;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1846

Gilles Peskine

2017-03-23 14:37:37 +0100

[diff] [blame]

1847

cleanup:

1848

mbedtls_zeroize( buf, sizeof( buf ) );

1849

1850

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1851

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1852

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

1853

1854

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1855

* Do an RSA operation, then remove the message padding

1856

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1857

int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1858

int (*f_rng)(void *, unsigned char *, size_t),

1859

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1860

int mode, size_t *olen,

1861

const unsigned char *input,

1862

unsigned char *output,

1863

size_t output_max_len)

1864

{

1865

switch( ctx->padding )

1866

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1867

#if defined(MBEDTLS_PKCS1_V15)

1868

case MBEDTLS_RSA_PKCS_V15:

1869

return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1870

input, output, output_max_len );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

1871

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1872

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1873

#if defined(MBEDTLS_PKCS1_V21)

1874

case MBEDTLS_RSA_PKCS_V21:

1875

return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1876

olen, input, output,

1877

output_max_len );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1878

#endif

1879

1880

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1881

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1882

}

1883

}

1884

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1885

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1886

/*

1887

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function

1888

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1889

int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1890

int (*f_rng)(void *, unsigned char *, size_t),

1891

void *p_rng,

1892

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1893

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1894

unsigned int hashlen,

1895

const unsigned char *hash,

unsigned char *sig )

{

size_t olen;

unsigned char *p = sig;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1900

unsigned char salt[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1901

unsigned int slen, hlen, offset = 0;

1902

int ret;

1903

size_t msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1904

const mbedtls_md_info_t *md_info;

1905

mbedtls_md_context_t md_ctx;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1906

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1907

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

1908

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Manuel Pégourié-Gonnard

e6d1d82

2014-06-02 16:47:02 +0200

[diff] [blame]

1909

1910

if( f_rng == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1911

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1912

1913

olen = ctx->len;

1914

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1915

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1916

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1917

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1918

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1919

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1920

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

1921

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1922

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1923

}

1924

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1925

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1926

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1927

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1928

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1929

hlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1930

slen = hlen;

1931

1932

if( olen < hlen + slen + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1933

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1934

1935

memset( sig, 0, olen );

1936

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1937

/* Generate salt of length slen */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1938

if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1939

return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1940

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1941

/* Note: EMSA-PSS encoding is over the length of N - 1 bits */

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1942

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1943

p += olen - hlen * 2 - 2;

1944

*p++ = 0x01;

1945

memcpy( p, salt, slen );

1946

p += slen;

1947

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1948

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1949

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

1950

{

1951

mbedtls_md_free( &md_ctx );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1952

/* No need to zeroize salt: we didn't use it. */

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

1953

return( ret );

1954

}

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1955

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1956

/* Generate H = Hash( M' ) */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1957

mbedtls_md_starts( &md_ctx );

1958

mbedtls_md_update( &md_ctx, p, 8 );

1959

mbedtls_md_update( &md_ctx, hash, hashlen );

1960

mbedtls_md_update( &md_ctx, salt, slen );

1961

mbedtls_md_finish( &md_ctx, p );

Gilles Peskine

18ac716

2017-05-05 19:24:06 +0200

[diff] [blame]

1962

mbedtls_zeroize( salt, sizeof( salt ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1963

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1964

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

offset = 1;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

1968

/* maskedDB: Apply dbMask to DB */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1969

mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );

1970

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1971

mbedtls_md_free( &md_ctx );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1972

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

1973

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1974

sig[0] &= 0xFF >> ( olen * 8 - msb );

p += hlen;

*p++ = 0xBC;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1979

return( ( mode == MBEDTLS_RSA_PUBLIC )

1980

? mbedtls_rsa_public( ctx, sig, sig )

1981

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1982

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1983

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1984

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1985

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1986

/*

1987

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function

1988

*/

1989

/*

1990

* Do an RSA operation to sign the message digest

1991

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1992

int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

1993

int (*f_rng)(void *, unsigned char *, size_t),

1994

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1995

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1996

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

1997

unsigned int hashlen,

1998

const unsigned char *hash,

1999

unsigned char *sig )

2000

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2001

size_t nb_pad, olen, oid_size = 0;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2002

unsigned char *p = sig;

Paul Bakker

21e081b

2014-07-24 10:38:01 +0200

[diff] [blame]

2003

const char *oid = NULL;

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2004

unsigned char *sig_try = NULL, *verif = NULL;

2005

size_t i;

2006

unsigned char diff;

2007

volatile unsigned char diff_no_optimize;

2008

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2009

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2010

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

2011

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2012

2013

olen = ctx->len;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2014

nb_pad = olen - 3;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2015

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2016

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2017

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2018

const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2019

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2020

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2021

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2022

if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )

2023

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2024

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2025

nb_pad -= 10 + oid_size;

2026

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2027

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2028

}

2029

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2030

nb_pad -= hashlen;

2031

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2032

if( ( nb_pad < 8 ) || ( nb_pad > olen ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2033

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2034

2035

*p++ = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2036

*p++ = MBEDTLS_RSA_SIGN;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2037

memset( p, 0xFF, nb_pad );

2038

p += nb_pad;

2039

*p++ = 0;

2040

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2041

if( md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2042

{

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2043

memcpy( p, hash, hashlen );

}

else

{

/*

* DigestInfo ::= SEQUENCE {

2049

* digestAlgorithm DigestAlgorithmIdentifier,

2050

* digest Digest }

2051

*

2052

* DigestAlgorithmIdentifier ::= AlgorithmIdentifier

2053

*

2054

* Digest ::= OCTET STRING

2055

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2056

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2057

*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2058

*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2059

*p++ = (unsigned char) ( 0x04 + oid_size );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2060

*p++ = MBEDTLS_ASN1_OID;

Paul Bakker

b9cfaa0

2013-10-11 18:58:55 +0200

[diff] [blame]

2061

*p++ = oid_size & 0xFF;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2062

memcpy( p, oid, oid_size );

2063

p += oid_size;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2064

*p++ = MBEDTLS_ASN1_NULL;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2065

*p++ = 0x00;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2066

*p++ = MBEDTLS_ASN1_OCTET_STRING;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2067

*p++ = hashlen;

2068

memcpy( p, hash, hashlen );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2069

}

2070

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2071

if( mode == MBEDTLS_RSA_PUBLIC )

2072

return( mbedtls_rsa_public( ctx, sig, sig ) );

2073

2074

/*

2075

* In order to prevent Lenstra's attack, make the signature in a

2076

* temporary buffer and check it before returning it.

2077

*/

2078

sig_try = mbedtls_calloc( 1, ctx->len );

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2079

if( sig_try == NULL )

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2080

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2081

Simon Butcher

1285ab5

2016-01-01 21:42:47 +0000

[diff] [blame]

2082

verif = mbedtls_calloc( 1, ctx->len );

2083

if( verif == NULL )

2084

{

2085

mbedtls_free( sig_try );

2086

return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

2087

}

2088

Manuel Pégourié-Gonnard

2015-09-03 20:03:15 +0200

[diff] [blame]

2089

MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );

2090

MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );

2091

2092

/* Compare in constant time just in case */

2093

for( diff = 0, i = 0; i < ctx->len; i++ )

2094

diff |= verif[i] ^ sig[i];

2095

diff_no_optimize = diff;

2096

2097

if( diff_no_optimize != 0 )

2098

{

2099

ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;

goto cleanup;

}

memcpy( sig, sig_try, ctx->len );

2104

2105

cleanup:

2106

mbedtls_free( sig_try );

2107

mbedtls_free( verif );

2108

2109

return( ret );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2110

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2111

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2112

2113

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2114

* Do an RSA operation to sign the message digest

2115

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2116

int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2117

int (*f_rng)(void *, unsigned char *, size_t),

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2118

void *p_rng,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2119

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2120

mbedtls_md_type_t md_alg,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2121

unsigned int hashlen,

Paul Bakker

2010-03-16 21:09:09 +0000

[diff] [blame]

2122

const unsigned char *hash,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2123

unsigned char *sig )

2124

{

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2125

switch( ctx->padding )

2126

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2127

#if defined(MBEDTLS_PKCS1_V15)

2128

case MBEDTLS_RSA_PKCS_V15:

2129

return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2130

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2131

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2132

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2133

#if defined(MBEDTLS_PKCS1_V21)

2134

case MBEDTLS_RSA_PKCS_V21:

2135

return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2136

hashlen, hash, sig );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2137

#endif

2138

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2139

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2140

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2141

}

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2142

}

2143

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2144

#if defined(MBEDTLS_PKCS1_V21)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2145

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2146

* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2147

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2148

int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2149

int (*f_rng)(void *, unsigned char *, size_t),

2150

void *p_rng,

2151

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2152

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2153

unsigned int hashlen,

2154

const unsigned char *hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2155

mbedtls_md_type_t mgf1_hash_id,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2156

int expected_salt_len,

2157

const unsigned char *sig )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2158

{

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2159

int ret;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2160

size_t siglen;

2161

unsigned char *p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2162

unsigned char result[MBEDTLS_MD_MAX_SIZE];

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2163

unsigned char zeros[8];

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2164

unsigned int hlen;

2165

size_t slen, msb;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2166

const mbedtls_md_info_t *md_info;

2167

mbedtls_md_context_t md_ctx;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2168

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2169

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2170

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )

2171

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2172

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2173

siglen = ctx->len;

2174

Paul Bakker

27fdf46

2011-06-09 13:55:13 +0000

[diff] [blame]

2175

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2176

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2177

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2178

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2179

? mbedtls_rsa_public( ctx, sig, buf )

2180

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2187

if( buf[siglen - 1] != 0xBC )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2188

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2189

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2190

if( md_alg != MBEDTLS_MD_NONE )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2191

{

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2192

/* Gather length of hash to sign */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2193

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2194

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2195

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2196

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2197

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2198

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2199

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2200

md_info = mbedtls_md_info_from_type( mgf1_hash_id );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2201

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2202

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2203

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2204

hlen = mbedtls_md_get_size( md_info );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2205

slen = siglen - hlen - 1; /* Currently length of salt + padding */

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2206

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2207

memset( zeros, 0, 8 );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2208

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2209

/*

2210

* Note: EMSA-PSS verification is over the length of N - 1 bits

2211

*/

Manuel Pégourié-Gonnard

2015-06-18 16:47:17 +0200

[diff] [blame]

2212

msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2213

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2214

/* Compensate for boundary condition when applying mask */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( msb % 8 == 0 )

{

p++;

siglen -= 1;

}

if( buf[0] >> ( 8 - siglen * 8 + msb ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2221

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2222

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2223

mbedtls_md_init( &md_ctx );

Brian J Murray

2016-06-23 12:57:03 -0700

[diff] [blame]

2224

if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )

2225

{

2226

mbedtls_md_free( &md_ctx );

2227

return( ret );

2228

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2229

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2230

mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );

Paul Bakker

02303e8

2013-01-03 11:08:31 +0100

[diff] [blame]

2231

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2232

buf[0] &= 0xFF >> ( siglen * 8 - msb );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2233

Paul Bakker

4de44aa

2013-12-31 11:43:01 +0100

[diff] [blame]

2234

while( p < buf + siglen && *p == 0 )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2235

p++;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2236

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2237

if( p == buf + siglen ||

2238

*p++ != 0x01 )

2239

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2240

mbedtls_md_free( &md_ctx );

2241

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2242

}

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2243

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2244

/* Actual salt len */

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2245

slen -= p - buf;

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2246

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2247

if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2248

slen != (size_t) expected_salt_len )

2249

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2250

mbedtls_md_free( &md_ctx );

2251

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2252

}

2253

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2254

/*

2255

* Generate H = Hash( M' )

2256

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2257

mbedtls_md_starts( &md_ctx );

2258

mbedtls_md_update( &md_ctx, zeros, 8 );

2259

mbedtls_md_update( &md_ctx, hash, hashlen );

2260

mbedtls_md_update( &md_ctx, p, slen );

2261

mbedtls_md_finish( &md_ctx, result );

Paul Bakker

53019ae

2011-03-25 13:58:48 +0000

[diff] [blame]

2262

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2263

mbedtls_md_free( &md_ctx );

Paul Bakker

2011-03-08 14:16:06 +0000

[diff] [blame]

2264

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2265

if( memcmp( p + slen, result, hlen ) == 0 )

2266

return( 0 );

2267

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2268

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2269

}

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2270

2271

/*

2272

* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function

2273

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2274

int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2275

int (*f_rng)(void *, unsigned char *, size_t),

2276

void *p_rng,

2277

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2278

mbedtls_md_type_t md_alg,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2279

unsigned int hashlen,

2280

const unsigned char *hash,

2281

const unsigned char *sig )

2282

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2283

mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )

2284

? (mbedtls_md_type_t) ctx->hash_id

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2285

: md_alg;

2286

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2287

return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2288

md_alg, hashlen, hash,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2289

mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,

Manuel Pégourié-Gonnard

2014-06-03 11:44:06 +0200

[diff] [blame]

2290

sig ) );

2291

2292

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2293

#endif /* MBEDTLS_PKCS1_V21 */

Paul Bakker

40628ba

2013-01-03 10:50:31 +0100

[diff] [blame]

2294

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2295

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2296

/*

2297

* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function

2298

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2299

int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2300

int (*f_rng)(void *, unsigned char *, size_t),

2301

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2302

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2303

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2304

unsigned int hashlen,

2305

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2306

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2307

{

2308

int ret;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2309

size_t len, siglen, asn1_len;

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2310

unsigned char *p, *p0, *end;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2311

mbedtls_md_type_t msg_md_alg;

2312

const mbedtls_md_info_t *md_info;

2313

mbedtls_asn1_buf oid;

Nicholas Wilson

409401c

2016-04-13 11:48:25 +0100

[diff] [blame]

2314

unsigned char buf[MBEDTLS_MPI_MAX_SIZE];

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2315

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2316

if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )

2317

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

siglen = ctx->len;

if( siglen < 16 || siglen > sizeof( buf ) )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2322

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2323

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2324

ret = ( mode == MBEDTLS_RSA_PUBLIC )

2325

? mbedtls_rsa_public( ctx, sig, buf )

2326

: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

if( ret != 0 )

return( ret );

p = buf;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2333

if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )

2334

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

while( *p != 0 )

{

if( p >= buf + siglen - 1 || *p != 0xFF )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2339

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2340

p++;

2341

}

Manuel Pégourié-Gonnard

c1380de

2017-05-11 12:49:51 +0200

[diff] [blame]

2342

p++; /* skip 00 byte */

2343

2344

/* We've read: 00 01 PS 00 where PS must be at least 8 bytes */

2345

if( p - buf < 11 )

2346

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2347

2348

len = siglen - ( p - buf );

2349

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2350

if( len == hashlen && md_alg == MBEDTLS_MD_NONE )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2351

{

2352

if( memcmp( p, hash, hashlen ) == 0 )

2353

return( 0 );

2354

else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2355

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2356

}

2357

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2358

md_info = mbedtls_md_info_from_type( md_alg );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2359

if( md_info == NULL )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2360

return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

2361

hashlen = mbedtls_md_get_size( md_info );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

end = p + len;

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2365

/*

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2366

* Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.

2367

* Insist on 2-byte length tags, to protect against variants of

2368

* Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.

Simon Butcher

2016-03-01 21:19:12 +0000

[diff] [blame]

2369

*/

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2370

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2371

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2372

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2373

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2374

if( p != p0 + 2 || asn1_len + 2 != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2375

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2376

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2377

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2378

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,

2379

MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )

2380

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2381

if( p != p0 + 2 || asn1_len + 6 + hashlen != len )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2382

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2383

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2384

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2385

if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )

2386

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2387

if( p != p0 + 2 )

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2388

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

oid.p = p;

p += oid.len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2393

if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )

2394

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2395

2396

if( md_alg != msg_md_alg )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2397

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2398

2399

/*

2400

* assume the algorithm parameters must be NULL

2401

*/

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2402

p0 = p;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2403

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )

2404

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-04 12:48:39 +0200

[diff] [blame]

2405

if( p != p0 + 2 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2406

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2407

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2408

p0 = p;

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2409

if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )

2410

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Gilles Peskine

2017-05-03 18:32:21 +0200

[diff] [blame]

2411

if( p != p0 + 2 || asn1_len != hashlen )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2412

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2413

2414

if( memcmp( p, hash, hashlen ) != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2415

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

p += hashlen;

if( p != end )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2420

return( MBEDTLS_ERR_RSA_VERIFY_FAILED );

Paul Bakker

2013-04-07 22:00:46 +0200

[diff] [blame]

2421

2422

return( 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2423

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2424

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2425

2426

/*

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2427

* Do an RSA operation and check the message digest

2428

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2429

int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,

Paul Bakker

2013-08-30 10:30:02 +0200

[diff] [blame]

2430

int (*f_rng)(void *, unsigned char *, size_t),

2431

void *p_rng,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2432

int mode,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2433

mbedtls_md_type_t md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2434

unsigned int hashlen,

2435

const unsigned char *hash,

Manuel Pégourié-Gonnard

cc0a9d0

2013-08-12 11:34:35 +0200

[diff] [blame]

2436

const unsigned char *sig )

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2437

{

2438

switch( ctx->padding )

2439

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2440

#if defined(MBEDTLS_PKCS1_V15)

2441

case MBEDTLS_RSA_PKCS_V15:

2442

return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2443

hashlen, hash, sig );

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2444

#endif

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2445

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2446

#if defined(MBEDTLS_PKCS1_V21)

2447

case MBEDTLS_RSA_PKCS_V21:

2448

return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

2449

hashlen, hash, sig );

2450

#endif

2451

2452

default:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2453

return( MBEDTLS_ERR_RSA_INVALID_PADDING );

Paul Bakker

2013-02-28 17:21:01 +0100

[diff] [blame]

}

}

/*

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2458

* Copy the components of an RSA key

2459

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2460

int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

{

int ret;

dst->ver = src->ver;

dst->len = src->len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2467

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );

2468

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2469

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2470

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );

2471

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );

2472

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2473

2474

#if !defined(MBEDTLS_RSA_NO_CRT)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2475

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );

2476

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );

2477

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2478

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );

2479

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2480

#endif

2481

2482

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2483

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2484

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );

2485

MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );

Manuel Pégourié-Gonnard

2013-09-10 13:29:30 +0200

[diff] [blame]

2486

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2487

dst->padding = src->padding;

Manuel Pégourié-Gonnard

fdddac9

2014-03-25 15:58:35 +0100

[diff] [blame]

2488

dst->hash_id = src->hash_id;

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

2489

2490

cleanup:

2491

if( ret != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2492

mbedtls_rsa_free( dst );

Manuel Pégourié-Gonnard

2013-08-14 13:39:57 +0200

[diff] [blame]

return( ret );

}

/*

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2498

* Free the components of an RSA key

2499

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2500

void mbedtls_rsa_free( mbedtls_rsa_context *ctx )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2501

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2502

mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2503

mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D );

2504

mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2505

mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2506

Hanno Becker

2017-08-23 07:00:22 +0100

[diff] [blame]

2507

#if !defined(MBEDTLS_RSA_NO_CRT)

2508

mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );

2509

mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );

2510

mbedtls_mpi_free( &ctx->DP );

2511

#endif /* MBEDTLS_RSA_NO_CRT */

2512

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2513

#if defined(MBEDTLS_THREADING_C)

2514

mbedtls_mutex_free( &ctx->mutex );

Paul Bakker

2013-09-29 14:58:17 +0200

[diff] [blame]

2515

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2516

}

2517

Hanno Becker

ab37731

2017-08-23 16:24:51 +0100

[diff] [blame]

2518

#endif /* !MBEDTLS_RSA_ALT */

2519

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2520

#if defined(MBEDTLS_SELF_TEST)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2521

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

2522

#include "mbedtls/sha1.h"

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2523

2524

/*

2525

* Example RSA-1024 keypair, for test purposes

*/

#define KEY_LEN 128

#define RSA_N "9292758453063D803DD603D5E777D788" \

2530

"8ED1D5BF35786190FA2F23EBC0848AEA" \

2531

"DDA92CA6C3D80B32C4D109BE0F36D6AE" \

2532

"7130B9CED7ACDF54CFC7555AC14EEBAB" \

2533

"93A89813FBF3C4F8066D2D800F7C38A8" \

2534

"1AE31942917403FF4946B0A83D3D3E05" \

2535

"EE57C6F5F5606FB5D4BC6CD34EE0801A" \

2536

"5E94BB77B07507233A0BC7BAC8F90F79"

2537

2538

#define RSA_E "10001"

2539

2540

#define RSA_D "24BF6185468786FDD303083D25E64EFC" \

2541

"66CA472BC44D253102F8B4A9D3BFA750" \

2542

"91386C0077937FE33FA3252D28855837" \

2543

"AE1B484A8A9A45F7EE8C0C634F99E8CD" \

2544

"DF79C5CE07EE72C7F123142198164234" \

2545

"CABB724CF78B8173B9F880FC86322407" \

2546

"AF1FEDFDDE2BEB674CA15F3E81A1521E" \

2547

"071513A1E85B5DFA031F21ECAE91A34D"

2548

2549

#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \

2550

"2C01CAD19EA484A87EA4377637E75500" \

2551

"FCB2005C5C7DD6EC4AC023CDA285D796" \

2552

"C3D9E75E1EFC42488BB4F1D13AC30A57"

2553

2554

#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \

2555

"E211C2B9E5DB1ED0BF61D0D9899620F4" \

2556

"910E4168387E3C30AA1E00C339A79508" \

2557

"8452DD96A9A5EA5D9DCA68DA636032AF"

2558

2559

#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \

2560

"3C94D22288ACD763FD8E5600ED4A702D" \

2561

"F84198A5F06C2E72236AE490C93F07F8" \

2562

"3CC559CD27BC2D1CA488811730BB5725"

2563

2564

#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \

2565

"D8AAEA56749EA28623272E4F7D0592AF" \

2566

"7C1F1313CAC9471B5C523BFE592F517B" \

2567

"407A1BD76C164B93DA2D32A383E58357"

2568

2569

#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \

2570

"F38D18D2B2F0E2DD275AA977E2BF4411" \

2571

"F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \

2572

"A74206CEC169D74BF5A8C50D6F48EA08"

2573

2574

#define PT_LEN 24

2575

#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \

2576

"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"

2577

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2578

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2579

static int myrand( void *rng_state, unsigned char *output, size_t len )

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2580

{

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2581

#if !defined(__OpenBSD__)

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2582

size_t i;

2583

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2584

if( rng_state != NULL )

2585

rng_state = NULL;

2586

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2587

for( i = 0; i < len; ++i )

2588

output[i] = rand();

Paul Bakker

f96f7b6

2014-04-30 16:02:38 +0200

[diff] [blame]

2589

#else

2590

if( rng_state != NULL )

2591

rng_state = NULL;

2592

2593

arc4random_buf( output, len );

2594

#endif /* !OpenBSD */

Paul Bakker

2013-08-30 12:06:24 +0200

[diff] [blame]

2595

Paul Bakker

2011-11-27 21:07:34 +0000

[diff] [blame]

2596

return( 0 );

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2597

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2598

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

2010-07-18 09:00:25 +0000

[diff] [blame]

2599

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2600

/*

2601

* Checkup routine

2602

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2603

int mbedtls_rsa_self_test( int verbose )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2604

{

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2605

int ret = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2606

#if defined(MBEDTLS_PKCS1_V15)

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2607

size_t len;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2608

mbedtls_rsa_context rsa;

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2609

unsigned char rsa_plaintext[PT_LEN];

2610

unsigned char rsa_decrypted[PT_LEN];

2611

unsigned char rsa_ciphertext[KEY_LEN];

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2612

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

5690efc

2011-05-26 13:16:06 +0000

[diff] [blame]

2613

unsigned char sha1sum[20];

2614

#endif

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2615

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2616

mbedtls_mpi K;

2617

2618

mbedtls_mpi_init( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2619

mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2620

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2621

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );

2622

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );

2623

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );

2624

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );

2625

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );

2626

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );

2627

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );

2628

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );

2629

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );

2630

MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );

2631

2632

MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa, NULL, NULL ) );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2633

2634

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2635

mbedtls_printf( " RSA key validation: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2636

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2637

if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||

2638

mbedtls_rsa_check_privkey( &rsa ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2639

{

2640

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2641

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

Hanno Becker

2017-08-22 13:52:43 +0100

[diff] [blame]

2646

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_DP ) );

2647

MBEDTLS_MPI_CHK( mbedtls_rsa_check_crt( &rsa, &K, NULL, NULL ) );

2648

2649

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_DQ ) );

2650

MBEDTLS_MPI_CHK( mbedtls_rsa_check_crt( &rsa, NULL, &K, NULL ) );

2651

2652

MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_QP ) );

2653

MBEDTLS_MPI_CHK( mbedtls_rsa_check_crt( &rsa, NULL, NULL, &K ) );

2654

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2655

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2656

mbedtls_printf( "passed\n PKCS#1 encryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2657

2658

memcpy( rsa_plaintext, RSA_PT, PT_LEN );

2659

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2660

if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2661

rsa_plaintext, rsa_ciphertext ) != 0 )

2662

{

2663

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2664

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2670

mbedtls_printf( "passed\n PKCS#1 decryption : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2671

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2672

if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,

Paul Bakker

060c568

2009-01-12 21:48:39 +0000

[diff] [blame]

2673

rsa_ciphertext, rsa_decrypted,

Paul Bakker

2011-04-24 08:57:21 +0000

[diff] [blame]

2674

sizeof(rsa_decrypted) ) != 0 )

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2675

{

2676

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2677

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )

2683

{

2684

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2685

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2690

if( verbose != 0 )

2691

mbedtls_printf( "passed\n" );

2692

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2693

#if defined(MBEDTLS_SHA1_C)

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2694

if( verbose != 0 )

Brian Murray

930a370

2016-05-18 14:38:02 -0700

[diff] [blame]

2695

mbedtls_printf( " PKCS#1 data sign : " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2696

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2697

mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2698

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2699

if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2700

sha1sum, rsa_ciphertext ) != 0 )

2701

{

2702

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2703

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2709

mbedtls_printf( "passed\n PKCS#1 sig. verify: " );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2710

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2711

if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2712

sha1sum, rsa_ciphertext ) != 0 )

2713

{

2714

if( verbose != 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2715

mbedtls_printf( "failed\n" );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

return( 1 );

}

if( verbose != 0 )

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2721

mbedtls_printf( "passed\n" );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2722

#endif /* MBEDTLS_SHA1_C */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2723

Manuel Pégourié-Gonnard

d1004f0

2015-08-07 10:46:54 +0200

[diff] [blame]

2724

if( verbose != 0 )

2725

mbedtls_printf( "\n" );

2726

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2727

cleanup:

Hanno Becker

3a70116

2017-08-22 13:52:43 +0100

[diff] [blame]

2728

mbedtls_mpi_free( &K );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2729

mbedtls_rsa_free( &rsa );

2730

#else /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3e41fe8

2013-09-15 17:42:50 +0200

[diff] [blame]

2731

((void) verbose);

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2732

#endif /* MBEDTLS_PKCS1_V15 */

Paul Bakker

3d8fb63

2014-04-17 12:42:41 +0200

[diff] [blame]

2733

return( ret );

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2734

}

2735

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

2736

#endif /* MBEDTLS_SELF_TEST */

Paul Bakker

2009-01-03 21:22:43 +0000

[diff] [blame]

2737

Manuel Pégourié-Gonnard