2 * The RSA public-key cryptosystem
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
12 * [1] A method for obtaining digital signatures and public-key cryptosystems
16 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
57 * - never a valid value for an RSA parameter
58 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
98 * modulus INTEGER, -- n in mbedtls_rsa_parse_key()
99 * publicExponent INTEGER, -- e in mbedtls_rsa_parse_key()
100 * privateExponent INTEGER, -- d in mbedtls_rsa_parse_key()
101 * prime1 INTEGER, -- p in mbedtls_rsa_parse_key()
102 * prime2 INTEGER, -- q in mbedtls_rsa_parse_key()
103 * exponent1 INTEGER, -- d mod (p-1) in mbedtls_rsa_parse_key()
104 * exponent2 INTEGER, -- d mod (q-1) in mbedtls_rsa_parse_key()
105 * coefficient INTEGER, -- (inverse of q) mod p in mbedtls_rsa_parse_key()
167 * RSA private keys into memory and also avoids side channels which in mbedtls_rsa_parse_key()
175 (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { in mbedtls_rsa_parse_key()
181 (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { in mbedtls_rsa_parse_key()
187 (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { in mbedtls_rsa_parse_key()
202 * - for the benefit of alternative implementation that may want to in mbedtls_rsa_parse_key()
203 * pre-compute stuff beyond what's provided (eg Montgomery factors) in mbedtls_rsa_parse_key()
204 * - as it also sanity-checks the key in mbedtls_rsa_parse_key()
238 * modulus INTEGER, -- n in mbedtls_rsa_parse_pubkey()
239 * publicExponent INTEGER -- e in mbedtls_rsa_parse_pubkey()
376 * modulus INTEGER, -- n
377 * publicExponent INTEGER -- e
420 * operation (EME-PKCS1-v1_5 decoding).
424 * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING
458 * side-channel-based variants of the Bleichenbacher padding oracle in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
470 plaintext_max_size = (output_max_len > ilen - 11) ? ilen - 11 in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
478 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
502 * validity through timing. RSA keys are small enough that all the in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
506 (unsigned) (ilen - pad_count - 3)); in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
514 * - INVALID_PADDING if the padding is bad (bad != 0). in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
515 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
517 * - 0 if the padding is correct. */ in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
530 mbedtls_ct_zeroize_if(mbedtls_ct_bool_or(bad, output_too_large), input + 11, ilen - 11); in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
546 mbedtls_ct_memmove_left(input + ilen - plaintext_max_size, in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
548 plaintext_max_size - plaintext_size); in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
554 * user-provided output buffer), which is independent from plaintext in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
558 memcpy(output, input + ilen - plaintext_max_size, plaintext_max_size); in mbedtls_ct_rsaes_pkcs1_v15_unpadding()
581 if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) || in mbedtls_rsa_import()
582 (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) || in mbedtls_rsa_import()
583 (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) || in mbedtls_rsa_import()
584 (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) || in mbedtls_rsa_import()
585 (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) { in mbedtls_rsa_import()
590 ctx->len = mbedtls_mpi_size(&ctx->N); in mbedtls_rsa_import()
606 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len)); in mbedtls_rsa_import_raw()
607 ctx->len = mbedtls_mpi_size(&ctx->N); in mbedtls_rsa_import_raw()
611 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len)); in mbedtls_rsa_import_raw()
615 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len)); in mbedtls_rsa_import_raw()
619 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len)); in mbedtls_rsa_import_raw()
623 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len)); in mbedtls_rsa_import_raw()
649 if (ctx->len != mbedtls_mpi_size(&ctx->N) || in rsa_check_context()
650 ctx->len > MBEDTLS_MPI_MAX_SIZE) { in rsa_check_context()
660 if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 || in rsa_check_context()
661 mbedtls_mpi_get_bit(&ctx->N, 0) == 0) { in rsa_check_context()
670 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || in rsa_check_context()
671 mbedtls_mpi_get_bit(&ctx->P, 0) == 0 || in rsa_check_context()
672 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 || in rsa_check_context()
673 mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) { in rsa_check_context()
683 if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) { in rsa_check_context()
690 if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) { in rsa_check_context()
695 (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 || in rsa_check_context()
696 mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) { in rsa_check_context()
706 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || in rsa_check_context()
707 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) { in rsa_check_context()
716 mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) { in rsa_check_context()
733 have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0); in mbedtls_rsa_complete()
734 have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0); in mbedtls_rsa_complete()
735 have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0); in mbedtls_rsa_complete()
736 have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0); in mbedtls_rsa_complete()
737 have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0); in mbedtls_rsa_complete()
740 have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0); in mbedtls_rsa_complete()
741 have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0); in mbedtls_rsa_complete()
742 have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0); in mbedtls_rsa_complete()
748 * parameter sets for private keys are supported: in mbedtls_rsa_complete()
772 if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, in mbedtls_rsa_complete()
773 &ctx->Q)) != 0) { in mbedtls_rsa_complete()
777 ctx->len = mbedtls_mpi_size(&ctx->N); in mbedtls_rsa_complete()
785 ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D, in mbedtls_rsa_complete()
786 &ctx->P, &ctx->Q); in mbedtls_rsa_complete()
792 if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P, in mbedtls_rsa_complete()
793 &ctx->Q, in mbedtls_rsa_complete()
794 &ctx->E, in mbedtls_rsa_complete()
795 &ctx->D)) != 0) { in mbedtls_rsa_complete()
807 ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_complete()
808 &ctx->DP, &ctx->DQ, &ctx->QP); in mbedtls_rsa_complete()
834 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && in mbedtls_rsa_export_raw()
835 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && in mbedtls_rsa_export_raw()
836 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && in mbedtls_rsa_export_raw()
837 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && in mbedtls_rsa_export_raw()
838 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; in mbedtls_rsa_export_raw()
850 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len)); in mbedtls_rsa_export_raw()
854 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len)); in mbedtls_rsa_export_raw()
858 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len)); in mbedtls_rsa_export_raw()
862 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len)); in mbedtls_rsa_export_raw()
866 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len)); in mbedtls_rsa_export_raw()
883 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && in mbedtls_rsa_export()
884 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && in mbedtls_rsa_export()
885 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && in mbedtls_rsa_export()
886 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && in mbedtls_rsa_export()
887 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; in mbedtls_rsa_export()
900 if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) || in mbedtls_rsa_export()
901 (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) || in mbedtls_rsa_export()
902 (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) || in mbedtls_rsa_export()
903 (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) || in mbedtls_rsa_export()
904 (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) { in mbedtls_rsa_export()
914 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
925 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && in mbedtls_rsa_export_crt()
926 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && in mbedtls_rsa_export_crt()
927 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && in mbedtls_rsa_export_crt()
928 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && in mbedtls_rsa_export_crt()
929 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; in mbedtls_rsa_export_crt()
937 if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) || in mbedtls_rsa_export_crt()
938 (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) || in mbedtls_rsa_export_crt()
939 (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) { in mbedtls_rsa_export_crt()
943 if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_export_crt()
959 ctx->padding = MBEDTLS_RSA_PKCS_V15; in mbedtls_rsa_init()
960 ctx->hash_id = MBEDTLS_MD_NONE; in mbedtls_rsa_init()
963 /* Set ctx->ver to nonzero to indicate that the mutex has been in mbedtls_rsa_init()
965 ctx->ver = 1; in mbedtls_rsa_init()
966 mbedtls_mutex_init(&ctx->mutex); in mbedtls_rsa_init()
1000 ctx->padding = padding; in mbedtls_rsa_set_padding()
1001 ctx->hash_id = hash_id; in mbedtls_rsa_set_padding()
1011 return ctx->padding; in mbedtls_rsa_get_padding_mode()
1019 return ctx->hash_id; in mbedtls_rsa_get_md_alg()
1027 return mbedtls_mpi_bitlen(&ctx->N); in mbedtls_rsa_get_bitlen()
1035 return ctx->len; in mbedtls_rsa_get_len()
1044 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
1058 * rate of 2^-80 is sufficient. in mbedtls_rsa_gen_key()
1080 * 1. |P-Q| > 2^( nbits / 2 - 100 ) in mbedtls_rsa_gen_key()
1081 * 2. GCD( E, (P-1)*(Q-1) ) == 1 in mbedtls_rsa_gen_key()
1082 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 ) in mbedtls_rsa_gen_key()
1084 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent)); in mbedtls_rsa_gen_key()
1087 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1, in mbedtls_rsa_gen_key()
1090 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1, in mbedtls_rsa_gen_key()
1093 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */ in mbedtls_rsa_gen_key()
1094 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q)); in mbedtls_rsa_gen_key()
1095 if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) { in mbedtls_rsa_gen_key()
1101 mbedtls_mpi_swap(&ctx->P, &ctx->Q); in mbedtls_rsa_gen_key()
1104 /* Temporarily replace P,Q by P-1, Q-1 */ in mbedtls_rsa_gen_key()
1105 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1)); in mbedtls_rsa_gen_key()
1106 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1)); in mbedtls_rsa_gen_key()
1107 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q)); in mbedtls_rsa_gen_key()
1109 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */ in mbedtls_rsa_gen_key()
1110 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H)); in mbedtls_rsa_gen_key()
1115 … /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */ in mbedtls_rsa_gen_key()
1116 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q)); in mbedtls_rsa_gen_key()
1118 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L)); in mbedtls_rsa_gen_key()
1120 … if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a)) in mbedtls_rsa_gen_key()
1127 /* Restore P,Q */ in mbedtls_rsa_gen_key()
1128 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1)); in mbedtls_rsa_gen_key()
1129 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1)); in mbedtls_rsa_gen_key()
1131 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q)); in mbedtls_rsa_gen_key()
1133 ctx->len = mbedtls_mpi_size(&ctx->N); in mbedtls_rsa_gen_key()
1137 * DP = D mod (P - 1) in mbedtls_rsa_gen_key()
1138 * DQ = D mod (Q - 1) in mbedtls_rsa_gen_key()
1139 * QP = Q^-1 mod P in mbedtls_rsa_gen_key()
1141 MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_gen_key()
1142 &ctx->DP, &ctx->DQ, &ctx->QP)); in mbedtls_rsa_gen_key()
1145 /* Double-check */ in mbedtls_rsa_gen_key()
1157 if ((-ret & ~0x7f) == 0) { in mbedtls_rsa_gen_key()
1177 if (mbedtls_mpi_bitlen(&ctx->N) < 128) { in mbedtls_rsa_check_pubkey()
1181 if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 || in mbedtls_rsa_check_pubkey()
1182 mbedtls_mpi_bitlen(&ctx->E) < 2 || in mbedtls_rsa_check_pubkey()
1183 mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) { in mbedtls_rsa_check_pubkey()
1200 if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q, in mbedtls_rsa_check_privkey()
1201 &ctx->D, &ctx->E, NULL, NULL) != 0) { in mbedtls_rsa_check_privkey()
1206 else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_check_privkey()
1207 &ctx->DP, &ctx->DQ, &ctx->QP) != 0) { in mbedtls_rsa_check_privkey()
1226 if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 || in mbedtls_rsa_check_pub_priv()
1227 mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) { in mbedtls_rsa_check_pub_priv()
1252 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) { in mbedtls_rsa_public()
1257 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len)); in mbedtls_rsa_public()
1259 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) { in mbedtls_rsa_public()
1264 olen = ctx->len; in mbedtls_rsa_public()
1265 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod_unsafe(&T, &T, &ctx->E, &ctx->N, &ctx->RN)); in mbedtls_rsa_public()
1270 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) { in mbedtls_rsa_public()
1286 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
1287 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
1288 * Berlin Heidelberg, 1996. p. 104-113.
1298 if (ctx->Vf.p != NULL) { in rsa_prepare_blinding()
1300 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi)); in rsa_prepare_blinding()
1301 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N)); in rsa_prepare_blinding()
1302 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf)); in rsa_prepare_blinding()
1303 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N)); in rsa_prepare_blinding()
1315 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng)); in rsa_prepare_blinding()
1317 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */ in rsa_prepare_blinding()
1318 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng)); in rsa_prepare_blinding()
1319 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R)); in rsa_prepare_blinding()
1320 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N)); in rsa_prepare_blinding()
1326 ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N); in rsa_prepare_blinding()
1333 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */ in rsa_prepare_blinding()
1334 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R)); in rsa_prepare_blinding()
1335 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N)); in rsa_prepare_blinding()
1337 /* Blinding value: Vi = Vf^(-e) mod N in rsa_prepare_blinding()
1338 * (Vi already contains Vf^-1 at this point) */ in rsa_prepare_blinding()
1339 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN)); in rsa_prepare_blinding()
1355 const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); in rsa_unblind()
1356 const size_t nlimbs = N->n; in rsa_unblind()
1370 * Reminder: montmul(A, B, N) = A * B * R^-1 mod N in rsa_unblind()
1374 * N, so the result is directly what we want - no need to call in rsa_unblind()
1376 mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p); in rsa_unblind()
1377 mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p); in rsa_unblind()
1388 * Exponent blinding supposed to prevent side-channel attacks using multiple
1392 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
1399 * bit RSA requires approximately as much time as trying out 2^112 random keys.
1401 * side-channel attacks like the one in [3])
1423 /* Temporaries holding P-1, Q-1 and the in mbedtls_rsa_private()
1453 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) { in mbedtls_rsa_private()
1481 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len)); in mbedtls_rsa_private()
1482 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) { in mbedtls_rsa_private()
1492 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi)); in mbedtls_rsa_private()
1493 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N)); in mbedtls_rsa_private()
1500 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1)); in mbedtls_rsa_private()
1501 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1)); in mbedtls_rsa_private()
1505 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D in mbedtls_rsa_private()
1511 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D)); in mbedtls_rsa_private()
1514 * DP_blind = ( P - 1 ) * R + DP in mbedtls_rsa_private()
1520 &ctx->DP)); in mbedtls_rsa_private()
1523 * DQ_blind = ( Q - 1 ) * R + DQ in mbedtls_rsa_private()
1529 &ctx->DQ)); in mbedtls_rsa_private()
1533 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &D_blind, &ctx->N, &ctx->RN)); in mbedtls_rsa_private()
1542 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, &DP_blind, &ctx->P, &ctx->RP)); in mbedtls_rsa_private()
1543 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, &DQ_blind, &ctx->Q, &ctx->RQ)); in mbedtls_rsa_private()
1546 * T = (TP - TQ) * (Q^-1 mod P) mod P in mbedtls_rsa_private()
1549 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP)); in mbedtls_rsa_private()
1550 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P)); in mbedtls_rsa_private()
1555 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q)); in mbedtls_rsa_private()
1560 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E, in mbedtls_rsa_private()
1561 &ctx->N, &ctx->RN)); in mbedtls_rsa_private()
1571 MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N)); in mbedtls_rsa_private()
1573 olen = ctx->len; in mbedtls_rsa_private()
1578 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) { in mbedtls_rsa_private()
1603 if (ret != 0 && ret >= -0x007f) { in mbedtls_rsa_private()
1676 dlen -= use_len; in mgf_mask()
1693 * \param out the output buffer - must be large enough for \p md_alg
1742 * \param output the output buffer - must be large enough for \p md_alg
1761 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1780 hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id); in mbedtls_rsa_rsaes_oaep_encrypt()
1785 olen = ctx->len; in mbedtls_rsa_rsaes_oaep_encrypt()
1804 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p); in mbedtls_rsa_rsaes_oaep_encrypt()
1809 p += olen - 2 * hlen - 2 - ilen; in mbedtls_rsa_rsaes_oaep_encrypt()
1816 if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen, in mbedtls_rsa_rsaes_oaep_encrypt()
1817 (mbedtls_md_type_t) ctx->hash_id)) != 0) { in mbedtls_rsa_rsaes_oaep_encrypt()
1822 if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1, in mbedtls_rsa_rsaes_oaep_encrypt()
1823 (mbedtls_md_type_t) ctx->hash_id)) != 0) { in mbedtls_rsa_rsaes_oaep_encrypt()
1833 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1845 olen = ctx->len; in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1852 nb_pad = olen - 3 - ilen; in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1862 while (nb_pad-- > 0) { in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1867 } while (*p == 0 && --rng_dl && ret == 0); in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1896 switch (ctx->padding) { in mbedtls_rsa_pkcs1_encrypt()
1916 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1938 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) { in mbedtls_rsa_rsaes_oaep_decrypt()
1942 ilen = ctx->len; in mbedtls_rsa_rsaes_oaep_decrypt()
1948 hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id); in mbedtls_rsa_rsaes_oaep_decrypt()
1961 if( ctx->P.n == 0 ) in mbedtls_rsa_rsaes_oaep_decrypt()
1974 if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, in mbedtls_rsa_rsaes_oaep_decrypt()
1975 (mbedtls_md_type_t) ctx->hash_id)) != 0 || in mbedtls_rsa_rsaes_oaep_decrypt()
1977 (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, in mbedtls_rsa_rsaes_oaep_decrypt()
1978 (mbedtls_md_type_t) ctx->hash_id)) != 0) { in mbedtls_rsa_rsaes_oaep_decrypt()
1983 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, in mbedtls_rsa_rsaes_oaep_decrypt()
1990 * Check contents, in "constant-time" in mbedtls_rsa_rsaes_oaep_decrypt()
2002 /* Get zero-padding len, but always read till end of buffer in mbedtls_rsa_rsaes_oaep_decrypt()
2006 for (i = 0; i < ilen - 2 * hlen - 2; i++) { in mbedtls_rsa_rsaes_oaep_decrypt()
2025 if (ilen - ((size_t) (p - buf)) > output_max_len) { in mbedtls_rsa_rsaes_oaep_decrypt()
2030 *olen = ilen - ((size_t) (p - buf)); in mbedtls_rsa_rsaes_oaep_decrypt()
2046 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
2060 ilen = ctx->len; in mbedtls_rsa_rsaes_pkcs1_v15_decrypt()
2062 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) { in mbedtls_rsa_rsaes_pkcs1_v15_decrypt()
2097 switch (ctx->padding) { in mbedtls_rsa_pkcs1_decrypt()
2142 olen = ctx->len; in rsa_rsassa_pss_sign_no_mode_check()
2156 hash_id = (mbedtls_md_type_t) ctx->hash_id; in rsa_rsassa_pss_sign_no_mode_check()
2168 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not in rsa_rsassa_pss_sign_no_mode_check()
2171 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017 in rsa_rsassa_pss_sign_no_mode_check()
2173 min_slen = hlen - 2; in rsa_rsassa_pss_sign_no_mode_check()
2179 slen = olen - hlen - 2; in rsa_rsassa_pss_sign_no_mode_check()
2189 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ in rsa_rsassa_pss_sign_no_mode_check()
2190 msb = mbedtls_mpi_bitlen(&ctx->N) - 1; in rsa_rsassa_pss_sign_no_mode_check()
2191 p += olen - hlen - slen - 2; in rsa_rsassa_pss_sign_no_mode_check()
2214 ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen, hash_id); in rsa_rsassa_pss_sign_no_mode_check()
2219 msb = mbedtls_mpi_bitlen(&ctx->N) - 1; in rsa_rsassa_pss_sign_no_mode_check()
2220 sig[0] &= 0xFF >> (olen * 8 - msb); in rsa_rsassa_pss_sign_no_mode_check()
2225 if (ctx->P.n == 0) in rsa_rsassa_pss_sign_no_mode_check()
2240 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) { in rsa_rsassa_pss_sign()
2243 if ((ctx->hash_id == MBEDTLS_MD_NONE) && (md_alg == MBEDTLS_MD_NONE)) { in rsa_rsassa_pss_sign()
2263 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
2280 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
2297 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
2305 * - md_alg: Identifies the hash algorithm used to generate the given hash;
2307 * - hashlen: Length of hash. Must match md_alg if that's not NONE.
2308 * - hash: Buffer containing the hashed message or the raw data.
2309 * - dst_len: Length of the encoded message.
2310 * - dst: Buffer to hold the encoded message.
2313 * - hash has size hashlen.
2314 * - dst points to a buffer of size at least dst_len.
2343 /* Double-check that 8 + hashlen + oid_size can be used as a in rsa_rsassa_pkcs1_v15_encode()
2344 * 1-byte ASN.1 length encoding and that there's no overflow. */ in rsa_rsassa_pkcs1_v15_encode()
2353 * - Need 10 bytes for five tag-length pairs. in rsa_rsassa_pkcs1_v15_encode()
2354 * (Insist on 1-byte length encodings to protect against variants of in rsa_rsassa_pkcs1_v15_encode()
2356 * - Need hashlen bytes for hash in rsa_rsassa_pkcs1_v15_encode()
2357 * - Need oid_size bytes for hash alg OID. in rsa_rsassa_pkcs1_v15_encode()
2362 nb_pad -= 10 + hashlen + oid_size; in rsa_rsassa_pkcs1_v15_encode()
2368 nb_pad -= hashlen; in rsa_rsassa_pkcs1_v15_encode()
2376 nb_pad -= 3; in rsa_rsassa_pkcs1_v15_encode()
2403 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] in rsa_rsassa_pkcs1_v15_encode()
2404 * TAG-NULL + LEN [ NULL ] ] in rsa_rsassa_pkcs1_v15_encode()
2405 * TAG-OCTET + LEN [ HASH ] ] in rsa_rsassa_pkcs1_v15_encode()
2422 /* Just a sanity-check, should be automatic in rsa_rsassa_pkcs1_v15_encode()
2450 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) { in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2455 * Prepare PKCS1-v1.5 encoding (padding and hash identifier) in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2459 ctx->len, sig)) != 0) { in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2469 sig_try = mbedtls_calloc(1, ctx->len); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2474 verif = mbedtls_calloc(1, ctx->len); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2483 if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) { in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2488 memcpy(sig, sig_try, ctx->len); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2491 mbedtls_zeroize_and_free(sig_try, ctx->len); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2492 mbedtls_zeroize_and_free(verif, ctx->len); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2495 memset(sig, '!', ctx->len); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
2516 switch (ctx->padding) { in mbedtls_rsa_pkcs1_sign()
2536 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2559 siglen = ctx->len; in mbedtls_rsa_rsassa_pss_verify_ext()
2573 if (buf[siglen - 1] != 0xBC) { in mbedtls_rsa_rsassa_pss_verify_ext()
2595 * Note: EMSA-PSS verification is over the length of N - 1 bits in mbedtls_rsa_rsassa_pss_verify_ext()
2597 msb = mbedtls_mpi_bitlen(&ctx->N) - 1; in mbedtls_rsa_rsassa_pss_verify_ext()
2599 if (buf[0] >> (8 - siglen * 8 + msb)) { in mbedtls_rsa_rsassa_pss_verify_ext()
2606 siglen -= 1; in mbedtls_rsa_rsassa_pss_verify_ext()
2612 hash_start = p + siglen - hlen - 1; in mbedtls_rsa_rsassa_pss_verify_ext()
2614 ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id); in mbedtls_rsa_rsassa_pss_verify_ext()
2619 buf[0] &= 0xFF >> (siglen * 8 - msb); in mbedtls_rsa_rsassa_pss_verify_ext()
2621 while (p < hash_start - 1 && *p == 0) { in mbedtls_rsa_rsassa_pss_verify_ext()
2629 observed_salt_len = (size_t) (hash_start - p); in mbedtls_rsa_rsassa_pss_verify_ext()
2653 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2666 mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE) in mbedtls_rsa_rsassa_pss_verify()
2667 ? (mbedtls_md_type_t) ctx->hash_id in mbedtls_rsa_rsassa_pss_verify()
2681 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2697 sig_len = ctx->len; in mbedtls_rsa_rsassa_pkcs1_v15_verify()
2760 switch (ctx->padding) { in mbedtls_rsa_pkcs1_verify()
2785 dst->len = src->len; in mbedtls_rsa_copy()
2787 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N)); in mbedtls_rsa_copy()
2788 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E)); in mbedtls_rsa_copy()
2790 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D)); in mbedtls_rsa_copy()
2791 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P)); in mbedtls_rsa_copy()
2792 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q)); in mbedtls_rsa_copy()
2795 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP)); in mbedtls_rsa_copy()
2796 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ)); in mbedtls_rsa_copy()
2797 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP)); in mbedtls_rsa_copy()
2798 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP)); in mbedtls_rsa_copy()
2799 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ)); in mbedtls_rsa_copy()
2802 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN)); in mbedtls_rsa_copy()
2804 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi)); in mbedtls_rsa_copy()
2805 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf)); in mbedtls_rsa_copy()
2807 dst->padding = src->padding; in mbedtls_rsa_copy()
2808 dst->hash_id = src->hash_id; in mbedtls_rsa_copy()
2827 mbedtls_mpi_free(&ctx->Vi); in mbedtls_rsa_free()
2828 mbedtls_mpi_free(&ctx->Vf); in mbedtls_rsa_free()
2829 mbedtls_mpi_free(&ctx->RN); in mbedtls_rsa_free()
2830 mbedtls_mpi_free(&ctx->D); in mbedtls_rsa_free()
2831 mbedtls_mpi_free(&ctx->Q); in mbedtls_rsa_free()
2832 mbedtls_mpi_free(&ctx->P); in mbedtls_rsa_free()
2833 mbedtls_mpi_free(&ctx->E); in mbedtls_rsa_free()
2834 mbedtls_mpi_free(&ctx->N); in mbedtls_rsa_free()
2837 mbedtls_mpi_free(&ctx->RQ); in mbedtls_rsa_free()
2838 mbedtls_mpi_free(&ctx->RP); in mbedtls_rsa_free()
2839 mbedtls_mpi_free(&ctx->QP); in mbedtls_rsa_free()
2840 mbedtls_mpi_free(&ctx->DQ); in mbedtls_rsa_free()
2841 mbedtls_mpi_free(&ctx->DP); in mbedtls_rsa_free()
2846 if (ctx->ver != 0) { in mbedtls_rsa_free()
2847 mbedtls_mutex_free(&ctx->mutex); in mbedtls_rsa_free()
2848 ctx->ver = 0; in mbedtls_rsa_free()
2859 * Example RSA-1024 keypair, for test purposes