1817466cbSJens Wiklander /*
2817466cbSJens Wiklander * The RSA public-key cryptosystem
3817466cbSJens Wiklander *
47901324dSJerome Forissier * Copyright The Mbed TLS Contributors
5b0563631STom Van Eyck * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6817466cbSJens Wiklander */
73d3b0591SJens Wiklander
8817466cbSJens Wiklander /*
9817466cbSJens Wiklander * The following sources were referenced in the design of this implementation
10817466cbSJens Wiklander * of the RSA algorithm:
11817466cbSJens Wiklander *
12817466cbSJens Wiklander * [1] A method for obtaining digital signatures and public-key cryptosystems
13817466cbSJens Wiklander * R Rivest, A Shamir, and L Adleman
14817466cbSJens Wiklander * http://people.csail.mit.edu/rivest/pubs.html#RSA78
15817466cbSJens Wiklander *
16817466cbSJens Wiklander * [2] Handbook of Applied Cryptography - 1997, Chapter 8
17817466cbSJens Wiklander * Menezes, van Oorschot and Vanstone
18817466cbSJens Wiklander *
19817466cbSJens Wiklander * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
20817466cbSJens Wiklander * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
21817466cbSJens Wiklander * Stefan Mangard
22817466cbSJens Wiklander * https://arxiv.org/abs/1702.08719v2
23817466cbSJens Wiklander *
24817466cbSJens Wiklander */
25817466cbSJens Wiklander
267901324dSJerome Forissier #include "common.h"
27817466cbSJens Wiklander
28817466cbSJens Wiklander #if defined(MBEDTLS_RSA_C)
29817466cbSJens Wiklander
30817466cbSJens Wiklander #include "mbedtls/rsa.h"
31b0563631STom Van Eyck #include "bignum_core.h"
32*cb034002SJerome Forissier #include "bignum_internal.h"
3332b31808SJens Wiklander #include "rsa_alt_helpers.h"
34b0563631STom Van Eyck #include "rsa_internal.h"
35817466cbSJens Wiklander #include "mbedtls/oid.h"
36b0563631STom Van Eyck #include "mbedtls/asn1write.h"
373d3b0591SJens Wiklander #include "mbedtls/platform_util.h"
3811fa71b9SJerome Forissier #include "mbedtls/error.h"
39039e02dfSJerome Forissier #include "constant_time_internal.h"
40039e02dfSJerome Forissier #include "mbedtls/constant_time.h"
41b0563631STom Van Eyck #include "md_psa.h"
42817466cbSJens Wiklander
43817466cbSJens Wiklander #include <string.h>
44817466cbSJens Wiklander
457901324dSJerome Forissier #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
46817466cbSJens Wiklander #include <stdlib.h>
47817466cbSJens Wiklander #endif
48817466cbSJens Wiklander
49817466cbSJens Wiklander #include "mbedtls/platform.h"
50817466cbSJens Wiklander
51a846630fSJens Wiklander #include <fault_mitigation.h>
52a846630fSJens Wiklander
53b0563631STom Van Eyck /*
54b0563631STom Van Eyck * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
55b0563631STom Van Eyck *
56b0563631STom Van Eyck * The value zero is:
57b0563631STom Van Eyck * - never a valid value for an RSA parameter
58b0563631STom Van Eyck * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
59b0563631STom Van Eyck *
60b0563631STom Van Eyck * Since values can't be omitted in PKCS#1, passing a zero value to
61b0563631STom Van Eyck * rsa_complete() would be incorrect, so reject zero values early.
62b0563631STom Van Eyck */
asn1_get_nonzero_mpi(unsigned char ** p,const unsigned char * end,mbedtls_mpi * X)63b0563631STom Van Eyck static int asn1_get_nonzero_mpi(unsigned char **p,
64b0563631STom Van Eyck const unsigned char *end,
65b0563631STom Van Eyck mbedtls_mpi *X)
66b0563631STom Van Eyck {
67b0563631STom Van Eyck int ret;
68b0563631STom Van Eyck
69b0563631STom Van Eyck ret = mbedtls_asn1_get_mpi(p, end, X);
70b0563631STom Van Eyck if (ret != 0) {
71b0563631STom Van Eyck return ret;
72b0563631STom Van Eyck }
73b0563631STom Van Eyck
74b0563631STom Van Eyck if (mbedtls_mpi_cmp_int(X, 0) == 0) {
75b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
76b0563631STom Van Eyck }
77b0563631STom Van Eyck
78b0563631STom Van Eyck return 0;
79b0563631STom Van Eyck }
80b0563631STom Van Eyck
mbedtls_rsa_parse_key(mbedtls_rsa_context * rsa,const unsigned char * key,size_t keylen)81b0563631STom Van Eyck int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen)
82b0563631STom Van Eyck {
83b0563631STom Van Eyck int ret, version;
84b0563631STom Van Eyck size_t len;
85b0563631STom Van Eyck unsigned char *p, *end;
86b0563631STom Van Eyck
87b0563631STom Van Eyck mbedtls_mpi T;
88b0563631STom Van Eyck mbedtls_mpi_init(&T);
89b0563631STom Van Eyck
90b0563631STom Van Eyck p = (unsigned char *) key;
91b0563631STom Van Eyck end = p + keylen;
92b0563631STom Van Eyck
93b0563631STom Van Eyck /*
94b0563631STom Van Eyck * This function parses the RSAPrivateKey (PKCS#1)
95b0563631STom Van Eyck *
96b0563631STom Van Eyck * RSAPrivateKey ::= SEQUENCE {
97b0563631STom Van Eyck * version Version,
98b0563631STom Van Eyck * modulus INTEGER, -- n
99b0563631STom Van Eyck * publicExponent INTEGER, -- e
100b0563631STom Van Eyck * privateExponent INTEGER, -- d
101b0563631STom Van Eyck * prime1 INTEGER, -- p
102b0563631STom Van Eyck * prime2 INTEGER, -- q
103b0563631STom Van Eyck * exponent1 INTEGER, -- d mod (p-1)
104b0563631STom Van Eyck * exponent2 INTEGER, -- d mod (q-1)
105b0563631STom Van Eyck * coefficient INTEGER, -- (inverse of q) mod p
106b0563631STom Van Eyck * otherPrimeInfos OtherPrimeInfos OPTIONAL
107b0563631STom Van Eyck * }
108b0563631STom Van Eyck */
109b0563631STom Van Eyck if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
110b0563631STom Van Eyck MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
111b0563631STom Van Eyck return ret;
112b0563631STom Van Eyck }
113b0563631STom Van Eyck
114b0563631STom Van Eyck if (end != p + len) {
115b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
116b0563631STom Van Eyck }
117b0563631STom Van Eyck
118b0563631STom Van Eyck if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
119b0563631STom Van Eyck return ret;
120b0563631STom Van Eyck }
121b0563631STom Van Eyck
122b0563631STom Van Eyck if (version != 0) {
123b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
124b0563631STom Van Eyck }
125b0563631STom Van Eyck
126b0563631STom Van Eyck /* Import N */
127b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
128b0563631STom Van Eyck (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL,
129b0563631STom Van Eyck NULL, NULL)) != 0) {
130b0563631STom Van Eyck goto cleanup;
131b0563631STom Van Eyck }
132b0563631STom Van Eyck
133b0563631STom Van Eyck /* Import E */
134b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
135b0563631STom Van Eyck (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
136b0563631STom Van Eyck NULL, &T)) != 0) {
137b0563631STom Van Eyck goto cleanup;
138b0563631STom Van Eyck }
139b0563631STom Van Eyck
140b0563631STom Van Eyck /* Import D */
141b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
142b0563631STom Van Eyck (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
143b0563631STom Van Eyck &T, NULL)) != 0) {
144b0563631STom Van Eyck goto cleanup;
145b0563631STom Van Eyck }
146b0563631STom Van Eyck
147b0563631STom Van Eyck /* Import P */
148b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
149b0563631STom Van Eyck (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL,
150b0563631STom Van Eyck NULL, NULL)) != 0) {
151b0563631STom Van Eyck goto cleanup;
152b0563631STom Van Eyck }
153b0563631STom Van Eyck
154b0563631STom Van Eyck /* Import Q */
155b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
156b0563631STom Van Eyck (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T,
157b0563631STom Van Eyck NULL, NULL)) != 0) {
158b0563631STom Van Eyck goto cleanup;
159b0563631STom Van Eyck }
160b0563631STom Van Eyck
161b0563631STom Van Eyck #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
162b0563631STom Van Eyck /*
163b0563631STom Van Eyck * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
164b0563631STom Van Eyck * that they can be easily recomputed from D, P and Q. However by
165b0563631STom Van Eyck * parsing them from the PKCS1 structure it is possible to avoid
166b0563631STom Van Eyck * recalculating them which both reduces the overhead of loading
167b0563631STom Van Eyck * RSA private keys into memory and also avoids side channels which
168b0563631STom Van Eyck * can arise when computing those values, since all of D, P, and Q
169b0563631STom Van Eyck * are secret. See https://eprint.iacr.org/2020/055 for a
170b0563631STom Van Eyck * description of one such attack.
171b0563631STom Van Eyck */
172b0563631STom Van Eyck
173b0563631STom Van Eyck /* Import DP */
174b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
175b0563631STom Van Eyck (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) {
176b0563631STom Van Eyck goto cleanup;
177b0563631STom Van Eyck }
178b0563631STom Van Eyck
179b0563631STom Van Eyck /* Import DQ */
180b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
181b0563631STom Van Eyck (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) {
182b0563631STom Van Eyck goto cleanup;
183b0563631STom Van Eyck }
184b0563631STom Van Eyck
185b0563631STom Van Eyck /* Import QP */
186b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
187b0563631STom Van Eyck (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) {
188b0563631STom Van Eyck goto cleanup;
189b0563631STom Van Eyck }
190b0563631STom Van Eyck
191b0563631STom Van Eyck #else
192b0563631STom Van Eyck /* Verify existence of the CRT params */
193b0563631STom Van Eyck if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
194b0563631STom Van Eyck (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
195b0563631STom Van Eyck (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) {
196b0563631STom Van Eyck goto cleanup;
197b0563631STom Van Eyck }
198b0563631STom Van Eyck #endif
199b0563631STom Van Eyck
200b0563631STom Van Eyck /* rsa_complete() doesn't complete anything with the default
201b0563631STom Van Eyck * implementation but is still called:
202b0563631STom Van Eyck * - for the benefit of alternative implementation that may want to
203b0563631STom Van Eyck * pre-compute stuff beyond what's provided (eg Montgomery factors)
204b0563631STom Van Eyck * - as is also sanity-checks the key
205b0563631STom Van Eyck *
206b0563631STom Van Eyck * Furthermore, we also check the public part for consistency with
207b0563631STom Van Eyck * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
208b0563631STom Van Eyck */
209b0563631STom Van Eyck if ((ret = mbedtls_rsa_complete(rsa)) != 0 ||
210b0563631STom Van Eyck (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) {
211b0563631STom Van Eyck goto cleanup;
212b0563631STom Van Eyck }
213b0563631STom Van Eyck
214b0563631STom Van Eyck if (p != end) {
215b0563631STom Van Eyck ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
216b0563631STom Van Eyck }
217b0563631STom Van Eyck
218b0563631STom Van Eyck cleanup:
219b0563631STom Van Eyck
220b0563631STom Van Eyck mbedtls_mpi_free(&T);
221b0563631STom Van Eyck
222b0563631STom Van Eyck if (ret != 0) {
223b0563631STom Van Eyck mbedtls_rsa_free(rsa);
224b0563631STom Van Eyck }
225b0563631STom Van Eyck
226b0563631STom Van Eyck return ret;
227b0563631STom Van Eyck }
228b0563631STom Van Eyck
mbedtls_rsa_parse_pubkey(mbedtls_rsa_context * rsa,const unsigned char * key,size_t keylen)229b0563631STom Van Eyck int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen)
230b0563631STom Van Eyck {
231b0563631STom Van Eyck unsigned char *p = (unsigned char *) key;
232b0563631STom Van Eyck unsigned char *end = (unsigned char *) (key + keylen);
233b0563631STom Van Eyck int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
234b0563631STom Van Eyck size_t len;
235b0563631STom Van Eyck
236b0563631STom Van Eyck /*
237b0563631STom Van Eyck * RSAPublicKey ::= SEQUENCE {
238b0563631STom Van Eyck * modulus INTEGER, -- n
239b0563631STom Van Eyck * publicExponent INTEGER -- e
240b0563631STom Van Eyck * }
241b0563631STom Van Eyck */
242b0563631STom Van Eyck
243b0563631STom Van Eyck if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
244b0563631STom Van Eyck MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
245b0563631STom Van Eyck return ret;
246b0563631STom Van Eyck }
247b0563631STom Van Eyck
248b0563631STom Van Eyck if (end != p + len) {
249b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
250b0563631STom Van Eyck }
251b0563631STom Van Eyck
252b0563631STom Van Eyck /* Import N */
253b0563631STom Van Eyck if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
254b0563631STom Van Eyck return ret;
255b0563631STom Van Eyck }
256b0563631STom Van Eyck
257b0563631STom Van Eyck if ((ret = mbedtls_rsa_import_raw(rsa, p, len, NULL, 0, NULL, 0,
258b0563631STom Van Eyck NULL, 0, NULL, 0)) != 0) {
259b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
260b0563631STom Van Eyck }
261b0563631STom Van Eyck
262b0563631STom Van Eyck p += len;
263b0563631STom Van Eyck
264b0563631STom Van Eyck /* Import E */
265b0563631STom Van Eyck if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
266b0563631STom Van Eyck return ret;
267b0563631STom Van Eyck }
268b0563631STom Van Eyck
269b0563631STom Van Eyck if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0,
270b0563631STom Van Eyck NULL, 0, p, len)) != 0) {
271b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
272b0563631STom Van Eyck }
273b0563631STom Van Eyck
274b0563631STom Van Eyck p += len;
275b0563631STom Van Eyck
276b0563631STom Van Eyck if (mbedtls_rsa_complete(rsa) != 0 ||
277b0563631STom Van Eyck mbedtls_rsa_check_pubkey(rsa) != 0) {
278b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
279b0563631STom Van Eyck }
280b0563631STom Van Eyck
281b0563631STom Van Eyck if (p != end) {
282b0563631STom Van Eyck return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
283b0563631STom Van Eyck }
284b0563631STom Van Eyck
285b0563631STom Van Eyck return 0;
286b0563631STom Van Eyck }
287b0563631STom Van Eyck
mbedtls_rsa_write_key(const mbedtls_rsa_context * rsa,unsigned char * start,unsigned char ** p)288b0563631STom Van Eyck int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start,
289b0563631STom Van Eyck unsigned char **p)
290b0563631STom Van Eyck {
291b0563631STom Van Eyck size_t len = 0;
292b0563631STom Van Eyck int ret;
293b0563631STom Van Eyck
294b0563631STom Van Eyck mbedtls_mpi T; /* Temporary holding the exported parameters */
295b0563631STom Van Eyck
296b0563631STom Van Eyck /*
297b0563631STom Van Eyck * Export the parameters one after another to avoid simultaneous copies.
298b0563631STom Van Eyck */
299b0563631STom Van Eyck
300b0563631STom Van Eyck mbedtls_mpi_init(&T);
301b0563631STom Van Eyck
302b0563631STom Van Eyck /* Export QP */
303b0563631STom Van Eyck if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 ||
304b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
305b0563631STom Van Eyck goto end_of_export;
306b0563631STom Van Eyck }
307b0563631STom Van Eyck len += ret;
308b0563631STom Van Eyck
309b0563631STom Van Eyck /* Export DQ */
310b0563631STom Van Eyck if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 ||
311b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
312b0563631STom Van Eyck goto end_of_export;
313b0563631STom Van Eyck }
314b0563631STom Van Eyck len += ret;
315b0563631STom Van Eyck
316b0563631STom Van Eyck /* Export DP */
317b0563631STom Van Eyck if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 ||
318b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
319b0563631STom Van Eyck goto end_of_export;
320b0563631STom Van Eyck }
321b0563631STom Van Eyck len += ret;
322b0563631STom Van Eyck
323b0563631STom Van Eyck /* Export Q */
324b0563631STom Van Eyck if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 ||
325b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
326b0563631STom Van Eyck goto end_of_export;
327b0563631STom Van Eyck }
328b0563631STom Van Eyck len += ret;
329b0563631STom Van Eyck
330b0563631STom Van Eyck /* Export P */
331b0563631STom Van Eyck if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 ||
332b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
333b0563631STom Van Eyck goto end_of_export;
334b0563631STom Van Eyck }
335b0563631STom Van Eyck len += ret;
336b0563631STom Van Eyck
337b0563631STom Van Eyck /* Export D */
338b0563631STom Van Eyck if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 ||
339b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
340b0563631STom Van Eyck goto end_of_export;
341b0563631STom Van Eyck }
342b0563631STom Van Eyck len += ret;
343b0563631STom Van Eyck
344b0563631STom Van Eyck /* Export E */
345b0563631STom Van Eyck if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 ||
346b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
347b0563631STom Van Eyck goto end_of_export;
348b0563631STom Van Eyck }
349b0563631STom Van Eyck len += ret;
350b0563631STom Van Eyck
351b0563631STom Van Eyck /* Export N */
352b0563631STom Van Eyck if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 ||
353b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
354b0563631STom Van Eyck goto end_of_export;
355b0563631STom Van Eyck }
356b0563631STom Van Eyck len += ret;
357b0563631STom Van Eyck
358b0563631STom Van Eyck end_of_export:
359b0563631STom Van Eyck
360b0563631STom Van Eyck mbedtls_mpi_free(&T);
361b0563631STom Van Eyck if (ret < 0) {
362b0563631STom Van Eyck return ret;
363b0563631STom Van Eyck }
364b0563631STom Van Eyck
365b0563631STom Van Eyck MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0));
366b0563631STom Van Eyck MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
367b0563631STom Van Eyck MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
368b0563631STom Van Eyck MBEDTLS_ASN1_CONSTRUCTED |
369b0563631STom Van Eyck MBEDTLS_ASN1_SEQUENCE));
370b0563631STom Van Eyck
371b0563631STom Van Eyck return (int) len;
372b0563631STom Van Eyck }
373b0563631STom Van Eyck
374b0563631STom Van Eyck /*
375b0563631STom Van Eyck * RSAPublicKey ::= SEQUENCE {
376b0563631STom Van Eyck * modulus INTEGER, -- n
377b0563631STom Van Eyck * publicExponent INTEGER -- e
378b0563631STom Van Eyck * }
379b0563631STom Van Eyck */
mbedtls_rsa_write_pubkey(const mbedtls_rsa_context * rsa,unsigned char * start,unsigned char ** p)380b0563631STom Van Eyck int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start,
381b0563631STom Van Eyck unsigned char **p)
382b0563631STom Van Eyck {
383b0563631STom Van Eyck int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
384b0563631STom Van Eyck size_t len = 0;
385b0563631STom Van Eyck mbedtls_mpi T;
386b0563631STom Van Eyck
387b0563631STom Van Eyck mbedtls_mpi_init(&T);
388b0563631STom Van Eyck
389b0563631STom Van Eyck /* Export E */
390b0563631STom Van Eyck if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 ||
391b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
392b0563631STom Van Eyck goto end_of_export;
393b0563631STom Van Eyck }
394b0563631STom Van Eyck len += ret;
395b0563631STom Van Eyck
396b0563631STom Van Eyck /* Export N */
397b0563631STom Van Eyck if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 ||
398b0563631STom Van Eyck (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
399b0563631STom Van Eyck goto end_of_export;
400b0563631STom Van Eyck }
401b0563631STom Van Eyck len += ret;
402b0563631STom Van Eyck
403b0563631STom Van Eyck end_of_export:
404b0563631STom Van Eyck
405b0563631STom Van Eyck mbedtls_mpi_free(&T);
406b0563631STom Van Eyck if (ret < 0) {
407b0563631STom Van Eyck return ret;
408b0563631STom Van Eyck }
409b0563631STom Van Eyck
410b0563631STom Van Eyck MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
411b0563631STom Van Eyck MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
412b0563631STom Van Eyck MBEDTLS_ASN1_SEQUENCE));
413b0563631STom Van Eyck
414b0563631STom Van Eyck return (int) len;
415b0563631STom Van Eyck }
416b0563631STom Van Eyck
417b0563631STom Van Eyck #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
418b0563631STom Van Eyck
419b0563631STom Van Eyck /** This function performs the unpadding part of a PKCS#1 v1.5 decryption
420b0563631STom Van Eyck * operation (EME-PKCS1-v1_5 decoding).
421b0563631STom Van Eyck *
422b0563631STom Van Eyck * \note The return value from this function is a sensitive value
423b0563631STom Van Eyck * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen
424b0563631STom Van Eyck * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING
425b0563631STom Van Eyck * is often a situation that an attacker can provoke and leaking which
426b0563631STom Van Eyck * one is the result is precisely the information the attacker wants.
427b0563631STom Van Eyck *
428b0563631STom Van Eyck * \param input The input buffer which is the payload inside PKCS#1v1.5
429b0563631STom Van Eyck * encryption padding, called the "encoded message EM"
430b0563631STom Van Eyck * by the terminology.
431b0563631STom Van Eyck * \param ilen The length of the payload in the \p input buffer.
432b0563631STom Van Eyck * \param output The buffer for the payload, called "message M" by the
433b0563631STom Van Eyck * PKCS#1 terminology. This must be a writable buffer of
434b0563631STom Van Eyck * length \p output_max_len bytes.
435b0563631STom Van Eyck * \param olen The address at which to store the length of
436b0563631STom Van Eyck * the payload. This must not be \c NULL.
437b0563631STom Van Eyck * \param output_max_len The length in bytes of the output buffer \p output.
438b0563631STom Van Eyck *
439b0563631STom Van Eyck * \return \c 0 on success.
440b0563631STom Van Eyck * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
441b0563631STom Van Eyck * The output buffer is too small for the unpadded payload.
442b0563631STom Van Eyck * \return #MBEDTLS_ERR_RSA_INVALID_PADDING
443b0563631STom Van Eyck * The input doesn't contain properly formatted padding.
444b0563631STom Van Eyck */
mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char * input,size_t ilen,unsigned char * output,size_t output_max_len,size_t * olen)445b0563631STom Van Eyck static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input,
446b0563631STom Van Eyck size_t ilen,
447b0563631STom Van Eyck unsigned char *output,
448b0563631STom Van Eyck size_t output_max_len,
449b0563631STom Van Eyck size_t *olen)
450b0563631STom Van Eyck {
451b0563631STom Van Eyck int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
452b0563631STom Van Eyck size_t i, plaintext_max_size;
453b0563631STom Van Eyck
454b0563631STom Van Eyck /* The following variables take sensitive values: their value must
455b0563631STom Van Eyck * not leak into the observable behavior of the function other than
456b0563631STom Van Eyck * the designated outputs (output, olen, return value). Otherwise
457b0563631STom Van Eyck * this would open the execution of the function to
458b0563631STom Van Eyck * side-channel-based variants of the Bleichenbacher padding oracle
459b0563631STom Van Eyck * attack. Potential side channels include overall timing, memory
460b0563631STom Van Eyck * access patterns (especially visible to an adversary who has access
461b0563631STom Van Eyck * to a shared memory cache), and branches (especially visible to
462b0563631STom Van Eyck * an adversary who has access to a shared code cache or to a shared
463b0563631STom Van Eyck * branch predictor). */
464b0563631STom Van Eyck size_t pad_count = 0;
465b0563631STom Van Eyck mbedtls_ct_condition_t bad;
466b0563631STom Van Eyck mbedtls_ct_condition_t pad_done;
467b0563631STom Van Eyck size_t plaintext_size = 0;
468b0563631STom Van Eyck mbedtls_ct_condition_t output_too_large;
469b0563631STom Van Eyck
470b0563631STom Van Eyck plaintext_max_size = (output_max_len > ilen - 11) ? ilen - 11
471b0563631STom Van Eyck : output_max_len;
472b0563631STom Van Eyck
473b0563631STom Van Eyck /* Check and get padding length in constant time and constant
474b0563631STom Van Eyck * memory trace. The first byte must be 0. */
475b0563631STom Van Eyck bad = mbedtls_ct_bool(input[0]);
476b0563631STom Van Eyck
477b0563631STom Van Eyck
478b0563631STom Van Eyck /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
479b0563631STom Van Eyck * where PS must be at least 8 nonzero bytes. */
480b0563631STom Van Eyck bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(input[1], MBEDTLS_RSA_CRYPT));
481b0563631STom Van Eyck
482b0563631STom Van Eyck /* Read the whole buffer. Set pad_done to nonzero if we find
483b0563631STom Van Eyck * the 0x00 byte and remember the padding length in pad_count. */
484b0563631STom Van Eyck pad_done = MBEDTLS_CT_FALSE;
485b0563631STom Van Eyck for (i = 2; i < ilen; i++) {
486b0563631STom Van Eyck mbedtls_ct_condition_t found = mbedtls_ct_uint_eq(input[i], 0);
487b0563631STom Van Eyck pad_done = mbedtls_ct_bool_or(pad_done, found);
488b0563631STom Van Eyck pad_count += mbedtls_ct_uint_if_else_0(mbedtls_ct_bool_not(pad_done), 1);
489b0563631STom Van Eyck }
490b0563631STom Van Eyck
491b0563631STom Van Eyck /* If pad_done is still zero, there's no data, only unfinished padding. */
492b0563631STom Van Eyck bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_not(pad_done));
493b0563631STom Van Eyck
494b0563631STom Van Eyck /* There must be at least 8 bytes of padding. */
495b0563631STom Van Eyck bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_gt(8, pad_count));
496b0563631STom Van Eyck
497b0563631STom Van Eyck /* If the padding is valid, set plaintext_size to the number of
498b0563631STom Van Eyck * remaining bytes after stripping the padding. If the padding
499b0563631STom Van Eyck * is invalid, avoid leaking this fact through the size of the
500b0563631STom Van Eyck * output: use the maximum message size that fits in the output
501b0563631STom Van Eyck * buffer. Do it without branches to avoid leaking the padding
502b0563631STom Van Eyck * validity through timing. RSA keys are small enough that all the
503b0563631STom Van Eyck * size_t values involved fit in unsigned int. */
504b0563631STom Van Eyck plaintext_size = mbedtls_ct_uint_if(
505b0563631STom Van Eyck bad, (unsigned) plaintext_max_size,
506b0563631STom Van Eyck (unsigned) (ilen - pad_count - 3));
507b0563631STom Van Eyck
508b0563631STom Van Eyck /* Set output_too_large to 0 if the plaintext fits in the output
509b0563631STom Van Eyck * buffer and to 1 otherwise. */
510b0563631STom Van Eyck output_too_large = mbedtls_ct_uint_gt(plaintext_size,
511b0563631STom Van Eyck plaintext_max_size);
512b0563631STom Van Eyck
513b0563631STom Van Eyck /* Set ret without branches to avoid timing attacks. Return:
514b0563631STom Van Eyck * - INVALID_PADDING if the padding is bad (bad != 0).
515b0563631STom Van Eyck * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
516b0563631STom Van Eyck * plaintext does not fit in the output buffer.
517b0563631STom Van Eyck * - 0 if the padding is correct. */
518b0563631STom Van Eyck ret = mbedtls_ct_error_if(
519b0563631STom Van Eyck bad,
520b0563631STom Van Eyck MBEDTLS_ERR_RSA_INVALID_PADDING,
521b0563631STom Van Eyck mbedtls_ct_error_if_else_0(output_too_large, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE)
522b0563631STom Van Eyck );
523b0563631STom Van Eyck
524b0563631STom Van Eyck /* If the padding is bad or the plaintext is too large, zero the
525b0563631STom Van Eyck * data that we're about to copy to the output buffer.
526b0563631STom Van Eyck * We need to copy the same amount of data
527b0563631STom Van Eyck * from the same buffer whether the padding is good or not to
528b0563631STom Van Eyck * avoid leaking the padding validity through overall timing or
529b0563631STom Van Eyck * through memory or cache access patterns. */
530b0563631STom Van Eyck mbedtls_ct_zeroize_if(mbedtls_ct_bool_or(bad, output_too_large), input + 11, ilen - 11);
531b0563631STom Van Eyck
532b0563631STom Van Eyck /* If the plaintext is too large, truncate it to the buffer size.
533b0563631STom Van Eyck * Copy anyway to avoid revealing the length through timing, because
534b0563631STom Van Eyck * revealing the length is as bad as revealing the padding validity
535b0563631STom Van Eyck * for a Bleichenbacher attack. */
536b0563631STom Van Eyck plaintext_size = mbedtls_ct_uint_if(output_too_large,
537b0563631STom Van Eyck (unsigned) plaintext_max_size,
538b0563631STom Van Eyck (unsigned) plaintext_size);
539b0563631STom Van Eyck
540b0563631STom Van Eyck /* Move the plaintext to the leftmost position where it can start in
541b0563631STom Van Eyck * the working buffer, i.e. make it start plaintext_max_size from
542b0563631STom Van Eyck * the end of the buffer. Do this with a memory access trace that
543b0563631STom Van Eyck * does not depend on the plaintext size. After this move, the
544b0563631STom Van Eyck * starting location of the plaintext is no longer sensitive
545b0563631STom Van Eyck * information. */
546b0563631STom Van Eyck mbedtls_ct_memmove_left(input + ilen - plaintext_max_size,
547b0563631STom Van Eyck plaintext_max_size,
548b0563631STom Van Eyck plaintext_max_size - plaintext_size);
549b0563631STom Van Eyck
550b0563631STom Van Eyck /* Finally copy the decrypted plaintext plus trailing zeros into the output
551b0563631STom Van Eyck * buffer. If output_max_len is 0, then output may be an invalid pointer
552b0563631STom Van Eyck * and the result of memcpy() would be undefined; prevent undefined
553b0563631STom Van Eyck * behavior making sure to depend only on output_max_len (the size of the
554b0563631STom Van Eyck * user-provided output buffer), which is independent from plaintext
555b0563631STom Van Eyck * length, validity of padding, success of the decryption, and other
556b0563631STom Van Eyck * secrets. */
557b0563631STom Van Eyck if (output_max_len != 0) {
558b0563631STom Van Eyck memcpy(output, input + ilen - plaintext_max_size, plaintext_max_size);
559b0563631STom Van Eyck }
560b0563631STom Van Eyck
561b0563631STom Van Eyck /* Report the amount of data we copied to the output buffer. In case
562b0563631STom Van Eyck * of errors (bad padding or output too large), the value of *olen
563b0563631STom Van Eyck * when this function returns is not specified. Making it equivalent
564b0563631STom Van Eyck * to the good case limits the risks of leaking the padding validity. */
565b0563631STom Van Eyck *olen = plaintext_size;
566b0563631STom Van Eyck
567b0563631STom Van Eyck return ret;
568b0563631STom Van Eyck }
569b0563631STom Van Eyck
570b0563631STom Van Eyck #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
571b0563631STom Van Eyck
5723d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_ALT)
5733d3b0591SJens Wiklander
mbedtls_rsa_import(mbedtls_rsa_context * ctx,const mbedtls_mpi * N,const mbedtls_mpi * P,const mbedtls_mpi * Q,const mbedtls_mpi * D,const mbedtls_mpi * E)5743d3b0591SJens Wiklander int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
5753d3b0591SJens Wiklander const mbedtls_mpi *N,
5763d3b0591SJens Wiklander const mbedtls_mpi *P, const mbedtls_mpi *Q,
5773d3b0591SJens Wiklander const mbedtls_mpi *D, const mbedtls_mpi *E)
5783d3b0591SJens Wiklander {
57911fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5803d3b0591SJens Wiklander
5813d3b0591SJens Wiklander if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
5823d3b0591SJens Wiklander (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
5833d3b0591SJens Wiklander (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
5843d3b0591SJens Wiklander (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
58532b31808SJens Wiklander (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
58632b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
5873d3b0591SJens Wiklander }
5883d3b0591SJens Wiklander
58932b31808SJens Wiklander if (N != NULL) {
5903d3b0591SJens Wiklander ctx->len = mbedtls_mpi_size(&ctx->N);
59132b31808SJens Wiklander }
5923d3b0591SJens Wiklander
59332b31808SJens Wiklander return 0;
5943d3b0591SJens Wiklander }
5953d3b0591SJens Wiklander
mbedtls_rsa_import_raw(mbedtls_rsa_context * ctx,unsigned char const * N,size_t N_len,unsigned char const * P,size_t P_len,unsigned char const * Q,size_t Q_len,unsigned char const * D,size_t D_len,unsigned char const * E,size_t E_len)5963d3b0591SJens Wiklander int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
5973d3b0591SJens Wiklander unsigned char const *N, size_t N_len,
5983d3b0591SJens Wiklander unsigned char const *P, size_t P_len,
5993d3b0591SJens Wiklander unsigned char const *Q, size_t Q_len,
6003d3b0591SJens Wiklander unsigned char const *D, size_t D_len,
6013d3b0591SJens Wiklander unsigned char const *E, size_t E_len)
6023d3b0591SJens Wiklander {
6033d3b0591SJens Wiklander int ret = 0;
6043d3b0591SJens Wiklander
60532b31808SJens Wiklander if (N != NULL) {
6063d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
6073d3b0591SJens Wiklander ctx->len = mbedtls_mpi_size(&ctx->N);
6083d3b0591SJens Wiklander }
6093d3b0591SJens Wiklander
61032b31808SJens Wiklander if (P != NULL) {
6113d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
61232b31808SJens Wiklander }
6133d3b0591SJens Wiklander
61432b31808SJens Wiklander if (Q != NULL) {
6153d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
61632b31808SJens Wiklander }
6173d3b0591SJens Wiklander
61832b31808SJens Wiklander if (D != NULL) {
6193d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
62032b31808SJens Wiklander }
6213d3b0591SJens Wiklander
62232b31808SJens Wiklander if (E != NULL) {
6233d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
62432b31808SJens Wiklander }
6253d3b0591SJens Wiklander
6263d3b0591SJens Wiklander cleanup:
6273d3b0591SJens Wiklander
62832b31808SJens Wiklander if (ret != 0) {
62932b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
63032b31808SJens Wiklander }
6313d3b0591SJens Wiklander
63232b31808SJens Wiklander return 0;
6333d3b0591SJens Wiklander }
6343d3b0591SJens Wiklander
6353d3b0591SJens Wiklander /*
6363d3b0591SJens Wiklander * Checks whether the context fields are set in such a way
6373d3b0591SJens Wiklander * that the RSA primitives will be able to execute without error.
6383d3b0591SJens Wiklander * It does *not* make guarantees for consistency of the parameters.
6393d3b0591SJens Wiklander */
rsa_check_context(mbedtls_rsa_context const * ctx,int is_priv,int blinding_needed)6403d3b0591SJens Wiklander static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
6413d3b0591SJens Wiklander int blinding_needed)
6423d3b0591SJens Wiklander {
6433d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
6443d3b0591SJens Wiklander /* blinding_needed is only used for NO_CRT to decide whether
6453d3b0591SJens Wiklander * P,Q need to be present or not. */
6463d3b0591SJens Wiklander ((void) blinding_needed);
6473d3b0591SJens Wiklander #endif
6483d3b0591SJens Wiklander
6493d3b0591SJens Wiklander if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
65032b31808SJens Wiklander ctx->len > MBEDTLS_MPI_MAX_SIZE) {
65132b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
6523d3b0591SJens Wiklander }
6533d3b0591SJens Wiklander
6543d3b0591SJens Wiklander /*
6553d3b0591SJens Wiklander * 1. Modular exponentiation needs positive, odd moduli.
6563d3b0591SJens Wiklander */
6573d3b0591SJens Wiklander
6583d3b0591SJens Wiklander /* Modular exponentiation wrt. N is always used for
6593d3b0591SJens Wiklander * RSA public key operations. */
6603d3b0591SJens Wiklander if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
66132b31808SJens Wiklander mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
66232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
6633d3b0591SJens Wiklander }
6643d3b0591SJens Wiklander
6653d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
6663d3b0591SJens Wiklander /* Modular exponentiation for P and Q is only
6673d3b0591SJens Wiklander * used for private key operations and if CRT
6683d3b0591SJens Wiklander * is used. */
6693d3b0591SJens Wiklander if (is_priv &&
6703d3b0591SJens Wiklander (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
6713d3b0591SJens Wiklander mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
6723d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
67332b31808SJens Wiklander mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
67432b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
6753d3b0591SJens Wiklander }
6763d3b0591SJens Wiklander #endif /* !MBEDTLS_RSA_NO_CRT */
6773d3b0591SJens Wiklander
6783d3b0591SJens Wiklander /*
6793d3b0591SJens Wiklander * 2. Exponents must be positive
6803d3b0591SJens Wiklander */
6813d3b0591SJens Wiklander
6823d3b0591SJens Wiklander /* Always need E for public key operations */
68332b31808SJens Wiklander if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
68432b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
68532b31808SJens Wiklander }
6863d3b0591SJens Wiklander
6873d3b0591SJens Wiklander #if defined(MBEDTLS_RSA_NO_CRT)
6883d3b0591SJens Wiklander /* For private key operations, use D or DP & DQ
6893d3b0591SJens Wiklander * as (unblinded) exponents. */
69032b31808SJens Wiklander if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
69132b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
69232b31808SJens Wiklander }
6933d3b0591SJens Wiklander #else
6943d3b0591SJens Wiklander if (is_priv &&
6953d3b0591SJens Wiklander (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
69632b31808SJens Wiklander mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
69732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
6983d3b0591SJens Wiklander }
6993d3b0591SJens Wiklander #endif /* MBEDTLS_RSA_NO_CRT */
7003d3b0591SJens Wiklander
7013d3b0591SJens Wiklander /* Blinding shouldn't make exponents negative either,
7023d3b0591SJens Wiklander * so check that P, Q >= 1 if that hasn't yet been
7033d3b0591SJens Wiklander * done as part of 1. */
7043d3b0591SJens Wiklander #if defined(MBEDTLS_RSA_NO_CRT)
7053d3b0591SJens Wiklander if (is_priv && blinding_needed &&
7063d3b0591SJens Wiklander (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
70732b31808SJens Wiklander mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
70832b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
7093d3b0591SJens Wiklander }
7103d3b0591SJens Wiklander #endif
7113d3b0591SJens Wiklander
7123d3b0591SJens Wiklander /* It wouldn't lead to an error if it wasn't satisfied,
7133d3b0591SJens Wiklander * but check for QP >= 1 nonetheless. */
7143d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
7153d3b0591SJens Wiklander if (is_priv &&
71632b31808SJens Wiklander mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
71732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
7183d3b0591SJens Wiklander }
7193d3b0591SJens Wiklander #endif
7203d3b0591SJens Wiklander
72132b31808SJens Wiklander return 0;
7223d3b0591SJens Wiklander }
7233d3b0591SJens Wiklander
mbedtls_rsa_complete(mbedtls_rsa_context * ctx)7243d3b0591SJens Wiklander int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
7253d3b0591SJens Wiklander {
7263d3b0591SJens Wiklander int ret = 0;
7273d3b0591SJens Wiklander int have_N, have_P, have_Q, have_D, have_E;
7285b25c76aSJerome Forissier #if !defined(MBEDTLS_RSA_NO_CRT)
7295b25c76aSJerome Forissier int have_DP, have_DQ, have_QP;
7305b25c76aSJerome Forissier #endif
7313d3b0591SJens Wiklander int n_missing, pq_missing, d_missing, is_pub, is_priv;
7323d3b0591SJens Wiklander
7333d3b0591SJens Wiklander have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
7343d3b0591SJens Wiklander have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
7353d3b0591SJens Wiklander have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
7363d3b0591SJens Wiklander have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
7373d3b0591SJens Wiklander have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
7383d3b0591SJens Wiklander
7395b25c76aSJerome Forissier #if !defined(MBEDTLS_RSA_NO_CRT)
7405b25c76aSJerome Forissier have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
7415b25c76aSJerome Forissier have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
7425b25c76aSJerome Forissier have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
7435b25c76aSJerome Forissier #endif
7445b25c76aSJerome Forissier
7453d3b0591SJens Wiklander /*
7463d3b0591SJens Wiklander * Check whether provided parameters are enough
7473d3b0591SJens Wiklander * to deduce all others. The following incomplete
7483d3b0591SJens Wiklander * parameter sets for private keys are supported:
7493d3b0591SJens Wiklander *
7503d3b0591SJens Wiklander * (1) P, Q missing.
7513d3b0591SJens Wiklander * (2) D and potentially N missing.
7523d3b0591SJens Wiklander *
7533d3b0591SJens Wiklander */
7543d3b0591SJens Wiklander
7553d3b0591SJens Wiklander n_missing = have_P && have_Q && have_D && have_E;
7563d3b0591SJens Wiklander pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
7573d3b0591SJens Wiklander d_missing = have_P && have_Q && !have_D && have_E;
7583d3b0591SJens Wiklander is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
7593d3b0591SJens Wiklander
7603d3b0591SJens Wiklander /* These three alternatives are mutually exclusive */
7613d3b0591SJens Wiklander is_priv = n_missing || pq_missing || d_missing;
7623d3b0591SJens Wiklander
76332b31808SJens Wiklander if (!is_priv && !is_pub) {
76432b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
76532b31808SJens Wiklander }
7663d3b0591SJens Wiklander
7673d3b0591SJens Wiklander /*
7683d3b0591SJens Wiklander * Step 1: Deduce N if P, Q are provided.
7693d3b0591SJens Wiklander */
7703d3b0591SJens Wiklander
77132b31808SJens Wiklander if (!have_N && have_P && have_Q) {
7723d3b0591SJens Wiklander if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
77332b31808SJens Wiklander &ctx->Q)) != 0) {
77432b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
7753d3b0591SJens Wiklander }
7763d3b0591SJens Wiklander
7773d3b0591SJens Wiklander ctx->len = mbedtls_mpi_size(&ctx->N);
7783d3b0591SJens Wiklander }
7793d3b0591SJens Wiklander
7803d3b0591SJens Wiklander /*
7813d3b0591SJens Wiklander * Step 2: Deduce and verify all remaining core parameters.
7823d3b0591SJens Wiklander */
7833d3b0591SJens Wiklander
78432b31808SJens Wiklander if (pq_missing) {
7853d3b0591SJens Wiklander ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
7863d3b0591SJens Wiklander &ctx->P, &ctx->Q);
78732b31808SJens Wiklander if (ret != 0) {
78832b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
7893d3b0591SJens Wiklander }
79032b31808SJens Wiklander
79132b31808SJens Wiklander } else if (d_missing) {
7923d3b0591SJens Wiklander if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
7933d3b0591SJens Wiklander &ctx->Q,
7943d3b0591SJens Wiklander &ctx->E,
79532b31808SJens Wiklander &ctx->D)) != 0) {
79632b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
7973d3b0591SJens Wiklander }
7983d3b0591SJens Wiklander }
7993d3b0591SJens Wiklander
8003d3b0591SJens Wiklander /*
8013d3b0591SJens Wiklander * Step 3: Deduce all additional parameters specific
8023d3b0591SJens Wiklander * to our current RSA implementation.
8033d3b0591SJens Wiklander */
8043d3b0591SJens Wiklander
8053d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
80632b31808SJens Wiklander if (is_priv && !(have_DP && have_DQ && have_QP)) {
8073d3b0591SJens Wiklander ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
8083d3b0591SJens Wiklander &ctx->DP, &ctx->DQ, &ctx->QP);
80932b31808SJens Wiklander if (ret != 0) {
81032b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
81132b31808SJens Wiklander }
8123d3b0591SJens Wiklander }
8133d3b0591SJens Wiklander #endif /* MBEDTLS_RSA_NO_CRT */
8143d3b0591SJens Wiklander
8153d3b0591SJens Wiklander /*
8163d3b0591SJens Wiklander * Step 3: Basic sanity checks
8173d3b0591SJens Wiklander */
8183d3b0591SJens Wiklander
81932b31808SJens Wiklander return rsa_check_context(ctx, is_priv, 1);
8203d3b0591SJens Wiklander }
8213d3b0591SJens Wiklander
mbedtls_rsa_export_raw(const mbedtls_rsa_context * ctx,unsigned char * N,size_t N_len,unsigned char * P,size_t P_len,unsigned char * Q,size_t Q_len,unsigned char * D,size_t D_len,unsigned char * E,size_t E_len)8223d3b0591SJens Wiklander int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
8233d3b0591SJens Wiklander unsigned char *N, size_t N_len,
8243d3b0591SJens Wiklander unsigned char *P, size_t P_len,
8253d3b0591SJens Wiklander unsigned char *Q, size_t Q_len,
8263d3b0591SJens Wiklander unsigned char *D, size_t D_len,
8273d3b0591SJens Wiklander unsigned char *E, size_t E_len)
8283d3b0591SJens Wiklander {
8293d3b0591SJens Wiklander int ret = 0;
8303d3b0591SJens Wiklander int is_priv;
8313d3b0591SJens Wiklander
8323d3b0591SJens Wiklander /* Check if key is private or public */
8333d3b0591SJens Wiklander is_priv =
8343d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
8353d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
8363d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
8373d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
8383d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
8393d3b0591SJens Wiklander
84032b31808SJens Wiklander if (!is_priv) {
8413d3b0591SJens Wiklander /* If we're trying to export private parameters for a public key,
8423d3b0591SJens Wiklander * something must be wrong. */
84332b31808SJens Wiklander if (P != NULL || Q != NULL || D != NULL) {
84432b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
84532b31808SJens Wiklander }
8463d3b0591SJens Wiklander
8473d3b0591SJens Wiklander }
8483d3b0591SJens Wiklander
84932b31808SJens Wiklander if (N != NULL) {
8503d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
85132b31808SJens Wiklander }
8523d3b0591SJens Wiklander
85332b31808SJens Wiklander if (P != NULL) {
8543d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
85532b31808SJens Wiklander }
8563d3b0591SJens Wiklander
85732b31808SJens Wiklander if (Q != NULL) {
8583d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
85932b31808SJens Wiklander }
8603d3b0591SJens Wiklander
86132b31808SJens Wiklander if (D != NULL) {
8623d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
86332b31808SJens Wiklander }
8643d3b0591SJens Wiklander
86532b31808SJens Wiklander if (E != NULL) {
8663d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
86732b31808SJens Wiklander }
8683d3b0591SJens Wiklander
8693d3b0591SJens Wiklander cleanup:
8703d3b0591SJens Wiklander
87132b31808SJens Wiklander return ret;
8723d3b0591SJens Wiklander }
8733d3b0591SJens Wiklander
mbedtls_rsa_export(const mbedtls_rsa_context * ctx,mbedtls_mpi * N,mbedtls_mpi * P,mbedtls_mpi * Q,mbedtls_mpi * D,mbedtls_mpi * E)8743d3b0591SJens Wiklander int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
8753d3b0591SJens Wiklander mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
8763d3b0591SJens Wiklander mbedtls_mpi *D, mbedtls_mpi *E)
8773d3b0591SJens Wiklander {
87811fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8793d3b0591SJens Wiklander int is_priv;
8803d3b0591SJens Wiklander
8813d3b0591SJens Wiklander /* Check if key is private or public */
8823d3b0591SJens Wiklander is_priv =
8833d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
8843d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
8853d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
8863d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
8873d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
8883d3b0591SJens Wiklander
88932b31808SJens Wiklander if (!is_priv) {
8903d3b0591SJens Wiklander /* If we're trying to export private parameters for a public key,
8913d3b0591SJens Wiklander * something must be wrong. */
89232b31808SJens Wiklander if (P != NULL || Q != NULL || D != NULL) {
89332b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
89432b31808SJens Wiklander }
8953d3b0591SJens Wiklander
8963d3b0591SJens Wiklander }
8973d3b0591SJens Wiklander
8983d3b0591SJens Wiklander /* Export all requested core parameters. */
8993d3b0591SJens Wiklander
9003d3b0591SJens Wiklander if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
9013d3b0591SJens Wiklander (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
9023d3b0591SJens Wiklander (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
9033d3b0591SJens Wiklander (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
90432b31808SJens Wiklander (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
90532b31808SJens Wiklander return ret;
9063d3b0591SJens Wiklander }
9073d3b0591SJens Wiklander
90832b31808SJens Wiklander return 0;
9093d3b0591SJens Wiklander }
9103d3b0591SJens Wiklander
9113d3b0591SJens Wiklander /*
9123d3b0591SJens Wiklander * Export CRT parameters
9133d3b0591SJens Wiklander * This must also be implemented if CRT is not used, for being able to
9143d3b0591SJens Wiklander * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
9153d3b0591SJens Wiklander * can be used in this case.
9163d3b0591SJens Wiklander */
mbedtls_rsa_export_crt(const mbedtls_rsa_context * ctx,mbedtls_mpi * DP,mbedtls_mpi * DQ,mbedtls_mpi * QP)9173d3b0591SJens Wiklander int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
9183d3b0591SJens Wiklander mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
9193d3b0591SJens Wiklander {
92011fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9213d3b0591SJens Wiklander int is_priv;
9223d3b0591SJens Wiklander
9233d3b0591SJens Wiklander /* Check if key is private or public */
9243d3b0591SJens Wiklander is_priv =
9253d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
9263d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
9273d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
9283d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
9293d3b0591SJens Wiklander mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
9303d3b0591SJens Wiklander
93132b31808SJens Wiklander if (!is_priv) {
93232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
93332b31808SJens Wiklander }
9343d3b0591SJens Wiklander
9353d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
9363d3b0591SJens Wiklander /* Export all requested blinding parameters. */
9373d3b0591SJens Wiklander if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
9383d3b0591SJens Wiklander (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
93932b31808SJens Wiklander (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
94032b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
9413d3b0591SJens Wiklander }
9423d3b0591SJens Wiklander #else
9433d3b0591SJens Wiklander if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
94432b31808SJens Wiklander DP, DQ, QP)) != 0) {
94532b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
9463d3b0591SJens Wiklander }
9473d3b0591SJens Wiklander #endif
9483d3b0591SJens Wiklander
94932b31808SJens Wiklander return 0;
950817466cbSJens Wiklander }
951817466cbSJens Wiklander
952817466cbSJens Wiklander /*
953817466cbSJens Wiklander * Initialize an RSA context
954817466cbSJens Wiklander */
mbedtls_rsa_init(mbedtls_rsa_context * ctx)95532b31808SJens Wiklander void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
956817466cbSJens Wiklander {
957817466cbSJens Wiklander memset(ctx, 0, sizeof(mbedtls_rsa_context));
958817466cbSJens Wiklander
95932b31808SJens Wiklander ctx->padding = MBEDTLS_RSA_PKCS_V15;
96032b31808SJens Wiklander ctx->hash_id = MBEDTLS_MD_NONE;
961817466cbSJens Wiklander
962817466cbSJens Wiklander #if defined(MBEDTLS_THREADING_C)
9637901324dSJerome Forissier /* Set ctx->ver to nonzero to indicate that the mutex has been
9647901324dSJerome Forissier * initialized and will need to be freed. */
9657901324dSJerome Forissier ctx->ver = 1;
966817466cbSJens Wiklander mbedtls_mutex_init(&ctx->mutex);
967817466cbSJens Wiklander #endif
968817466cbSJens Wiklander }
969817466cbSJens Wiklander
970817466cbSJens Wiklander /*
971817466cbSJens Wiklander * Set padding for an existing RSA context
972817466cbSJens Wiklander */
mbedtls_rsa_set_padding(mbedtls_rsa_context * ctx,int padding,mbedtls_md_type_t hash_id)97332b31808SJens Wiklander int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
97432b31808SJens Wiklander mbedtls_md_type_t hash_id)
975817466cbSJens Wiklander {
97632b31808SJens Wiklander switch (padding) {
97732b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
97832b31808SJens Wiklander case MBEDTLS_RSA_PKCS_V15:
97932b31808SJens Wiklander break;
98032b31808SJens Wiklander #endif
98132b31808SJens Wiklander
98232b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
98332b31808SJens Wiklander case MBEDTLS_RSA_PKCS_V21:
98432b31808SJens Wiklander break;
98532b31808SJens Wiklander #endif
98632b31808SJens Wiklander default:
98732b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
98832b31808SJens Wiklander }
98932b31808SJens Wiklander
99032b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
99132b31808SJens Wiklander if ((padding == MBEDTLS_RSA_PKCS_V21) &&
99232b31808SJens Wiklander (hash_id != MBEDTLS_MD_NONE)) {
99332b31808SJens Wiklander /* Just make sure this hash is supported in this build. */
994b0563631STom Van Eyck if (mbedtls_md_info_from_type(hash_id) == NULL) {
99532b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
99632b31808SJens Wiklander }
99732b31808SJens Wiklander }
99832b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
9993d3b0591SJens Wiklander
1000817466cbSJens Wiklander ctx->padding = padding;
1001817466cbSJens Wiklander ctx->hash_id = hash_id;
100232b31808SJens Wiklander
100332b31808SJens Wiklander return 0;
100432b31808SJens Wiklander }
100532b31808SJens Wiklander
100632b31808SJens Wiklander /*
100732b31808SJens Wiklander * Get padding mode of initialized RSA context
100832b31808SJens Wiklander */
mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context * ctx)100932b31808SJens Wiklander int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx)
101032b31808SJens Wiklander {
101132b31808SJens Wiklander return ctx->padding;
101232b31808SJens Wiklander }
101332b31808SJens Wiklander
101432b31808SJens Wiklander /*
101532b31808SJens Wiklander * Get hash identifier of mbedtls_md_type_t type
101632b31808SJens Wiklander */
mbedtls_rsa_get_md_alg(const mbedtls_rsa_context * ctx)101732b31808SJens Wiklander int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx)
101832b31808SJens Wiklander {
101932b31808SJens Wiklander return ctx->hash_id;
1020817466cbSJens Wiklander }
1021817466cbSJens Wiklander
10223d3b0591SJens Wiklander /*
1023b0563631STom Van Eyck * Get length in bits of RSA modulus
1024b0563631STom Van Eyck */
mbedtls_rsa_get_bitlen(const mbedtls_rsa_context * ctx)1025b0563631STom Van Eyck size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx)
1026b0563631STom Van Eyck {
1027b0563631STom Van Eyck return mbedtls_mpi_bitlen(&ctx->N);
1028b0563631STom Van Eyck }
1029b0563631STom Van Eyck
1030b0563631STom Van Eyck /*
10313d3b0591SJens Wiklander * Get length in bytes of RSA modulus
10323d3b0591SJens Wiklander */
mbedtls_rsa_get_len(const mbedtls_rsa_context * ctx)10333d3b0591SJens Wiklander size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
10343d3b0591SJens Wiklander {
103532b31808SJens Wiklander return ctx->len;
10363d3b0591SJens Wiklander }
10373d3b0591SJens Wiklander
1038817466cbSJens Wiklander #if defined(MBEDTLS_GENPRIME)
1039817466cbSJens Wiklander
1040817466cbSJens Wiklander /*
1041817466cbSJens Wiklander * Generate an RSA keypair
10423d3b0591SJens Wiklander *
10433d3b0591SJens Wiklander * This generation method follows the RSA key pair generation procedure of
10443d3b0591SJens Wiklander * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
1045817466cbSJens Wiklander */
mbedtls_rsa_gen_key(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,unsigned int nbits,int exponent)1046817466cbSJens Wiklander int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
1047817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
1048817466cbSJens Wiklander void *p_rng,
1049817466cbSJens Wiklander unsigned int nbits, int exponent)
1050817466cbSJens Wiklander {
105111fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
10523d3b0591SJens Wiklander mbedtls_mpi H, G, L;
10533d3b0591SJens Wiklander int prime_quality = 0;
1054817466cbSJens Wiklander
10553d3b0591SJens Wiklander /*
10563d3b0591SJens Wiklander * If the modulus is 1024 bit long or shorter, then the security strength of
10573d3b0591SJens Wiklander * the RSA algorithm is less than or equal to 80 bits and therefore an error
10583d3b0591SJens Wiklander * rate of 2^-80 is sufficient.
10593d3b0591SJens Wiklander */
106032b31808SJens Wiklander if (nbits > 1024) {
10613d3b0591SJens Wiklander prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
106232b31808SJens Wiklander }
1063817466cbSJens Wiklander
10643d3b0591SJens Wiklander mbedtls_mpi_init(&H);
10653d3b0591SJens Wiklander mbedtls_mpi_init(&G);
10663d3b0591SJens Wiklander mbedtls_mpi_init(&L);
1067817466cbSJens Wiklander
1068b0563631STom Van Eyck if (exponent < 3 || nbits % 2 != 0) {
1069b0563631STom Van Eyck ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1070b0563631STom Van Eyck goto cleanup;
1071b0563631STom Van Eyck }
1072b0563631STom Van Eyck
1073b0563631STom Van Eyck if (nbits < MBEDTLS_RSA_GEN_KEY_MIN_BITS) {
10747901324dSJerome Forissier ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
10757901324dSJerome Forissier goto cleanup;
10767901324dSJerome Forissier }
10777901324dSJerome Forissier
1078817466cbSJens Wiklander /*
1079817466cbSJens Wiklander * find primes P and Q with Q < P so that:
10803d3b0591SJens Wiklander * 1. |P-Q| > 2^( nbits / 2 - 100 )
10813d3b0591SJens Wiklander * 2. GCD( E, (P-1)*(Q-1) ) == 1
10823d3b0591SJens Wiklander * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
1083817466cbSJens Wiklander */
1084817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
1085817466cbSJens Wiklander
108632b31808SJens Wiklander do {
10873d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
10883d3b0591SJens Wiklander prime_quality, f_rng, p_rng));
1089817466cbSJens Wiklander
10903d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
10913d3b0591SJens Wiklander prime_quality, f_rng, p_rng));
1092817466cbSJens Wiklander
10933d3b0591SJens Wiklander /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
10943d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
109532b31808SJens Wiklander if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
1096817466cbSJens Wiklander continue;
109732b31808SJens Wiklander }
1098817466cbSJens Wiklander
10993d3b0591SJens Wiklander /* not required by any standards, but some users rely on the fact that P > Q */
110032b31808SJens Wiklander if (H.s < 0) {
1101817466cbSJens Wiklander mbedtls_mpi_swap(&ctx->P, &ctx->Q);
110232b31808SJens Wiklander }
1103817466cbSJens Wiklander
11043d3b0591SJens Wiklander /* Temporarily replace P,Q by P-1, Q-1 */
11053d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
11063d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
11073d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
1108817466cbSJens Wiklander
11093d3b0591SJens Wiklander /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
11103d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
111132b31808SJens Wiklander if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
11123d3b0591SJens Wiklander continue;
111332b31808SJens Wiklander }
11143d3b0591SJens Wiklander
11153d3b0591SJens Wiklander /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
11163d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
11173d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
11183d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
11193d3b0591SJens Wiklander
112032b31808SJens Wiklander if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
11213d3b0591SJens Wiklander continue;
112232b31808SJens Wiklander }
11233d3b0591SJens Wiklander
11243d3b0591SJens Wiklander break;
112532b31808SJens Wiklander } while (1);
11263d3b0591SJens Wiklander
11273d3b0591SJens Wiklander /* Restore P,Q */
11283d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
11293d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
11303d3b0591SJens Wiklander
11313d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
11323d3b0591SJens Wiklander
11333d3b0591SJens Wiklander ctx->len = mbedtls_mpi_size(&ctx->N);
11343d3b0591SJens Wiklander
11353d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
1136817466cbSJens Wiklander /*
1137817466cbSJens Wiklander * DP = D mod (P - 1)
1138817466cbSJens Wiklander * DQ = D mod (Q - 1)
1139817466cbSJens Wiklander * QP = Q^-1 mod P
1140817466cbSJens Wiklander */
11413d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
11423d3b0591SJens Wiklander &ctx->DP, &ctx->DQ, &ctx->QP));
11433d3b0591SJens Wiklander #endif /* MBEDTLS_RSA_NO_CRT */
1144817466cbSJens Wiklander
11453d3b0591SJens Wiklander /* Double-check */
11463d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
1147817466cbSJens Wiklander
1148817466cbSJens Wiklander cleanup:
1149817466cbSJens Wiklander
11503d3b0591SJens Wiklander mbedtls_mpi_free(&H);
11513d3b0591SJens Wiklander mbedtls_mpi_free(&G);
11523d3b0591SJens Wiklander mbedtls_mpi_free(&L);
1153817466cbSJens Wiklander
115432b31808SJens Wiklander if (ret != 0) {
1155817466cbSJens Wiklander mbedtls_rsa_free(ctx);
11567901324dSJerome Forissier
115732b31808SJens Wiklander if ((-ret & ~0x7f) == 0) {
11587901324dSJerome Forissier ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
115932b31808SJens Wiklander }
116032b31808SJens Wiklander return ret;
1161817466cbSJens Wiklander }
1162817466cbSJens Wiklander
116332b31808SJens Wiklander return 0;
1164817466cbSJens Wiklander }
1165817466cbSJens Wiklander
1166817466cbSJens Wiklander #endif /* MBEDTLS_GENPRIME */
1167817466cbSJens Wiklander
1168817466cbSJens Wiklander /*
1169817466cbSJens Wiklander * Check a public RSA key
1170817466cbSJens Wiklander */
mbedtls_rsa_check_pubkey(const mbedtls_rsa_context * ctx)1171817466cbSJens Wiklander int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
1172817466cbSJens Wiklander {
117332b31808SJens Wiklander if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
117432b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
117532b31808SJens Wiklander }
11763d3b0591SJens Wiklander
117732b31808SJens Wiklander if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
117832b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
11793d3b0591SJens Wiklander }
1180817466cbSJens Wiklander
11813d3b0591SJens Wiklander if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
11823d3b0591SJens Wiklander mbedtls_mpi_bitlen(&ctx->E) < 2 ||
118332b31808SJens Wiklander mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
118432b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
11853d3b0591SJens Wiklander }
1186817466cbSJens Wiklander
118732b31808SJens Wiklander return 0;
1188817466cbSJens Wiklander }
1189817466cbSJens Wiklander
1190817466cbSJens Wiklander /*
11913d3b0591SJens Wiklander * Check for the consistency of all fields in an RSA private key context
1192817466cbSJens Wiklander */
mbedtls_rsa_check_privkey(const mbedtls_rsa_context * ctx)1193817466cbSJens Wiklander int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
1194817466cbSJens Wiklander {
11953d3b0591SJens Wiklander if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
119632b31808SJens Wiklander rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
119732b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1198817466cbSJens Wiklander }
1199817466cbSJens Wiklander
12003d3b0591SJens Wiklander if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
120132b31808SJens Wiklander &ctx->D, &ctx->E, NULL, NULL) != 0) {
120232b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
12033d3b0591SJens Wiklander }
1204817466cbSJens Wiklander
12053d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
12063d3b0591SJens Wiklander else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
120732b31808SJens Wiklander &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
120832b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
12093d3b0591SJens Wiklander }
12103d3b0591SJens Wiklander #endif
1211817466cbSJens Wiklander
121232b31808SJens Wiklander return 0;
1213817466cbSJens Wiklander }
1214817466cbSJens Wiklander
1215817466cbSJens Wiklander /*
1216817466cbSJens Wiklander * Check if contexts holding a public and private key match
1217817466cbSJens Wiklander */
mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context * pub,const mbedtls_rsa_context * prv)12183d3b0591SJens Wiklander int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
12193d3b0591SJens Wiklander const mbedtls_rsa_context *prv)
1220817466cbSJens Wiklander {
1221817466cbSJens Wiklander if (mbedtls_rsa_check_pubkey(pub) != 0 ||
122232b31808SJens Wiklander mbedtls_rsa_check_privkey(prv) != 0) {
122332b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1224817466cbSJens Wiklander }
1225817466cbSJens Wiklander
1226817466cbSJens Wiklander if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
122732b31808SJens Wiklander mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
122832b31808SJens Wiklander return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1229817466cbSJens Wiklander }
1230817466cbSJens Wiklander
123132b31808SJens Wiklander return 0;
1232817466cbSJens Wiklander }
1233817466cbSJens Wiklander
1234817466cbSJens Wiklander /*
1235817466cbSJens Wiklander * Do an RSA public key operation
1236817466cbSJens Wiklander */
mbedtls_rsa_public(mbedtls_rsa_context * ctx,const unsigned char * input,unsigned char * output)1237817466cbSJens Wiklander int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
1238817466cbSJens Wiklander const unsigned char *input,
1239817466cbSJens Wiklander unsigned char *output)
1240817466cbSJens Wiklander {
124111fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1242817466cbSJens Wiklander size_t olen;
1243817466cbSJens Wiklander mbedtls_mpi T;
12443d3b0591SJens Wiklander
124532b31808SJens Wiklander if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
124632b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
124732b31808SJens Wiklander }
1248817466cbSJens Wiklander
1249817466cbSJens Wiklander mbedtls_mpi_init(&T);
1250817466cbSJens Wiklander
1251817466cbSJens Wiklander #if defined(MBEDTLS_THREADING_C)
125232b31808SJens Wiklander if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
125332b31808SJens Wiklander return ret;
125432b31808SJens Wiklander }
1255817466cbSJens Wiklander #endif
1256817466cbSJens Wiklander
1257817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
1258817466cbSJens Wiklander
125932b31808SJens Wiklander if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
1260817466cbSJens Wiklander ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
1261817466cbSJens Wiklander goto cleanup;
1262817466cbSJens Wiklander }
1263817466cbSJens Wiklander
1264817466cbSJens Wiklander olen = ctx->len;
1265*cb034002SJerome Forissier MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod_unsafe(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
1266817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
1267817466cbSJens Wiklander
1268817466cbSJens Wiklander cleanup:
1269817466cbSJens Wiklander #if defined(MBEDTLS_THREADING_C)
127032b31808SJens Wiklander if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
127132b31808SJens Wiklander return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
127232b31808SJens Wiklander }
1273817466cbSJens Wiklander #endif
1274817466cbSJens Wiklander
1275817466cbSJens Wiklander mbedtls_mpi_free(&T);
1276817466cbSJens Wiklander
127732b31808SJens Wiklander if (ret != 0) {
127832b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
127932b31808SJens Wiklander }
1280817466cbSJens Wiklander
128132b31808SJens Wiklander return 0;
1282817466cbSJens Wiklander }
1283817466cbSJens Wiklander
1284817466cbSJens Wiklander /*
1285817466cbSJens Wiklander * Generate or update blinding values, see section 10 of:
1286817466cbSJens Wiklander * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
1287817466cbSJens Wiklander * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
1288817466cbSJens Wiklander * Berlin Heidelberg, 1996. p. 104-113.
1289817466cbSJens Wiklander */
rsa_prepare_blinding(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1290817466cbSJens Wiklander static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
1291817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1292817466cbSJens Wiklander {
1293817466cbSJens Wiklander int ret, count = 0;
12947901324dSJerome Forissier mbedtls_mpi R;
12957901324dSJerome Forissier
12967901324dSJerome Forissier mbedtls_mpi_init(&R);
1297817466cbSJens Wiklander
129832b31808SJens Wiklander if (ctx->Vf.p != NULL) {
1299817466cbSJens Wiklander /* We already have blinding values, just update them by squaring */
1300817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
1301817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
1302817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
1303817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
1304817466cbSJens Wiklander
1305817466cbSJens Wiklander goto cleanup;
1306817466cbSJens Wiklander }
1307817466cbSJens Wiklander
1308817466cbSJens Wiklander /* Unblinding value: Vf = random number, invertible mod N */
1309817466cbSJens Wiklander do {
131032b31808SJens Wiklander if (count++ > 10) {
13117901324dSJerome Forissier ret = MBEDTLS_ERR_RSA_RNG_FAILED;
13127901324dSJerome Forissier goto cleanup;
13137901324dSJerome Forissier }
1314817466cbSJens Wiklander
1315817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
1316817466cbSJens Wiklander
13177901324dSJerome Forissier /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
13187901324dSJerome Forissier MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
13197901324dSJerome Forissier MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
13207901324dSJerome Forissier MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
13217901324dSJerome Forissier
13227901324dSJerome Forissier /* At this point, Vi is invertible mod N if and only if both Vf and R
13237901324dSJerome Forissier * are invertible mod N. If one of them isn't, we don't need to know
13247901324dSJerome Forissier * which one, we just loop and choose new values for both of them.
13257901324dSJerome Forissier * (Each iteration succeeds with overwhelming probability.) */
13267901324dSJerome Forissier ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
132732b31808SJens Wiklander if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
13287901324dSJerome Forissier goto cleanup;
132932b31808SJens Wiklander }
13307901324dSJerome Forissier
13317901324dSJerome Forissier } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
13327901324dSJerome Forissier
13337901324dSJerome Forissier /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
13347901324dSJerome Forissier MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
13357901324dSJerome Forissier MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
13367901324dSJerome Forissier
13377901324dSJerome Forissier /* Blinding value: Vi = Vf^(-e) mod N
13387901324dSJerome Forissier * (Vi already contains Vf^-1 at this point) */
1339817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
1340817466cbSJens Wiklander
1341817466cbSJens Wiklander
1342817466cbSJens Wiklander cleanup:
13437901324dSJerome Forissier mbedtls_mpi_free(&R);
13447901324dSJerome Forissier
134532b31808SJens Wiklander return ret;
1346817466cbSJens Wiklander }
1347817466cbSJens Wiklander
1348817466cbSJens Wiklander /*
1349b0563631STom Van Eyck * Unblind
1350b0563631STom Van Eyck * T = T * Vf mod N
1351b0563631STom Van Eyck */
rsa_unblind(mbedtls_mpi * T,mbedtls_mpi * Vf,const mbedtls_mpi * N)1352b0563631STom Van Eyck static int rsa_unblind(mbedtls_mpi *T, mbedtls_mpi *Vf, const mbedtls_mpi *N)
1353b0563631STom Van Eyck {
1354b0563631STom Van Eyck int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1355b0563631STom Van Eyck const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
1356b0563631STom Van Eyck const size_t nlimbs = N->n;
1357b0563631STom Van Eyck const size_t tlimbs = mbedtls_mpi_core_montmul_working_limbs(nlimbs);
1358b0563631STom Van Eyck mbedtls_mpi RR, M_T;
1359b0563631STom Van Eyck
1360b0563631STom Van Eyck mbedtls_mpi_init(&RR);
1361b0563631STom Van Eyck mbedtls_mpi_init(&M_T);
1362b0563631STom Van Eyck
1363b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
1364b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&M_T, tlimbs));
1365b0563631STom Van Eyck
1366b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs));
1367b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs));
1368b0563631STom Van Eyck
1369b0563631STom Van Eyck /* T = T * Vf mod N
1370b0563631STom Van Eyck * Reminder: montmul(A, B, N) = A * B * R^-1 mod N
1371b0563631STom Van Eyck * Usually both operands are multiplied by R mod N beforehand (by calling
1372b0563631STom Van Eyck * `to_mont_rep()` on them), yielding a result that's also * R mod N (aka
1373b0563631STom Van Eyck * "in the Montgomery domain"). Here we only multiply one operand by R mod
1374b0563631STom Van Eyck * N, so the result is directly what we want - no need to call
1375b0563631STom Van Eyck * `from_mont_rep()` on it. */
1376b0563631STom Van Eyck mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p);
1377b0563631STom Van Eyck mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p);
1378b0563631STom Van Eyck
1379b0563631STom Van Eyck cleanup:
1380b0563631STom Van Eyck
1381b0563631STom Van Eyck mbedtls_mpi_free(&RR);
1382b0563631STom Van Eyck mbedtls_mpi_free(&M_T);
1383b0563631STom Van Eyck
1384b0563631STom Van Eyck return ret;
1385b0563631STom Van Eyck }
1386b0563631STom Van Eyck
1387b0563631STom Van Eyck /*
1388817466cbSJens Wiklander * Exponent blinding supposed to prevent side-channel attacks using multiple
1389817466cbSJens Wiklander * traces of measurements to recover the RSA key. The more collisions are there,
1390817466cbSJens Wiklander * the more bits of the key can be recovered. See [3].
1391817466cbSJens Wiklander *
1392817466cbSJens Wiklander * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
1393039e02dfSJerome Forissier * observations on average.
1394817466cbSJens Wiklander *
1395817466cbSJens Wiklander * For example with 28 byte blinding to achieve 2 collisions the adversary has
1396039e02dfSJerome Forissier * to make 2^112 observations on average.
1397817466cbSJens Wiklander *
1398817466cbSJens Wiklander * (With the currently (as of 2017 April) known best algorithms breaking 2048
1399817466cbSJens Wiklander * bit RSA requires approximately as much time as trying out 2^112 random keys.
1400817466cbSJens Wiklander * Thus in this sense with 28 byte blinding the security is not reduced by
1401817466cbSJens Wiklander * side-channel attacks like the one in [3])
1402817466cbSJens Wiklander *
1403817466cbSJens Wiklander * This countermeasure does not help if the key recovery is possible with a
1404817466cbSJens Wiklander * single trace.
1405817466cbSJens Wiklander */
1406817466cbSJens Wiklander #define RSA_EXPONENT_BLINDING 28
1407817466cbSJens Wiklander
1408817466cbSJens Wiklander /*
1409817466cbSJens Wiklander * Do an RSA private key operation
1410817466cbSJens Wiklander */
mbedtls_rsa_private(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * input,unsigned char * output)1411817466cbSJens Wiklander int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
1412817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
1413817466cbSJens Wiklander void *p_rng,
1414817466cbSJens Wiklander const unsigned char *input,
1415817466cbSJens Wiklander unsigned char *output)
1416817466cbSJens Wiklander {
141711fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1418817466cbSJens Wiklander size_t olen;
14193d3b0591SJens Wiklander
14203d3b0591SJens Wiklander /* Temporary holding the result */
14213d3b0591SJens Wiklander mbedtls_mpi T;
14223d3b0591SJens Wiklander
14233d3b0591SJens Wiklander /* Temporaries holding P-1, Q-1 and the
14243d3b0591SJens Wiklander * exponent blinding factor, respectively. */
1425817466cbSJens Wiklander mbedtls_mpi P1, Q1, R;
14263d3b0591SJens Wiklander
14273d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
14283d3b0591SJens Wiklander /* Temporaries holding the results mod p resp. mod q. */
14293d3b0591SJens Wiklander mbedtls_mpi TP, TQ;
14303d3b0591SJens Wiklander
14313d3b0591SJens Wiklander /* Temporaries holding the blinded exponents for
14323d3b0591SJens Wiklander * the mod p resp. mod q computation (if used). */
1433817466cbSJens Wiklander mbedtls_mpi DP_blind, DQ_blind;
14343d3b0591SJens Wiklander #else
14353d3b0591SJens Wiklander /* Temporary holding the blinded exponent (if used). */
14363d3b0591SJens Wiklander mbedtls_mpi D_blind;
14373d3b0591SJens Wiklander #endif /* MBEDTLS_RSA_NO_CRT */
14383d3b0591SJens Wiklander
14393d3b0591SJens Wiklander /* Temporaries holding the initial input and the double
14403d3b0591SJens Wiklander * checked result; should be the same in the end. */
1441b0563631STom Van Eyck mbedtls_mpi input_blinded, check_result_blinded;
14423d3b0591SJens Wiklander
144332b31808SJens Wiklander if (f_rng == NULL) {
144432b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
144532b31808SJens Wiklander }
14463d3b0591SJens Wiklander
14473d3b0591SJens Wiklander if (rsa_check_context(ctx, 1 /* private key checks */,
144832b31808SJens Wiklander 1 /* blinding on */) != 0) {
144932b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
14503d3b0591SJens Wiklander }
14513d3b0591SJens Wiklander
14523d3b0591SJens Wiklander #if defined(MBEDTLS_THREADING_C)
145332b31808SJens Wiklander if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
145432b31808SJens Wiklander return ret;
145532b31808SJens Wiklander }
1456817466cbSJens Wiklander #endif
1457817466cbSJens Wiklander
14583d3b0591SJens Wiklander /* MPI Initialization */
14593d3b0591SJens Wiklander mbedtls_mpi_init(&T);
1460817466cbSJens Wiklander
14613d3b0591SJens Wiklander mbedtls_mpi_init(&P1);
14623d3b0591SJens Wiklander mbedtls_mpi_init(&Q1);
14633d3b0591SJens Wiklander mbedtls_mpi_init(&R);
1464817466cbSJens Wiklander
1465817466cbSJens Wiklander #if defined(MBEDTLS_RSA_NO_CRT)
1466817466cbSJens Wiklander mbedtls_mpi_init(&D_blind);
1467817466cbSJens Wiklander #else
1468817466cbSJens Wiklander mbedtls_mpi_init(&DP_blind);
1469817466cbSJens Wiklander mbedtls_mpi_init(&DQ_blind);
1470817466cbSJens Wiklander #endif
1471817466cbSJens Wiklander
14723d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
14733d3b0591SJens Wiklander mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
1474817466cbSJens Wiklander #endif
1475817466cbSJens Wiklander
1476b0563631STom Van Eyck mbedtls_mpi_init(&input_blinded);
1477b0563631STom Van Eyck mbedtls_mpi_init(&check_result_blinded);
14783d3b0591SJens Wiklander
14793d3b0591SJens Wiklander /* End of MPI initialization */
14803d3b0591SJens Wiklander
1481817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
148232b31808SJens Wiklander if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
1483817466cbSJens Wiklander ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
1484817466cbSJens Wiklander goto cleanup;
1485817466cbSJens Wiklander }
1486817466cbSJens Wiklander
1487817466cbSJens Wiklander /*
1488817466cbSJens Wiklander * Blinding
1489817466cbSJens Wiklander * T = T * Vi mod N
1490817466cbSJens Wiklander */
1491817466cbSJens Wiklander MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
1492817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
1493817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
1494817466cbSJens Wiklander
1495b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&input_blinded, &T));
1496b0563631STom Van Eyck
1497817466cbSJens Wiklander /*
1498817466cbSJens Wiklander * Exponent blinding
1499817466cbSJens Wiklander */
1500817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
1501817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
1502817466cbSJens Wiklander
1503817466cbSJens Wiklander #if defined(MBEDTLS_RSA_NO_CRT)
1504817466cbSJens Wiklander /*
1505817466cbSJens Wiklander * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
1506817466cbSJens Wiklander */
1507817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
1508817466cbSJens Wiklander f_rng, p_rng));
1509817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
1510817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
1511817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
1512817466cbSJens Wiklander #else
1513817466cbSJens Wiklander /*
1514817466cbSJens Wiklander * DP_blind = ( P - 1 ) * R + DP
1515817466cbSJens Wiklander */
1516817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
1517817466cbSJens Wiklander f_rng, p_rng));
1518817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
1519817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
1520817466cbSJens Wiklander &ctx->DP));
1521817466cbSJens Wiklander
1522817466cbSJens Wiklander /*
1523817466cbSJens Wiklander * DQ_blind = ( Q - 1 ) * R + DQ
1524817466cbSJens Wiklander */
1525817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
1526817466cbSJens Wiklander f_rng, p_rng));
1527817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
1528817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
1529817466cbSJens Wiklander &ctx->DQ));
1530817466cbSJens Wiklander #endif /* MBEDTLS_RSA_NO_CRT */
1531817466cbSJens Wiklander
1532817466cbSJens Wiklander #if defined(MBEDTLS_RSA_NO_CRT)
1533b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &D_blind, &ctx->N, &ctx->RN));
1534817466cbSJens Wiklander #else
1535817466cbSJens Wiklander /*
1536817466cbSJens Wiklander * Faster decryption using the CRT
1537817466cbSJens Wiklander *
15383d3b0591SJens Wiklander * TP = input ^ dP mod P
15393d3b0591SJens Wiklander * TQ = input ^ dQ mod Q
1540817466cbSJens Wiklander */
15413d3b0591SJens Wiklander
1542b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, &DP_blind, &ctx->P, &ctx->RP));
1543b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, &DQ_blind, &ctx->Q, &ctx->RQ));
1544817466cbSJens Wiklander
1545817466cbSJens Wiklander /*
15463d3b0591SJens Wiklander * T = (TP - TQ) * (Q^-1 mod P) mod P
1547817466cbSJens Wiklander */
15483d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
15493d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
15503d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
1551817466cbSJens Wiklander
1552817466cbSJens Wiklander /*
15533d3b0591SJens Wiklander * T = TQ + T * Q
1554817466cbSJens Wiklander */
15553d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
15563d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
1557817466cbSJens Wiklander #endif /* MBEDTLS_RSA_NO_CRT */
1558817466cbSJens Wiklander
1559b0563631STom Van Eyck /* Verify the result to prevent glitching attacks. */
1560b0563631STom Van Eyck MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E,
1561b0563631STom Van Eyck &ctx->N, &ctx->RN));
1562b0563631STom Van Eyck if (mbedtls_mpi_cmp_mpi(&check_result_blinded, &input_blinded) != 0) {
1563b0563631STom Van Eyck ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1564b0563631STom Van Eyck goto cleanup;
1565b0563631STom Van Eyck }
1566b0563631STom Van Eyck
1567817466cbSJens Wiklander /*
1568817466cbSJens Wiklander * Unblind
1569817466cbSJens Wiklander * T = T * Vf mod N
1570817466cbSJens Wiklander */
1571b0563631STom Van Eyck MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
15723d3b0591SJens Wiklander
1573817466cbSJens Wiklander olen = ctx->len;
1574817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
1575817466cbSJens Wiklander
1576817466cbSJens Wiklander cleanup:
1577817466cbSJens Wiklander #if defined(MBEDTLS_THREADING_C)
157832b31808SJens Wiklander if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
157932b31808SJens Wiklander return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
158032b31808SJens Wiklander }
1581817466cbSJens Wiklander #endif
1582817466cbSJens Wiklander
15833d3b0591SJens Wiklander mbedtls_mpi_free(&P1);
15843d3b0591SJens Wiklander mbedtls_mpi_free(&Q1);
15853d3b0591SJens Wiklander mbedtls_mpi_free(&R);
1586817466cbSJens Wiklander
1587817466cbSJens Wiklander #if defined(MBEDTLS_RSA_NO_CRT)
1588817466cbSJens Wiklander mbedtls_mpi_free(&D_blind);
1589817466cbSJens Wiklander #else
1590817466cbSJens Wiklander mbedtls_mpi_free(&DP_blind);
1591817466cbSJens Wiklander mbedtls_mpi_free(&DQ_blind);
1592817466cbSJens Wiklander #endif
1593817466cbSJens Wiklander
15943d3b0591SJens Wiklander mbedtls_mpi_free(&T);
15953d3b0591SJens Wiklander
15963d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
15973d3b0591SJens Wiklander mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
15983d3b0591SJens Wiklander #endif
15993d3b0591SJens Wiklander
1600b0563631STom Van Eyck mbedtls_mpi_free(&check_result_blinded);
1601b0563631STom Van Eyck mbedtls_mpi_free(&input_blinded);
16023d3b0591SJens Wiklander
160332b31808SJens Wiklander if (ret != 0 && ret >= -0x007f) {
160432b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
160532b31808SJens Wiklander }
1606817466cbSJens Wiklander
160732b31808SJens Wiklander return ret;
1608817466cbSJens Wiklander }
1609817466cbSJens Wiklander
1610817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
1611817466cbSJens Wiklander /**
1612817466cbSJens Wiklander * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1613817466cbSJens Wiklander *
1614817466cbSJens Wiklander * \param dst buffer to mask
1615817466cbSJens Wiklander * \param dlen length of destination buffer
1616817466cbSJens Wiklander * \param src source of the mask generation
1617817466cbSJens Wiklander * \param slen length of the source buffer
161832b31808SJens Wiklander * \param md_alg message digest to use
1619817466cbSJens Wiklander */
mgf_mask(unsigned char * dst,size_t dlen,unsigned char * src,size_t slen,mbedtls_md_type_t md_alg)16203d3b0591SJens Wiklander static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
162132b31808SJens Wiklander size_t slen, mbedtls_md_type_t md_alg)
1622817466cbSJens Wiklander {
1623817466cbSJens Wiklander unsigned char counter[4];
1624817466cbSJens Wiklander unsigned char *p;
1625817466cbSJens Wiklander unsigned int hlen;
1626817466cbSJens Wiklander size_t i, use_len;
1627b0563631STom Van Eyck unsigned char mask[MBEDTLS_MD_MAX_SIZE];
16283d3b0591SJens Wiklander int ret = 0;
162932b31808SJens Wiklander const mbedtls_md_info_t *md_info;
163032b31808SJens Wiklander mbedtls_md_context_t md_ctx;
1631817466cbSJens Wiklander
163232b31808SJens Wiklander mbedtls_md_init(&md_ctx);
163332b31808SJens Wiklander md_info = mbedtls_md_info_from_type(md_alg);
163432b31808SJens Wiklander if (md_info == NULL) {
163532b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
163632b31808SJens Wiklander }
163732b31808SJens Wiklander
163832b31808SJens Wiklander mbedtls_md_init(&md_ctx);
163932b31808SJens Wiklander if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
164032b31808SJens Wiklander goto exit;
164132b31808SJens Wiklander }
164232b31808SJens Wiklander
164332b31808SJens Wiklander hlen = mbedtls_md_get_size(md_info);
164432b31808SJens Wiklander
164532b31808SJens Wiklander memset(mask, 0, sizeof(mask));
1646817466cbSJens Wiklander memset(counter, 0, 4);
1647817466cbSJens Wiklander
1648817466cbSJens Wiklander /* Generate and apply dbMask */
1649817466cbSJens Wiklander p = dst;
1650817466cbSJens Wiklander
165132b31808SJens Wiklander while (dlen > 0) {
1652817466cbSJens Wiklander use_len = hlen;
165332b31808SJens Wiklander if (dlen < hlen) {
1654817466cbSJens Wiklander use_len = dlen;
165532b31808SJens Wiklander }
1656817466cbSJens Wiklander
165732b31808SJens Wiklander if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
16583d3b0591SJens Wiklander goto exit;
165932b31808SJens Wiklander }
166032b31808SJens Wiklander if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
16613d3b0591SJens Wiklander goto exit;
166232b31808SJens Wiklander }
166332b31808SJens Wiklander if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
16643d3b0591SJens Wiklander goto exit;
166532b31808SJens Wiklander }
166632b31808SJens Wiklander if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
16673d3b0591SJens Wiklander goto exit;
166832b31808SJens Wiklander }
1669817466cbSJens Wiklander
167032b31808SJens Wiklander for (i = 0; i < use_len; ++i) {
1671817466cbSJens Wiklander *p++ ^= mask[i];
167232b31808SJens Wiklander }
1673817466cbSJens Wiklander
1674817466cbSJens Wiklander counter[3]++;
1675817466cbSJens Wiklander
1676817466cbSJens Wiklander dlen -= use_len;
1677817466cbSJens Wiklander }
1678817466cbSJens Wiklander
16793d3b0591SJens Wiklander exit:
16803d3b0591SJens Wiklander mbedtls_platform_zeroize(mask, sizeof(mask));
168132b31808SJens Wiklander mbedtls_md_free(&md_ctx);
16823d3b0591SJens Wiklander
168332b31808SJens Wiklander return ret;
168432b31808SJens Wiklander }
168532b31808SJens Wiklander
168632b31808SJens Wiklander /**
168732b31808SJens Wiklander * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
168832b31808SJens Wiklander *
168932b31808SJens Wiklander * \param hash the input hash
169032b31808SJens Wiklander * \param hlen length of the input hash
169132b31808SJens Wiklander * \param salt the input salt
169232b31808SJens Wiklander * \param slen length of the input salt
169332b31808SJens Wiklander * \param out the output buffer - must be large enough for \p md_alg
169432b31808SJens Wiklander * \param md_alg message digest to use
169532b31808SJens Wiklander */
hash_mprime(const unsigned char * hash,size_t hlen,const unsigned char * salt,size_t slen,unsigned char * out,mbedtls_md_type_t md_alg)169632b31808SJens Wiklander static int hash_mprime(const unsigned char *hash, size_t hlen,
169732b31808SJens Wiklander const unsigned char *salt, size_t slen,
169832b31808SJens Wiklander unsigned char *out, mbedtls_md_type_t md_alg)
169932b31808SJens Wiklander {
170032b31808SJens Wiklander const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
170132b31808SJens Wiklander
170232b31808SJens Wiklander mbedtls_md_context_t md_ctx;
170332b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
170432b31808SJens Wiklander
170532b31808SJens Wiklander const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
170632b31808SJens Wiklander if (md_info == NULL) {
170732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
170832b31808SJens Wiklander }
170932b31808SJens Wiklander
171032b31808SJens Wiklander mbedtls_md_init(&md_ctx);
171132b31808SJens Wiklander if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
171232b31808SJens Wiklander goto exit;
171332b31808SJens Wiklander }
171432b31808SJens Wiklander if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
171532b31808SJens Wiklander goto exit;
171632b31808SJens Wiklander }
171732b31808SJens Wiklander if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
171832b31808SJens Wiklander goto exit;
171932b31808SJens Wiklander }
172032b31808SJens Wiklander if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
172132b31808SJens Wiklander goto exit;
172232b31808SJens Wiklander }
172332b31808SJens Wiklander if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
172432b31808SJens Wiklander goto exit;
172532b31808SJens Wiklander }
172632b31808SJens Wiklander if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
172732b31808SJens Wiklander goto exit;
172832b31808SJens Wiklander }
172932b31808SJens Wiklander
173032b31808SJens Wiklander exit:
173132b31808SJens Wiklander mbedtls_md_free(&md_ctx);
173232b31808SJens Wiklander
173332b31808SJens Wiklander return ret;
173432b31808SJens Wiklander }
173532b31808SJens Wiklander
173632b31808SJens Wiklander /**
173732b31808SJens Wiklander * Compute a hash.
173832b31808SJens Wiklander *
173932b31808SJens Wiklander * \param md_alg algorithm to use
174032b31808SJens Wiklander * \param input input message to hash
174132b31808SJens Wiklander * \param ilen input length
174232b31808SJens Wiklander * \param output the output buffer - must be large enough for \p md_alg
174332b31808SJens Wiklander */
compute_hash(mbedtls_md_type_t md_alg,const unsigned char * input,size_t ilen,unsigned char * output)174432b31808SJens Wiklander static int compute_hash(mbedtls_md_type_t md_alg,
174532b31808SJens Wiklander const unsigned char *input, size_t ilen,
174632b31808SJens Wiklander unsigned char *output)
174732b31808SJens Wiklander {
174832b31808SJens Wiklander const mbedtls_md_info_t *md_info;
174932b31808SJens Wiklander
175032b31808SJens Wiklander md_info = mbedtls_md_info_from_type(md_alg);
175132b31808SJens Wiklander if (md_info == NULL) {
175232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
175332b31808SJens Wiklander }
175432b31808SJens Wiklander
175532b31808SJens Wiklander return mbedtls_md(md_info, input, ilen, output);
1756817466cbSJens Wiklander }
1757817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
1758817466cbSJens Wiklander
1759817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
1760817466cbSJens Wiklander /*
1761817466cbSJens Wiklander * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1762817466cbSJens Wiklander */
mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * label,size_t label_len,size_t ilen,const unsigned char * input,unsigned char * output)1763817466cbSJens Wiklander int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
1764817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
1765817466cbSJens Wiklander void *p_rng,
1766817466cbSJens Wiklander const unsigned char *label, size_t label_len,
1767817466cbSJens Wiklander size_t ilen,
1768817466cbSJens Wiklander const unsigned char *input,
1769817466cbSJens Wiklander unsigned char *output)
1770817466cbSJens Wiklander {
1771817466cbSJens Wiklander size_t olen;
177211fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1773817466cbSJens Wiklander unsigned char *p = output;
1774817466cbSJens Wiklander unsigned int hlen;
1775817466cbSJens Wiklander
177632b31808SJens Wiklander if (f_rng == NULL) {
177732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
177832b31808SJens Wiklander }
17793d3b0591SJens Wiklander
1780b0563631STom Van Eyck hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
178132b31808SJens Wiklander if (hlen == 0) {
178232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
178332b31808SJens Wiklander }
1784817466cbSJens Wiklander
1785817466cbSJens Wiklander olen = ctx->len;
1786817466cbSJens Wiklander
1787817466cbSJens Wiklander /* first comparison checks for overflow */
178832b31808SJens Wiklander if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
178932b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
179032b31808SJens Wiklander }
1791817466cbSJens Wiklander
1792817466cbSJens Wiklander memset(output, 0, olen);
1793817466cbSJens Wiklander
1794817466cbSJens Wiklander *p++ = 0;
1795817466cbSJens Wiklander
1796817466cbSJens Wiklander /* Generate a random octet string seed */
179732b31808SJens Wiklander if ((ret = f_rng(p_rng, p, hlen)) != 0) {
179832b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
179932b31808SJens Wiklander }
1800817466cbSJens Wiklander
1801817466cbSJens Wiklander p += hlen;
1802817466cbSJens Wiklander
1803817466cbSJens Wiklander /* Construct DB */
180432b31808SJens Wiklander ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
180532b31808SJens Wiklander if (ret != 0) {
180632b31808SJens Wiklander return ret;
180732b31808SJens Wiklander }
1808817466cbSJens Wiklander p += hlen;
1809817466cbSJens Wiklander p += olen - 2 * hlen - 2 - ilen;
1810817466cbSJens Wiklander *p++ = 1;
181132b31808SJens Wiklander if (ilen != 0) {
1812817466cbSJens Wiklander memcpy(p, input, ilen);
181332b31808SJens Wiklander }
1814817466cbSJens Wiklander
1815817466cbSJens Wiklander /* maskedDB: Apply dbMask to DB */
18163d3b0591SJens Wiklander if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1817b0563631STom Van Eyck (mbedtls_md_type_t) ctx->hash_id)) != 0) {
181832b31808SJens Wiklander return ret;
181932b31808SJens Wiklander }
1820817466cbSJens Wiklander
1821817466cbSJens Wiklander /* maskedSeed: Apply seedMask to seed */
18223d3b0591SJens Wiklander if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1823b0563631STom Van Eyck (mbedtls_md_type_t) ctx->hash_id)) != 0) {
182432b31808SJens Wiklander return ret;
182532b31808SJens Wiklander }
1826817466cbSJens Wiklander
182732b31808SJens Wiklander return mbedtls_rsa_public(ctx, output, output);
1828817466cbSJens Wiklander }
1829817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
1830817466cbSJens Wiklander
1831817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
1832817466cbSJens Wiklander /*
1833817466cbSJens Wiklander * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1834817466cbSJens Wiklander */
mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t ilen,const unsigned char * input,unsigned char * output)1835817466cbSJens Wiklander int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
1836817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
183732b31808SJens Wiklander void *p_rng, size_t ilen,
1838817466cbSJens Wiklander const unsigned char *input,
1839817466cbSJens Wiklander unsigned char *output)
1840817466cbSJens Wiklander {
1841817466cbSJens Wiklander size_t nb_pad, olen;
184211fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1843817466cbSJens Wiklander unsigned char *p = output;
1844817466cbSJens Wiklander
1845817466cbSJens Wiklander olen = ctx->len;
1846817466cbSJens Wiklander
1847817466cbSJens Wiklander /* first comparison checks for overflow */
184832b31808SJens Wiklander if (ilen + 11 < ilen || olen < ilen + 11) {
184932b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
185032b31808SJens Wiklander }
1851817466cbSJens Wiklander
1852817466cbSJens Wiklander nb_pad = olen - 3 - ilen;
1853817466cbSJens Wiklander
1854817466cbSJens Wiklander *p++ = 0;
185532b31808SJens Wiklander
185632b31808SJens Wiklander if (f_rng == NULL) {
185732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
185832b31808SJens Wiklander }
18593d3b0591SJens Wiklander
1860817466cbSJens Wiklander *p++ = MBEDTLS_RSA_CRYPT;
1861817466cbSJens Wiklander
186232b31808SJens Wiklander while (nb_pad-- > 0) {
1863817466cbSJens Wiklander int rng_dl = 100;
1864817466cbSJens Wiklander
1865817466cbSJens Wiklander do {
1866817466cbSJens Wiklander ret = f_rng(p_rng, p, 1);
1867817466cbSJens Wiklander } while (*p == 0 && --rng_dl && ret == 0);
1868817466cbSJens Wiklander
1869817466cbSJens Wiklander /* Check if RNG failed to generate data */
187032b31808SJens Wiklander if (rng_dl == 0 || ret != 0) {
187132b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
187232b31808SJens Wiklander }
1873817466cbSJens Wiklander
1874817466cbSJens Wiklander p++;
1875817466cbSJens Wiklander }
1876817466cbSJens Wiklander
1877817466cbSJens Wiklander *p++ = 0;
187832b31808SJens Wiklander if (ilen != 0) {
1879817466cbSJens Wiklander memcpy(p, input, ilen);
188032b31808SJens Wiklander }
1881817466cbSJens Wiklander
188232b31808SJens Wiklander return mbedtls_rsa_public(ctx, output, output);
1883817466cbSJens Wiklander }
1884817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */
1885817466cbSJens Wiklander
1886817466cbSJens Wiklander /*
1887817466cbSJens Wiklander * Add the message padding, then do an RSA operation
1888817466cbSJens Wiklander */
mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t ilen,const unsigned char * input,unsigned char * output)1889817466cbSJens Wiklander int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
1890817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
1891817466cbSJens Wiklander void *p_rng,
189232b31808SJens Wiklander size_t ilen,
1893817466cbSJens Wiklander const unsigned char *input,
1894817466cbSJens Wiklander unsigned char *output)
1895817466cbSJens Wiklander {
189632b31808SJens Wiklander switch (ctx->padding) {
1897817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
1898817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V15:
189932b31808SJens Wiklander return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
190032b31808SJens Wiklander ilen, input, output);
1901817466cbSJens Wiklander #endif
1902817466cbSJens Wiklander
1903817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
1904817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V21:
190532b31808SJens Wiklander return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
1906817466cbSJens Wiklander ilen, input, output);
1907817466cbSJens Wiklander #endif
1908817466cbSJens Wiklander
1909817466cbSJens Wiklander default:
191032b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
1911817466cbSJens Wiklander }
1912817466cbSJens Wiklander }
1913817466cbSJens Wiklander
1914817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
1915817466cbSJens Wiklander /*
1916817466cbSJens Wiklander * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1917817466cbSJens Wiklander */
mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * label,size_t label_len,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1918817466cbSJens Wiklander int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
1919817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
1920817466cbSJens Wiklander void *p_rng,
1921817466cbSJens Wiklander const unsigned char *label, size_t label_len,
1922817466cbSJens Wiklander size_t *olen,
1923817466cbSJens Wiklander const unsigned char *input,
1924817466cbSJens Wiklander unsigned char *output,
1925817466cbSJens Wiklander size_t output_max_len)
1926817466cbSJens Wiklander {
192711fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1928817466cbSJens Wiklander size_t ilen, i, pad_len;
1929b0563631STom Van Eyck unsigned char *p;
1930b0563631STom Van Eyck mbedtls_ct_condition_t bad, in_padding;
1931817466cbSJens Wiklander unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1932b0563631STom Van Eyck unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
1933817466cbSJens Wiklander unsigned int hlen;
19343d3b0591SJens Wiklander
1935817466cbSJens Wiklander /*
1936817466cbSJens Wiklander * Parameters sanity checks
1937817466cbSJens Wiklander */
193832b31808SJens Wiklander if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
193932b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
194032b31808SJens Wiklander }
1941817466cbSJens Wiklander
1942817466cbSJens Wiklander ilen = ctx->len;
1943817466cbSJens Wiklander
194432b31808SJens Wiklander if (ilen < 16 || ilen > sizeof(buf)) {
194532b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
194632b31808SJens Wiklander }
1947817466cbSJens Wiklander
1948b0563631STom Van Eyck hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
194932b31808SJens Wiklander if (hlen == 0) {
195032b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
195132b31808SJens Wiklander }
1952817466cbSJens Wiklander
1953817466cbSJens Wiklander // checking for integer underflow
195432b31808SJens Wiklander if (2 * hlen + 2 > ilen) {
195532b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
195632b31808SJens Wiklander }
1957817466cbSJens Wiklander
1958817466cbSJens Wiklander /*
1959817466cbSJens Wiklander * RSA operation
1960817466cbSJens Wiklander */
19618452b181SSummer Qin if( ctx->P.n == 0 )
196232b31808SJens Wiklander ret = mbedtls_rsa_private( ctx, NULL, NULL, input, buf );
19638452b181SSummer Qin else
196432b31808SJens Wiklander ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
1965817466cbSJens Wiklander
196632b31808SJens Wiklander if (ret != 0) {
1967817466cbSJens Wiklander goto cleanup;
196832b31808SJens Wiklander }
1969817466cbSJens Wiklander
1970817466cbSJens Wiklander /*
1971817466cbSJens Wiklander * Unmask data and generate lHash
1972817466cbSJens Wiklander */
1973817466cbSJens Wiklander /* seed: Apply seedMask to maskedSeed */
19743d3b0591SJens Wiklander if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1975b0563631STom Van Eyck (mbedtls_md_type_t) ctx->hash_id)) != 0 ||
1976817466cbSJens Wiklander /* DB: Apply dbMask to maskedDB */
19773d3b0591SJens Wiklander (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1978b0563631STom Van Eyck (mbedtls_md_type_t) ctx->hash_id)) != 0) {
19793d3b0591SJens Wiklander goto cleanup;
19803d3b0591SJens Wiklander }
1981817466cbSJens Wiklander
19823d3b0591SJens Wiklander /* Generate lHash */
198332b31808SJens Wiklander ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
198432b31808SJens Wiklander label, label_len, lhash);
198532b31808SJens Wiklander if (ret != 0) {
19863d3b0591SJens Wiklander goto cleanup;
198732b31808SJens Wiklander }
19883d3b0591SJens Wiklander
1989817466cbSJens Wiklander /*
1990817466cbSJens Wiklander * Check contents, in "constant-time"
1991817466cbSJens Wiklander */
1992817466cbSJens Wiklander p = buf;
1993817466cbSJens Wiklander
1994b0563631STom Van Eyck bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */
1995817466cbSJens Wiklander
1996817466cbSJens Wiklander p += hlen; /* Skip seed */
1997817466cbSJens Wiklander
1998817466cbSJens Wiklander /* Check lHash */
1999b0563631STom Van Eyck bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen)));
2000b0563631STom Van Eyck p += hlen;
2001817466cbSJens Wiklander
2002817466cbSJens Wiklander /* Get zero-padding len, but always read till end of buffer
2003817466cbSJens Wiklander * (minus one, for the 01 byte) */
2004817466cbSJens Wiklander pad_len = 0;
2005b0563631STom Van Eyck in_padding = MBEDTLS_CT_TRUE;
200632b31808SJens Wiklander for (i = 0; i < ilen - 2 * hlen - 2; i++) {
2007b0563631STom Van Eyck in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_uint_eq(p[i], 0));
2008b0563631STom Van Eyck pad_len += mbedtls_ct_uint_if_else_0(in_padding, 1);
2009817466cbSJens Wiklander }
2010817466cbSJens Wiklander
2011817466cbSJens Wiklander p += pad_len;
2012b0563631STom Van Eyck bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01));
2013817466cbSJens Wiklander
2014817466cbSJens Wiklander /*
2015817466cbSJens Wiklander * The only information "leaked" is whether the padding was correct or not
2016817466cbSJens Wiklander * (eg, no data is copied if it was not correct). This meets the
2017817466cbSJens Wiklander * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
2018817466cbSJens Wiklander * the different error conditions.
2019817466cbSJens Wiklander */
2020b0563631STom Van Eyck if (bad != MBEDTLS_CT_FALSE) {
2021817466cbSJens Wiklander ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2022817466cbSJens Wiklander goto cleanup;
2023817466cbSJens Wiklander }
2024817466cbSJens Wiklander
2025b0563631STom Van Eyck if (ilen - ((size_t) (p - buf)) > output_max_len) {
2026817466cbSJens Wiklander ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
2027817466cbSJens Wiklander goto cleanup;
2028817466cbSJens Wiklander }
2029817466cbSJens Wiklander
2030b0563631STom Van Eyck *olen = ilen - ((size_t) (p - buf));
203132b31808SJens Wiklander if (*olen != 0) {
2032817466cbSJens Wiklander memcpy(output, p, *olen);
203332b31808SJens Wiklander }
2034817466cbSJens Wiklander ret = 0;
2035817466cbSJens Wiklander
2036817466cbSJens Wiklander cleanup:
20373d3b0591SJens Wiklander mbedtls_platform_zeroize(buf, sizeof(buf));
20383d3b0591SJens Wiklander mbedtls_platform_zeroize(lhash, sizeof(lhash));
2039817466cbSJens Wiklander
204032b31808SJens Wiklander return ret;
2041817466cbSJens Wiklander }
2042817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
2043817466cbSJens Wiklander
2044817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2045817466cbSJens Wiklander /*
2046817466cbSJens Wiklander * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
2047817466cbSJens Wiklander */
mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)2048817466cbSJens Wiklander int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
2049817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
2050817466cbSJens Wiklander void *p_rng,
2051039e02dfSJerome Forissier size_t *olen,
2052817466cbSJens Wiklander const unsigned char *input,
2053817466cbSJens Wiklander unsigned char *output,
2054817466cbSJens Wiklander size_t output_max_len)
2055817466cbSJens Wiklander {
205611fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2057039e02dfSJerome Forissier size_t ilen;
2058817466cbSJens Wiklander unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
20593d3b0591SJens Wiklander
20603d3b0591SJens Wiklander ilen = ctx->len;
2061817466cbSJens Wiklander
206232b31808SJens Wiklander if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
206332b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
206432b31808SJens Wiklander }
2065817466cbSJens Wiklander
206632b31808SJens Wiklander if (ilen < 16 || ilen > sizeof(buf)) {
206732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
206832b31808SJens Wiklander }
2069817466cbSJens Wiklander
207032b31808SJens Wiklander ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
2071817466cbSJens Wiklander
207232b31808SJens Wiklander if (ret != 0) {
2073817466cbSJens Wiklander goto cleanup;
207432b31808SJens Wiklander }
2075817466cbSJens Wiklander
207632b31808SJens Wiklander ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
2077039e02dfSJerome Forissier output, output_max_len, olen);
2078817466cbSJens Wiklander
2079817466cbSJens Wiklander cleanup:
20803d3b0591SJens Wiklander mbedtls_platform_zeroize(buf, sizeof(buf));
2081817466cbSJens Wiklander
208232b31808SJens Wiklander return ret;
2083817466cbSJens Wiklander }
2084817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */
2085817466cbSJens Wiklander
2086817466cbSJens Wiklander /*
2087817466cbSJens Wiklander * Do an RSA operation, then remove the message padding
2088817466cbSJens Wiklander */
mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)2089817466cbSJens Wiklander int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
2090817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
2091817466cbSJens Wiklander void *p_rng,
209232b31808SJens Wiklander size_t *olen,
2093817466cbSJens Wiklander const unsigned char *input,
2094817466cbSJens Wiklander unsigned char *output,
2095817466cbSJens Wiklander size_t output_max_len)
2096817466cbSJens Wiklander {
209732b31808SJens Wiklander switch (ctx->padding) {
2098817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2099817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V15:
210032b31808SJens Wiklander return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
2101817466cbSJens Wiklander input, output, output_max_len);
2102817466cbSJens Wiklander #endif
2103817466cbSJens Wiklander
2104817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
2105817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V21:
210632b31808SJens Wiklander return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
2107817466cbSJens Wiklander olen, input, output,
2108817466cbSJens Wiklander output_max_len);
2109817466cbSJens Wiklander #endif
2110817466cbSJens Wiklander
2111817466cbSJens Wiklander default:
211232b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
2113817466cbSJens Wiklander }
2114817466cbSJens Wiklander }
2115817466cbSJens Wiklander
2116817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)2117b0563631STom Van Eyck static int rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
2118817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
2119817466cbSJens Wiklander void *p_rng,
2120817466cbSJens Wiklander mbedtls_md_type_t md_alg,
2121817466cbSJens Wiklander unsigned int hashlen,
2122817466cbSJens Wiklander const unsigned char *hash,
21237901324dSJerome Forissier int saltlen,
2124817466cbSJens Wiklander unsigned char *sig)
2125817466cbSJens Wiklander {
2126817466cbSJens Wiklander size_t olen;
2127817466cbSJens Wiklander unsigned char *p = sig;
21287901324dSJerome Forissier unsigned char *salt = NULL;
21293d3b0591SJens Wiklander size_t slen, min_slen, hlen, offset = 0;
213011fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2131817466cbSJens Wiklander size_t msb;
2132b0563631STom Van Eyck mbedtls_md_type_t hash_id;
2133817466cbSJens Wiklander
213432b31808SJens Wiklander if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
213532b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
213632b31808SJens Wiklander }
2137817466cbSJens Wiklander
213832b31808SJens Wiklander if (f_rng == NULL) {
213932b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
214032b31808SJens Wiklander }
2141817466cbSJens Wiklander
2142817466cbSJens Wiklander olen = ctx->len;
2143817466cbSJens Wiklander
214432b31808SJens Wiklander if (md_alg != MBEDTLS_MD_NONE) {
2145817466cbSJens Wiklander /* Gather length of hash to sign */
2146b0563631STom Van Eyck size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
214732b31808SJens Wiklander if (exp_hashlen == 0) {
214832b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2149817466cbSJens Wiklander }
2150817466cbSJens Wiklander
215132b31808SJens Wiklander if (hashlen != exp_hashlen) {
215232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
215332b31808SJens Wiklander }
215432b31808SJens Wiklander }
2155817466cbSJens Wiklander
2156b0563631STom Van Eyck hash_id = (mbedtls_md_type_t) ctx->hash_id;
2157b0563631STom Van Eyck if (hash_id == MBEDTLS_MD_NONE) {
2158b0563631STom Van Eyck hash_id = md_alg;
2159b0563631STom Van Eyck }
2160b0563631STom Van Eyck hlen = mbedtls_md_get_size_from_type(hash_id);
216132b31808SJens Wiklander if (hlen == 0) {
216232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
216332b31808SJens Wiklander }
2164817466cbSJens Wiklander
216532b31808SJens Wiklander if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
21667901324dSJerome Forissier /* Calculate the largest possible salt length, up to the hash size.
21677901324dSJerome Forissier * Normally this is the hash length, which is the maximum salt length
21687901324dSJerome Forissier * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
21693d3b0591SJens Wiklander * enough room, use the maximum salt length that fits. The constraint is
21703d3b0591SJens Wiklander * that the hash length plus the salt length plus 2 bytes must be at most
21713d3b0591SJens Wiklander * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
21723d3b0591SJens Wiklander * (PKCS#1 v2.2) §9.1.1 step 3. */
21733d3b0591SJens Wiklander min_slen = hlen - 2;
217432b31808SJens Wiklander if (olen < hlen + min_slen + 2) {
217532b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
217632b31808SJens Wiklander } else if (olen >= hlen + hlen + 2) {
21773d3b0591SJens Wiklander slen = hlen;
217832b31808SJens Wiklander } else {
21793d3b0591SJens Wiklander slen = olen - hlen - 2;
21807901324dSJerome Forissier }
218132b31808SJens Wiklander } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
218232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
218332b31808SJens Wiklander } else {
21847901324dSJerome Forissier slen = (size_t) saltlen;
21857901324dSJerome Forissier }
2186817466cbSJens Wiklander
2187817466cbSJens Wiklander memset(sig, 0, olen);
2188817466cbSJens Wiklander
2189817466cbSJens Wiklander /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
2190817466cbSJens Wiklander msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
21913d3b0591SJens Wiklander p += olen - hlen - slen - 2;
2192817466cbSJens Wiklander *p++ = 0x01;
21937901324dSJerome Forissier
21947901324dSJerome Forissier /* Generate salt of length slen in place in the encoded message */
21957901324dSJerome Forissier salt = p;
219632b31808SJens Wiklander if ((ret = f_rng(p_rng, salt, slen)) != 0) {
219732b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
219832b31808SJens Wiklander }
21997901324dSJerome Forissier
2200817466cbSJens Wiklander p += slen;
2201817466cbSJens Wiklander
2202817466cbSJens Wiklander /* Generate H = Hash( M' ) */
2203b0563631STom Van Eyck ret = hash_mprime(hash, hashlen, salt, slen, p, hash_id);
220432b31808SJens Wiklander if (ret != 0) {
220532b31808SJens Wiklander return ret;
220632b31808SJens Wiklander }
2207817466cbSJens Wiklander
2208817466cbSJens Wiklander /* Compensate for boundary condition when applying mask */
220932b31808SJens Wiklander if (msb % 8 == 0) {
2210817466cbSJens Wiklander offset = 1;
221132b31808SJens Wiklander }
2212817466cbSJens Wiklander
2213817466cbSJens Wiklander /* maskedDB: Apply dbMask to DB */
2214b0563631STom Van Eyck ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen, hash_id);
221532b31808SJens Wiklander if (ret != 0) {
221632b31808SJens Wiklander return ret;
221732b31808SJens Wiklander }
2218817466cbSJens Wiklander
2219817466cbSJens Wiklander msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
2220817466cbSJens Wiklander sig[0] &= 0xFF >> (olen * 8 - msb);
2221817466cbSJens Wiklander
2222817466cbSJens Wiklander p += hlen;
2223817466cbSJens Wiklander *p++ = 0xBC;
2224817466cbSJens Wiklander
22258452b181SSummer Qin if (ctx->P.n == 0)
222632b31808SJens Wiklander return mbedtls_rsa_private(ctx, NULL, NULL, sig, sig);
222732b31808SJens Wiklander
222832b31808SJens Wiklander return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
2229817466cbSJens Wiklander }
22307901324dSJerome Forissier
rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)2231b0563631STom Van Eyck static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
2232b0563631STom Van Eyck int (*f_rng)(void *, unsigned char *, size_t),
2233b0563631STom Van Eyck void *p_rng,
2234b0563631STom Van Eyck mbedtls_md_type_t md_alg,
2235b0563631STom Van Eyck unsigned int hashlen,
2236b0563631STom Van Eyck const unsigned char *hash,
2237b0563631STom Van Eyck int saltlen,
2238b0563631STom Van Eyck unsigned char *sig)
2239b0563631STom Van Eyck {
2240b0563631STom Van Eyck if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
2241b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2242b0563631STom Van Eyck }
2243b0563631STom Van Eyck if ((ctx->hash_id == MBEDTLS_MD_NONE) && (md_alg == MBEDTLS_MD_NONE)) {
2244b0563631STom Van Eyck return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2245b0563631STom Van Eyck }
2246b0563631STom Van Eyck return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg, hashlen, hash, saltlen,
2247b0563631STom Van Eyck sig);
2248b0563631STom Van Eyck }
2249b0563631STom Van Eyck
mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)2250b0563631STom Van Eyck int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
2251b0563631STom Van Eyck int (*f_rng)(void *, unsigned char *, size_t),
2252b0563631STom Van Eyck void *p_rng,
2253b0563631STom Van Eyck mbedtls_md_type_t md_alg,
2254b0563631STom Van Eyck unsigned int hashlen,
2255b0563631STom Van Eyck const unsigned char *hash,
2256b0563631STom Van Eyck unsigned char *sig)
2257b0563631STom Van Eyck {
2258b0563631STom Van Eyck return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg,
2259b0563631STom Van Eyck hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
2260b0563631STom Van Eyck }
2261b0563631STom Van Eyck
22627901324dSJerome Forissier /*
22637901324dSJerome Forissier * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
22647901324dSJerome Forissier * the option to pass in the salt length.
22657901324dSJerome Forissier */
mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)22667901324dSJerome Forissier int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
22677901324dSJerome Forissier int (*f_rng)(void *, unsigned char *, size_t),
22687901324dSJerome Forissier void *p_rng,
22697901324dSJerome Forissier mbedtls_md_type_t md_alg,
22707901324dSJerome Forissier unsigned int hashlen,
22717901324dSJerome Forissier const unsigned char *hash,
22727901324dSJerome Forissier int saltlen,
22737901324dSJerome Forissier unsigned char *sig)
22747901324dSJerome Forissier {
227532b31808SJens Wiklander return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
22767901324dSJerome Forissier hashlen, hash, saltlen, sig);
22777901324dSJerome Forissier }
22787901324dSJerome Forissier
22797901324dSJerome Forissier /*
22807901324dSJerome Forissier * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
22817901324dSJerome Forissier */
mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)22827901324dSJerome Forissier int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
22837901324dSJerome Forissier int (*f_rng)(void *, unsigned char *, size_t),
22847901324dSJerome Forissier void *p_rng,
22857901324dSJerome Forissier mbedtls_md_type_t md_alg,
22867901324dSJerome Forissier unsigned int hashlen,
22877901324dSJerome Forissier const unsigned char *hash,
22887901324dSJerome Forissier unsigned char *sig)
22897901324dSJerome Forissier {
229032b31808SJens Wiklander return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
22917901324dSJerome Forissier hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
22927901324dSJerome Forissier }
2293817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
2294817466cbSJens Wiklander
2295817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2296817466cbSJens Wiklander /*
2297817466cbSJens Wiklander * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
2298817466cbSJens Wiklander */
22993d3b0591SJens Wiklander
23003d3b0591SJens Wiklander /* Construct a PKCS v1.5 encoding of a hashed message
23013d3b0591SJens Wiklander *
23023d3b0591SJens Wiklander * This is used both for signature generation and verification.
23033d3b0591SJens Wiklander *
23043d3b0591SJens Wiklander * Parameters:
23053d3b0591SJens Wiklander * - md_alg: Identifies the hash algorithm used to generate the given hash;
23063d3b0591SJens Wiklander * MBEDTLS_MD_NONE if raw data is signed.
230732b31808SJens Wiklander * - hashlen: Length of hash. Must match md_alg if that's not NONE.
23083d3b0591SJens Wiklander * - hash: Buffer containing the hashed message or the raw data.
23093d3b0591SJens Wiklander * - dst_len: Length of the encoded message.
23103d3b0591SJens Wiklander * - dst: Buffer to hold the encoded message.
23113d3b0591SJens Wiklander *
23123d3b0591SJens Wiklander * Assumptions:
231332b31808SJens Wiklander * - hash has size hashlen.
23143d3b0591SJens Wiklander * - dst points to a buffer of size at least dst_len.
23153d3b0591SJens Wiklander *
23163d3b0591SJens Wiklander */
rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,size_t dst_len,unsigned char * dst)23173d3b0591SJens Wiklander static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
23183d3b0591SJens Wiklander unsigned int hashlen,
23193d3b0591SJens Wiklander const unsigned char *hash,
23203d3b0591SJens Wiklander size_t dst_len,
23213d3b0591SJens Wiklander unsigned char *dst)
23223d3b0591SJens Wiklander {
23233d3b0591SJens Wiklander size_t oid_size = 0;
23243d3b0591SJens Wiklander size_t nb_pad = dst_len;
23253d3b0591SJens Wiklander unsigned char *p = dst;
23263d3b0591SJens Wiklander const char *oid = NULL;
23273d3b0591SJens Wiklander
23283d3b0591SJens Wiklander /* Are we signing hashed or raw data? */
232932b31808SJens Wiklander if (md_alg != MBEDTLS_MD_NONE) {
2330b0563631STom Van Eyck unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
233132b31808SJens Wiklander if (md_size == 0) {
233232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
233332b31808SJens Wiklander }
23343d3b0591SJens Wiklander
233532b31808SJens Wiklander if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
233632b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
233732b31808SJens Wiklander }
23383d3b0591SJens Wiklander
233932b31808SJens Wiklander if (hashlen != md_size) {
234032b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
234132b31808SJens Wiklander }
23423d3b0591SJens Wiklander
23433d3b0591SJens Wiklander /* Double-check that 8 + hashlen + oid_size can be used as a
23443d3b0591SJens Wiklander * 1-byte ASN.1 length encoding and that there's no overflow. */
23453d3b0591SJens Wiklander if (8 + hashlen + oid_size >= 0x80 ||
23463d3b0591SJens Wiklander 10 + hashlen < hashlen ||
234732b31808SJens Wiklander 10 + hashlen + oid_size < 10 + hashlen) {
234832b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
234932b31808SJens Wiklander }
23503d3b0591SJens Wiklander
23513d3b0591SJens Wiklander /*
23523d3b0591SJens Wiklander * Static bounds check:
23533d3b0591SJens Wiklander * - Need 10 bytes for five tag-length pairs.
23543d3b0591SJens Wiklander * (Insist on 1-byte length encodings to protect against variants of
23553d3b0591SJens Wiklander * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
23563d3b0591SJens Wiklander * - Need hashlen bytes for hash
23573d3b0591SJens Wiklander * - Need oid_size bytes for hash alg OID.
23583d3b0591SJens Wiklander */
235932b31808SJens Wiklander if (nb_pad < 10 + hashlen + oid_size) {
236032b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
23613d3b0591SJens Wiklander }
236232b31808SJens Wiklander nb_pad -= 10 + hashlen + oid_size;
236332b31808SJens Wiklander } else {
236432b31808SJens Wiklander if (nb_pad < hashlen) {
236532b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
236632b31808SJens Wiklander }
23673d3b0591SJens Wiklander
23683d3b0591SJens Wiklander nb_pad -= hashlen;
23693d3b0591SJens Wiklander }
23703d3b0591SJens Wiklander
23713d3b0591SJens Wiklander /* Need space for signature header and padding delimiter (3 bytes),
23723d3b0591SJens Wiklander * and 8 bytes for the minimal padding */
237332b31808SJens Wiklander if (nb_pad < 3 + 8) {
237432b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
237532b31808SJens Wiklander }
23763d3b0591SJens Wiklander nb_pad -= 3;
23773d3b0591SJens Wiklander
23783d3b0591SJens Wiklander /* Now nb_pad is the amount of memory to be filled
23793d3b0591SJens Wiklander * with padding, and at least 8 bytes long. */
23803d3b0591SJens Wiklander
23813d3b0591SJens Wiklander /* Write signature header and padding */
23823d3b0591SJens Wiklander *p++ = 0;
23833d3b0591SJens Wiklander *p++ = MBEDTLS_RSA_SIGN;
23843d3b0591SJens Wiklander memset(p, 0xFF, nb_pad);
23853d3b0591SJens Wiklander p += nb_pad;
23863d3b0591SJens Wiklander *p++ = 0;
23873d3b0591SJens Wiklander
23883d3b0591SJens Wiklander /* Are we signing raw data? */
238932b31808SJens Wiklander if (md_alg == MBEDTLS_MD_NONE) {
23903d3b0591SJens Wiklander memcpy(p, hash, hashlen);
239132b31808SJens Wiklander return 0;
23923d3b0591SJens Wiklander }
23933d3b0591SJens Wiklander
23943d3b0591SJens Wiklander /* Signing hashed data, add corresponding ASN.1 structure
23953d3b0591SJens Wiklander *
23963d3b0591SJens Wiklander * DigestInfo ::= SEQUENCE {
23973d3b0591SJens Wiklander * digestAlgorithm DigestAlgorithmIdentifier,
23983d3b0591SJens Wiklander * digest Digest }
23993d3b0591SJens Wiklander * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
24003d3b0591SJens Wiklander * Digest ::= OCTET STRING
24013d3b0591SJens Wiklander *
24023d3b0591SJens Wiklander * Schematic:
24033d3b0591SJens Wiklander * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
24043d3b0591SJens Wiklander * TAG-NULL + LEN [ NULL ] ]
24053d3b0591SJens Wiklander * TAG-OCTET + LEN [ HASH ] ]
24063d3b0591SJens Wiklander */
24073d3b0591SJens Wiklander *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
24083d3b0591SJens Wiklander *p++ = (unsigned char) (0x08 + oid_size + hashlen);
24093d3b0591SJens Wiklander *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
24103d3b0591SJens Wiklander *p++ = (unsigned char) (0x04 + oid_size);
24113d3b0591SJens Wiklander *p++ = MBEDTLS_ASN1_OID;
24123d3b0591SJens Wiklander *p++ = (unsigned char) oid_size;
24133d3b0591SJens Wiklander memcpy(p, oid, oid_size);
24143d3b0591SJens Wiklander p += oid_size;
24153d3b0591SJens Wiklander *p++ = MBEDTLS_ASN1_NULL;
24163d3b0591SJens Wiklander *p++ = 0x00;
24173d3b0591SJens Wiklander *p++ = MBEDTLS_ASN1_OCTET_STRING;
24183d3b0591SJens Wiklander *p++ = (unsigned char) hashlen;
24193d3b0591SJens Wiklander memcpy(p, hash, hashlen);
24203d3b0591SJens Wiklander p += hashlen;
24213d3b0591SJens Wiklander
24223d3b0591SJens Wiklander /* Just a sanity-check, should be automatic
24233d3b0591SJens Wiklander * after the initial bounds check. */
242432b31808SJens Wiklander if (p != dst + dst_len) {
24253d3b0591SJens Wiklander mbedtls_platform_zeroize(dst, dst_len);
242632b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
24273d3b0591SJens Wiklander }
24283d3b0591SJens Wiklander
242932b31808SJens Wiklander return 0;
24303d3b0591SJens Wiklander }
24313d3b0591SJens Wiklander
2432817466cbSJens Wiklander /*
2433817466cbSJens Wiklander * Do an RSA operation to sign the message digest
2434817466cbSJens Wiklander */
mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)2435817466cbSJens Wiklander int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
2436817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
2437817466cbSJens Wiklander void *p_rng,
2438817466cbSJens Wiklander mbedtls_md_type_t md_alg,
2439817466cbSJens Wiklander unsigned int hashlen,
2440817466cbSJens Wiklander const unsigned char *hash,
2441817466cbSJens Wiklander unsigned char *sig)
2442817466cbSJens Wiklander {
244311fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
24443d3b0591SJens Wiklander unsigned char *sig_try = NULL, *verif = NULL;
24453d3b0591SJens Wiklander
244632b31808SJens Wiklander if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
244732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
244832b31808SJens Wiklander }
2449817466cbSJens Wiklander
245032b31808SJens Wiklander if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
245132b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
245232b31808SJens Wiklander }
2453817466cbSJens Wiklander
2454817466cbSJens Wiklander /*
24553d3b0591SJens Wiklander * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
2456817466cbSJens Wiklander */
24573d3b0591SJens Wiklander
24583d3b0591SJens Wiklander if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
245932b31808SJens Wiklander ctx->len, sig)) != 0) {
246032b31808SJens Wiklander return ret;
24613d3b0591SJens Wiklander }
2462817466cbSJens Wiklander
24633d3b0591SJens Wiklander /* Private key operation
24643d3b0591SJens Wiklander *
2465817466cbSJens Wiklander * In order to prevent Lenstra's attack, make the signature in a
2466817466cbSJens Wiklander * temporary buffer and check it before returning it.
2467817466cbSJens Wiklander */
24683d3b0591SJens Wiklander
2469817466cbSJens Wiklander sig_try = mbedtls_calloc(1, ctx->len);
247032b31808SJens Wiklander if (sig_try == NULL) {
247132b31808SJens Wiklander return MBEDTLS_ERR_MPI_ALLOC_FAILED;
247232b31808SJens Wiklander }
2473817466cbSJens Wiklander
2474817466cbSJens Wiklander verif = mbedtls_calloc(1, ctx->len);
247532b31808SJens Wiklander if (verif == NULL) {
2476817466cbSJens Wiklander mbedtls_free(sig_try);
247732b31808SJens Wiklander return MBEDTLS_ERR_MPI_ALLOC_FAILED;
2478817466cbSJens Wiklander }
2479817466cbSJens Wiklander
2480817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
2481817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
2482817466cbSJens Wiklander
248332b31808SJens Wiklander if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
2484817466cbSJens Wiklander ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
2485817466cbSJens Wiklander goto cleanup;
2486817466cbSJens Wiklander }
2487817466cbSJens Wiklander
2488817466cbSJens Wiklander memcpy(sig, sig_try, ctx->len);
2489817466cbSJens Wiklander
2490817466cbSJens Wiklander cleanup:
2491b0563631STom Van Eyck mbedtls_zeroize_and_free(sig_try, ctx->len);
2492b0563631STom Van Eyck mbedtls_zeroize_and_free(verif, ctx->len);
2493817466cbSJens Wiklander
249432b31808SJens Wiklander if (ret != 0) {
2495039e02dfSJerome Forissier memset(sig, '!', ctx->len);
249632b31808SJens Wiklander }
249732b31808SJens Wiklander return ret;
2498817466cbSJens Wiklander }
2499817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */
2500817466cbSJens Wiklander
2501817466cbSJens Wiklander /*
2502817466cbSJens Wiklander * Do an RSA operation to sign the message digest
2503817466cbSJens Wiklander */
mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)2504817466cbSJens Wiklander int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
2505817466cbSJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
2506817466cbSJens Wiklander void *p_rng,
2507817466cbSJens Wiklander mbedtls_md_type_t md_alg,
2508817466cbSJens Wiklander unsigned int hashlen,
2509817466cbSJens Wiklander const unsigned char *hash,
2510817466cbSJens Wiklander unsigned char *sig)
2511817466cbSJens Wiklander {
251232b31808SJens Wiklander if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
251332b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
251432b31808SJens Wiklander }
25153d3b0591SJens Wiklander
251632b31808SJens Wiklander switch (ctx->padding) {
2517817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2518817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V15:
251932b31808SJens Wiklander return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
252032b31808SJens Wiklander md_alg, hashlen, hash, sig);
2521817466cbSJens Wiklander #endif
2522817466cbSJens Wiklander
2523817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
2524817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V21:
252532b31808SJens Wiklander return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
2526817466cbSJens Wiklander hashlen, hash, sig);
2527817466cbSJens Wiklander #endif
2528817466cbSJens Wiklander
2529817466cbSJens Wiklander default:
253032b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
2531817466cbSJens Wiklander }
2532817466cbSJens Wiklander }
2533817466cbSJens Wiklander
2534817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
2535817466cbSJens Wiklander /*
2536817466cbSJens Wiklander * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2537817466cbSJens Wiklander */
mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,mbedtls_md_type_t mgf1_hash_id,int expected_salt_len,const unsigned char * sig)2538817466cbSJens Wiklander int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
2539817466cbSJens Wiklander mbedtls_md_type_t md_alg,
2540817466cbSJens Wiklander unsigned int hashlen,
2541817466cbSJens Wiklander const unsigned char *hash,
2542817466cbSJens Wiklander mbedtls_md_type_t mgf1_hash_id,
2543817466cbSJens Wiklander int expected_salt_len,
2544817466cbSJens Wiklander const unsigned char *sig)
2545817466cbSJens Wiklander {
254611fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2547817466cbSJens Wiklander size_t siglen;
2548817466cbSJens Wiklander unsigned char *p;
25493d3b0591SJens Wiklander unsigned char *hash_start;
2550b0563631STom Van Eyck unsigned char result[MBEDTLS_MD_MAX_SIZE];
2551817466cbSJens Wiklander unsigned int hlen;
25523d3b0591SJens Wiklander size_t observed_salt_len, msb;
255332b31808SJens Wiklander unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
2554817466cbSJens Wiklander
255532b31808SJens Wiklander if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
255632b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
255732b31808SJens Wiklander }
2558817466cbSJens Wiklander
2559817466cbSJens Wiklander siglen = ctx->len;
2560817466cbSJens Wiklander
256132b31808SJens Wiklander if (siglen < 16 || siglen > sizeof(buf)) {
256232b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
256332b31808SJens Wiklander }
2564817466cbSJens Wiklander
256532b31808SJens Wiklander ret = mbedtls_rsa_public(ctx, sig, buf);
2566817466cbSJens Wiklander
256732b31808SJens Wiklander if (ret != 0) {
256832b31808SJens Wiklander return ret;
256932b31808SJens Wiklander }
2570817466cbSJens Wiklander
2571817466cbSJens Wiklander p = buf;
2572817466cbSJens Wiklander
257332b31808SJens Wiklander if (buf[siglen - 1] != 0xBC) {
257432b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
2575817466cbSJens Wiklander }
2576817466cbSJens Wiklander
257732b31808SJens Wiklander if (md_alg != MBEDTLS_MD_NONE) {
257832b31808SJens Wiklander /* Gather length of hash to sign */
2579b0563631STom Van Eyck size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
258032b31808SJens Wiklander if (exp_hashlen == 0) {
258132b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
258232b31808SJens Wiklander }
2583817466cbSJens Wiklander
258432b31808SJens Wiklander if (hashlen != exp_hashlen) {
258532b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
258632b31808SJens Wiklander }
258732b31808SJens Wiklander }
2588817466cbSJens Wiklander
2589b0563631STom Van Eyck hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
259032b31808SJens Wiklander if (hlen == 0) {
259132b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
259232b31808SJens Wiklander }
2593817466cbSJens Wiklander
2594817466cbSJens Wiklander /*
2595817466cbSJens Wiklander * Note: EMSA-PSS verification is over the length of N - 1 bits
2596817466cbSJens Wiklander */
2597817466cbSJens Wiklander msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
2598817466cbSJens Wiklander
259932b31808SJens Wiklander if (buf[0] >> (8 - siglen * 8 + msb)) {
260032b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
260132b31808SJens Wiklander }
26023d3b0591SJens Wiklander
2603817466cbSJens Wiklander /* Compensate for boundary condition when applying mask */
260432b31808SJens Wiklander if (msb % 8 == 0) {
2605817466cbSJens Wiklander p++;
2606817466cbSJens Wiklander siglen -= 1;
2607817466cbSJens Wiklander }
26083d3b0591SJens Wiklander
260932b31808SJens Wiklander if (siglen < hlen + 2) {
261032b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
261132b31808SJens Wiklander }
26123d3b0591SJens Wiklander hash_start = p + siglen - hlen - 1;
2613817466cbSJens Wiklander
261432b31808SJens Wiklander ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
261532b31808SJens Wiklander if (ret != 0) {
261632b31808SJens Wiklander return ret;
261732b31808SJens Wiklander }
2618817466cbSJens Wiklander
2619817466cbSJens Wiklander buf[0] &= 0xFF >> (siglen * 8 - msb);
2620817466cbSJens Wiklander
262132b31808SJens Wiklander while (p < hash_start - 1 && *p == 0) {
2622817466cbSJens Wiklander p++;
262332b31808SJens Wiklander }
2624817466cbSJens Wiklander
262532b31808SJens Wiklander if (*p++ != 0x01) {
262632b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
2627817466cbSJens Wiklander }
2628817466cbSJens Wiklander
2629b0563631STom Van Eyck observed_salt_len = (size_t) (hash_start - p);
2630817466cbSJens Wiklander
2631817466cbSJens Wiklander if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
263232b31808SJens Wiklander observed_salt_len != (size_t) expected_salt_len) {
263332b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
2634817466cbSJens Wiklander }
2635817466cbSJens Wiklander
2636817466cbSJens Wiklander /*
2637817466cbSJens Wiklander * Generate H = Hash( M' )
2638817466cbSJens Wiklander */
263932b31808SJens Wiklander ret = hash_mprime(hash, hashlen, p, observed_salt_len,
264032b31808SJens Wiklander result, mgf1_hash_id);
264132b31808SJens Wiklander if (ret != 0) {
264232b31808SJens Wiklander return ret;
26433d3b0591SJens Wiklander }
26443d3b0591SJens Wiklander
264532b31808SJens Wiklander if (FTMN_CALLEE_DONE_MEMCMP(memcmp, hash_start, result, hlen) != 0) {
264632b31808SJens Wiklander return MBEDTLS_ERR_RSA_VERIFY_FAILED;
264732b31808SJens Wiklander }
2648817466cbSJens Wiklander
264932b31808SJens Wiklander return 0;
2650817466cbSJens Wiklander }
2651817466cbSJens Wiklander
2652817466cbSJens Wiklander /*
2653817466cbSJens Wiklander * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2654817466cbSJens Wiklander */
mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2655817466cbSJens Wiklander int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
2656817466cbSJens Wiklander mbedtls_md_type_t md_alg,
2657817466cbSJens Wiklander unsigned int hashlen,
2658817466cbSJens Wiklander const unsigned char *hash,
2659817466cbSJens Wiklander const unsigned char *sig)
2660817466cbSJens Wiklander {
26613d3b0591SJens Wiklander mbedtls_md_type_t mgf1_hash_id;
266232b31808SJens Wiklander if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
266332b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
266432b31808SJens Wiklander }
26653d3b0591SJens Wiklander
26663d3b0591SJens Wiklander mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
2667817466cbSJens Wiklander ? (mbedtls_md_type_t) ctx->hash_id
2668817466cbSJens Wiklander : md_alg;
2669817466cbSJens Wiklander
267032b31808SJens Wiklander return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
2671817466cbSJens Wiklander md_alg, hashlen, hash,
267232b31808SJens Wiklander mgf1_hash_id,
267332b31808SJens Wiklander MBEDTLS_RSA_SALT_LEN_ANY,
267432b31808SJens Wiklander sig);
2675817466cbSJens Wiklander
2676817466cbSJens Wiklander }
2677817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
2678817466cbSJens Wiklander
2679817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2680817466cbSJens Wiklander /*
2681817466cbSJens Wiklander * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2682817466cbSJens Wiklander */
mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2683817466cbSJens Wiklander int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
2684817466cbSJens Wiklander mbedtls_md_type_t md_alg,
2685817466cbSJens Wiklander unsigned int hashlen,
2686817466cbSJens Wiklander const unsigned char *hash,
2687817466cbSJens Wiklander const unsigned char *sig)
2688817466cbSJens Wiklander {
26893d3b0591SJens Wiklander int ret = 0;
26903d3b0591SJens Wiklander size_t sig_len;
26913d3b0591SJens Wiklander unsigned char *encoded = NULL, *encoded_expected = NULL;
26923d3b0591SJens Wiklander
269332b31808SJens Wiklander if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
269432b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
269532b31808SJens Wiklander }
26963d3b0591SJens Wiklander
26973d3b0591SJens Wiklander sig_len = ctx->len;
2698817466cbSJens Wiklander
26993d3b0591SJens Wiklander /*
27003d3b0591SJens Wiklander * Prepare expected PKCS1 v1.5 encoding of hash.
27013d3b0591SJens Wiklander */
2702817466cbSJens Wiklander
27033d3b0591SJens Wiklander if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
270432b31808SJens Wiklander (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
27053d3b0591SJens Wiklander ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
27063d3b0591SJens Wiklander goto cleanup;
27073d3b0591SJens Wiklander }
27083d3b0591SJens Wiklander
27093d3b0591SJens Wiklander if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
271032b31808SJens Wiklander encoded_expected)) != 0) {
27113d3b0591SJens Wiklander goto cleanup;
271232b31808SJens Wiklander }
27133d3b0591SJens Wiklander
27143d3b0591SJens Wiklander /*
27153d3b0591SJens Wiklander * Apply RSA primitive to get what should be PKCS1 encoded hash.
27163d3b0591SJens Wiklander */
2717817466cbSJens Wiklander
271832b31808SJens Wiklander ret = mbedtls_rsa_public(ctx, sig, encoded);
271932b31808SJens Wiklander if (ret != 0) {
27203d3b0591SJens Wiklander goto cleanup;
272132b31808SJens Wiklander }
27223d3b0591SJens Wiklander
27233d3b0591SJens Wiklander /*
27243d3b0591SJens Wiklander * Compare
27253d3b0591SJens Wiklander */
27263d3b0591SJens Wiklander
272706de6080SJens Wiklander if ((ret = FTMN_CALLEE_DONE_MEMCMP(mbedtls_ct_memcmp, encoded,
272832b31808SJens Wiklander encoded_expected, sig_len )) != 0) {
27293d3b0591SJens Wiklander ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
27303d3b0591SJens Wiklander goto cleanup;
27313d3b0591SJens Wiklander }
27323d3b0591SJens Wiklander
27333d3b0591SJens Wiklander cleanup:
27343d3b0591SJens Wiklander
273532b31808SJens Wiklander if (encoded != NULL) {
2736b0563631STom Van Eyck mbedtls_zeroize_and_free(encoded, sig_len);
27373d3b0591SJens Wiklander }
27383d3b0591SJens Wiklander
273932b31808SJens Wiklander if (encoded_expected != NULL) {
2740b0563631STom Van Eyck mbedtls_zeroize_and_free(encoded_expected, sig_len);
27413d3b0591SJens Wiklander }
27423d3b0591SJens Wiklander
274332b31808SJens Wiklander return ret;
2744817466cbSJens Wiklander }
2745817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */
2746817466cbSJens Wiklander
2747817466cbSJens Wiklander /*
2748817466cbSJens Wiklander * Do an RSA operation and check the message digest
2749817466cbSJens Wiklander */
mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2750817466cbSJens Wiklander int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
2751817466cbSJens Wiklander mbedtls_md_type_t md_alg,
2752817466cbSJens Wiklander unsigned int hashlen,
2753817466cbSJens Wiklander const unsigned char *hash,
2754817466cbSJens Wiklander const unsigned char *sig)
2755817466cbSJens Wiklander {
275632b31808SJens Wiklander if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
275732b31808SJens Wiklander return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
275832b31808SJens Wiklander }
27593d3b0591SJens Wiklander
276032b31808SJens Wiklander switch (ctx->padding) {
2761817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2762817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V15:
276332b31808SJens Wiklander return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
2764817466cbSJens Wiklander hashlen, hash, sig);
2765817466cbSJens Wiklander #endif
2766817466cbSJens Wiklander
2767817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
2768817466cbSJens Wiklander case MBEDTLS_RSA_PKCS_V21:
276932b31808SJens Wiklander return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
2770817466cbSJens Wiklander hashlen, hash, sig);
2771817466cbSJens Wiklander #endif
2772817466cbSJens Wiklander
2773817466cbSJens Wiklander default:
277432b31808SJens Wiklander return MBEDTLS_ERR_RSA_INVALID_PADDING;
2775817466cbSJens Wiklander }
2776817466cbSJens Wiklander }
2777817466cbSJens Wiklander
2778817466cbSJens Wiklander /*
2779817466cbSJens Wiklander * Copy the components of an RSA key
2780817466cbSJens Wiklander */
mbedtls_rsa_copy(mbedtls_rsa_context * dst,const mbedtls_rsa_context * src)2781817466cbSJens Wiklander int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
2782817466cbSJens Wiklander {
278311fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2784817466cbSJens Wiklander
2785817466cbSJens Wiklander dst->len = src->len;
2786817466cbSJens Wiklander
2787817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
2788817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
2789817466cbSJens Wiklander
2790817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
2791817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
2792817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
27933d3b0591SJens Wiklander
27943d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
2795817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
2796817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
2797817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
2798817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
2799817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
28003d3b0591SJens Wiklander #endif
28013d3b0591SJens Wiklander
28023d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
2803817466cbSJens Wiklander
2804817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
2805817466cbSJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
2806817466cbSJens Wiklander
2807817466cbSJens Wiklander dst->padding = src->padding;
2808817466cbSJens Wiklander dst->hash_id = src->hash_id;
2809817466cbSJens Wiklander
2810817466cbSJens Wiklander cleanup:
281132b31808SJens Wiklander if (ret != 0) {
2812817466cbSJens Wiklander mbedtls_rsa_free(dst);
281332b31808SJens Wiklander }
2814817466cbSJens Wiklander
281532b31808SJens Wiklander return ret;
2816817466cbSJens Wiklander }
2817817466cbSJens Wiklander
2818817466cbSJens Wiklander /*
2819817466cbSJens Wiklander * Free the components of an RSA key
2820817466cbSJens Wiklander */
mbedtls_rsa_free(mbedtls_rsa_context * ctx)2821817466cbSJens Wiklander void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
2822817466cbSJens Wiklander {
282332b31808SJens Wiklander if (ctx == NULL) {
28243d3b0591SJens Wiklander return;
282532b31808SJens Wiklander }
28263d3b0591SJens Wiklander
28273d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->Vi);
28283d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->Vf);
28293d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->RN);
28303d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->D);
28313d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->Q);
28323d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->P);
28333d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->E);
28343d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->N);
28353d3b0591SJens Wiklander
28363d3b0591SJens Wiklander #if !defined(MBEDTLS_RSA_NO_CRT)
28373d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->RQ);
28383d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->RP);
28393d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->QP);
28403d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->DQ);
28413d3b0591SJens Wiklander mbedtls_mpi_free(&ctx->DP);
28423d3b0591SJens Wiklander #endif /* MBEDTLS_RSA_NO_CRT */
2843817466cbSJens Wiklander
2844817466cbSJens Wiklander #if defined(MBEDTLS_THREADING_C)
28457901324dSJerome Forissier /* Free the mutex, but only if it hasn't been freed already. */
284632b31808SJens Wiklander if (ctx->ver != 0) {
2847817466cbSJens Wiklander mbedtls_mutex_free(&ctx->mutex);
28487901324dSJerome Forissier ctx->ver = 0;
28497901324dSJerome Forissier }
2850817466cbSJens Wiklander #endif
2851817466cbSJens Wiklander }
2852817466cbSJens Wiklander
28533d3b0591SJens Wiklander #endif /* !MBEDTLS_RSA_ALT */
28543d3b0591SJens Wiklander
2855817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST)
2856817466cbSJens Wiklander
2857817466cbSJens Wiklander
2858817466cbSJens Wiklander /*
2859817466cbSJens Wiklander * Example RSA-1024 keypair, for test purposes
2860817466cbSJens Wiklander */
2861817466cbSJens Wiklander #define KEY_LEN 128
2862817466cbSJens Wiklander
2863817466cbSJens Wiklander #define RSA_N "9292758453063D803DD603D5E777D788" \
2864817466cbSJens Wiklander "8ED1D5BF35786190FA2F23EBC0848AEA" \
2865817466cbSJens Wiklander "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2866817466cbSJens Wiklander "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2867817466cbSJens Wiklander "93A89813FBF3C4F8066D2D800F7C38A8" \
2868817466cbSJens Wiklander "1AE31942917403FF4946B0A83D3D3E05" \
2869817466cbSJens Wiklander "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2870817466cbSJens Wiklander "5E94BB77B07507233A0BC7BAC8F90F79"
2871817466cbSJens Wiklander
2872817466cbSJens Wiklander #define RSA_E "10001"
2873817466cbSJens Wiklander
2874817466cbSJens Wiklander #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2875817466cbSJens Wiklander "66CA472BC44D253102F8B4A9D3BFA750" \
2876817466cbSJens Wiklander "91386C0077937FE33FA3252D28855837" \
2877817466cbSJens Wiklander "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2878817466cbSJens Wiklander "DF79C5CE07EE72C7F123142198164234" \
2879817466cbSJens Wiklander "CABB724CF78B8173B9F880FC86322407" \
2880817466cbSJens Wiklander "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2881817466cbSJens Wiklander "071513A1E85B5DFA031F21ECAE91A34D"
2882817466cbSJens Wiklander
2883817466cbSJens Wiklander #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2884817466cbSJens Wiklander "2C01CAD19EA484A87EA4377637E75500" \
2885817466cbSJens Wiklander "FCB2005C5C7DD6EC4AC023CDA285D796" \
2886817466cbSJens Wiklander "C3D9E75E1EFC42488BB4F1D13AC30A57"
2887817466cbSJens Wiklander
2888817466cbSJens Wiklander #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2889817466cbSJens Wiklander "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2890817466cbSJens Wiklander "910E4168387E3C30AA1E00C339A79508" \
2891817466cbSJens Wiklander "8452DD96A9A5EA5D9DCA68DA636032AF"
2892817466cbSJens Wiklander
2893817466cbSJens Wiklander #define PT_LEN 24
2894817466cbSJens Wiklander #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2895817466cbSJens Wiklander "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2896817466cbSJens Wiklander
2897817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
myrand(void * rng_state,unsigned char * output,size_t len)2898817466cbSJens Wiklander static int myrand(void *rng_state, unsigned char *output, size_t len)
2899817466cbSJens Wiklander {
29007901324dSJerome Forissier #if !defined(__OpenBSD__) && !defined(__NetBSD__)
2901817466cbSJens Wiklander size_t i;
2902817466cbSJens Wiklander
290332b31808SJens Wiklander if (rng_state != NULL) {
2904817466cbSJens Wiklander rng_state = NULL;
290532b31808SJens Wiklander }
2906817466cbSJens Wiklander
290732b31808SJens Wiklander for (i = 0; i < len; ++i) {
2908817466cbSJens Wiklander output[i] = rand();
290932b31808SJens Wiklander }
2910817466cbSJens Wiklander #else
291132b31808SJens Wiklander if (rng_state != NULL) {
2912817466cbSJens Wiklander rng_state = NULL;
291332b31808SJens Wiklander }
2914817466cbSJens Wiklander
2915817466cbSJens Wiklander arc4random_buf(output, len);
29167901324dSJerome Forissier #endif /* !OpenBSD && !NetBSD */
2917817466cbSJens Wiklander
291832b31808SJens Wiklander return 0;
2919817466cbSJens Wiklander }
2920817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */
2921817466cbSJens Wiklander
2922817466cbSJens Wiklander /*
2923817466cbSJens Wiklander * Checkup routine
2924817466cbSJens Wiklander */
mbedtls_rsa_self_test(int verbose)2925817466cbSJens Wiklander int mbedtls_rsa_self_test(int verbose)
2926817466cbSJens Wiklander {
2927817466cbSJens Wiklander int ret = 0;
2928817466cbSJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2929817466cbSJens Wiklander size_t len;
2930817466cbSJens Wiklander mbedtls_rsa_context rsa;
2931817466cbSJens Wiklander unsigned char rsa_plaintext[PT_LEN];
2932817466cbSJens Wiklander unsigned char rsa_decrypted[PT_LEN];
2933817466cbSJens Wiklander unsigned char rsa_ciphertext[KEY_LEN];
2934b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA1)
2935817466cbSJens Wiklander unsigned char sha1sum[20];
2936817466cbSJens Wiklander #endif
2937817466cbSJens Wiklander
29383d3b0591SJens Wiklander mbedtls_mpi K;
29393d3b0591SJens Wiklander
29403d3b0591SJens Wiklander mbedtls_mpi_init(&K);
294132b31808SJens Wiklander mbedtls_rsa_init(&rsa);
2942817466cbSJens Wiklander
29433d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
29443d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
29453d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
29463d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
29473d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
29483d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
29493d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
29503d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
29513d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
29523d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
29533d3b0591SJens Wiklander
29543d3b0591SJens Wiklander MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
2955817466cbSJens Wiklander
295632b31808SJens Wiklander if (verbose != 0) {
2957817466cbSJens Wiklander mbedtls_printf(" RSA key validation: ");
295832b31808SJens Wiklander }
2959817466cbSJens Wiklander
2960817466cbSJens Wiklander if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
296132b31808SJens Wiklander mbedtls_rsa_check_privkey(&rsa) != 0) {
296232b31808SJens Wiklander if (verbose != 0) {
2963817466cbSJens Wiklander mbedtls_printf("failed\n");
296432b31808SJens Wiklander }
2965817466cbSJens Wiklander
29663d3b0591SJens Wiklander ret = 1;
29673d3b0591SJens Wiklander goto cleanup;
2968817466cbSJens Wiklander }
2969817466cbSJens Wiklander
297032b31808SJens Wiklander if (verbose != 0) {
2971817466cbSJens Wiklander mbedtls_printf("passed\n PKCS#1 encryption : ");
297232b31808SJens Wiklander }
2973817466cbSJens Wiklander
2974817466cbSJens Wiklander memcpy(rsa_plaintext, RSA_PT, PT_LEN);
2975817466cbSJens Wiklander
297632b31808SJens Wiklander if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
29773d3b0591SJens Wiklander PT_LEN, rsa_plaintext,
297832b31808SJens Wiklander rsa_ciphertext) != 0) {
297932b31808SJens Wiklander if (verbose != 0) {
2980817466cbSJens Wiklander mbedtls_printf("failed\n");
298132b31808SJens Wiklander }
2982817466cbSJens Wiklander
29833d3b0591SJens Wiklander ret = 1;
29843d3b0591SJens Wiklander goto cleanup;
2985817466cbSJens Wiklander }
2986817466cbSJens Wiklander
298732b31808SJens Wiklander if (verbose != 0) {
2988817466cbSJens Wiklander mbedtls_printf("passed\n PKCS#1 decryption : ");
298932b31808SJens Wiklander }
2990817466cbSJens Wiklander
299132b31808SJens Wiklander if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
29923d3b0591SJens Wiklander &len, rsa_ciphertext, rsa_decrypted,
299332b31808SJens Wiklander sizeof(rsa_decrypted)) != 0) {
299432b31808SJens Wiklander if (verbose != 0) {
2995817466cbSJens Wiklander mbedtls_printf("failed\n");
299632b31808SJens Wiklander }
2997817466cbSJens Wiklander
29983d3b0591SJens Wiklander ret = 1;
29993d3b0591SJens Wiklander goto cleanup;
3000817466cbSJens Wiklander }
3001817466cbSJens Wiklander
300232b31808SJens Wiklander if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
300332b31808SJens Wiklander if (verbose != 0) {
3004817466cbSJens Wiklander mbedtls_printf("failed\n");
300532b31808SJens Wiklander }
3006817466cbSJens Wiklander
30073d3b0591SJens Wiklander ret = 1;
30083d3b0591SJens Wiklander goto cleanup;
3009817466cbSJens Wiklander }
3010817466cbSJens Wiklander
301132b31808SJens Wiklander if (verbose != 0) {
3012817466cbSJens Wiklander mbedtls_printf("passed\n");
301332b31808SJens Wiklander }
3014817466cbSJens Wiklander
3015b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA1)
301632b31808SJens Wiklander if (verbose != 0) {
3017817466cbSJens Wiklander mbedtls_printf(" PKCS#1 data sign : ");
301832b31808SJens Wiklander }
3019817466cbSJens Wiklander
302032b31808SJens Wiklander if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
302132b31808SJens Wiklander rsa_plaintext, PT_LEN, sha1sum) != 0) {
302232b31808SJens Wiklander if (verbose != 0) {
3023817466cbSJens Wiklander mbedtls_printf("failed\n");
302432b31808SJens Wiklander }
3025817466cbSJens Wiklander
302632b31808SJens Wiklander return 1;
3027817466cbSJens Wiklander }
3028817466cbSJens Wiklander
30293d3b0591SJens Wiklander if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
303032b31808SJens Wiklander MBEDTLS_MD_SHA1, 20,
303132b31808SJens Wiklander sha1sum, rsa_ciphertext) != 0) {
303232b31808SJens Wiklander if (verbose != 0) {
3033817466cbSJens Wiklander mbedtls_printf("failed\n");
303432b31808SJens Wiklander }
3035817466cbSJens Wiklander
30363d3b0591SJens Wiklander ret = 1;
30373d3b0591SJens Wiklander goto cleanup;
30383d3b0591SJens Wiklander }
30393d3b0591SJens Wiklander
304032b31808SJens Wiklander if (verbose != 0) {
30413d3b0591SJens Wiklander mbedtls_printf("passed\n PKCS#1 sig. verify: ");
304232b31808SJens Wiklander }
30433d3b0591SJens Wiklander
304432b31808SJens Wiklander if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
304532b31808SJens Wiklander sha1sum, rsa_ciphertext) != 0) {
304632b31808SJens Wiklander if (verbose != 0) {
30473d3b0591SJens Wiklander mbedtls_printf("failed\n");
304832b31808SJens Wiklander }
30493d3b0591SJens Wiklander
30503d3b0591SJens Wiklander ret = 1;
30513d3b0591SJens Wiklander goto cleanup;
3052817466cbSJens Wiklander }
3053817466cbSJens Wiklander
305432b31808SJens Wiklander if (verbose != 0) {
3055817466cbSJens Wiklander mbedtls_printf("passed\n");
305632b31808SJens Wiklander }
3057b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA1 */
3058817466cbSJens Wiklander
305932b31808SJens Wiklander if (verbose != 0) {
3060817466cbSJens Wiklander mbedtls_printf("\n");
306132b31808SJens Wiklander }
3062817466cbSJens Wiklander
3063817466cbSJens Wiklander cleanup:
30643d3b0591SJens Wiklander mbedtls_mpi_free(&K);
3065817466cbSJens Wiklander mbedtls_rsa_free(&rsa);
3066817466cbSJens Wiklander #else /* MBEDTLS_PKCS1_V15 */
3067817466cbSJens Wiklander ((void) verbose);
3068817466cbSJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */
306932b31808SJens Wiklander return ret;
3070817466cbSJens Wiklander }
3071817466cbSJens Wiklander
3072817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST */
3073817466cbSJens Wiklander
3074817466cbSJens Wiklander #endif /* MBEDTLS_RSA_C */
3075