1 /* 2 * The RSA public-key cryptosystem 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 /* 21 * The following sources were referenced in the design of this implementation 22 * of the RSA algorithm: 23 * 24 * [1] A method for obtaining digital signatures and public-key cryptosystems 25 * R Rivest, A Shamir, and L Adleman 26 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 27 * 28 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 29 * Menezes, van Oorschot and Vanstone 30 * 31 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks 32 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and 33 * Stefan Mangard 34 * https://arxiv.org/abs/1702.08719v2 35 * 36 */ 37 38 #include "common.h" 39 40 #if defined(MBEDTLS_RSA_C) 41 42 #include "mbedtls/rsa.h" 43 #include "mbedtls/rsa_internal.h" 44 #include "mbedtls/oid.h" 45 #include "mbedtls/platform_util.h" 46 #include "mbedtls/error.h" 47 48 #include <string.h> 49 50 #if defined(MBEDTLS_PKCS1_V21) 51 #include "mbedtls/md.h" 52 #endif 53 54 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__) 55 #include <stdlib.h> 56 #endif 57 58 #if defined(MBEDTLS_PLATFORM_C) 59 #include "mbedtls/platform.h" 60 #else 61 #include <stdio.h> 62 #define mbedtls_printf printf 63 #define mbedtls_calloc calloc 64 #define mbedtls_free free 65 #endif 66 67 #if !defined(MBEDTLS_RSA_ALT) 68 69 /* Parameter validation macros */ 70 #define RSA_VALIDATE_RET( cond ) \ 71 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) 72 #define RSA_VALIDATE( cond ) \ 73 MBEDTLS_INTERNAL_VALIDATE( cond ) 74 75 #if defined(MBEDTLS_PKCS1_V15) 76 /* constant-time buffer comparison */ 77 static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n ) 78 { 79 size_t i; 80 const unsigned char *A = (const unsigned char *) a; 81 const unsigned char *B = (const unsigned char *) b; 82 unsigned char diff = 0; 83 84 for( i = 0; i < n; i++ ) 85 diff |= A[i] ^ B[i]; 86 87 return( diff ); 88 } 89 #endif /* MBEDTLS_PKCS1_V15 */ 90 91 int mbedtls_rsa_import( mbedtls_rsa_context *ctx, 92 const mbedtls_mpi *N, 93 const mbedtls_mpi *P, const mbedtls_mpi *Q, 94 const mbedtls_mpi *D, const mbedtls_mpi *E ) 95 { 96 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 97 RSA_VALIDATE_RET( ctx != NULL ); 98 99 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) || 100 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) || 101 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) || 102 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) || 103 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) ) 104 { 105 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 106 } 107 108 if( N != NULL ) 109 ctx->len = mbedtls_mpi_size( &ctx->N ); 110 111 return( 0 ); 112 } 113 114 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, 115 unsigned char const *N, size_t N_len, 116 unsigned char const *P, size_t P_len, 117 unsigned char const *Q, size_t Q_len, 118 unsigned char const *D, size_t D_len, 119 unsigned char const *E, size_t E_len ) 120 { 121 int ret = 0; 122 RSA_VALIDATE_RET( ctx != NULL ); 123 124 if( N != NULL ) 125 { 126 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) ); 127 ctx->len = mbedtls_mpi_size( &ctx->N ); 128 } 129 130 if( P != NULL ) 131 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) ); 132 133 if( Q != NULL ) 134 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) ); 135 136 if( D != NULL ) 137 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) ); 138 139 if( E != NULL ) 140 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) ); 141 142 cleanup: 143 144 if( ret != 0 ) 145 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 146 147 return( 0 ); 148 } 149 150 /* 151 * Checks whether the context fields are set in such a way 152 * that the RSA primitives will be able to execute without error. 153 * It does *not* make guarantees for consistency of the parameters. 154 */ 155 static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv, 156 int blinding_needed ) 157 { 158 #if !defined(MBEDTLS_RSA_NO_CRT) 159 /* blinding_needed is only used for NO_CRT to decide whether 160 * P,Q need to be present or not. */ 161 ((void) blinding_needed); 162 #endif 163 164 if( ctx->len != mbedtls_mpi_size( &ctx->N ) || 165 ctx->len > MBEDTLS_MPI_MAX_SIZE ) 166 { 167 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 168 } 169 170 /* 171 * 1. Modular exponentiation needs positive, odd moduli. 172 */ 173 174 /* Modular exponentiation wrt. N is always used for 175 * RSA public key operations. */ 176 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 || 177 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 ) 178 { 179 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 180 } 181 182 #if !defined(MBEDTLS_RSA_NO_CRT) 183 /* Modular exponentiation for P and Q is only 184 * used for private key operations and if CRT 185 * is used. */ 186 if( is_priv && 187 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || 188 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 || 189 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 || 190 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) ) 191 { 192 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 193 } 194 #endif /* !MBEDTLS_RSA_NO_CRT */ 195 196 /* 197 * 2. Exponents must be positive 198 */ 199 200 /* Always need E for public key operations */ 201 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 ) 202 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 203 204 #if defined(MBEDTLS_RSA_NO_CRT) 205 /* For private key operations, use D or DP & DQ 206 * as (unblinded) exponents. */ 207 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 ) 208 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 209 #else 210 if( is_priv && 211 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 || 212 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) ) 213 { 214 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 215 } 216 #endif /* MBEDTLS_RSA_NO_CRT */ 217 218 /* Blinding shouldn't make exponents negative either, 219 * so check that P, Q >= 1 if that hasn't yet been 220 * done as part of 1. */ 221 #if defined(MBEDTLS_RSA_NO_CRT) 222 if( is_priv && blinding_needed && 223 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || 224 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) ) 225 { 226 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 227 } 228 #endif 229 230 /* It wouldn't lead to an error if it wasn't satisfied, 231 * but check for QP >= 1 nonetheless. */ 232 #if !defined(MBEDTLS_RSA_NO_CRT) 233 if( is_priv && 234 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 ) 235 { 236 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 237 } 238 #endif 239 240 return( 0 ); 241 } 242 243 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) 244 { 245 int ret = 0; 246 int have_N, have_P, have_Q, have_D, have_E; 247 #if !defined(MBEDTLS_RSA_NO_CRT) 248 int have_DP, have_DQ, have_QP; 249 #endif 250 int n_missing, pq_missing, d_missing, is_pub, is_priv; 251 252 RSA_VALIDATE_RET( ctx != NULL ); 253 254 have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 ); 255 have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 ); 256 have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 ); 257 have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 ); 258 have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 ); 259 260 #if !defined(MBEDTLS_RSA_NO_CRT) 261 have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 ); 262 have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 ); 263 have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 ); 264 #endif 265 266 /* 267 * Check whether provided parameters are enough 268 * to deduce all others. The following incomplete 269 * parameter sets for private keys are supported: 270 * 271 * (1) P, Q missing. 272 * (2) D and potentially N missing. 273 * 274 */ 275 276 n_missing = have_P && have_Q && have_D && have_E; 277 pq_missing = have_N && !have_P && !have_Q && have_D && have_E; 278 d_missing = have_P && have_Q && !have_D && have_E; 279 is_pub = have_N && !have_P && !have_Q && !have_D && have_E; 280 281 /* These three alternatives are mutually exclusive */ 282 is_priv = n_missing || pq_missing || d_missing; 283 284 if( !is_priv && !is_pub ) 285 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 286 287 /* 288 * Step 1: Deduce N if P, Q are provided. 289 */ 290 291 if( !have_N && have_P && have_Q ) 292 { 293 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, 294 &ctx->Q ) ) != 0 ) 295 { 296 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 297 } 298 299 ctx->len = mbedtls_mpi_size( &ctx->N ); 300 } 301 302 /* 303 * Step 2: Deduce and verify all remaining core parameters. 304 */ 305 306 if( pq_missing ) 307 { 308 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D, 309 &ctx->P, &ctx->Q ); 310 if( ret != 0 ) 311 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 312 313 } 314 else if( d_missing ) 315 { 316 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P, 317 &ctx->Q, 318 &ctx->E, 319 &ctx->D ) ) != 0 ) 320 { 321 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 322 } 323 } 324 325 /* 326 * Step 3: Deduce all additional parameters specific 327 * to our current RSA implementation. 328 */ 329 330 #if !defined(MBEDTLS_RSA_NO_CRT) 331 if( is_priv && ! ( have_DP && have_DQ && have_QP ) ) 332 { 333 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, 334 &ctx->DP, &ctx->DQ, &ctx->QP ); 335 if( ret != 0 ) 336 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 337 } 338 #endif /* MBEDTLS_RSA_NO_CRT */ 339 340 /* 341 * Step 3: Basic sanity checks 342 */ 343 344 return( rsa_check_context( ctx, is_priv, 1 ) ); 345 } 346 347 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, 348 unsigned char *N, size_t N_len, 349 unsigned char *P, size_t P_len, 350 unsigned char *Q, size_t Q_len, 351 unsigned char *D, size_t D_len, 352 unsigned char *E, size_t E_len ) 353 { 354 int ret = 0; 355 int is_priv; 356 RSA_VALIDATE_RET( ctx != NULL ); 357 358 /* Check if key is private or public */ 359 is_priv = 360 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && 361 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && 362 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && 363 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && 364 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; 365 366 if( !is_priv ) 367 { 368 /* If we're trying to export private parameters for a public key, 369 * something must be wrong. */ 370 if( P != NULL || Q != NULL || D != NULL ) 371 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 372 373 } 374 375 if( N != NULL ) 376 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) ); 377 378 if( P != NULL ) 379 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) ); 380 381 if( Q != NULL ) 382 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) ); 383 384 if( D != NULL ) 385 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) ); 386 387 if( E != NULL ) 388 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) ); 389 390 cleanup: 391 392 return( ret ); 393 } 394 395 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, 396 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, 397 mbedtls_mpi *D, mbedtls_mpi *E ) 398 { 399 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 400 int is_priv; 401 RSA_VALIDATE_RET( ctx != NULL ); 402 403 /* Check if key is private or public */ 404 is_priv = 405 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && 406 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && 407 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && 408 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && 409 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; 410 411 if( !is_priv ) 412 { 413 /* If we're trying to export private parameters for a public key, 414 * something must be wrong. */ 415 if( P != NULL || Q != NULL || D != NULL ) 416 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 417 418 } 419 420 /* Export all requested core parameters. */ 421 422 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) || 423 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) || 424 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) || 425 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) || 426 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) ) 427 { 428 return( ret ); 429 } 430 431 return( 0 ); 432 } 433 434 /* 435 * Export CRT parameters 436 * This must also be implemented if CRT is not used, for being able to 437 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt 438 * can be used in this case. 439 */ 440 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, 441 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP ) 442 { 443 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 444 int is_priv; 445 RSA_VALIDATE_RET( ctx != NULL ); 446 447 /* Check if key is private or public */ 448 is_priv = 449 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && 450 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && 451 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && 452 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && 453 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; 454 455 if( !is_priv ) 456 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 457 458 #if !defined(MBEDTLS_RSA_NO_CRT) 459 /* Export all requested blinding parameters. */ 460 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) || 461 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) || 462 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) ) 463 { 464 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 465 } 466 #else 467 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, 468 DP, DQ, QP ) ) != 0 ) 469 { 470 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 471 } 472 #endif 473 474 return( 0 ); 475 } 476 477 /* 478 * Initialize an RSA context 479 */ 480 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 481 int padding, 482 int hash_id ) 483 { 484 RSA_VALIDATE( ctx != NULL ); 485 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || 486 padding == MBEDTLS_RSA_PKCS_V21 ); 487 488 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 489 490 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 491 492 #if defined(MBEDTLS_THREADING_C) 493 /* Set ctx->ver to nonzero to indicate that the mutex has been 494 * initialized and will need to be freed. */ 495 ctx->ver = 1; 496 mbedtls_mutex_init( &ctx->mutex ); 497 #endif 498 } 499 500 /* 501 * Set padding for an existing RSA context 502 */ 503 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, 504 int hash_id ) 505 { 506 RSA_VALIDATE( ctx != NULL ); 507 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || 508 padding == MBEDTLS_RSA_PKCS_V21 ); 509 510 ctx->padding = padding; 511 ctx->hash_id = hash_id; 512 } 513 514 /* 515 * Get length in bytes of RSA modulus 516 */ 517 518 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx ) 519 { 520 return( ctx->len ); 521 } 522 523 524 #if defined(MBEDTLS_GENPRIME) 525 526 /* 527 * Generate an RSA keypair 528 * 529 * This generation method follows the RSA key pair generation procedure of 530 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072. 531 */ 532 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 533 int (*f_rng)(void *, unsigned char *, size_t), 534 void *p_rng, 535 unsigned int nbits, int exponent ) 536 { 537 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 538 mbedtls_mpi H, G, L; 539 int prime_quality = 0; 540 RSA_VALIDATE_RET( ctx != NULL ); 541 RSA_VALIDATE_RET( f_rng != NULL ); 542 543 /* 544 * If the modulus is 1024 bit long or shorter, then the security strength of 545 * the RSA algorithm is less than or equal to 80 bits and therefore an error 546 * rate of 2^-80 is sufficient. 547 */ 548 if( nbits > 1024 ) 549 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR; 550 551 mbedtls_mpi_init( &H ); 552 mbedtls_mpi_init( &G ); 553 mbedtls_mpi_init( &L ); 554 555 if( nbits < 128 || exponent < 3 || nbits % 2 != 0 ) 556 { 557 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 558 goto cleanup; 559 } 560 561 /* 562 * find primes P and Q with Q < P so that: 563 * 1. |P-Q| > 2^( nbits / 2 - 100 ) 564 * 2. GCD( E, (P-1)*(Q-1) ) == 1 565 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 ) 566 */ 567 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) ); 568 569 do 570 { 571 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 572 prime_quality, f_rng, p_rng ) ); 573 574 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 575 prime_quality, f_rng, p_rng ) ); 576 577 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */ 578 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) ); 579 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) ) 580 continue; 581 582 /* not required by any standards, but some users rely on the fact that P > Q */ 583 if( H.s < 0 ) 584 mbedtls_mpi_swap( &ctx->P, &ctx->Q ); 585 586 /* Temporarily replace P,Q by P-1, Q-1 */ 587 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) ); 588 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) ); 589 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) ); 590 591 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */ 592 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) ); 593 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 594 continue; 595 596 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */ 597 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) ); 598 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) ); 599 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) ); 600 601 if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a)) 602 continue; 603 604 break; 605 } 606 while( 1 ); 607 608 /* Restore P,Q */ 609 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) ); 610 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) ); 611 612 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) ); 613 614 ctx->len = mbedtls_mpi_size( &ctx->N ); 615 616 #if !defined(MBEDTLS_RSA_NO_CRT) 617 /* 618 * DP = D mod (P - 1) 619 * DQ = D mod (Q - 1) 620 * QP = Q^-1 mod P 621 */ 622 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, 623 &ctx->DP, &ctx->DQ, &ctx->QP ) ); 624 #endif /* MBEDTLS_RSA_NO_CRT */ 625 626 /* Double-check */ 627 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) ); 628 629 cleanup: 630 631 mbedtls_mpi_free( &H ); 632 mbedtls_mpi_free( &G ); 633 mbedtls_mpi_free( &L ); 634 635 if( ret != 0 ) 636 { 637 mbedtls_rsa_free( ctx ); 638 639 if( ( -ret & ~0x7f ) == 0 ) 640 ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret ); 641 return( ret ); 642 } 643 644 return( 0 ); 645 } 646 647 #endif /* MBEDTLS_GENPRIME */ 648 649 /* 650 * Check a public RSA key 651 */ 652 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 653 { 654 RSA_VALIDATE_RET( ctx != NULL ); 655 656 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 ) 657 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 658 659 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ) 660 { 661 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 662 } 663 664 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 || 665 mbedtls_mpi_bitlen( &ctx->E ) < 2 || 666 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 ) 667 { 668 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 669 } 670 671 return( 0 ); 672 } 673 674 /* 675 * Check for the consistency of all fields in an RSA private key context 676 */ 677 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 678 { 679 RSA_VALIDATE_RET( ctx != NULL ); 680 681 if( mbedtls_rsa_check_pubkey( ctx ) != 0 || 682 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 ) 683 { 684 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 685 } 686 687 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q, 688 &ctx->D, &ctx->E, NULL, NULL ) != 0 ) 689 { 690 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 691 } 692 693 #if !defined(MBEDTLS_RSA_NO_CRT) 694 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D, 695 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 ) 696 { 697 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 698 } 699 #endif 700 701 return( 0 ); 702 } 703 704 /* 705 * Check if contexts holding a public and private key match 706 */ 707 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, 708 const mbedtls_rsa_context *prv ) 709 { 710 RSA_VALIDATE_RET( pub != NULL ); 711 RSA_VALIDATE_RET( prv != NULL ); 712 713 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 714 mbedtls_rsa_check_privkey( prv ) != 0 ) 715 { 716 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 717 } 718 719 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 || 720 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 ) 721 { 722 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 723 } 724 725 return( 0 ); 726 } 727 728 /* 729 * Do an RSA public key operation 730 */ 731 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 732 const unsigned char *input, 733 unsigned char *output ) 734 { 735 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 736 size_t olen; 737 mbedtls_mpi T; 738 RSA_VALIDATE_RET( ctx != NULL ); 739 RSA_VALIDATE_RET( input != NULL ); 740 RSA_VALIDATE_RET( output != NULL ); 741 742 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) ) 743 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 744 745 mbedtls_mpi_init( &T ); 746 747 #if defined(MBEDTLS_THREADING_C) 748 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 749 return( ret ); 750 #endif 751 752 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 753 754 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 755 { 756 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 757 goto cleanup; 758 } 759 760 olen = ctx->len; 761 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); 762 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 763 764 cleanup: 765 #if defined(MBEDTLS_THREADING_C) 766 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 767 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 768 #endif 769 770 mbedtls_mpi_free( &T ); 771 772 if( ret != 0 ) 773 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret ) ); 774 775 return( 0 ); 776 } 777 778 /* 779 * Generate or update blinding values, see section 10 of: 780 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 781 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 782 * Berlin Heidelberg, 1996. p. 104-113. 783 */ 784 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 785 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 786 { 787 int ret, count = 0; 788 mbedtls_mpi R; 789 790 mbedtls_mpi_init( &R ); 791 792 if( ctx->Vf.p != NULL ) 793 { 794 /* We already have blinding values, just update them by squaring */ 795 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) ); 796 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); 797 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); 798 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) ); 799 800 goto cleanup; 801 } 802 803 /* Unblinding value: Vf = random number, invertible mod N */ 804 do { 805 if( count++ > 10 ) 806 { 807 ret = MBEDTLS_ERR_RSA_RNG_FAILED; 808 goto cleanup; 809 } 810 811 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); 812 813 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */ 814 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) ); 815 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) ); 816 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); 817 818 /* At this point, Vi is invertible mod N if and only if both Vf and R 819 * are invertible mod N. If one of them isn't, we don't need to know 820 * which one, we just loop and choose new values for both of them. 821 * (Each iteration succeeds with overwhelming probability.) */ 822 ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N ); 823 if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ) 824 goto cleanup; 825 826 } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ); 827 828 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */ 829 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) ); 830 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); 831 832 /* Blinding value: Vi = Vf^(-e) mod N 833 * (Vi already contains Vf^-1 at this point) */ 834 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); 835 836 837 cleanup: 838 mbedtls_mpi_free( &R ); 839 840 return( ret ); 841 } 842 843 /* 844 * Exponent blinding supposed to prevent side-channel attacks using multiple 845 * traces of measurements to recover the RSA key. The more collisions are there, 846 * the more bits of the key can be recovered. See [3]. 847 * 848 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) 849 * observations on avarage. 850 * 851 * For example with 28 byte blinding to achieve 2 collisions the adversary has 852 * to make 2^112 observations on avarage. 853 * 854 * (With the currently (as of 2017 April) known best algorithms breaking 2048 855 * bit RSA requires approximately as much time as trying out 2^112 random keys. 856 * Thus in this sense with 28 byte blinding the security is not reduced by 857 * side-channel attacks like the one in [3]) 858 * 859 * This countermeasure does not help if the key recovery is possible with a 860 * single trace. 861 */ 862 #define RSA_EXPONENT_BLINDING 28 863 864 /* 865 * Do an RSA private key operation 866 */ 867 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 868 int (*f_rng)(void *, unsigned char *, size_t), 869 void *p_rng, 870 const unsigned char *input, 871 unsigned char *output ) 872 { 873 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 874 size_t olen; 875 876 /* Temporary holding the result */ 877 mbedtls_mpi T; 878 879 /* Temporaries holding P-1, Q-1 and the 880 * exponent blinding factor, respectively. */ 881 mbedtls_mpi P1, Q1, R; 882 883 #if !defined(MBEDTLS_RSA_NO_CRT) 884 /* Temporaries holding the results mod p resp. mod q. */ 885 mbedtls_mpi TP, TQ; 886 887 /* Temporaries holding the blinded exponents for 888 * the mod p resp. mod q computation (if used). */ 889 mbedtls_mpi DP_blind, DQ_blind; 890 891 /* Pointers to actual exponents to be used - either the unblinded 892 * or the blinded ones, depending on the presence of a PRNG. */ 893 mbedtls_mpi *DP = &ctx->DP; 894 mbedtls_mpi *DQ = &ctx->DQ; 895 #else 896 /* Temporary holding the blinded exponent (if used). */ 897 mbedtls_mpi D_blind; 898 899 /* Pointer to actual exponent to be used - either the unblinded 900 * or the blinded one, depending on the presence of a PRNG. */ 901 mbedtls_mpi *D = &ctx->D; 902 #endif /* MBEDTLS_RSA_NO_CRT */ 903 904 /* Temporaries holding the initial input and the double 905 * checked result; should be the same in the end. */ 906 mbedtls_mpi I, C; 907 908 RSA_VALIDATE_RET( ctx != NULL ); 909 RSA_VALIDATE_RET( input != NULL ); 910 RSA_VALIDATE_RET( output != NULL ); 911 912 if( rsa_check_context( ctx, 1 /* private key checks */, 913 f_rng != NULL /* blinding y/n */ ) != 0 ) 914 { 915 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 916 } 917 918 #if defined(MBEDTLS_THREADING_C) 919 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 920 return( ret ); 921 #endif 922 923 /* MPI Initialization */ 924 mbedtls_mpi_init( &T ); 925 926 mbedtls_mpi_init( &P1 ); 927 mbedtls_mpi_init( &Q1 ); 928 mbedtls_mpi_init( &R ); 929 930 if( f_rng != NULL ) 931 { 932 #if defined(MBEDTLS_RSA_NO_CRT) 933 mbedtls_mpi_init( &D_blind ); 934 #else 935 mbedtls_mpi_init( &DP_blind ); 936 mbedtls_mpi_init( &DQ_blind ); 937 #endif 938 } 939 940 #if !defined(MBEDTLS_RSA_NO_CRT) 941 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ ); 942 #endif 943 944 mbedtls_mpi_init( &I ); 945 mbedtls_mpi_init( &C ); 946 947 /* End of MPI initialization */ 948 949 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 950 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 951 { 952 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 953 goto cleanup; 954 } 955 956 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) ); 957 958 if( f_rng != NULL ) 959 { 960 /* 961 * Blinding 962 * T = T * Vi mod N 963 */ 964 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 965 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 966 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 967 968 /* 969 * Exponent blinding 970 */ 971 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); 972 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); 973 974 #if defined(MBEDTLS_RSA_NO_CRT) 975 /* 976 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D 977 */ 978 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 979 f_rng, p_rng ) ); 980 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) ); 981 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) ); 982 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); 983 984 D = &D_blind; 985 #else 986 /* 987 * DP_blind = ( P - 1 ) * R + DP 988 */ 989 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 990 f_rng, p_rng ) ); 991 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) ); 992 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind, 993 &ctx->DP ) ); 994 995 DP = &DP_blind; 996 997 /* 998 * DQ_blind = ( Q - 1 ) * R + DQ 999 */ 1000 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 1001 f_rng, p_rng ) ); 1002 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) ); 1003 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind, 1004 &ctx->DQ ) ); 1005 1006 DQ = &DQ_blind; 1007 #endif /* MBEDTLS_RSA_NO_CRT */ 1008 } 1009 1010 #if defined(MBEDTLS_RSA_NO_CRT) 1011 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) ); 1012 #else 1013 /* 1014 * Faster decryption using the CRT 1015 * 1016 * TP = input ^ dP mod P 1017 * TQ = input ^ dQ mod Q 1018 */ 1019 1020 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) ); 1021 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) ); 1022 1023 /* 1024 * T = (TP - TQ) * (Q^-1 mod P) mod P 1025 */ 1026 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) ); 1027 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) ); 1028 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) ); 1029 1030 /* 1031 * T = TQ + T * Q 1032 */ 1033 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) ); 1034 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) ); 1035 #endif /* MBEDTLS_RSA_NO_CRT */ 1036 1037 if( f_rng != NULL ) 1038 { 1039 /* 1040 * Unblind 1041 * T = T * Vf mod N 1042 */ 1043 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 1044 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 1045 } 1046 1047 /* Verify the result to prevent glitching attacks. */ 1048 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, 1049 &ctx->N, &ctx->RN ) ); 1050 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 ) 1051 { 1052 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 1053 goto cleanup; 1054 } 1055 1056 olen = ctx->len; 1057 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 1058 1059 cleanup: 1060 #if defined(MBEDTLS_THREADING_C) 1061 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 1062 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 1063 #endif 1064 1065 mbedtls_mpi_free( &P1 ); 1066 mbedtls_mpi_free( &Q1 ); 1067 mbedtls_mpi_free( &R ); 1068 1069 if( f_rng != NULL ) 1070 { 1071 #if defined(MBEDTLS_RSA_NO_CRT) 1072 mbedtls_mpi_free( &D_blind ); 1073 #else 1074 mbedtls_mpi_free( &DP_blind ); 1075 mbedtls_mpi_free( &DQ_blind ); 1076 #endif 1077 } 1078 1079 mbedtls_mpi_free( &T ); 1080 1081 #if !defined(MBEDTLS_RSA_NO_CRT) 1082 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ ); 1083 #endif 1084 1085 mbedtls_mpi_free( &C ); 1086 mbedtls_mpi_free( &I ); 1087 1088 if( ret != 0 && ret >= -0x007f ) 1089 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret ) ); 1090 1091 return( ret ); 1092 } 1093 1094 #if defined(MBEDTLS_PKCS1_V21) 1095 /** 1096 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 1097 * 1098 * \param dst buffer to mask 1099 * \param dlen length of destination buffer 1100 * \param src source of the mask generation 1101 * \param slen length of the source buffer 1102 * \param md_ctx message digest context to use 1103 */ 1104 static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 1105 size_t slen, mbedtls_md_context_t *md_ctx ) 1106 { 1107 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 1108 unsigned char counter[4]; 1109 unsigned char *p; 1110 unsigned int hlen; 1111 size_t i, use_len; 1112 int ret = 0; 1113 1114 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 1115 memset( counter, 0, 4 ); 1116 1117 hlen = mbedtls_md_get_size( md_ctx->md_info ); 1118 1119 /* Generate and apply dbMask */ 1120 p = dst; 1121 1122 while( dlen > 0 ) 1123 { 1124 use_len = hlen; 1125 if( dlen < hlen ) 1126 use_len = dlen; 1127 1128 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 ) 1129 goto exit; 1130 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 ) 1131 goto exit; 1132 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 ) 1133 goto exit; 1134 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 ) 1135 goto exit; 1136 1137 for( i = 0; i < use_len; ++i ) 1138 *p++ ^= mask[i]; 1139 1140 counter[3]++; 1141 1142 dlen -= use_len; 1143 } 1144 1145 exit: 1146 mbedtls_platform_zeroize( mask, sizeof( mask ) ); 1147 1148 return( ret ); 1149 } 1150 #endif /* MBEDTLS_PKCS1_V21 */ 1151 1152 #if defined(MBEDTLS_PKCS1_V21) 1153 /* 1154 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 1155 */ 1156 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 1157 int (*f_rng)(void *, unsigned char *, size_t), 1158 void *p_rng, 1159 int mode, 1160 const unsigned char *label, size_t label_len, 1161 size_t ilen, 1162 const unsigned char *input, 1163 unsigned char *output ) 1164 { 1165 size_t olen; 1166 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1167 unsigned char *p = output; 1168 unsigned int hlen; 1169 const mbedtls_md_info_t *md_info; 1170 mbedtls_md_context_t md_ctx; 1171 1172 RSA_VALIDATE_RET( ctx != NULL ); 1173 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1174 mode == MBEDTLS_RSA_PUBLIC ); 1175 RSA_VALIDATE_RET( output != NULL ); 1176 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 1177 RSA_VALIDATE_RET( label_len == 0 || label != NULL ); 1178 1179 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1181 1182 if( f_rng == NULL ) 1183 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1184 1185 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 1186 if( md_info == NULL ) 1187 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1188 1189 olen = ctx->len; 1190 hlen = mbedtls_md_get_size( md_info ); 1191 1192 /* first comparison checks for overflow */ 1193 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 1194 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1195 1196 memset( output, 0, olen ); 1197 1198 *p++ = 0; 1199 1200 /* Generate a random octet string seed */ 1201 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 1202 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); 1203 1204 p += hlen; 1205 1206 /* Construct DB */ 1207 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 ) 1208 return( ret ); 1209 p += hlen; 1210 p += olen - 2 * hlen - 2 - ilen; 1211 *p++ = 1; 1212 if( ilen != 0 ) 1213 memcpy( p, input, ilen ); 1214 1215 mbedtls_md_init( &md_ctx ); 1216 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1217 goto exit; 1218 1219 /* maskedDB: Apply dbMask to DB */ 1220 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 1221 &md_ctx ) ) != 0 ) 1222 goto exit; 1223 1224 /* maskedSeed: Apply seedMask to seed */ 1225 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 1226 &md_ctx ) ) != 0 ) 1227 goto exit; 1228 1229 exit: 1230 mbedtls_md_free( &md_ctx ); 1231 1232 if( ret != 0 ) 1233 return( ret ); 1234 1235 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1236 ? mbedtls_rsa_public( ctx, output, output ) 1237 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 1238 } 1239 #endif /* MBEDTLS_PKCS1_V21 */ 1240 1241 #if defined(MBEDTLS_PKCS1_V15) 1242 /* 1243 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 1244 */ 1245 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 1246 int (*f_rng)(void *, unsigned char *, size_t), 1247 void *p_rng, 1248 int mode, size_t ilen, 1249 const unsigned char *input, 1250 unsigned char *output ) 1251 { 1252 size_t nb_pad, olen; 1253 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1254 unsigned char *p = output; 1255 1256 RSA_VALIDATE_RET( ctx != NULL ); 1257 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1258 mode == MBEDTLS_RSA_PUBLIC ); 1259 RSA_VALIDATE_RET( output != NULL ); 1260 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 1261 1262 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 1263 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1264 1265 olen = ctx->len; 1266 1267 /* first comparison checks for overflow */ 1268 if( ilen + 11 < ilen || olen < ilen + 11 ) 1269 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1270 1271 nb_pad = olen - 3 - ilen; 1272 1273 *p++ = 0; 1274 if( mode == MBEDTLS_RSA_PUBLIC ) 1275 { 1276 if( f_rng == NULL ) 1277 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1278 1279 *p++ = MBEDTLS_RSA_CRYPT; 1280 1281 while( nb_pad-- > 0 ) 1282 { 1283 int rng_dl = 100; 1284 1285 do { 1286 ret = f_rng( p_rng, p, 1 ); 1287 } while( *p == 0 && --rng_dl && ret == 0 ); 1288 1289 /* Check if RNG failed to generate data */ 1290 if( rng_dl == 0 || ret != 0 ) 1291 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); 1292 1293 p++; 1294 } 1295 } 1296 else 1297 { 1298 *p++ = MBEDTLS_RSA_SIGN; 1299 1300 while( nb_pad-- > 0 ) 1301 *p++ = 0xFF; 1302 } 1303 1304 *p++ = 0; 1305 if( ilen != 0 ) 1306 memcpy( p, input, ilen ); 1307 1308 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1309 ? mbedtls_rsa_public( ctx, output, output ) 1310 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 1311 } 1312 #endif /* MBEDTLS_PKCS1_V15 */ 1313 1314 /* 1315 * Add the message padding, then do an RSA operation 1316 */ 1317 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 1318 int (*f_rng)(void *, unsigned char *, size_t), 1319 void *p_rng, 1320 int mode, size_t ilen, 1321 const unsigned char *input, 1322 unsigned char *output ) 1323 { 1324 RSA_VALIDATE_RET( ctx != NULL ); 1325 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1326 mode == MBEDTLS_RSA_PUBLIC ); 1327 RSA_VALIDATE_RET( output != NULL ); 1328 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 1329 1330 switch( ctx->padding ) 1331 { 1332 #if defined(MBEDTLS_PKCS1_V15) 1333 case MBEDTLS_RSA_PKCS_V15: 1334 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 1335 input, output ); 1336 #endif 1337 1338 #if defined(MBEDTLS_PKCS1_V21) 1339 case MBEDTLS_RSA_PKCS_V21: 1340 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 1341 ilen, input, output ); 1342 #endif 1343 1344 default: 1345 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1346 } 1347 } 1348 1349 #if defined(MBEDTLS_PKCS1_V21) 1350 /* 1351 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 1352 */ 1353 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 1354 int (*f_rng)(void *, unsigned char *, size_t), 1355 void *p_rng, 1356 int mode, 1357 const unsigned char *label, size_t label_len, 1358 size_t *olen, 1359 const unsigned char *input, 1360 unsigned char *output, 1361 size_t output_max_len ) 1362 { 1363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1364 size_t ilen, i, pad_len; 1365 unsigned char *p, bad, pad_done; 1366 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 1367 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 1368 unsigned int hlen; 1369 const mbedtls_md_info_t *md_info; 1370 mbedtls_md_context_t md_ctx; 1371 1372 RSA_VALIDATE_RET( ctx != NULL ); 1373 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1374 mode == MBEDTLS_RSA_PUBLIC ); 1375 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 1376 RSA_VALIDATE_RET( label_len == 0 || label != NULL ); 1377 RSA_VALIDATE_RET( input != NULL ); 1378 RSA_VALIDATE_RET( olen != NULL ); 1379 1380 /* 1381 * Parameters sanity checks 1382 */ 1383 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1384 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1385 1386 ilen = ctx->len; 1387 1388 if( ilen < 16 || ilen > sizeof( buf ) ) 1389 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1390 1391 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 1392 if( md_info == NULL ) 1393 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1394 1395 hlen = mbedtls_md_get_size( md_info ); 1396 1397 // checking for integer underflow 1398 if( 2 * hlen + 2 > ilen ) 1399 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1400 1401 /* 1402 * RSA operation 1403 */ 1404 if( ctx->P.n == 0 ) 1405 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1406 ? mbedtls_rsa_public( ctx, input, buf ) 1407 : mbedtls_rsa_private( ctx, NULL, NULL, input, buf ); 1408 else 1409 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1410 ? mbedtls_rsa_public( ctx, input, buf ) 1411 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 1412 1413 if( ret != 0 ) 1414 goto cleanup; 1415 1416 /* 1417 * Unmask data and generate lHash 1418 */ 1419 mbedtls_md_init( &md_ctx ); 1420 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1421 { 1422 mbedtls_md_free( &md_ctx ); 1423 goto cleanup; 1424 } 1425 1426 /* seed: Apply seedMask to maskedSeed */ 1427 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 1428 &md_ctx ) ) != 0 || 1429 /* DB: Apply dbMask to maskedDB */ 1430 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 1431 &md_ctx ) ) != 0 ) 1432 { 1433 mbedtls_md_free( &md_ctx ); 1434 goto cleanup; 1435 } 1436 1437 mbedtls_md_free( &md_ctx ); 1438 1439 /* Generate lHash */ 1440 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 ) 1441 goto cleanup; 1442 1443 /* 1444 * Check contents, in "constant-time" 1445 */ 1446 p = buf; 1447 bad = 0; 1448 1449 bad |= *p++; /* First byte must be 0 */ 1450 1451 p += hlen; /* Skip seed */ 1452 1453 /* Check lHash */ 1454 for( i = 0; i < hlen; i++ ) 1455 bad |= lhash[i] ^ *p++; 1456 1457 /* Get zero-padding len, but always read till end of buffer 1458 * (minus one, for the 01 byte) */ 1459 pad_len = 0; 1460 pad_done = 0; 1461 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 1462 { 1463 pad_done |= p[i]; 1464 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 1465 } 1466 1467 p += pad_len; 1468 bad |= *p++ ^ 0x01; 1469 1470 /* 1471 * The only information "leaked" is whether the padding was correct or not 1472 * (eg, no data is copied if it was not correct). This meets the 1473 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 1474 * the different error conditions. 1475 */ 1476 if( bad != 0 ) 1477 { 1478 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 1479 goto cleanup; 1480 } 1481 1482 if( ilen - ( p - buf ) > output_max_len ) 1483 { 1484 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 1485 goto cleanup; 1486 } 1487 1488 *olen = ilen - (p - buf); 1489 if( *olen != 0 ) 1490 memcpy( output, p, *olen ); 1491 ret = 0; 1492 1493 cleanup: 1494 mbedtls_platform_zeroize( buf, sizeof( buf ) ); 1495 mbedtls_platform_zeroize( lhash, sizeof( lhash ) ); 1496 1497 return( ret ); 1498 } 1499 #endif /* MBEDTLS_PKCS1_V21 */ 1500 1501 #if defined(MBEDTLS_PKCS1_V15) 1502 /** Turn zero-or-nonzero into zero-or-all-bits-one, without branches. 1503 * 1504 * \param value The value to analyze. 1505 * \return Zero if \p value is zero, otherwise all-bits-one. 1506 */ 1507 static unsigned all_or_nothing_int( unsigned value ) 1508 { 1509 /* MSVC has a warning about unary minus on unsigned, but this is 1510 * well-defined and precisely what we want to do here */ 1511 #if defined(_MSC_VER) 1512 #pragma warning( push ) 1513 #pragma warning( disable : 4146 ) 1514 #endif 1515 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); 1516 #if defined(_MSC_VER) 1517 #pragma warning( pop ) 1518 #endif 1519 } 1520 1521 /** Check whether a size is out of bounds, without branches. 1522 * 1523 * This is equivalent to `size > max`, but is likely to be compiled to 1524 * to code using bitwise operation rather than a branch. 1525 * 1526 * \param size Size to check. 1527 * \param max Maximum desired value for \p size. 1528 * \return \c 0 if `size <= max`. 1529 * \return \c 1 if `size > max`. 1530 */ 1531 static unsigned size_greater_than( size_t size, size_t max ) 1532 { 1533 /* Return the sign bit (1 for negative) of (max - size). */ 1534 return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) ); 1535 } 1536 1537 /** Choose between two integer values, without branches. 1538 * 1539 * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled 1540 * to code using bitwise operation rather than a branch. 1541 * 1542 * \param cond Condition to test. 1543 * \param if1 Value to use if \p cond is nonzero. 1544 * \param if0 Value to use if \p cond is zero. 1545 * \return \c if1 if \p cond is nonzero, otherwise \c if0. 1546 */ 1547 static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 ) 1548 { 1549 unsigned mask = all_or_nothing_int( cond ); 1550 return( ( mask & if1 ) | (~mask & if0 ) ); 1551 } 1552 1553 /** Shift some data towards the left inside a buffer without leaking 1554 * the length of the data through side channels. 1555 * 1556 * `mem_move_to_left(start, total, offset)` is functionally equivalent to 1557 * ``` 1558 * memmove(start, start + offset, total - offset); 1559 * memset(start + offset, 0, total - offset); 1560 * ``` 1561 * but it strives to use a memory access pattern (and thus total timing) 1562 * that does not depend on \p offset. This timing independence comes at 1563 * the expense of performance. 1564 * 1565 * \param start Pointer to the start of the buffer. 1566 * \param total Total size of the buffer. 1567 * \param offset Offset from which to copy \p total - \p offset bytes. 1568 */ 1569 static void mem_move_to_left( void *start, 1570 size_t total, 1571 size_t offset ) 1572 { 1573 volatile unsigned char *buf = start; 1574 size_t i, n; 1575 if( total == 0 ) 1576 return; 1577 for( i = 0; i < total; i++ ) 1578 { 1579 unsigned no_op = size_greater_than( total - offset, i ); 1580 /* The first `total - offset` passes are a no-op. The last 1581 * `offset` passes shift the data one byte to the left and 1582 * zero out the last byte. */ 1583 for( n = 0; n < total - 1; n++ ) 1584 { 1585 unsigned char current = buf[n]; 1586 unsigned char next = buf[n+1]; 1587 buf[n] = if_int( no_op, current, next ); 1588 } 1589 buf[total-1] = if_int( no_op, buf[total-1], 0 ); 1590 } 1591 } 1592 1593 /* 1594 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 1595 */ 1596 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 1597 int (*f_rng)(void *, unsigned char *, size_t), 1598 void *p_rng, 1599 int mode, size_t *olen, 1600 const unsigned char *input, 1601 unsigned char *output, 1602 size_t output_max_len ) 1603 { 1604 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1605 size_t ilen, i, plaintext_max_size; 1606 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 1607 /* The following variables take sensitive values: their value must 1608 * not leak into the observable behavior of the function other than 1609 * the designated outputs (output, olen, return value). Otherwise 1610 * this would open the execution of the function to 1611 * side-channel-based variants of the Bleichenbacher padding oracle 1612 * attack. Potential side channels include overall timing, memory 1613 * access patterns (especially visible to an adversary who has access 1614 * to a shared memory cache), and branches (especially visible to 1615 * an adversary who has access to a shared code cache or to a shared 1616 * branch predictor). */ 1617 size_t pad_count = 0; 1618 unsigned bad = 0; 1619 unsigned char pad_done = 0; 1620 size_t plaintext_size = 0; 1621 unsigned output_too_large; 1622 1623 RSA_VALIDATE_RET( ctx != NULL ); 1624 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1625 mode == MBEDTLS_RSA_PUBLIC ); 1626 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 1627 RSA_VALIDATE_RET( input != NULL ); 1628 RSA_VALIDATE_RET( olen != NULL ); 1629 1630 ilen = ctx->len; 1631 plaintext_max_size = ( output_max_len > ilen - 11 ? 1632 ilen - 11 : 1633 output_max_len ); 1634 1635 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 1636 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1637 1638 if( ilen < 16 || ilen > sizeof( buf ) ) 1639 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1640 1641 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1642 ? mbedtls_rsa_public( ctx, input, buf ) 1643 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 1644 1645 if( ret != 0 ) 1646 goto cleanup; 1647 1648 /* Check and get padding length in constant time and constant 1649 * memory trace. The first byte must be 0. */ 1650 bad |= buf[0]; 1651 1652 if( mode == MBEDTLS_RSA_PRIVATE ) 1653 { 1654 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 1655 * where PS must be at least 8 nonzero bytes. */ 1656 bad |= buf[1] ^ MBEDTLS_RSA_CRYPT; 1657 1658 /* Read the whole buffer. Set pad_done to nonzero if we find 1659 * the 0x00 byte and remember the padding length in pad_count. */ 1660 for( i = 2; i < ilen; i++ ) 1661 { 1662 pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1; 1663 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 1664 } 1665 } 1666 else 1667 { 1668 /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00 1669 * where PS must be at least 8 bytes with the value 0xFF. */ 1670 bad |= buf[1] ^ MBEDTLS_RSA_SIGN; 1671 1672 /* Read the whole buffer. Set pad_done to nonzero if we find 1673 * the 0x00 byte and remember the padding length in pad_count. 1674 * If there's a non-0xff byte in the padding, the padding is bad. */ 1675 for( i = 2; i < ilen; i++ ) 1676 { 1677 pad_done |= if_int( buf[i], 0, 1 ); 1678 pad_count += if_int( pad_done, 0, 1 ); 1679 bad |= if_int( pad_done, 0, buf[i] ^ 0xFF ); 1680 } 1681 } 1682 1683 /* If pad_done is still zero, there's no data, only unfinished padding. */ 1684 bad |= if_int( pad_done, 0, 1 ); 1685 1686 /* There must be at least 8 bytes of padding. */ 1687 bad |= size_greater_than( 8, pad_count ); 1688 1689 /* If the padding is valid, set plaintext_size to the number of 1690 * remaining bytes after stripping the padding. If the padding 1691 * is invalid, avoid leaking this fact through the size of the 1692 * output: use the maximum message size that fits in the output 1693 * buffer. Do it without branches to avoid leaking the padding 1694 * validity through timing. RSA keys are small enough that all the 1695 * size_t values involved fit in unsigned int. */ 1696 plaintext_size = if_int( bad, 1697 (unsigned) plaintext_max_size, 1698 (unsigned) ( ilen - pad_count - 3 ) ); 1699 1700 /* Set output_too_large to 0 if the plaintext fits in the output 1701 * buffer and to 1 otherwise. */ 1702 output_too_large = size_greater_than( plaintext_size, 1703 plaintext_max_size ); 1704 1705 /* Set ret without branches to avoid timing attacks. Return: 1706 * - INVALID_PADDING if the padding is bad (bad != 0). 1707 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted 1708 * plaintext does not fit in the output buffer. 1709 * - 0 if the padding is correct. */ 1710 ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, 1711 if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, 1712 0 ) ); 1713 1714 /* If the padding is bad or the plaintext is too large, zero the 1715 * data that we're about to copy to the output buffer. 1716 * We need to copy the same amount of data 1717 * from the same buffer whether the padding is good or not to 1718 * avoid leaking the padding validity through overall timing or 1719 * through memory or cache access patterns. */ 1720 bad = all_or_nothing_int( bad | output_too_large ); 1721 for( i = 11; i < ilen; i++ ) 1722 buf[i] &= ~bad; 1723 1724 /* If the plaintext is too large, truncate it to the buffer size. 1725 * Copy anyway to avoid revealing the length through timing, because 1726 * revealing the length is as bad as revealing the padding validity 1727 * for a Bleichenbacher attack. */ 1728 plaintext_size = if_int( output_too_large, 1729 (unsigned) plaintext_max_size, 1730 (unsigned) plaintext_size ); 1731 1732 /* Move the plaintext to the leftmost position where it can start in 1733 * the working buffer, i.e. make it start plaintext_max_size from 1734 * the end of the buffer. Do this with a memory access trace that 1735 * does not depend on the plaintext size. After this move, the 1736 * starting location of the plaintext is no longer sensitive 1737 * information. */ 1738 mem_move_to_left( buf + ilen - plaintext_max_size, 1739 plaintext_max_size, 1740 plaintext_max_size - plaintext_size ); 1741 1742 /* Finally copy the decrypted plaintext plus trailing zeros into the output 1743 * buffer. If output_max_len is 0, then output may be an invalid pointer 1744 * and the result of memcpy() would be undefined; prevent undefined 1745 * behavior making sure to depend only on output_max_len (the size of the 1746 * user-provided output buffer), which is independent from plaintext 1747 * length, validity of padding, success of the decryption, and other 1748 * secrets. */ 1749 if( output_max_len != 0 ) 1750 memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size ); 1751 1752 /* Report the amount of data we copied to the output buffer. In case 1753 * of errors (bad padding or output too large), the value of *olen 1754 * when this function returns is not specified. Making it equivalent 1755 * to the good case limits the risks of leaking the padding validity. */ 1756 *olen = plaintext_size; 1757 1758 cleanup: 1759 mbedtls_platform_zeroize( buf, sizeof( buf ) ); 1760 1761 return( ret ); 1762 } 1763 #endif /* MBEDTLS_PKCS1_V15 */ 1764 1765 /* 1766 * Do an RSA operation, then remove the message padding 1767 */ 1768 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 1769 int (*f_rng)(void *, unsigned char *, size_t), 1770 void *p_rng, 1771 int mode, size_t *olen, 1772 const unsigned char *input, 1773 unsigned char *output, 1774 size_t output_max_len) 1775 { 1776 RSA_VALIDATE_RET( ctx != NULL ); 1777 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1778 mode == MBEDTLS_RSA_PUBLIC ); 1779 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 1780 RSA_VALIDATE_RET( input != NULL ); 1781 RSA_VALIDATE_RET( olen != NULL ); 1782 1783 switch( ctx->padding ) 1784 { 1785 #if defined(MBEDTLS_PKCS1_V15) 1786 case MBEDTLS_RSA_PKCS_V15: 1787 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 1788 input, output, output_max_len ); 1789 #endif 1790 1791 #if defined(MBEDTLS_PKCS1_V21) 1792 case MBEDTLS_RSA_PKCS_V21: 1793 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 1794 olen, input, output, 1795 output_max_len ); 1796 #endif 1797 1798 default: 1799 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1800 } 1801 } 1802 1803 #if defined(MBEDTLS_PKCS1_V21) 1804 static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 1805 int (*f_rng)(void *, unsigned char *, size_t), 1806 void *p_rng, 1807 int mode, 1808 mbedtls_md_type_t md_alg, 1809 unsigned int hashlen, 1810 const unsigned char *hash, 1811 int saltlen, 1812 unsigned char *sig ) 1813 { 1814 size_t olen; 1815 unsigned char *p = sig; 1816 unsigned char *salt = NULL; 1817 size_t slen, min_slen, hlen, offset = 0; 1818 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1819 size_t msb; 1820 const mbedtls_md_info_t *md_info; 1821 mbedtls_md_context_t md_ctx; 1822 RSA_VALIDATE_RET( ctx != NULL ); 1823 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1824 mode == MBEDTLS_RSA_PUBLIC ); 1825 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 1826 hashlen == 0 ) || 1827 hash != NULL ); 1828 RSA_VALIDATE_RET( sig != NULL ); 1829 1830 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1831 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1832 1833 if( f_rng == NULL ) 1834 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1835 1836 olen = ctx->len; 1837 1838 if( md_alg != MBEDTLS_MD_NONE ) 1839 { 1840 /* Gather length of hash to sign */ 1841 md_info = mbedtls_md_info_from_type( md_alg ); 1842 if( md_info == NULL ) 1843 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1844 1845 hashlen = mbedtls_md_get_size( md_info ); 1846 } 1847 1848 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 1849 if( md_info == NULL ) 1850 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1851 1852 hlen = mbedtls_md_get_size( md_info ); 1853 1854 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) 1855 { 1856 /* Calculate the largest possible salt length, up to the hash size. 1857 * Normally this is the hash length, which is the maximum salt length 1858 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not 1859 * enough room, use the maximum salt length that fits. The constraint is 1860 * that the hash length plus the salt length plus 2 bytes must be at most 1861 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017 1862 * (PKCS#1 v2.2) §9.1.1 step 3. */ 1863 min_slen = hlen - 2; 1864 if( olen < hlen + min_slen + 2 ) 1865 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1866 else if( olen >= hlen + hlen + 2 ) 1867 slen = hlen; 1868 else 1869 slen = olen - hlen - 2; 1870 } 1871 else if ( (saltlen < 0) || (saltlen + hlen + 2 > olen) ) 1872 { 1873 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1874 } 1875 else 1876 { 1877 slen = (size_t) saltlen; 1878 } 1879 1880 memset( sig, 0, olen ); 1881 1882 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 1883 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 1884 p += olen - hlen - slen - 2; 1885 *p++ = 0x01; 1886 1887 /* Generate salt of length slen in place in the encoded message */ 1888 salt = p; 1889 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 1890 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); 1891 1892 p += slen; 1893 1894 mbedtls_md_init( &md_ctx ); 1895 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1896 goto exit; 1897 1898 /* Generate H = Hash( M' ) */ 1899 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) 1900 goto exit; 1901 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 ) 1902 goto exit; 1903 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) 1904 goto exit; 1905 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) 1906 goto exit; 1907 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 ) 1908 goto exit; 1909 1910 /* Compensate for boundary condition when applying mask */ 1911 if( msb % 8 == 0 ) 1912 offset = 1; 1913 1914 /* maskedDB: Apply dbMask to DB */ 1915 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, 1916 &md_ctx ) ) != 0 ) 1917 goto exit; 1918 1919 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 1920 sig[0] &= 0xFF >> ( olen * 8 - msb ); 1921 1922 p += hlen; 1923 *p++ = 0xBC; 1924 1925 exit: 1926 mbedtls_md_free( &md_ctx ); 1927 1928 if( ret != 0 ) 1929 return( ret ); 1930 1931 if( ctx->P.n == 0) 1932 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1933 ? mbedtls_rsa_public( ctx, sig, sig ) 1934 : mbedtls_rsa_private( ctx, NULL, NULL, sig, sig ) ); 1935 else 1936 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1937 ? mbedtls_rsa_public( ctx, sig, sig ) 1938 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 1939 } 1940 1941 /* 1942 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with 1943 * the option to pass in the salt length. 1944 */ 1945 int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, 1946 int (*f_rng)(void *, unsigned char *, size_t), 1947 void *p_rng, 1948 mbedtls_md_type_t md_alg, 1949 unsigned int hashlen, 1950 const unsigned char *hash, 1951 int saltlen, 1952 unsigned char *sig ) 1953 { 1954 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg, 1955 hashlen, hash, saltlen, sig ); 1956 } 1957 1958 1959 /* 1960 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 1961 */ 1962 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 1963 int (*f_rng)(void *, unsigned char *, size_t), 1964 void *p_rng, 1965 int mode, 1966 mbedtls_md_type_t md_alg, 1967 unsigned int hashlen, 1968 const unsigned char *hash, 1969 unsigned char *sig ) 1970 { 1971 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 1972 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig ); 1973 } 1974 #endif /* MBEDTLS_PKCS1_V21 */ 1975 1976 #if defined(MBEDTLS_PKCS1_V15) 1977 /* 1978 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 1979 */ 1980 1981 /* Construct a PKCS v1.5 encoding of a hashed message 1982 * 1983 * This is used both for signature generation and verification. 1984 * 1985 * Parameters: 1986 * - md_alg: Identifies the hash algorithm used to generate the given hash; 1987 * MBEDTLS_MD_NONE if raw data is signed. 1988 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE. 1989 * - hash: Buffer containing the hashed message or the raw data. 1990 * - dst_len: Length of the encoded message. 1991 * - dst: Buffer to hold the encoded message. 1992 * 1993 * Assumptions: 1994 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE. 1995 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE. 1996 * - dst points to a buffer of size at least dst_len. 1997 * 1998 */ 1999 static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, 2000 unsigned int hashlen, 2001 const unsigned char *hash, 2002 size_t dst_len, 2003 unsigned char *dst ) 2004 { 2005 size_t oid_size = 0; 2006 size_t nb_pad = dst_len; 2007 unsigned char *p = dst; 2008 const char *oid = NULL; 2009 2010 /* Are we signing hashed or raw data? */ 2011 if( md_alg != MBEDTLS_MD_NONE ) 2012 { 2013 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 2014 if( md_info == NULL ) 2015 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2016 2017 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 2018 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2019 2020 hashlen = mbedtls_md_get_size( md_info ); 2021 2022 /* Double-check that 8 + hashlen + oid_size can be used as a 2023 * 1-byte ASN.1 length encoding and that there's no overflow. */ 2024 if( 8 + hashlen + oid_size >= 0x80 || 2025 10 + hashlen < hashlen || 2026 10 + hashlen + oid_size < 10 + hashlen ) 2027 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2028 2029 /* 2030 * Static bounds check: 2031 * - Need 10 bytes for five tag-length pairs. 2032 * (Insist on 1-byte length encodings to protect against variants of 2033 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification) 2034 * - Need hashlen bytes for hash 2035 * - Need oid_size bytes for hash alg OID. 2036 */ 2037 if( nb_pad < 10 + hashlen + oid_size ) 2038 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2039 nb_pad -= 10 + hashlen + oid_size; 2040 } 2041 else 2042 { 2043 if( nb_pad < hashlen ) 2044 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2045 2046 nb_pad -= hashlen; 2047 } 2048 2049 /* Need space for signature header and padding delimiter (3 bytes), 2050 * and 8 bytes for the minimal padding */ 2051 if( nb_pad < 3 + 8 ) 2052 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2053 nb_pad -= 3; 2054 2055 /* Now nb_pad is the amount of memory to be filled 2056 * with padding, and at least 8 bytes long. */ 2057 2058 /* Write signature header and padding */ 2059 *p++ = 0; 2060 *p++ = MBEDTLS_RSA_SIGN; 2061 memset( p, 0xFF, nb_pad ); 2062 p += nb_pad; 2063 *p++ = 0; 2064 2065 /* Are we signing raw data? */ 2066 if( md_alg == MBEDTLS_MD_NONE ) 2067 { 2068 memcpy( p, hash, hashlen ); 2069 return( 0 ); 2070 } 2071 2072 /* Signing hashed data, add corresponding ASN.1 structure 2073 * 2074 * DigestInfo ::= SEQUENCE { 2075 * digestAlgorithm DigestAlgorithmIdentifier, 2076 * digest Digest } 2077 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 2078 * Digest ::= OCTET STRING 2079 * 2080 * Schematic: 2081 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] 2082 * TAG-NULL + LEN [ NULL ] ] 2083 * TAG-OCTET + LEN [ HASH ] ] 2084 */ 2085 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 2086 *p++ = (unsigned char)( 0x08 + oid_size + hashlen ); 2087 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 2088 *p++ = (unsigned char)( 0x04 + oid_size ); 2089 *p++ = MBEDTLS_ASN1_OID; 2090 *p++ = (unsigned char) oid_size; 2091 memcpy( p, oid, oid_size ); 2092 p += oid_size; 2093 *p++ = MBEDTLS_ASN1_NULL; 2094 *p++ = 0x00; 2095 *p++ = MBEDTLS_ASN1_OCTET_STRING; 2096 *p++ = (unsigned char) hashlen; 2097 memcpy( p, hash, hashlen ); 2098 p += hashlen; 2099 2100 /* Just a sanity-check, should be automatic 2101 * after the initial bounds check. */ 2102 if( p != dst + dst_len ) 2103 { 2104 mbedtls_platform_zeroize( dst, dst_len ); 2105 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2106 } 2107 2108 return( 0 ); 2109 } 2110 2111 /* 2112 * Do an RSA operation to sign the message digest 2113 */ 2114 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 2115 int (*f_rng)(void *, unsigned char *, size_t), 2116 void *p_rng, 2117 int mode, 2118 mbedtls_md_type_t md_alg, 2119 unsigned int hashlen, 2120 const unsigned char *hash, 2121 unsigned char *sig ) 2122 { 2123 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2124 unsigned char *sig_try = NULL, *verif = NULL; 2125 2126 RSA_VALIDATE_RET( ctx != NULL ); 2127 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2128 mode == MBEDTLS_RSA_PUBLIC ); 2129 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2130 hashlen == 0 ) || 2131 hash != NULL ); 2132 RSA_VALIDATE_RET( sig != NULL ); 2133 2134 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 2135 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2136 2137 /* 2138 * Prepare PKCS1-v1.5 encoding (padding and hash identifier) 2139 */ 2140 2141 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, 2142 ctx->len, sig ) ) != 0 ) 2143 return( ret ); 2144 2145 /* 2146 * Call respective RSA primitive 2147 */ 2148 2149 if( mode == MBEDTLS_RSA_PUBLIC ) 2150 { 2151 /* Skip verification on a public key operation */ 2152 return( mbedtls_rsa_public( ctx, sig, sig ) ); 2153 } 2154 2155 /* Private key operation 2156 * 2157 * In order to prevent Lenstra's attack, make the signature in a 2158 * temporary buffer and check it before returning it. 2159 */ 2160 2161 sig_try = mbedtls_calloc( 1, ctx->len ); 2162 if( sig_try == NULL ) 2163 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 2164 2165 verif = mbedtls_calloc( 1, ctx->len ); 2166 if( verif == NULL ) 2167 { 2168 mbedtls_free( sig_try ); 2169 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 2170 } 2171 2172 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 2173 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 2174 2175 if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 ) 2176 { 2177 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 2178 goto cleanup; 2179 } 2180 2181 memcpy( sig, sig_try, ctx->len ); 2182 2183 cleanup: 2184 mbedtls_free( sig_try ); 2185 mbedtls_free( verif ); 2186 2187 return( ret ); 2188 } 2189 #endif /* MBEDTLS_PKCS1_V15 */ 2190 2191 /* 2192 * Do an RSA operation to sign the message digest 2193 */ 2194 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 2195 int (*f_rng)(void *, unsigned char *, size_t), 2196 void *p_rng, 2197 int mode, 2198 mbedtls_md_type_t md_alg, 2199 unsigned int hashlen, 2200 const unsigned char *hash, 2201 unsigned char *sig ) 2202 { 2203 RSA_VALIDATE_RET( ctx != NULL ); 2204 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2205 mode == MBEDTLS_RSA_PUBLIC ); 2206 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2207 hashlen == 0 ) || 2208 hash != NULL ); 2209 RSA_VALIDATE_RET( sig != NULL ); 2210 2211 switch( ctx->padding ) 2212 { 2213 #if defined(MBEDTLS_PKCS1_V15) 2214 case MBEDTLS_RSA_PKCS_V15: 2215 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 2216 hashlen, hash, sig ); 2217 #endif 2218 2219 #if defined(MBEDTLS_PKCS1_V21) 2220 case MBEDTLS_RSA_PKCS_V21: 2221 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 2222 hashlen, hash, sig ); 2223 #endif 2224 2225 default: 2226 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 2227 } 2228 } 2229 2230 #if defined(MBEDTLS_PKCS1_V21) 2231 /* 2232 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 2233 */ 2234 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 2235 int (*f_rng)(void *, unsigned char *, size_t), 2236 void *p_rng, 2237 int mode, 2238 mbedtls_md_type_t md_alg, 2239 unsigned int hashlen, 2240 const unsigned char *hash, 2241 mbedtls_md_type_t mgf1_hash_id, 2242 int expected_salt_len, 2243 const unsigned char *sig ) 2244 { 2245 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2246 size_t siglen; 2247 unsigned char *p; 2248 unsigned char *hash_start; 2249 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 2250 unsigned char zeros[8]; 2251 unsigned int hlen; 2252 size_t observed_salt_len, msb; 2253 const mbedtls_md_info_t *md_info; 2254 mbedtls_md_context_t md_ctx; 2255 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 2256 2257 RSA_VALIDATE_RET( ctx != NULL ); 2258 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2259 mode == MBEDTLS_RSA_PUBLIC ); 2260 RSA_VALIDATE_RET( sig != NULL ); 2261 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2262 hashlen == 0 ) || 2263 hash != NULL ); 2264 2265 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 2266 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2267 2268 siglen = ctx->len; 2269 2270 if( siglen < 16 || siglen > sizeof( buf ) ) 2271 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2272 2273 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 2274 ? mbedtls_rsa_public( ctx, sig, buf ) 2275 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 2276 2277 if( ret != 0 ) 2278 return( ret ); 2279 2280 p = buf; 2281 2282 if( buf[siglen - 1] != 0xBC ) 2283 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 2284 2285 if( md_alg != MBEDTLS_MD_NONE ) 2286 { 2287 /* Gather length of hash to sign */ 2288 md_info = mbedtls_md_info_from_type( md_alg ); 2289 if( md_info == NULL ) 2290 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2291 2292 hashlen = mbedtls_md_get_size( md_info ); 2293 } 2294 2295 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 2296 if( md_info == NULL ) 2297 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2298 2299 hlen = mbedtls_md_get_size( md_info ); 2300 2301 memset( zeros, 0, 8 ); 2302 2303 /* 2304 * Note: EMSA-PSS verification is over the length of N - 1 bits 2305 */ 2306 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 2307 2308 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 2309 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2310 2311 /* Compensate for boundary condition when applying mask */ 2312 if( msb % 8 == 0 ) 2313 { 2314 p++; 2315 siglen -= 1; 2316 } 2317 2318 if( siglen < hlen + 2 ) 2319 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2320 hash_start = p + siglen - hlen - 1; 2321 2322 mbedtls_md_init( &md_ctx ); 2323 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 2324 goto exit; 2325 2326 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); 2327 if( ret != 0 ) 2328 goto exit; 2329 2330 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 2331 2332 while( p < hash_start - 1 && *p == 0 ) 2333 p++; 2334 2335 if( *p++ != 0x01 ) 2336 { 2337 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 2338 goto exit; 2339 } 2340 2341 observed_salt_len = hash_start - p; 2342 2343 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 2344 observed_salt_len != (size_t) expected_salt_len ) 2345 { 2346 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 2347 goto exit; 2348 } 2349 2350 /* 2351 * Generate H = Hash( M' ) 2352 */ 2353 ret = mbedtls_md_starts( &md_ctx ); 2354 if ( ret != 0 ) 2355 goto exit; 2356 ret = mbedtls_md_update( &md_ctx, zeros, 8 ); 2357 if ( ret != 0 ) 2358 goto exit; 2359 ret = mbedtls_md_update( &md_ctx, hash, hashlen ); 2360 if ( ret != 0 ) 2361 goto exit; 2362 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len ); 2363 if ( ret != 0 ) 2364 goto exit; 2365 ret = mbedtls_md_finish( &md_ctx, result ); 2366 if ( ret != 0 ) 2367 goto exit; 2368 2369 if( memcmp( hash_start, result, hlen ) != 0 ) 2370 { 2371 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 2372 goto exit; 2373 } 2374 2375 exit: 2376 mbedtls_md_free( &md_ctx ); 2377 2378 return( ret ); 2379 } 2380 2381 /* 2382 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 2383 */ 2384 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 2385 int (*f_rng)(void *, unsigned char *, size_t), 2386 void *p_rng, 2387 int mode, 2388 mbedtls_md_type_t md_alg, 2389 unsigned int hashlen, 2390 const unsigned char *hash, 2391 const unsigned char *sig ) 2392 { 2393 mbedtls_md_type_t mgf1_hash_id; 2394 RSA_VALIDATE_RET( ctx != NULL ); 2395 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2396 mode == MBEDTLS_RSA_PUBLIC ); 2397 RSA_VALIDATE_RET( sig != NULL ); 2398 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2399 hashlen == 0 ) || 2400 hash != NULL ); 2401 2402 mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 2403 ? (mbedtls_md_type_t) ctx->hash_id 2404 : md_alg; 2405 2406 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 2407 md_alg, hashlen, hash, 2408 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 2409 sig ) ); 2410 2411 } 2412 #endif /* MBEDTLS_PKCS1_V21 */ 2413 2414 #if defined(MBEDTLS_PKCS1_V15) 2415 /* 2416 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 2417 */ 2418 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 2419 int (*f_rng)(void *, unsigned char *, size_t), 2420 void *p_rng, 2421 int mode, 2422 mbedtls_md_type_t md_alg, 2423 unsigned int hashlen, 2424 const unsigned char *hash, 2425 const unsigned char *sig ) 2426 { 2427 int ret = 0; 2428 size_t sig_len; 2429 unsigned char *encoded = NULL, *encoded_expected = NULL; 2430 2431 RSA_VALIDATE_RET( ctx != NULL ); 2432 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2433 mode == MBEDTLS_RSA_PUBLIC ); 2434 RSA_VALIDATE_RET( sig != NULL ); 2435 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2436 hashlen == 0 ) || 2437 hash != NULL ); 2438 2439 sig_len = ctx->len; 2440 2441 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 2442 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2443 2444 /* 2445 * Prepare expected PKCS1 v1.5 encoding of hash. 2446 */ 2447 2448 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL || 2449 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL ) 2450 { 2451 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; 2452 goto cleanup; 2453 } 2454 2455 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len, 2456 encoded_expected ) ) != 0 ) 2457 goto cleanup; 2458 2459 /* 2460 * Apply RSA primitive to get what should be PKCS1 encoded hash. 2461 */ 2462 2463 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 2464 ? mbedtls_rsa_public( ctx, sig, encoded ) 2465 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded ); 2466 if( ret != 0 ) 2467 goto cleanup; 2468 2469 /* 2470 * Compare 2471 */ 2472 2473 if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected, 2474 sig_len ) ) != 0 ) 2475 { 2476 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 2477 goto cleanup; 2478 } 2479 2480 cleanup: 2481 2482 if( encoded != NULL ) 2483 { 2484 mbedtls_platform_zeroize( encoded, sig_len ); 2485 mbedtls_free( encoded ); 2486 } 2487 2488 if( encoded_expected != NULL ) 2489 { 2490 mbedtls_platform_zeroize( encoded_expected, sig_len ); 2491 mbedtls_free( encoded_expected ); 2492 } 2493 2494 return( ret ); 2495 } 2496 #endif /* MBEDTLS_PKCS1_V15 */ 2497 2498 /* 2499 * Do an RSA operation and check the message digest 2500 */ 2501 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 2502 int (*f_rng)(void *, unsigned char *, size_t), 2503 void *p_rng, 2504 int mode, 2505 mbedtls_md_type_t md_alg, 2506 unsigned int hashlen, 2507 const unsigned char *hash, 2508 const unsigned char *sig ) 2509 { 2510 RSA_VALIDATE_RET( ctx != NULL ); 2511 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2512 mode == MBEDTLS_RSA_PUBLIC ); 2513 RSA_VALIDATE_RET( sig != NULL ); 2514 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2515 hashlen == 0 ) || 2516 hash != NULL ); 2517 2518 switch( ctx->padding ) 2519 { 2520 #if defined(MBEDTLS_PKCS1_V15) 2521 case MBEDTLS_RSA_PKCS_V15: 2522 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 2523 hashlen, hash, sig ); 2524 #endif 2525 2526 #if defined(MBEDTLS_PKCS1_V21) 2527 case MBEDTLS_RSA_PKCS_V21: 2528 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 2529 hashlen, hash, sig ); 2530 #endif 2531 2532 default: 2533 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 2534 } 2535 } 2536 2537 /* 2538 * Copy the components of an RSA key 2539 */ 2540 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 2541 { 2542 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2543 RSA_VALIDATE_RET( dst != NULL ); 2544 RSA_VALIDATE_RET( src != NULL ); 2545 2546 dst->len = src->len; 2547 2548 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) ); 2549 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) ); 2550 2551 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) ); 2552 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) ); 2553 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) ); 2554 2555 #if !defined(MBEDTLS_RSA_NO_CRT) 2556 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) ); 2557 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) ); 2558 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) ); 2559 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) ); 2560 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) ); 2561 #endif 2562 2563 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) ); 2564 2565 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) ); 2566 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) ); 2567 2568 dst->padding = src->padding; 2569 dst->hash_id = src->hash_id; 2570 2571 cleanup: 2572 if( ret != 0 ) 2573 mbedtls_rsa_free( dst ); 2574 2575 return( ret ); 2576 } 2577 2578 /* 2579 * Free the components of an RSA key 2580 */ 2581 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 2582 { 2583 if( ctx == NULL ) 2584 return; 2585 2586 mbedtls_mpi_free( &ctx->Vi ); 2587 mbedtls_mpi_free( &ctx->Vf ); 2588 mbedtls_mpi_free( &ctx->RN ); 2589 mbedtls_mpi_free( &ctx->D ); 2590 mbedtls_mpi_free( &ctx->Q ); 2591 mbedtls_mpi_free( &ctx->P ); 2592 mbedtls_mpi_free( &ctx->E ); 2593 mbedtls_mpi_free( &ctx->N ); 2594 2595 #if !defined(MBEDTLS_RSA_NO_CRT) 2596 mbedtls_mpi_free( &ctx->RQ ); 2597 mbedtls_mpi_free( &ctx->RP ); 2598 mbedtls_mpi_free( &ctx->QP ); 2599 mbedtls_mpi_free( &ctx->DQ ); 2600 mbedtls_mpi_free( &ctx->DP ); 2601 #endif /* MBEDTLS_RSA_NO_CRT */ 2602 2603 #if defined(MBEDTLS_THREADING_C) 2604 /* Free the mutex, but only if it hasn't been freed already. */ 2605 if( ctx->ver != 0 ) 2606 { 2607 mbedtls_mutex_free( &ctx->mutex ); 2608 ctx->ver = 0; 2609 } 2610 #endif 2611 } 2612 2613 #endif /* !MBEDTLS_RSA_ALT */ 2614 2615 #if defined(MBEDTLS_SELF_TEST) 2616 2617 #include "mbedtls/sha1.h" 2618 2619 /* 2620 * Example RSA-1024 keypair, for test purposes 2621 */ 2622 #define KEY_LEN 128 2623 2624 #define RSA_N "9292758453063D803DD603D5E777D788" \ 2625 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 2626 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 2627 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 2628 "93A89813FBF3C4F8066D2D800F7C38A8" \ 2629 "1AE31942917403FF4946B0A83D3D3E05" \ 2630 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 2631 "5E94BB77B07507233A0BC7BAC8F90F79" 2632 2633 #define RSA_E "10001" 2634 2635 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 2636 "66CA472BC44D253102F8B4A9D3BFA750" \ 2637 "91386C0077937FE33FA3252D28855837" \ 2638 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 2639 "DF79C5CE07EE72C7F123142198164234" \ 2640 "CABB724CF78B8173B9F880FC86322407" \ 2641 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 2642 "071513A1E85B5DFA031F21ECAE91A34D" 2643 2644 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 2645 "2C01CAD19EA484A87EA4377637E75500" \ 2646 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 2647 "C3D9E75E1EFC42488BB4F1D13AC30A57" 2648 2649 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 2650 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 2651 "910E4168387E3C30AA1E00C339A79508" \ 2652 "8452DD96A9A5EA5D9DCA68DA636032AF" 2653 2654 #define PT_LEN 24 2655 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 2656 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 2657 2658 #if defined(MBEDTLS_PKCS1_V15) 2659 static int myrand( void *rng_state, unsigned char *output, size_t len ) 2660 { 2661 #if !defined(__OpenBSD__) && !defined(__NetBSD__) 2662 size_t i; 2663 2664 if( rng_state != NULL ) 2665 rng_state = NULL; 2666 2667 for( i = 0; i < len; ++i ) 2668 output[i] = rand(); 2669 #else 2670 if( rng_state != NULL ) 2671 rng_state = NULL; 2672 2673 arc4random_buf( output, len ); 2674 #endif /* !OpenBSD && !NetBSD */ 2675 2676 return( 0 ); 2677 } 2678 #endif /* MBEDTLS_PKCS1_V15 */ 2679 2680 /* 2681 * Checkup routine 2682 */ 2683 int mbedtls_rsa_self_test( int verbose ) 2684 { 2685 int ret = 0; 2686 #if defined(MBEDTLS_PKCS1_V15) 2687 size_t len; 2688 mbedtls_rsa_context rsa; 2689 unsigned char rsa_plaintext[PT_LEN]; 2690 unsigned char rsa_decrypted[PT_LEN]; 2691 unsigned char rsa_ciphertext[KEY_LEN]; 2692 #if defined(MBEDTLS_SHA1_C) 2693 unsigned char sha1sum[20]; 2694 #endif 2695 2696 mbedtls_mpi K; 2697 2698 mbedtls_mpi_init( &K ); 2699 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 2700 2701 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) ); 2702 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) ); 2703 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) ); 2704 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) ); 2705 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) ); 2706 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) ); 2707 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) ); 2708 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) ); 2709 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) ); 2710 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) ); 2711 2712 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) ); 2713 2714 if( verbose != 0 ) 2715 mbedtls_printf( " RSA key validation: " ); 2716 2717 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 2718 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 2719 { 2720 if( verbose != 0 ) 2721 mbedtls_printf( "failed\n" ); 2722 2723 ret = 1; 2724 goto cleanup; 2725 } 2726 2727 if( verbose != 0 ) 2728 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 2729 2730 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 2731 2732 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, 2733 PT_LEN, rsa_plaintext, 2734 rsa_ciphertext ) != 0 ) 2735 { 2736 if( verbose != 0 ) 2737 mbedtls_printf( "failed\n" ); 2738 2739 ret = 1; 2740 goto cleanup; 2741 } 2742 2743 if( verbose != 0 ) 2744 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 2745 2746 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, 2747 &len, rsa_ciphertext, rsa_decrypted, 2748 sizeof(rsa_decrypted) ) != 0 ) 2749 { 2750 if( verbose != 0 ) 2751 mbedtls_printf( "failed\n" ); 2752 2753 ret = 1; 2754 goto cleanup; 2755 } 2756 2757 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 2758 { 2759 if( verbose != 0 ) 2760 mbedtls_printf( "failed\n" ); 2761 2762 ret = 1; 2763 goto cleanup; 2764 } 2765 2766 if( verbose != 0 ) 2767 mbedtls_printf( "passed\n" ); 2768 2769 #if defined(MBEDTLS_SHA1_C) 2770 if( verbose != 0 ) 2771 mbedtls_printf( " PKCS#1 data sign : " ); 2772 2773 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 ) 2774 { 2775 if( verbose != 0 ) 2776 mbedtls_printf( "failed\n" ); 2777 2778 return( 1 ); 2779 } 2780 2781 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, 2782 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 2783 sha1sum, rsa_ciphertext ) != 0 ) 2784 { 2785 if( verbose != 0 ) 2786 mbedtls_printf( "failed\n" ); 2787 2788 ret = 1; 2789 goto cleanup; 2790 } 2791 2792 if( verbose != 0 ) 2793 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 2794 2795 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, 2796 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 2797 sha1sum, rsa_ciphertext ) != 0 ) 2798 { 2799 if( verbose != 0 ) 2800 mbedtls_printf( "failed\n" ); 2801 2802 ret = 1; 2803 goto cleanup; 2804 } 2805 2806 if( verbose != 0 ) 2807 mbedtls_printf( "passed\n" ); 2808 #endif /* MBEDTLS_SHA1_C */ 2809 2810 if( verbose != 0 ) 2811 mbedtls_printf( "\n" ); 2812 2813 cleanup: 2814 mbedtls_mpi_free( &K ); 2815 mbedtls_rsa_free( &rsa ); 2816 #else /* MBEDTLS_PKCS1_V15 */ 2817 ((void) verbose); 2818 #endif /* MBEDTLS_PKCS1_V15 */ 2819 return( ret ); 2820 } 2821 2822 #endif /* MBEDTLS_SELF_TEST */ 2823 2824 #endif /* MBEDTLS_RSA_C */ 2825