1 /* 2 * The RSA public-key cryptosystem 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The following sources were referenced in the design of this implementation 23 * of the RSA algorithm: 24 * 25 * [1] A method for obtaining digital signatures and public-key cryptosystems 26 * R Rivest, A Shamir, and L Adleman 27 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 28 * 29 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 30 * Menezes, van Oorschot and Vanstone 31 * 32 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks 33 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and 34 * Stefan Mangard 35 * https://arxiv.org/abs/1702.08719v2 36 * 37 */ 38 39 #if !defined(MBEDTLS_CONFIG_FILE) 40 #include "mbedtls/config.h" 41 #else 42 #include MBEDTLS_CONFIG_FILE 43 #endif 44 45 #if defined(MBEDTLS_RSA_C) 46 47 #include "mbedtls/rsa.h" 48 #include "mbedtls/oid.h" 49 50 #include <string.h> 51 52 #if defined(MBEDTLS_PKCS1_V21) 53 #include "mbedtls/md.h" 54 #endif 55 56 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) 57 #include <stdlib.h> 58 #endif 59 60 #if defined(MBEDTLS_PLATFORM_C) 61 #include "mbedtls/platform.h" 62 #else 63 #include <stdio.h> 64 #define mbedtls_printf printf 65 #define mbedtls_calloc calloc 66 #define mbedtls_free free 67 #endif 68 69 /* Implementation that should never be optimized out by the compiler */ 70 static void mbedtls_zeroize( void *v, size_t n ) { 71 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 72 } 73 74 /* 75 * Initialize an RSA context 76 */ 77 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 78 int padding, 79 int hash_id ) 80 { 81 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 82 83 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 84 85 #if defined(MBEDTLS_THREADING_C) 86 mbedtls_mutex_init( &ctx->mutex ); 87 #endif 88 } 89 90 /* 91 * Set padding for an existing RSA context 92 */ 93 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id ) 94 { 95 ctx->padding = padding; 96 ctx->hash_id = hash_id; 97 } 98 99 #if defined(MBEDTLS_GENPRIME) 100 101 /* 102 * Generate an RSA keypair 103 */ 104 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 105 int (*f_rng)(void *, unsigned char *, size_t), 106 void *p_rng, 107 unsigned int nbits, int exponent ) 108 { 109 int ret; 110 mbedtls_mpi P1, Q1, H, G; 111 112 if( f_rng == NULL || nbits < 128 || exponent < 3 ) 113 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 114 115 if( nbits % 2 ) 116 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 117 118 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 119 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G ); 120 121 /* 122 * find primes P and Q with Q < P so that: 123 * GCD( E, (P-1)*(Q-1) ) == 1 124 */ 125 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) ); 126 127 do 128 { 129 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0, 130 f_rng, p_rng ) ); 131 132 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0, 133 f_rng, p_rng ) ); 134 135 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 ) 136 continue; 137 138 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) ); 139 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits ) 140 continue; 141 142 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 ) 143 mbedtls_mpi_swap( &ctx->P, &ctx->Q ); 144 145 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); 146 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); 147 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 148 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) ); 149 } 150 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ); 151 152 /* 153 * D = E^-1 mod ((P-1)*(Q-1)) 154 * DP = D mod (P - 1) 155 * DQ = D mod (Q - 1) 156 * QP = Q^-1 mod P 157 */ 158 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) ); 159 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) ); 160 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) ); 161 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) ); 162 163 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3; 164 165 cleanup: 166 167 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); 168 169 if( ret != 0 ) 170 { 171 mbedtls_rsa_free( ctx ); 172 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret ); 173 } 174 175 return( 0 ); 176 } 177 178 #endif /* MBEDTLS_GENPRIME */ 179 180 /* 181 * Check a public RSA key 182 */ 183 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 184 { 185 if( !ctx->N.p || !ctx->E.p ) 186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 187 188 if( ( ctx->N.p[0] & 1 ) == 0 || 189 ( ctx->E.p[0] & 1 ) == 0 ) 190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 191 192 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 || 193 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS ) 194 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 195 196 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 || 197 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 ) 198 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 199 200 return( 0 ); 201 } 202 203 /* 204 * Check a private RSA key 205 */ 206 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 207 { 208 int ret; 209 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP; 210 211 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 ) 212 return( ret ); 213 214 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p ) 215 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 216 217 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 218 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 ); 219 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ ); 220 mbedtls_mpi_init( &QP ); 221 222 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) ); 223 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) ); 224 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); 225 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); 226 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 227 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) ); 228 229 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) ); 230 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) ); 231 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) ); 232 233 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) ); 234 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) ); 235 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) ); 236 /* 237 * Check for a valid PKCS1v2 private key 238 */ 239 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 || 240 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 || 241 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 || 242 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 || 243 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 || 244 mbedtls_mpi_cmp_int( &I, 1 ) != 0 || 245 mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 246 { 247 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 248 } 249 250 cleanup: 251 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); 252 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 ); 253 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ ); 254 mbedtls_mpi_free( &QP ); 255 256 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ) 257 return( ret ); 258 259 if( ret != 0 ) 260 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret ); 261 262 return( 0 ); 263 } 264 265 /* 266 * Check if contexts holding a public and private key match 267 */ 268 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ) 269 { 270 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 271 mbedtls_rsa_check_privkey( prv ) != 0 ) 272 { 273 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 274 } 275 276 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 || 277 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 ) 278 { 279 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 280 } 281 282 return( 0 ); 283 } 284 285 /* 286 * Do an RSA public key operation 287 */ 288 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 289 const unsigned char *input, 290 unsigned char *output ) 291 { 292 int ret; 293 size_t olen; 294 mbedtls_mpi T; 295 296 mbedtls_mpi_init( &T ); 297 298 #if defined(MBEDTLS_THREADING_C) 299 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 300 return( ret ); 301 #endif 302 303 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 304 305 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 306 { 307 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 308 goto cleanup; 309 } 310 311 olen = ctx->len; 312 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); 313 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 314 315 cleanup: 316 #if defined(MBEDTLS_THREADING_C) 317 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 318 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 319 #endif 320 321 mbedtls_mpi_free( &T ); 322 323 if( ret != 0 ) 324 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret ); 325 326 return( 0 ); 327 } 328 329 /* 330 * Generate or update blinding values, see section 10 of: 331 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 332 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 333 * Berlin Heidelberg, 1996. p. 104-113. 334 */ 335 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 336 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 337 { 338 int ret, count = 0; 339 340 if( ctx->Vf.p != NULL ) 341 { 342 /* We already have blinding values, just update them by squaring */ 343 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) ); 344 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); 345 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); 346 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) ); 347 348 goto cleanup; 349 } 350 351 /* Unblinding value: Vf = random number, invertible mod N */ 352 do { 353 if( count++ > 10 ) 354 return( MBEDTLS_ERR_RSA_RNG_FAILED ); 355 356 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); 357 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) ); 358 } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 ); 359 360 /* Blinding value: Vi = Vf^(-e) mod N */ 361 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) ); 362 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); 363 364 365 cleanup: 366 return( ret ); 367 } 368 369 /* 370 * Exponent blinding supposed to prevent side-channel attacks using multiple 371 * traces of measurements to recover the RSA key. The more collisions are there, 372 * the more bits of the key can be recovered. See [3]. 373 * 374 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) 375 * observations on avarage. 376 * 377 * For example with 28 byte blinding to achieve 2 collisions the adversary has 378 * to make 2^112 observations on avarage. 379 * 380 * (With the currently (as of 2017 April) known best algorithms breaking 2048 381 * bit RSA requires approximately as much time as trying out 2^112 random keys. 382 * Thus in this sense with 28 byte blinding the security is not reduced by 383 * side-channel attacks like the one in [3]) 384 * 385 * This countermeasure does not help if the key recovery is possible with a 386 * single trace. 387 */ 388 #define RSA_EXPONENT_BLINDING 28 389 390 /* 391 * Do an RSA private key operation 392 */ 393 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 394 int (*f_rng)(void *, unsigned char *, size_t), 395 void *p_rng, 396 const unsigned char *input, 397 unsigned char *output ) 398 { 399 int ret; 400 size_t olen; 401 mbedtls_mpi T, T1, T2; 402 mbedtls_mpi P1, Q1, R; 403 #if defined(MBEDTLS_RSA_NO_CRT) 404 mbedtls_mpi D_blind; 405 mbedtls_mpi *D = &ctx->D; 406 #else 407 mbedtls_mpi DP_blind, DQ_blind; 408 mbedtls_mpi *DP = &ctx->DP; 409 mbedtls_mpi *DQ = &ctx->DQ; 410 #endif 411 412 /* Make sure we have private key info, prevent possible misuse */ 413 if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL ) 414 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 415 416 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); 417 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R ); 418 419 420 if( f_rng != NULL ) 421 { 422 #if defined(MBEDTLS_RSA_NO_CRT) 423 mbedtls_mpi_init( &D_blind ); 424 #else 425 mbedtls_mpi_init( &DP_blind ); 426 mbedtls_mpi_init( &DQ_blind ); 427 #endif 428 } 429 430 431 #if defined(MBEDTLS_THREADING_C) 432 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 433 return( ret ); 434 #endif 435 436 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 437 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 438 { 439 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 440 goto cleanup; 441 } 442 443 if( f_rng != NULL ) 444 { 445 /* 446 * Blinding 447 * T = T * Vi mod N 448 */ 449 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 450 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 451 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 452 453 /* 454 * Exponent blinding 455 */ 456 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); 457 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); 458 459 #if defined(MBEDTLS_RSA_NO_CRT) 460 /* 461 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D 462 */ 463 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 464 f_rng, p_rng ) ); 465 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) ); 466 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) ); 467 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); 468 469 D = &D_blind; 470 #else 471 /* 472 * DP_blind = ( P - 1 ) * R + DP 473 */ 474 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 475 f_rng, p_rng ) ); 476 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) ); 477 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind, 478 &ctx->DP ) ); 479 480 DP = &DP_blind; 481 482 /* 483 * DQ_blind = ( Q - 1 ) * R + DQ 484 */ 485 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 486 f_rng, p_rng ) ); 487 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) ); 488 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind, 489 &ctx->DQ ) ); 490 491 DQ = &DQ_blind; 492 #endif /* MBEDTLS_RSA_NO_CRT */ 493 } 494 495 #if defined(MBEDTLS_RSA_NO_CRT) 496 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) ); 497 #else 498 /* 499 * Faster decryption using the CRT 500 * 501 * T1 = input ^ dP mod P 502 * T2 = input ^ dQ mod Q 503 */ 504 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) ); 505 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) ); 506 507 /* 508 * T = (T1 - T2) * (Q^-1 mod P) mod P 509 */ 510 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) ); 511 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) ); 512 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) ); 513 514 /* 515 * T = T2 + T * Q 516 */ 517 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) ); 518 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) ); 519 #endif /* MBEDTLS_RSA_NO_CRT */ 520 521 if( f_rng != NULL ) 522 { 523 /* 524 * Unblind 525 * T = T * Vf mod N 526 */ 527 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 528 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 529 } 530 531 olen = ctx->len; 532 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 533 534 cleanup: 535 #if defined(MBEDTLS_THREADING_C) 536 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 537 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 538 #endif 539 540 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); 541 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R ); 542 543 if( f_rng != NULL ) 544 { 545 #if defined(MBEDTLS_RSA_NO_CRT) 546 mbedtls_mpi_free( &D_blind ); 547 #else 548 mbedtls_mpi_free( &DP_blind ); 549 mbedtls_mpi_free( &DQ_blind ); 550 #endif 551 } 552 553 if( ret != 0 ) 554 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); 555 556 return( 0 ); 557 } 558 559 #if defined(MBEDTLS_PKCS1_V21) 560 /** 561 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 562 * 563 * \param dst buffer to mask 564 * \param dlen length of destination buffer 565 * \param src source of the mask generation 566 * \param slen length of the source buffer 567 * \param md_ctx message digest context to use 568 */ 569 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 570 size_t slen, mbedtls_md_context_t *md_ctx ) 571 { 572 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 573 unsigned char counter[4]; 574 unsigned char *p; 575 unsigned int hlen; 576 size_t i, use_len; 577 578 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 579 memset( counter, 0, 4 ); 580 581 hlen = mbedtls_md_get_size( md_ctx->md_info ); 582 583 /* Generate and apply dbMask */ 584 p = dst; 585 586 while( dlen > 0 ) 587 { 588 use_len = hlen; 589 if( dlen < hlen ) 590 use_len = dlen; 591 592 mbedtls_md_starts( md_ctx ); 593 mbedtls_md_update( md_ctx, src, slen ); 594 mbedtls_md_update( md_ctx, counter, 4 ); 595 mbedtls_md_finish( md_ctx, mask ); 596 597 for( i = 0; i < use_len; ++i ) 598 *p++ ^= mask[i]; 599 600 counter[3]++; 601 602 dlen -= use_len; 603 } 604 605 mbedtls_zeroize( mask, sizeof( mask ) ); 606 } 607 #endif /* MBEDTLS_PKCS1_V21 */ 608 609 #if defined(MBEDTLS_PKCS1_V21) 610 /* 611 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 612 */ 613 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 614 int (*f_rng)(void *, unsigned char *, size_t), 615 void *p_rng, 616 int mode, 617 const unsigned char *label, size_t label_len, 618 size_t ilen, 619 const unsigned char *input, 620 unsigned char *output ) 621 { 622 size_t olen; 623 int ret; 624 unsigned char *p = output; 625 unsigned int hlen; 626 const mbedtls_md_info_t *md_info; 627 mbedtls_md_context_t md_ctx; 628 629 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 630 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 631 632 if( f_rng == NULL ) 633 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 634 635 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 636 if( md_info == NULL ) 637 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 638 639 olen = ctx->len; 640 hlen = mbedtls_md_get_size( md_info ); 641 642 /* first comparison checks for overflow */ 643 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 644 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 645 646 memset( output, 0, olen ); 647 648 *p++ = 0; 649 650 /* Generate a random octet string seed */ 651 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 652 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 653 654 p += hlen; 655 656 /* Construct DB */ 657 mbedtls_md( md_info, label, label_len, p ); 658 p += hlen; 659 p += olen - 2 * hlen - 2 - ilen; 660 *p++ = 1; 661 memcpy( p, input, ilen ); 662 663 mbedtls_md_init( &md_ctx ); 664 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 665 { 666 mbedtls_md_free( &md_ctx ); 667 return( ret ); 668 } 669 670 /* maskedDB: Apply dbMask to DB */ 671 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 672 &md_ctx ); 673 674 /* maskedSeed: Apply seedMask to seed */ 675 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 676 &md_ctx ); 677 678 mbedtls_md_free( &md_ctx ); 679 680 return( ( mode == MBEDTLS_RSA_PUBLIC ) 681 ? mbedtls_rsa_public( ctx, output, output ) 682 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 683 } 684 #endif /* MBEDTLS_PKCS1_V21 */ 685 686 #if defined(MBEDTLS_PKCS1_V15) 687 /* 688 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 689 */ 690 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 691 int (*f_rng)(void *, unsigned char *, size_t), 692 void *p_rng, 693 int mode, size_t ilen, 694 const unsigned char *input, 695 unsigned char *output ) 696 { 697 size_t nb_pad, olen; 698 int ret; 699 unsigned char *p = output; 700 701 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 702 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 703 704 // We don't check p_rng because it won't be dereferenced here 705 if( f_rng == NULL || input == NULL || output == NULL ) 706 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 707 708 olen = ctx->len; 709 710 /* first comparison checks for overflow */ 711 if( ilen + 11 < ilen || olen < ilen + 11 ) 712 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 713 714 nb_pad = olen - 3 - ilen; 715 716 *p++ = 0; 717 if( mode == MBEDTLS_RSA_PUBLIC ) 718 { 719 *p++ = MBEDTLS_RSA_CRYPT; 720 721 while( nb_pad-- > 0 ) 722 { 723 int rng_dl = 100; 724 725 do { 726 ret = f_rng( p_rng, p, 1 ); 727 } while( *p == 0 && --rng_dl && ret == 0 ); 728 729 /* Check if RNG failed to generate data */ 730 if( rng_dl == 0 || ret != 0 ) 731 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 732 733 p++; 734 } 735 } 736 else 737 { 738 *p++ = MBEDTLS_RSA_SIGN; 739 740 while( nb_pad-- > 0 ) 741 *p++ = 0xFF; 742 } 743 744 *p++ = 0; 745 memcpy( p, input, ilen ); 746 747 return( ( mode == MBEDTLS_RSA_PUBLIC ) 748 ? mbedtls_rsa_public( ctx, output, output ) 749 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 750 } 751 #endif /* MBEDTLS_PKCS1_V15 */ 752 753 /* 754 * Add the message padding, then do an RSA operation 755 */ 756 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 757 int (*f_rng)(void *, unsigned char *, size_t), 758 void *p_rng, 759 int mode, size_t ilen, 760 const unsigned char *input, 761 unsigned char *output ) 762 { 763 switch( ctx->padding ) 764 { 765 #if defined(MBEDTLS_PKCS1_V15) 766 case MBEDTLS_RSA_PKCS_V15: 767 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 768 input, output ); 769 #endif 770 771 #if defined(MBEDTLS_PKCS1_V21) 772 case MBEDTLS_RSA_PKCS_V21: 773 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 774 ilen, input, output ); 775 #endif 776 777 default: 778 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 779 } 780 } 781 782 #if defined(MBEDTLS_PKCS1_V21) 783 /* 784 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 785 */ 786 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 787 int (*f_rng)(void *, unsigned char *, size_t), 788 void *p_rng, 789 int mode, 790 const unsigned char *label, size_t label_len, 791 size_t *olen, 792 const unsigned char *input, 793 unsigned char *output, 794 size_t output_max_len ) 795 { 796 int ret; 797 size_t ilen, i, pad_len; 798 unsigned char *p, bad, pad_done; 799 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 800 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 801 unsigned int hlen; 802 const mbedtls_md_info_t *md_info; 803 mbedtls_md_context_t md_ctx; 804 805 /* 806 * Parameters sanity checks 807 */ 808 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 809 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 810 811 ilen = ctx->len; 812 813 if( ilen < 16 || ilen > sizeof( buf ) ) 814 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 815 816 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 817 if( md_info == NULL ) 818 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 819 820 hlen = mbedtls_md_get_size( md_info ); 821 822 // checking for integer underflow 823 if( 2 * hlen + 2 > ilen ) 824 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 825 826 /* 827 * RSA operation 828 */ 829 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 830 ? mbedtls_rsa_public( ctx, input, buf ) 831 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 832 833 if( ret != 0 ) 834 goto cleanup; 835 836 /* 837 * Unmask data and generate lHash 838 */ 839 mbedtls_md_init( &md_ctx ); 840 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 841 { 842 mbedtls_md_free( &md_ctx ); 843 goto cleanup; 844 } 845 846 847 /* Generate lHash */ 848 mbedtls_md( md_info, label, label_len, lhash ); 849 850 /* seed: Apply seedMask to maskedSeed */ 851 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 852 &md_ctx ); 853 854 /* DB: Apply dbMask to maskedDB */ 855 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 856 &md_ctx ); 857 858 mbedtls_md_free( &md_ctx ); 859 860 /* 861 * Check contents, in "constant-time" 862 */ 863 p = buf; 864 bad = 0; 865 866 bad |= *p++; /* First byte must be 0 */ 867 868 p += hlen; /* Skip seed */ 869 870 /* Check lHash */ 871 for( i = 0; i < hlen; i++ ) 872 bad |= lhash[i] ^ *p++; 873 874 /* Get zero-padding len, but always read till end of buffer 875 * (minus one, for the 01 byte) */ 876 pad_len = 0; 877 pad_done = 0; 878 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 879 { 880 pad_done |= p[i]; 881 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 882 } 883 884 p += pad_len; 885 bad |= *p++ ^ 0x01; 886 887 /* 888 * The only information "leaked" is whether the padding was correct or not 889 * (eg, no data is copied if it was not correct). This meets the 890 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 891 * the different error conditions. 892 */ 893 if( bad != 0 ) 894 { 895 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 896 goto cleanup; 897 } 898 899 if( ilen - ( p - buf ) > output_max_len ) 900 { 901 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 902 goto cleanup; 903 } 904 905 *olen = ilen - (p - buf); 906 memcpy( output, p, *olen ); 907 ret = 0; 908 909 cleanup: 910 mbedtls_zeroize( buf, sizeof( buf ) ); 911 mbedtls_zeroize( lhash, sizeof( lhash ) ); 912 913 return( ret ); 914 } 915 #endif /* MBEDTLS_PKCS1_V21 */ 916 917 #if defined(MBEDTLS_PKCS1_V15) 918 /* 919 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 920 */ 921 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 922 int (*f_rng)(void *, unsigned char *, size_t), 923 void *p_rng, 924 int mode, size_t *olen, 925 const unsigned char *input, 926 unsigned char *output, 927 size_t output_max_len) 928 { 929 int ret; 930 size_t ilen, pad_count = 0, i; 931 unsigned char *p, bad, pad_done = 0; 932 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 933 934 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 935 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 936 937 ilen = ctx->len; 938 939 if( ilen < 16 || ilen > sizeof( buf ) ) 940 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 941 942 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 943 ? mbedtls_rsa_public( ctx, input, buf ) 944 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 945 946 if( ret != 0 ) 947 goto cleanup; 948 949 p = buf; 950 bad = 0; 951 952 /* 953 * Check and get padding len in "constant-time" 954 */ 955 bad |= *p++; /* First byte must be 0 */ 956 957 /* This test does not depend on secret data */ 958 if( mode == MBEDTLS_RSA_PRIVATE ) 959 { 960 bad |= *p++ ^ MBEDTLS_RSA_CRYPT; 961 962 /* Get padding len, but always read till end of buffer 963 * (minus one, for the 00 byte) */ 964 for( i = 0; i < ilen - 3; i++ ) 965 { 966 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1; 967 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 968 } 969 970 p += pad_count; 971 bad |= *p++; /* Must be zero */ 972 } 973 else 974 { 975 bad |= *p++ ^ MBEDTLS_RSA_SIGN; 976 977 /* Get padding len, but always read till end of buffer 978 * (minus one, for the 00 byte) */ 979 for( i = 0; i < ilen - 3; i++ ) 980 { 981 pad_done |= ( p[i] != 0xFF ); 982 pad_count += ( pad_done == 0 ); 983 } 984 985 p += pad_count; 986 bad |= *p++; /* Must be zero */ 987 } 988 989 bad |= ( pad_count < 8 ); 990 991 if( bad ) 992 { 993 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 994 goto cleanup; 995 } 996 997 if( ilen - ( p - buf ) > output_max_len ) 998 { 999 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 1000 goto cleanup; 1001 } 1002 1003 *olen = ilen - (p - buf); 1004 memcpy( output, p, *olen ); 1005 ret = 0; 1006 1007 cleanup: 1008 mbedtls_zeroize( buf, sizeof( buf ) ); 1009 1010 return( ret ); 1011 } 1012 #endif /* MBEDTLS_PKCS1_V15 */ 1013 1014 /* 1015 * Do an RSA operation, then remove the message padding 1016 */ 1017 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 1018 int (*f_rng)(void *, unsigned char *, size_t), 1019 void *p_rng, 1020 int mode, size_t *olen, 1021 const unsigned char *input, 1022 unsigned char *output, 1023 size_t output_max_len) 1024 { 1025 switch( ctx->padding ) 1026 { 1027 #if defined(MBEDTLS_PKCS1_V15) 1028 case MBEDTLS_RSA_PKCS_V15: 1029 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 1030 input, output, output_max_len ); 1031 #endif 1032 1033 #if defined(MBEDTLS_PKCS1_V21) 1034 case MBEDTLS_RSA_PKCS_V21: 1035 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 1036 olen, input, output, 1037 output_max_len ); 1038 #endif 1039 1040 default: 1041 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1042 } 1043 } 1044 1045 #if defined(MBEDTLS_PKCS1_V21) 1046 /* 1047 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 1048 */ 1049 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 1050 int (*f_rng)(void *, unsigned char *, size_t), 1051 void *p_rng, 1052 int mode, 1053 mbedtls_md_type_t md_alg, 1054 unsigned int hashlen, 1055 const unsigned char *hash, 1056 unsigned char *sig ) 1057 { 1058 size_t olen; 1059 unsigned char *p = sig; 1060 unsigned char salt[MBEDTLS_MD_MAX_SIZE]; 1061 unsigned int slen, hlen, offset = 0; 1062 int ret; 1063 size_t msb; 1064 const mbedtls_md_info_t *md_info; 1065 mbedtls_md_context_t md_ctx; 1066 1067 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1068 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1069 1070 if( f_rng == NULL ) 1071 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1072 1073 olen = ctx->len; 1074 1075 if( md_alg != MBEDTLS_MD_NONE ) 1076 { 1077 /* Gather length of hash to sign */ 1078 md_info = mbedtls_md_info_from_type( md_alg ); 1079 if( md_info == NULL ) 1080 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1081 1082 hashlen = mbedtls_md_get_size( md_info ); 1083 } 1084 1085 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 1086 if( md_info == NULL ) 1087 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1088 1089 hlen = mbedtls_md_get_size( md_info ); 1090 slen = hlen; 1091 1092 if( olen < hlen + slen + 2 ) 1093 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1094 1095 memset( sig, 0, olen ); 1096 1097 /* Generate salt of length slen */ 1098 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 1099 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 1100 1101 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 1102 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 1103 p += olen - hlen * 2 - 2; 1104 *p++ = 0x01; 1105 memcpy( p, salt, slen ); 1106 p += slen; 1107 1108 mbedtls_md_init( &md_ctx ); 1109 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1110 { 1111 mbedtls_md_free( &md_ctx ); 1112 /* No need to zeroize salt: we didn't use it. */ 1113 return( ret ); 1114 } 1115 1116 /* Generate H = Hash( M' ) */ 1117 mbedtls_md_starts( &md_ctx ); 1118 mbedtls_md_update( &md_ctx, p, 8 ); 1119 mbedtls_md_update( &md_ctx, hash, hashlen ); 1120 mbedtls_md_update( &md_ctx, salt, slen ); 1121 mbedtls_md_finish( &md_ctx, p ); 1122 mbedtls_zeroize( salt, sizeof( salt ) ); 1123 1124 /* Compensate for boundary condition when applying mask */ 1125 if( msb % 8 == 0 ) 1126 offset = 1; 1127 1128 /* maskedDB: Apply dbMask to DB */ 1129 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); 1130 1131 mbedtls_md_free( &md_ctx ); 1132 1133 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 1134 sig[0] &= 0xFF >> ( olen * 8 - msb ); 1135 1136 p += hlen; 1137 *p++ = 0xBC; 1138 1139 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1140 ? mbedtls_rsa_public( ctx, sig, sig ) 1141 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 1142 } 1143 #endif /* MBEDTLS_PKCS1_V21 */ 1144 1145 #if defined(MBEDTLS_PKCS1_V15) 1146 /* 1147 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 1148 */ 1149 /* 1150 * Do an RSA operation to sign the message digest 1151 */ 1152 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 1153 int (*f_rng)(void *, unsigned char *, size_t), 1154 void *p_rng, 1155 int mode, 1156 mbedtls_md_type_t md_alg, 1157 unsigned int hashlen, 1158 const unsigned char *hash, 1159 unsigned char *sig ) 1160 { 1161 size_t nb_pad, olen, oid_size = 0; 1162 unsigned char *p = sig; 1163 const char *oid = NULL; 1164 unsigned char *sig_try = NULL, *verif = NULL; 1165 size_t i; 1166 unsigned char diff; 1167 volatile unsigned char diff_no_optimize; 1168 int ret; 1169 1170 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 1171 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1172 1173 olen = ctx->len; 1174 nb_pad = olen - 3; 1175 1176 if( md_alg != MBEDTLS_MD_NONE ) 1177 { 1178 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 1179 if( md_info == NULL ) 1180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1181 1182 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 1183 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1184 1185 nb_pad -= 10 + oid_size; 1186 1187 hashlen = mbedtls_md_get_size( md_info ); 1188 } 1189 1190 nb_pad -= hashlen; 1191 1192 if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) 1193 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1194 1195 *p++ = 0; 1196 *p++ = MBEDTLS_RSA_SIGN; 1197 memset( p, 0xFF, nb_pad ); 1198 p += nb_pad; 1199 *p++ = 0; 1200 1201 if( md_alg == MBEDTLS_MD_NONE ) 1202 { 1203 memcpy( p, hash, hashlen ); 1204 } 1205 else 1206 { 1207 /* 1208 * DigestInfo ::= SEQUENCE { 1209 * digestAlgorithm DigestAlgorithmIdentifier, 1210 * digest Digest } 1211 * 1212 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 1213 * 1214 * Digest ::= OCTET STRING 1215 */ 1216 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 1217 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); 1218 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 1219 *p++ = (unsigned char) ( 0x04 + oid_size ); 1220 *p++ = MBEDTLS_ASN1_OID; 1221 *p++ = oid_size & 0xFF; 1222 memcpy( p, oid, oid_size ); 1223 p += oid_size; 1224 *p++ = MBEDTLS_ASN1_NULL; 1225 *p++ = 0x00; 1226 *p++ = MBEDTLS_ASN1_OCTET_STRING; 1227 *p++ = hashlen; 1228 memcpy( p, hash, hashlen ); 1229 } 1230 1231 if( mode == MBEDTLS_RSA_PUBLIC ) 1232 return( mbedtls_rsa_public( ctx, sig, sig ) ); 1233 1234 /* 1235 * In order to prevent Lenstra's attack, make the signature in a 1236 * temporary buffer and check it before returning it. 1237 */ 1238 sig_try = mbedtls_calloc( 1, ctx->len ); 1239 if( sig_try == NULL ) 1240 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 1241 1242 verif = mbedtls_calloc( 1, ctx->len ); 1243 if( verif == NULL ) 1244 { 1245 mbedtls_free( sig_try ); 1246 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 1247 } 1248 1249 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 1250 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 1251 1252 /* Compare in constant time just in case */ 1253 for( diff = 0, i = 0; i < ctx->len; i++ ) 1254 diff |= verif[i] ^ sig[i]; 1255 diff_no_optimize = diff; 1256 1257 if( diff_no_optimize != 0 ) 1258 { 1259 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 1260 goto cleanup; 1261 } 1262 1263 memcpy( sig, sig_try, ctx->len ); 1264 1265 cleanup: 1266 mbedtls_free( sig_try ); 1267 mbedtls_free( verif ); 1268 1269 return( ret ); 1270 } 1271 #endif /* MBEDTLS_PKCS1_V15 */ 1272 1273 /* 1274 * Do an RSA operation to sign the message digest 1275 */ 1276 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 1277 int (*f_rng)(void *, unsigned char *, size_t), 1278 void *p_rng, 1279 int mode, 1280 mbedtls_md_type_t md_alg, 1281 unsigned int hashlen, 1282 const unsigned char *hash, 1283 unsigned char *sig ) 1284 { 1285 switch( ctx->padding ) 1286 { 1287 #if defined(MBEDTLS_PKCS1_V15) 1288 case MBEDTLS_RSA_PKCS_V15: 1289 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 1290 hashlen, hash, sig ); 1291 #endif 1292 1293 #if defined(MBEDTLS_PKCS1_V21) 1294 case MBEDTLS_RSA_PKCS_V21: 1295 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 1296 hashlen, hash, sig ); 1297 #endif 1298 1299 default: 1300 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1301 } 1302 } 1303 1304 #if defined(MBEDTLS_PKCS1_V21) 1305 /* 1306 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 1307 */ 1308 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 1309 int (*f_rng)(void *, unsigned char *, size_t), 1310 void *p_rng, 1311 int mode, 1312 mbedtls_md_type_t md_alg, 1313 unsigned int hashlen, 1314 const unsigned char *hash, 1315 mbedtls_md_type_t mgf1_hash_id, 1316 int expected_salt_len, 1317 const unsigned char *sig ) 1318 { 1319 int ret; 1320 size_t siglen; 1321 unsigned char *p; 1322 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 1323 unsigned char zeros[8]; 1324 unsigned int hlen; 1325 size_t slen, msb; 1326 const mbedtls_md_info_t *md_info; 1327 mbedtls_md_context_t md_ctx; 1328 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 1329 1330 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1331 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1332 1333 siglen = ctx->len; 1334 1335 if( siglen < 16 || siglen > sizeof( buf ) ) 1336 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1337 1338 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1339 ? mbedtls_rsa_public( ctx, sig, buf ) 1340 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 1341 1342 if( ret != 0 ) 1343 return( ret ); 1344 1345 p = buf; 1346 1347 if( buf[siglen - 1] != 0xBC ) 1348 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1349 1350 if( md_alg != MBEDTLS_MD_NONE ) 1351 { 1352 /* Gather length of hash to sign */ 1353 md_info = mbedtls_md_info_from_type( md_alg ); 1354 if( md_info == NULL ) 1355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1356 1357 hashlen = mbedtls_md_get_size( md_info ); 1358 } 1359 1360 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 1361 if( md_info == NULL ) 1362 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1363 1364 hlen = mbedtls_md_get_size( md_info ); 1365 slen = siglen - hlen - 1; /* Currently length of salt + padding */ 1366 1367 memset( zeros, 0, 8 ); 1368 1369 /* 1370 * Note: EMSA-PSS verification is over the length of N - 1 bits 1371 */ 1372 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 1373 1374 /* Compensate for boundary condition when applying mask */ 1375 if( msb % 8 == 0 ) 1376 { 1377 p++; 1378 siglen -= 1; 1379 } 1380 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 1381 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1382 1383 mbedtls_md_init( &md_ctx ); 1384 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1385 { 1386 mbedtls_md_free( &md_ctx ); 1387 return( ret ); 1388 } 1389 1390 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); 1391 1392 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 1393 1394 while( p < buf + siglen && *p == 0 ) 1395 p++; 1396 1397 if( p == buf + siglen || 1398 *p++ != 0x01 ) 1399 { 1400 mbedtls_md_free( &md_ctx ); 1401 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1402 } 1403 1404 /* Actual salt len */ 1405 slen -= p - buf; 1406 1407 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 1408 slen != (size_t) expected_salt_len ) 1409 { 1410 mbedtls_md_free( &md_ctx ); 1411 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1412 } 1413 1414 /* 1415 * Generate H = Hash( M' ) 1416 */ 1417 mbedtls_md_starts( &md_ctx ); 1418 mbedtls_md_update( &md_ctx, zeros, 8 ); 1419 mbedtls_md_update( &md_ctx, hash, hashlen ); 1420 mbedtls_md_update( &md_ctx, p, slen ); 1421 mbedtls_md_finish( &md_ctx, result ); 1422 1423 mbedtls_md_free( &md_ctx ); 1424 1425 if( memcmp( p + slen, result, hlen ) == 0 ) 1426 return( 0 ); 1427 else 1428 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1429 } 1430 1431 /* 1432 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 1433 */ 1434 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 1435 int (*f_rng)(void *, unsigned char *, size_t), 1436 void *p_rng, 1437 int mode, 1438 mbedtls_md_type_t md_alg, 1439 unsigned int hashlen, 1440 const unsigned char *hash, 1441 const unsigned char *sig ) 1442 { 1443 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 1444 ? (mbedtls_md_type_t) ctx->hash_id 1445 : md_alg; 1446 1447 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 1448 md_alg, hashlen, hash, 1449 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 1450 sig ) ); 1451 1452 } 1453 #endif /* MBEDTLS_PKCS1_V21 */ 1454 1455 #if defined(MBEDTLS_PKCS1_V15) 1456 /* 1457 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 1458 */ 1459 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 1460 int (*f_rng)(void *, unsigned char *, size_t), 1461 void *p_rng, 1462 int mode, 1463 mbedtls_md_type_t md_alg, 1464 unsigned int hashlen, 1465 const unsigned char *hash, 1466 const unsigned char *sig ) 1467 { 1468 int ret; 1469 size_t len, siglen, asn1_len; 1470 unsigned char *p, *p0, *end; 1471 mbedtls_md_type_t msg_md_alg; 1472 const mbedtls_md_info_t *md_info; 1473 mbedtls_asn1_buf oid; 1474 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 1475 1476 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 1477 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1478 1479 siglen = ctx->len; 1480 1481 if( siglen < 16 || siglen > sizeof( buf ) ) 1482 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1483 1484 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1485 ? mbedtls_rsa_public( ctx, sig, buf ) 1486 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 1487 1488 if( ret != 0 ) 1489 return( ret ); 1490 1491 p = buf; 1492 1493 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN ) 1494 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1495 1496 while( *p != 0 ) 1497 { 1498 if( p >= buf + siglen - 1 || *p != 0xFF ) 1499 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1500 p++; 1501 } 1502 p++; /* skip 00 byte */ 1503 1504 /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */ 1505 if( p - buf < 11 ) 1506 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1507 1508 len = siglen - ( p - buf ); 1509 1510 if( len == hashlen && md_alg == MBEDTLS_MD_NONE ) 1511 { 1512 if( memcmp( p, hash, hashlen ) == 0 ) 1513 return( 0 ); 1514 else 1515 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1516 } 1517 1518 md_info = mbedtls_md_info_from_type( md_alg ); 1519 if( md_info == NULL ) 1520 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1521 hashlen = mbedtls_md_get_size( md_info ); 1522 1523 end = p + len; 1524 1525 /* 1526 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure. 1527 * Insist on 2-byte length tags, to protect against variants of 1528 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification. 1529 */ 1530 p0 = p; 1531 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 1532 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1533 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1534 if( p != p0 + 2 || asn1_len + 2 != len ) 1535 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1536 1537 p0 = p; 1538 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 1539 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1540 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1541 if( p != p0 + 2 || asn1_len + 6 + hashlen != len ) 1542 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1543 1544 p0 = p; 1545 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) 1546 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1547 if( p != p0 + 2 ) 1548 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1549 1550 oid.p = p; 1551 p += oid.len; 1552 1553 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 ) 1554 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1555 1556 if( md_alg != msg_md_alg ) 1557 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1558 1559 /* 1560 * assume the algorithm parameters must be NULL 1561 */ 1562 p0 = p; 1563 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) 1564 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1565 if( p != p0 + 2 ) 1566 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1567 1568 p0 = p; 1569 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1570 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1571 if( p != p0 + 2 || asn1_len != hashlen ) 1572 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1573 1574 if( memcmp( p, hash, hashlen ) != 0 ) 1575 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1576 1577 p += hashlen; 1578 1579 if( p != end ) 1580 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 1581 1582 return( 0 ); 1583 } 1584 #endif /* MBEDTLS_PKCS1_V15 */ 1585 1586 /* 1587 * Do an RSA operation and check the message digest 1588 */ 1589 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 1590 int (*f_rng)(void *, unsigned char *, size_t), 1591 void *p_rng, 1592 int mode, 1593 mbedtls_md_type_t md_alg, 1594 unsigned int hashlen, 1595 const unsigned char *hash, 1596 const unsigned char *sig ) 1597 { 1598 switch( ctx->padding ) 1599 { 1600 #if defined(MBEDTLS_PKCS1_V15) 1601 case MBEDTLS_RSA_PKCS_V15: 1602 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 1603 hashlen, hash, sig ); 1604 #endif 1605 1606 #if defined(MBEDTLS_PKCS1_V21) 1607 case MBEDTLS_RSA_PKCS_V21: 1608 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 1609 hashlen, hash, sig ); 1610 #endif 1611 1612 default: 1613 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1614 } 1615 } 1616 1617 /* 1618 * Copy the components of an RSA key 1619 */ 1620 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 1621 { 1622 int ret; 1623 1624 dst->ver = src->ver; 1625 dst->len = src->len; 1626 1627 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) ); 1628 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) ); 1629 1630 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) ); 1631 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) ); 1632 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) ); 1633 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) ); 1634 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) ); 1635 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) ); 1636 1637 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) ); 1638 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) ); 1639 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) ); 1640 1641 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) ); 1642 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) ); 1643 1644 dst->padding = src->padding; 1645 dst->hash_id = src->hash_id; 1646 1647 cleanup: 1648 if( ret != 0 ) 1649 mbedtls_rsa_free( dst ); 1650 1651 return( ret ); 1652 } 1653 1654 /* 1655 * Free the components of an RSA key 1656 */ 1657 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 1658 { 1659 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf ); 1660 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN ); 1661 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP ); 1662 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D ); 1663 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N ); 1664 1665 #if defined(MBEDTLS_THREADING_C) 1666 mbedtls_mutex_free( &ctx->mutex ); 1667 #endif 1668 } 1669 1670 #if defined(MBEDTLS_SELF_TEST) 1671 1672 #include "mbedtls/sha1.h" 1673 1674 /* 1675 * Example RSA-1024 keypair, for test purposes 1676 */ 1677 #define KEY_LEN 128 1678 1679 #define RSA_N "9292758453063D803DD603D5E777D788" \ 1680 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 1681 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 1682 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 1683 "93A89813FBF3C4F8066D2D800F7C38A8" \ 1684 "1AE31942917403FF4946B0A83D3D3E05" \ 1685 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 1686 "5E94BB77B07507233A0BC7BAC8F90F79" 1687 1688 #define RSA_E "10001" 1689 1690 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 1691 "66CA472BC44D253102F8B4A9D3BFA750" \ 1692 "91386C0077937FE33FA3252D28855837" \ 1693 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 1694 "DF79C5CE07EE72C7F123142198164234" \ 1695 "CABB724CF78B8173B9F880FC86322407" \ 1696 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 1697 "071513A1E85B5DFA031F21ECAE91A34D" 1698 1699 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 1700 "2C01CAD19EA484A87EA4377637E75500" \ 1701 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 1702 "C3D9E75E1EFC42488BB4F1D13AC30A57" 1703 1704 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 1705 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 1706 "910E4168387E3C30AA1E00C339A79508" \ 1707 "8452DD96A9A5EA5D9DCA68DA636032AF" 1708 1709 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \ 1710 "3C94D22288ACD763FD8E5600ED4A702D" \ 1711 "F84198A5F06C2E72236AE490C93F07F8" \ 1712 "3CC559CD27BC2D1CA488811730BB5725" 1713 1714 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \ 1715 "D8AAEA56749EA28623272E4F7D0592AF" \ 1716 "7C1F1313CAC9471B5C523BFE592F517B" \ 1717 "407A1BD76C164B93DA2D32A383E58357" 1718 1719 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \ 1720 "F38D18D2B2F0E2DD275AA977E2BF4411" \ 1721 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \ 1722 "A74206CEC169D74BF5A8C50D6F48EA08" 1723 1724 #define PT_LEN 24 1725 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 1726 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 1727 1728 #if defined(MBEDTLS_PKCS1_V15) 1729 static int myrand( void *rng_state, unsigned char *output, size_t len ) 1730 { 1731 #if !defined(__OpenBSD__) 1732 size_t i; 1733 1734 if( rng_state != NULL ) 1735 rng_state = NULL; 1736 1737 for( i = 0; i < len; ++i ) 1738 output[i] = rand(); 1739 #else 1740 if( rng_state != NULL ) 1741 rng_state = NULL; 1742 1743 arc4random_buf( output, len ); 1744 #endif /* !OpenBSD */ 1745 1746 return( 0 ); 1747 } 1748 #endif /* MBEDTLS_PKCS1_V15 */ 1749 1750 /* 1751 * Checkup routine 1752 */ 1753 int mbedtls_rsa_self_test( int verbose ) 1754 { 1755 int ret = 0; 1756 #if defined(MBEDTLS_PKCS1_V15) 1757 size_t len; 1758 mbedtls_rsa_context rsa; 1759 unsigned char rsa_plaintext[PT_LEN]; 1760 unsigned char rsa_decrypted[PT_LEN]; 1761 unsigned char rsa_ciphertext[KEY_LEN]; 1762 #if defined(MBEDTLS_SHA1_C) 1763 unsigned char sha1sum[20]; 1764 #endif 1765 1766 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 1767 1768 rsa.len = KEY_LEN; 1769 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) ); 1770 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) ); 1771 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) ); 1772 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) ); 1773 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) ); 1774 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) ); 1775 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) ); 1776 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) ); 1777 1778 if( verbose != 0 ) 1779 mbedtls_printf( " RSA key validation: " ); 1780 1781 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 1782 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 1783 { 1784 if( verbose != 0 ) 1785 mbedtls_printf( "failed\n" ); 1786 1787 return( 1 ); 1788 } 1789 1790 if( verbose != 0 ) 1791 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 1792 1793 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 1794 1795 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN, 1796 rsa_plaintext, rsa_ciphertext ) != 0 ) 1797 { 1798 if( verbose != 0 ) 1799 mbedtls_printf( "failed\n" ); 1800 1801 return( 1 ); 1802 } 1803 1804 if( verbose != 0 ) 1805 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 1806 1807 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len, 1808 rsa_ciphertext, rsa_decrypted, 1809 sizeof(rsa_decrypted) ) != 0 ) 1810 { 1811 if( verbose != 0 ) 1812 mbedtls_printf( "failed\n" ); 1813 1814 return( 1 ); 1815 } 1816 1817 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 1818 { 1819 if( verbose != 0 ) 1820 mbedtls_printf( "failed\n" ); 1821 1822 return( 1 ); 1823 } 1824 1825 if( verbose != 0 ) 1826 mbedtls_printf( "passed\n" ); 1827 1828 #if defined(MBEDTLS_SHA1_C) 1829 if( verbose != 0 ) 1830 mbedtls_printf( " PKCS#1 data sign : " ); 1831 1832 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); 1833 1834 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 1835 sha1sum, rsa_ciphertext ) != 0 ) 1836 { 1837 if( verbose != 0 ) 1838 mbedtls_printf( "failed\n" ); 1839 1840 return( 1 ); 1841 } 1842 1843 if( verbose != 0 ) 1844 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 1845 1846 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 1847 sha1sum, rsa_ciphertext ) != 0 ) 1848 { 1849 if( verbose != 0 ) 1850 mbedtls_printf( "failed\n" ); 1851 1852 return( 1 ); 1853 } 1854 1855 if( verbose != 0 ) 1856 mbedtls_printf( "passed\n" ); 1857 #endif /* MBEDTLS_SHA1_C */ 1858 1859 if( verbose != 0 ) 1860 mbedtls_printf( "\n" ); 1861 1862 cleanup: 1863 mbedtls_rsa_free( &rsa ); 1864 #else /* MBEDTLS_PKCS1_V15 */ 1865 ((void) verbose); 1866 #endif /* MBEDTLS_PKCS1_V15 */ 1867 return( ret ); 1868 } 1869 1870 #endif /* MBEDTLS_SELF_TEST */ 1871 1872 #endif /* MBEDTLS_RSA_C */ 1873