1 /* 2 * The RSA public-key cryptosystem 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 /* 21 * The following sources were referenced in the design of this implementation 22 * of the RSA algorithm: 23 * 24 * [1] A method for obtaining digital signatures and public-key cryptosystems 25 * R Rivest, A Shamir, and L Adleman 26 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 27 * 28 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 29 * Menezes, van Oorschot and Vanstone 30 * 31 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks 32 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and 33 * Stefan Mangard 34 * https://arxiv.org/abs/1702.08719v2 35 * 36 */ 37 38 #include "common.h" 39 40 #if defined(MBEDTLS_RSA_C) 41 42 #include "mbedtls/rsa.h" 43 #include "mbedtls/rsa_internal.h" 44 #include "mbedtls/oid.h" 45 #include "mbedtls/platform_util.h" 46 #include "mbedtls/error.h" 47 #include "constant_time_internal.h" 48 #include "mbedtls/constant_time.h" 49 50 #include <string.h> 51 52 #if defined(MBEDTLS_PKCS1_V21) 53 #include "mbedtls/md.h" 54 #endif 55 56 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__) 57 #include <stdlib.h> 58 #endif 59 60 #if defined(MBEDTLS_PLATFORM_C) 61 #include "mbedtls/platform.h" 62 #else 63 #include <stdio.h> 64 #define mbedtls_printf printf 65 #define mbedtls_calloc calloc 66 #define mbedtls_free free 67 #endif 68 69 #include <fault_mitigation.h> 70 71 #if !defined(MBEDTLS_RSA_ALT) 72 73 /* Parameter validation macros */ 74 #define RSA_VALIDATE_RET( cond ) \ 75 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) 76 #define RSA_VALIDATE( cond ) \ 77 MBEDTLS_INTERNAL_VALIDATE( cond ) 78 79 int mbedtls_rsa_import( mbedtls_rsa_context *ctx, 80 const mbedtls_mpi *N, 81 const mbedtls_mpi *P, const mbedtls_mpi *Q, 82 const mbedtls_mpi *D, const mbedtls_mpi *E ) 83 { 84 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 85 RSA_VALIDATE_RET( ctx != NULL ); 86 87 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) || 88 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) || 89 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) || 90 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) || 91 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) ) 92 { 93 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 94 } 95 96 if( N != NULL ) 97 ctx->len = mbedtls_mpi_size( &ctx->N ); 98 99 return( 0 ); 100 } 101 102 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, 103 unsigned char const *N, size_t N_len, 104 unsigned char const *P, size_t P_len, 105 unsigned char const *Q, size_t Q_len, 106 unsigned char const *D, size_t D_len, 107 unsigned char const *E, size_t E_len ) 108 { 109 int ret = 0; 110 RSA_VALIDATE_RET( ctx != NULL ); 111 112 if( N != NULL ) 113 { 114 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) ); 115 ctx->len = mbedtls_mpi_size( &ctx->N ); 116 } 117 118 if( P != NULL ) 119 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) ); 120 121 if( Q != NULL ) 122 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) ); 123 124 if( D != NULL ) 125 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) ); 126 127 if( E != NULL ) 128 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) ); 129 130 cleanup: 131 132 if( ret != 0 ) 133 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 134 135 return( 0 ); 136 } 137 138 /* 139 * Checks whether the context fields are set in such a way 140 * that the RSA primitives will be able to execute without error. 141 * It does *not* make guarantees for consistency of the parameters. 142 */ 143 static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv, 144 int blinding_needed ) 145 { 146 #if !defined(MBEDTLS_RSA_NO_CRT) 147 /* blinding_needed is only used for NO_CRT to decide whether 148 * P,Q need to be present or not. */ 149 ((void) blinding_needed); 150 #endif 151 152 if( ctx->len != mbedtls_mpi_size( &ctx->N ) || 153 ctx->len > MBEDTLS_MPI_MAX_SIZE ) 154 { 155 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 156 } 157 158 /* 159 * 1. Modular exponentiation needs positive, odd moduli. 160 */ 161 162 /* Modular exponentiation wrt. N is always used for 163 * RSA public key operations. */ 164 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 || 165 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 ) 166 { 167 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 168 } 169 170 #if !defined(MBEDTLS_RSA_NO_CRT) 171 /* Modular exponentiation for P and Q is only 172 * used for private key operations and if CRT 173 * is used. */ 174 if( is_priv && 175 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || 176 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 || 177 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 || 178 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) ) 179 { 180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 181 } 182 #endif /* !MBEDTLS_RSA_NO_CRT */ 183 184 /* 185 * 2. Exponents must be positive 186 */ 187 188 /* Always need E for public key operations */ 189 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 ) 190 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 191 192 #if defined(MBEDTLS_RSA_NO_CRT) 193 /* For private key operations, use D or DP & DQ 194 * as (unblinded) exponents. */ 195 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 ) 196 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 197 #else 198 if( is_priv && 199 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 || 200 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) ) 201 { 202 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 203 } 204 #endif /* MBEDTLS_RSA_NO_CRT */ 205 206 /* Blinding shouldn't make exponents negative either, 207 * so check that P, Q >= 1 if that hasn't yet been 208 * done as part of 1. */ 209 #if defined(MBEDTLS_RSA_NO_CRT) 210 if( is_priv && blinding_needed && 211 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || 212 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) ) 213 { 214 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 215 } 216 #endif 217 218 /* It wouldn't lead to an error if it wasn't satisfied, 219 * but check for QP >= 1 nonetheless. */ 220 #if !defined(MBEDTLS_RSA_NO_CRT) 221 if( is_priv && 222 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 ) 223 { 224 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 225 } 226 #endif 227 228 return( 0 ); 229 } 230 231 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) 232 { 233 int ret = 0; 234 int have_N, have_P, have_Q, have_D, have_E; 235 #if !defined(MBEDTLS_RSA_NO_CRT) 236 int have_DP, have_DQ, have_QP; 237 #endif 238 int n_missing, pq_missing, d_missing, is_pub, is_priv; 239 240 RSA_VALIDATE_RET( ctx != NULL ); 241 242 have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 ); 243 have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 ); 244 have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 ); 245 have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 ); 246 have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 ); 247 248 #if !defined(MBEDTLS_RSA_NO_CRT) 249 have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 ); 250 have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 ); 251 have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 ); 252 #endif 253 254 /* 255 * Check whether provided parameters are enough 256 * to deduce all others. The following incomplete 257 * parameter sets for private keys are supported: 258 * 259 * (1) P, Q missing. 260 * (2) D and potentially N missing. 261 * 262 */ 263 264 n_missing = have_P && have_Q && have_D && have_E; 265 pq_missing = have_N && !have_P && !have_Q && have_D && have_E; 266 d_missing = have_P && have_Q && !have_D && have_E; 267 is_pub = have_N && !have_P && !have_Q && !have_D && have_E; 268 269 /* These three alternatives are mutually exclusive */ 270 is_priv = n_missing || pq_missing || d_missing; 271 272 if( !is_priv && !is_pub ) 273 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 274 275 /* 276 * Step 1: Deduce N if P, Q are provided. 277 */ 278 279 if( !have_N && have_P && have_Q ) 280 { 281 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, 282 &ctx->Q ) ) != 0 ) 283 { 284 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 285 } 286 287 ctx->len = mbedtls_mpi_size( &ctx->N ); 288 } 289 290 /* 291 * Step 2: Deduce and verify all remaining core parameters. 292 */ 293 294 if( pq_missing ) 295 { 296 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D, 297 &ctx->P, &ctx->Q ); 298 if( ret != 0 ) 299 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 300 301 } 302 else if( d_missing ) 303 { 304 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P, 305 &ctx->Q, 306 &ctx->E, 307 &ctx->D ) ) != 0 ) 308 { 309 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 310 } 311 } 312 313 /* 314 * Step 3: Deduce all additional parameters specific 315 * to our current RSA implementation. 316 */ 317 318 #if !defined(MBEDTLS_RSA_NO_CRT) 319 if( is_priv && ! ( have_DP && have_DQ && have_QP ) ) 320 { 321 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, 322 &ctx->DP, &ctx->DQ, &ctx->QP ); 323 if( ret != 0 ) 324 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 325 } 326 #endif /* MBEDTLS_RSA_NO_CRT */ 327 328 /* 329 * Step 3: Basic sanity checks 330 */ 331 332 return( rsa_check_context( ctx, is_priv, 1 ) ); 333 } 334 335 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, 336 unsigned char *N, size_t N_len, 337 unsigned char *P, size_t P_len, 338 unsigned char *Q, size_t Q_len, 339 unsigned char *D, size_t D_len, 340 unsigned char *E, size_t E_len ) 341 { 342 int ret = 0; 343 int is_priv; 344 RSA_VALIDATE_RET( ctx != NULL ); 345 346 /* Check if key is private or public */ 347 is_priv = 348 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && 349 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && 350 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && 351 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && 352 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; 353 354 if( !is_priv ) 355 { 356 /* If we're trying to export private parameters for a public key, 357 * something must be wrong. */ 358 if( P != NULL || Q != NULL || D != NULL ) 359 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 360 361 } 362 363 if( N != NULL ) 364 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) ); 365 366 if( P != NULL ) 367 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) ); 368 369 if( Q != NULL ) 370 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) ); 371 372 if( D != NULL ) 373 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) ); 374 375 if( E != NULL ) 376 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) ); 377 378 cleanup: 379 380 return( ret ); 381 } 382 383 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, 384 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, 385 mbedtls_mpi *D, mbedtls_mpi *E ) 386 { 387 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 388 int is_priv; 389 RSA_VALIDATE_RET( ctx != NULL ); 390 391 /* Check if key is private or public */ 392 is_priv = 393 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && 394 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && 395 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && 396 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && 397 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; 398 399 if( !is_priv ) 400 { 401 /* If we're trying to export private parameters for a public key, 402 * something must be wrong. */ 403 if( P != NULL || Q != NULL || D != NULL ) 404 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 405 406 } 407 408 /* Export all requested core parameters. */ 409 410 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) || 411 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) || 412 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) || 413 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) || 414 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) ) 415 { 416 return( ret ); 417 } 418 419 return( 0 ); 420 } 421 422 /* 423 * Export CRT parameters 424 * This must also be implemented if CRT is not used, for being able to 425 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt 426 * can be used in this case. 427 */ 428 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, 429 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP ) 430 { 431 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 432 int is_priv; 433 RSA_VALIDATE_RET( ctx != NULL ); 434 435 /* Check if key is private or public */ 436 is_priv = 437 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && 438 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && 439 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && 440 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && 441 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; 442 443 if( !is_priv ) 444 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 445 446 #if !defined(MBEDTLS_RSA_NO_CRT) 447 /* Export all requested blinding parameters. */ 448 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) || 449 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) || 450 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) ) 451 { 452 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 453 } 454 #else 455 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, 456 DP, DQ, QP ) ) != 0 ) 457 { 458 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) ); 459 } 460 #endif 461 462 return( 0 ); 463 } 464 465 /* 466 * Initialize an RSA context 467 */ 468 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 469 int padding, 470 int hash_id ) 471 { 472 RSA_VALIDATE( ctx != NULL ); 473 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || 474 padding == MBEDTLS_RSA_PKCS_V21 ); 475 476 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 477 478 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 479 480 #if defined(MBEDTLS_THREADING_C) 481 /* Set ctx->ver to nonzero to indicate that the mutex has been 482 * initialized and will need to be freed. */ 483 ctx->ver = 1; 484 mbedtls_mutex_init( &ctx->mutex ); 485 #endif 486 } 487 488 /* 489 * Set padding for an existing RSA context 490 */ 491 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, 492 int hash_id ) 493 { 494 RSA_VALIDATE( ctx != NULL ); 495 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || 496 padding == MBEDTLS_RSA_PKCS_V21 ); 497 498 ctx->padding = padding; 499 ctx->hash_id = hash_id; 500 } 501 502 /* 503 * Get length in bytes of RSA modulus 504 */ 505 506 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx ) 507 { 508 return( ctx->len ); 509 } 510 511 512 #if defined(MBEDTLS_GENPRIME) 513 514 /* 515 * Generate an RSA keypair 516 * 517 * This generation method follows the RSA key pair generation procedure of 518 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072. 519 */ 520 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 521 int (*f_rng)(void *, unsigned char *, size_t), 522 void *p_rng, 523 unsigned int nbits, int exponent ) 524 { 525 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 526 mbedtls_mpi H, G, L; 527 int prime_quality = 0; 528 RSA_VALIDATE_RET( ctx != NULL ); 529 RSA_VALIDATE_RET( f_rng != NULL ); 530 531 /* 532 * If the modulus is 1024 bit long or shorter, then the security strength of 533 * the RSA algorithm is less than or equal to 80 bits and therefore an error 534 * rate of 2^-80 is sufficient. 535 */ 536 if( nbits > 1024 ) 537 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR; 538 539 mbedtls_mpi_init( &H ); 540 mbedtls_mpi_init( &G ); 541 mbedtls_mpi_init( &L ); 542 543 if( nbits < 128 || exponent < 3 || nbits % 2 != 0 ) 544 { 545 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 546 goto cleanup; 547 } 548 549 /* 550 * find primes P and Q with Q < P so that: 551 * 1. |P-Q| > 2^( nbits / 2 - 100 ) 552 * 2. GCD( E, (P-1)*(Q-1) ) == 1 553 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 ) 554 */ 555 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) ); 556 557 do 558 { 559 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 560 prime_quality, f_rng, p_rng ) ); 561 562 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 563 prime_quality, f_rng, p_rng ) ); 564 565 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */ 566 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) ); 567 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) ) 568 continue; 569 570 /* not required by any standards, but some users rely on the fact that P > Q */ 571 if( H.s < 0 ) 572 mbedtls_mpi_swap( &ctx->P, &ctx->Q ); 573 574 /* Temporarily replace P,Q by P-1, Q-1 */ 575 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) ); 576 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) ); 577 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) ); 578 579 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */ 580 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) ); 581 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 582 continue; 583 584 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */ 585 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) ); 586 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) ); 587 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) ); 588 589 if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a)) 590 continue; 591 592 break; 593 } 594 while( 1 ); 595 596 /* Restore P,Q */ 597 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) ); 598 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) ); 599 600 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) ); 601 602 ctx->len = mbedtls_mpi_size( &ctx->N ); 603 604 #if !defined(MBEDTLS_RSA_NO_CRT) 605 /* 606 * DP = D mod (P - 1) 607 * DQ = D mod (Q - 1) 608 * QP = Q^-1 mod P 609 */ 610 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, 611 &ctx->DP, &ctx->DQ, &ctx->QP ) ); 612 #endif /* MBEDTLS_RSA_NO_CRT */ 613 614 /* Double-check */ 615 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) ); 616 617 cleanup: 618 619 mbedtls_mpi_free( &H ); 620 mbedtls_mpi_free( &G ); 621 mbedtls_mpi_free( &L ); 622 623 if( ret != 0 ) 624 { 625 mbedtls_rsa_free( ctx ); 626 627 if( ( -ret & ~0x7f ) == 0 ) 628 ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret ); 629 return( ret ); 630 } 631 632 return( 0 ); 633 } 634 635 #endif /* MBEDTLS_GENPRIME */ 636 637 /* 638 * Check a public RSA key 639 */ 640 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 641 { 642 RSA_VALIDATE_RET( ctx != NULL ); 643 644 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 ) 645 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 646 647 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ) 648 { 649 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 650 } 651 652 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 || 653 mbedtls_mpi_bitlen( &ctx->E ) < 2 || 654 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 ) 655 { 656 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 657 } 658 659 return( 0 ); 660 } 661 662 /* 663 * Check for the consistency of all fields in an RSA private key context 664 */ 665 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 666 { 667 RSA_VALIDATE_RET( ctx != NULL ); 668 669 if( mbedtls_rsa_check_pubkey( ctx ) != 0 || 670 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 ) 671 { 672 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 673 } 674 675 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q, 676 &ctx->D, &ctx->E, NULL, NULL ) != 0 ) 677 { 678 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 679 } 680 681 #if !defined(MBEDTLS_RSA_NO_CRT) 682 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D, 683 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 ) 684 { 685 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 686 } 687 #endif 688 689 return( 0 ); 690 } 691 692 /* 693 * Check if contexts holding a public and private key match 694 */ 695 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, 696 const mbedtls_rsa_context *prv ) 697 { 698 RSA_VALIDATE_RET( pub != NULL ); 699 RSA_VALIDATE_RET( prv != NULL ); 700 701 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 702 mbedtls_rsa_check_privkey( prv ) != 0 ) 703 { 704 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 705 } 706 707 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 || 708 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 ) 709 { 710 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 711 } 712 713 return( 0 ); 714 } 715 716 /* 717 * Do an RSA public key operation 718 */ 719 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 720 const unsigned char *input, 721 unsigned char *output ) 722 { 723 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 724 size_t olen; 725 mbedtls_mpi T; 726 RSA_VALIDATE_RET( ctx != NULL ); 727 RSA_VALIDATE_RET( input != NULL ); 728 RSA_VALIDATE_RET( output != NULL ); 729 730 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) ) 731 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 732 733 mbedtls_mpi_init( &T ); 734 735 #if defined(MBEDTLS_THREADING_C) 736 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 737 return( ret ); 738 #endif 739 740 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 741 742 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 743 { 744 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 745 goto cleanup; 746 } 747 748 olen = ctx->len; 749 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); 750 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 751 752 cleanup: 753 #if defined(MBEDTLS_THREADING_C) 754 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 755 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 756 #endif 757 758 mbedtls_mpi_free( &T ); 759 760 if( ret != 0 ) 761 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret ) ); 762 763 return( 0 ); 764 } 765 766 /* 767 * Generate or update blinding values, see section 10 of: 768 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 769 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 770 * Berlin Heidelberg, 1996. p. 104-113. 771 */ 772 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 773 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 774 { 775 int ret, count = 0; 776 mbedtls_mpi R; 777 778 mbedtls_mpi_init( &R ); 779 780 if( ctx->Vf.p != NULL ) 781 { 782 /* We already have blinding values, just update them by squaring */ 783 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) ); 784 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); 785 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); 786 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) ); 787 788 goto cleanup; 789 } 790 791 /* Unblinding value: Vf = random number, invertible mod N */ 792 do { 793 if( count++ > 10 ) 794 { 795 ret = MBEDTLS_ERR_RSA_RNG_FAILED; 796 goto cleanup; 797 } 798 799 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); 800 801 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */ 802 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) ); 803 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) ); 804 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); 805 806 /* At this point, Vi is invertible mod N if and only if both Vf and R 807 * are invertible mod N. If one of them isn't, we don't need to know 808 * which one, we just loop and choose new values for both of them. 809 * (Each iteration succeeds with overwhelming probability.) */ 810 ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N ); 811 if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ) 812 goto cleanup; 813 814 } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE ); 815 816 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */ 817 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) ); 818 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); 819 820 /* Blinding value: Vi = Vf^(-e) mod N 821 * (Vi already contains Vf^-1 at this point) */ 822 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); 823 824 825 cleanup: 826 mbedtls_mpi_free( &R ); 827 828 return( ret ); 829 } 830 831 /* 832 * Exponent blinding supposed to prevent side-channel attacks using multiple 833 * traces of measurements to recover the RSA key. The more collisions are there, 834 * the more bits of the key can be recovered. See [3]. 835 * 836 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) 837 * observations on average. 838 * 839 * For example with 28 byte blinding to achieve 2 collisions the adversary has 840 * to make 2^112 observations on average. 841 * 842 * (With the currently (as of 2017 April) known best algorithms breaking 2048 843 * bit RSA requires approximately as much time as trying out 2^112 random keys. 844 * Thus in this sense with 28 byte blinding the security is not reduced by 845 * side-channel attacks like the one in [3]) 846 * 847 * This countermeasure does not help if the key recovery is possible with a 848 * single trace. 849 */ 850 #define RSA_EXPONENT_BLINDING 28 851 852 /* 853 * Do an RSA private key operation 854 */ 855 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 856 int (*f_rng)(void *, unsigned char *, size_t), 857 void *p_rng, 858 const unsigned char *input, 859 unsigned char *output ) 860 { 861 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 862 size_t olen; 863 864 /* Temporary holding the result */ 865 mbedtls_mpi T; 866 867 /* Temporaries holding P-1, Q-1 and the 868 * exponent blinding factor, respectively. */ 869 mbedtls_mpi P1, Q1, R; 870 871 #if !defined(MBEDTLS_RSA_NO_CRT) 872 /* Temporaries holding the results mod p resp. mod q. */ 873 mbedtls_mpi TP, TQ; 874 875 /* Temporaries holding the blinded exponents for 876 * the mod p resp. mod q computation (if used). */ 877 mbedtls_mpi DP_blind, DQ_blind; 878 879 /* Pointers to actual exponents to be used - either the unblinded 880 * or the blinded ones, depending on the presence of a PRNG. */ 881 mbedtls_mpi *DP = &ctx->DP; 882 mbedtls_mpi *DQ = &ctx->DQ; 883 #else 884 /* Temporary holding the blinded exponent (if used). */ 885 mbedtls_mpi D_blind; 886 887 /* Pointer to actual exponent to be used - either the unblinded 888 * or the blinded one, depending on the presence of a PRNG. */ 889 mbedtls_mpi *D = &ctx->D; 890 #endif /* MBEDTLS_RSA_NO_CRT */ 891 892 /* Temporaries holding the initial input and the double 893 * checked result; should be the same in the end. */ 894 mbedtls_mpi I, C; 895 896 RSA_VALIDATE_RET( ctx != NULL ); 897 RSA_VALIDATE_RET( input != NULL ); 898 RSA_VALIDATE_RET( output != NULL ); 899 900 if( rsa_check_context( ctx, 1 /* private key checks */, 901 f_rng != NULL /* blinding y/n */ ) != 0 ) 902 { 903 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 904 } 905 906 #if defined(MBEDTLS_THREADING_C) 907 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 908 return( ret ); 909 #endif 910 911 /* MPI Initialization */ 912 mbedtls_mpi_init( &T ); 913 914 mbedtls_mpi_init( &P1 ); 915 mbedtls_mpi_init( &Q1 ); 916 mbedtls_mpi_init( &R ); 917 918 if( f_rng != NULL ) 919 { 920 #if defined(MBEDTLS_RSA_NO_CRT) 921 mbedtls_mpi_init( &D_blind ); 922 #else 923 mbedtls_mpi_init( &DP_blind ); 924 mbedtls_mpi_init( &DQ_blind ); 925 #endif 926 } 927 928 #if !defined(MBEDTLS_RSA_NO_CRT) 929 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ ); 930 #endif 931 932 mbedtls_mpi_init( &I ); 933 mbedtls_mpi_init( &C ); 934 935 /* End of MPI initialization */ 936 937 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 938 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 939 { 940 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 941 goto cleanup; 942 } 943 944 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) ); 945 946 if( f_rng != NULL ) 947 { 948 /* 949 * Blinding 950 * T = T * Vi mod N 951 */ 952 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 953 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 954 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 955 956 /* 957 * Exponent blinding 958 */ 959 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); 960 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); 961 962 #if defined(MBEDTLS_RSA_NO_CRT) 963 /* 964 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D 965 */ 966 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 967 f_rng, p_rng ) ); 968 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) ); 969 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) ); 970 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); 971 972 D = &D_blind; 973 #else 974 /* 975 * DP_blind = ( P - 1 ) * R + DP 976 */ 977 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 978 f_rng, p_rng ) ); 979 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) ); 980 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind, 981 &ctx->DP ) ); 982 983 DP = &DP_blind; 984 985 /* 986 * DQ_blind = ( Q - 1 ) * R + DQ 987 */ 988 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 989 f_rng, p_rng ) ); 990 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) ); 991 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind, 992 &ctx->DQ ) ); 993 994 DQ = &DQ_blind; 995 #endif /* MBEDTLS_RSA_NO_CRT */ 996 } 997 998 #if defined(MBEDTLS_RSA_NO_CRT) 999 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) ); 1000 #else 1001 /* 1002 * Faster decryption using the CRT 1003 * 1004 * TP = input ^ dP mod P 1005 * TQ = input ^ dQ mod Q 1006 */ 1007 1008 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) ); 1009 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) ); 1010 1011 /* 1012 * T = (TP - TQ) * (Q^-1 mod P) mod P 1013 */ 1014 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) ); 1015 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) ); 1016 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) ); 1017 1018 /* 1019 * T = TQ + T * Q 1020 */ 1021 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) ); 1022 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) ); 1023 #endif /* MBEDTLS_RSA_NO_CRT */ 1024 1025 if( f_rng != NULL ) 1026 { 1027 /* 1028 * Unblind 1029 * T = T * Vf mod N 1030 */ 1031 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 1032 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 1033 } 1034 1035 /* Verify the result to prevent glitching attacks. */ 1036 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, 1037 &ctx->N, &ctx->RN ) ); 1038 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 ) 1039 { 1040 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 1041 goto cleanup; 1042 } 1043 1044 olen = ctx->len; 1045 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 1046 1047 cleanup: 1048 #if defined(MBEDTLS_THREADING_C) 1049 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 1050 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 1051 #endif 1052 1053 mbedtls_mpi_free( &P1 ); 1054 mbedtls_mpi_free( &Q1 ); 1055 mbedtls_mpi_free( &R ); 1056 1057 if( f_rng != NULL ) 1058 { 1059 #if defined(MBEDTLS_RSA_NO_CRT) 1060 mbedtls_mpi_free( &D_blind ); 1061 #else 1062 mbedtls_mpi_free( &DP_blind ); 1063 mbedtls_mpi_free( &DQ_blind ); 1064 #endif 1065 } 1066 1067 mbedtls_mpi_free( &T ); 1068 1069 #if !defined(MBEDTLS_RSA_NO_CRT) 1070 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ ); 1071 #endif 1072 1073 mbedtls_mpi_free( &C ); 1074 mbedtls_mpi_free( &I ); 1075 1076 if( ret != 0 && ret >= -0x007f ) 1077 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret ) ); 1078 1079 return( ret ); 1080 } 1081 1082 #if defined(MBEDTLS_PKCS1_V21) 1083 /** 1084 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 1085 * 1086 * \param dst buffer to mask 1087 * \param dlen length of destination buffer 1088 * \param src source of the mask generation 1089 * \param slen length of the source buffer 1090 * \param md_ctx message digest context to use 1091 */ 1092 static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 1093 size_t slen, mbedtls_md_context_t *md_ctx ) 1094 { 1095 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 1096 unsigned char counter[4]; 1097 unsigned char *p; 1098 unsigned int hlen; 1099 size_t i, use_len; 1100 int ret = 0; 1101 1102 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 1103 memset( counter, 0, 4 ); 1104 1105 hlen = mbedtls_md_get_size( md_ctx->md_info ); 1106 1107 /* Generate and apply dbMask */ 1108 p = dst; 1109 1110 while( dlen > 0 ) 1111 { 1112 use_len = hlen; 1113 if( dlen < hlen ) 1114 use_len = dlen; 1115 1116 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 ) 1117 goto exit; 1118 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 ) 1119 goto exit; 1120 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 ) 1121 goto exit; 1122 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 ) 1123 goto exit; 1124 1125 for( i = 0; i < use_len; ++i ) 1126 *p++ ^= mask[i]; 1127 1128 counter[3]++; 1129 1130 dlen -= use_len; 1131 } 1132 1133 exit: 1134 mbedtls_platform_zeroize( mask, sizeof( mask ) ); 1135 1136 return( ret ); 1137 } 1138 #endif /* MBEDTLS_PKCS1_V21 */ 1139 1140 #if defined(MBEDTLS_PKCS1_V21) 1141 /* 1142 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 1143 */ 1144 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 1145 int (*f_rng)(void *, unsigned char *, size_t), 1146 void *p_rng, 1147 int mode, 1148 const unsigned char *label, size_t label_len, 1149 size_t ilen, 1150 const unsigned char *input, 1151 unsigned char *output ) 1152 { 1153 size_t olen; 1154 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1155 unsigned char *p = output; 1156 unsigned int hlen; 1157 const mbedtls_md_info_t *md_info; 1158 mbedtls_md_context_t md_ctx; 1159 1160 RSA_VALIDATE_RET( ctx != NULL ); 1161 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1162 mode == MBEDTLS_RSA_PUBLIC ); 1163 RSA_VALIDATE_RET( output != NULL ); 1164 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 1165 RSA_VALIDATE_RET( label_len == 0 || label != NULL ); 1166 1167 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1168 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1169 1170 if( f_rng == NULL ) 1171 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1172 1173 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 1174 if( md_info == NULL ) 1175 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1176 1177 olen = ctx->len; 1178 hlen = mbedtls_md_get_size( md_info ); 1179 1180 /* first comparison checks for overflow */ 1181 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 1182 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1183 1184 memset( output, 0, olen ); 1185 1186 *p++ = 0; 1187 1188 /* Generate a random octet string seed */ 1189 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 1190 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); 1191 1192 p += hlen; 1193 1194 /* Construct DB */ 1195 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 ) 1196 return( ret ); 1197 p += hlen; 1198 p += olen - 2 * hlen - 2 - ilen; 1199 *p++ = 1; 1200 if( ilen != 0 ) 1201 memcpy( p, input, ilen ); 1202 1203 mbedtls_md_init( &md_ctx ); 1204 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1205 goto exit; 1206 1207 /* maskedDB: Apply dbMask to DB */ 1208 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 1209 &md_ctx ) ) != 0 ) 1210 goto exit; 1211 1212 /* maskedSeed: Apply seedMask to seed */ 1213 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 1214 &md_ctx ) ) != 0 ) 1215 goto exit; 1216 1217 exit: 1218 mbedtls_md_free( &md_ctx ); 1219 1220 if( ret != 0 ) 1221 return( ret ); 1222 1223 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1224 ? mbedtls_rsa_public( ctx, output, output ) 1225 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 1226 } 1227 #endif /* MBEDTLS_PKCS1_V21 */ 1228 1229 #if defined(MBEDTLS_PKCS1_V15) 1230 /* 1231 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 1232 */ 1233 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 1234 int (*f_rng)(void *, unsigned char *, size_t), 1235 void *p_rng, 1236 int mode, size_t ilen, 1237 const unsigned char *input, 1238 unsigned char *output ) 1239 { 1240 size_t nb_pad, olen; 1241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1242 unsigned char *p = output; 1243 1244 RSA_VALIDATE_RET( ctx != NULL ); 1245 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1246 mode == MBEDTLS_RSA_PUBLIC ); 1247 RSA_VALIDATE_RET( output != NULL ); 1248 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 1249 1250 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 1251 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1252 1253 olen = ctx->len; 1254 1255 /* first comparison checks for overflow */ 1256 if( ilen + 11 < ilen || olen < ilen + 11 ) 1257 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1258 1259 nb_pad = olen - 3 - ilen; 1260 1261 *p++ = 0; 1262 if( mode == MBEDTLS_RSA_PUBLIC ) 1263 { 1264 if( f_rng == NULL ) 1265 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1266 1267 *p++ = MBEDTLS_RSA_CRYPT; 1268 1269 while( nb_pad-- > 0 ) 1270 { 1271 int rng_dl = 100; 1272 1273 do { 1274 ret = f_rng( p_rng, p, 1 ); 1275 } while( *p == 0 && --rng_dl && ret == 0 ); 1276 1277 /* Check if RNG failed to generate data */ 1278 if( rng_dl == 0 || ret != 0 ) 1279 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); 1280 1281 p++; 1282 } 1283 } 1284 else 1285 { 1286 *p++ = MBEDTLS_RSA_SIGN; 1287 1288 while( nb_pad-- > 0 ) 1289 *p++ = 0xFF; 1290 } 1291 1292 *p++ = 0; 1293 if( ilen != 0 ) 1294 memcpy( p, input, ilen ); 1295 1296 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1297 ? mbedtls_rsa_public( ctx, output, output ) 1298 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 1299 } 1300 #endif /* MBEDTLS_PKCS1_V15 */ 1301 1302 /* 1303 * Add the message padding, then do an RSA operation 1304 */ 1305 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 1306 int (*f_rng)(void *, unsigned char *, size_t), 1307 void *p_rng, 1308 int mode, size_t ilen, 1309 const unsigned char *input, 1310 unsigned char *output ) 1311 { 1312 RSA_VALIDATE_RET( ctx != NULL ); 1313 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1314 mode == MBEDTLS_RSA_PUBLIC ); 1315 RSA_VALIDATE_RET( output != NULL ); 1316 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 1317 1318 switch( ctx->padding ) 1319 { 1320 #if defined(MBEDTLS_PKCS1_V15) 1321 case MBEDTLS_RSA_PKCS_V15: 1322 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 1323 input, output ); 1324 #endif 1325 1326 #if defined(MBEDTLS_PKCS1_V21) 1327 case MBEDTLS_RSA_PKCS_V21: 1328 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 1329 ilen, input, output ); 1330 #endif 1331 1332 default: 1333 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1334 } 1335 } 1336 1337 #if defined(MBEDTLS_PKCS1_V21) 1338 /* 1339 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 1340 */ 1341 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 1342 int (*f_rng)(void *, unsigned char *, size_t), 1343 void *p_rng, 1344 int mode, 1345 const unsigned char *label, size_t label_len, 1346 size_t *olen, 1347 const unsigned char *input, 1348 unsigned char *output, 1349 size_t output_max_len ) 1350 { 1351 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1352 size_t ilen, i, pad_len; 1353 unsigned char *p, bad, pad_done; 1354 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 1355 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 1356 unsigned int hlen; 1357 const mbedtls_md_info_t *md_info; 1358 mbedtls_md_context_t md_ctx; 1359 1360 RSA_VALIDATE_RET( ctx != NULL ); 1361 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1362 mode == MBEDTLS_RSA_PUBLIC ); 1363 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 1364 RSA_VALIDATE_RET( label_len == 0 || label != NULL ); 1365 RSA_VALIDATE_RET( input != NULL ); 1366 RSA_VALIDATE_RET( olen != NULL ); 1367 1368 /* 1369 * Parameters sanity checks 1370 */ 1371 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1372 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1373 1374 ilen = ctx->len; 1375 1376 if( ilen < 16 || ilen > sizeof( buf ) ) 1377 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1378 1379 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 1380 if( md_info == NULL ) 1381 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1382 1383 hlen = mbedtls_md_get_size( md_info ); 1384 1385 // checking for integer underflow 1386 if( 2 * hlen + 2 > ilen ) 1387 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1388 1389 /* 1390 * RSA operation 1391 */ 1392 if( ctx->P.n == 0 ) 1393 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1394 ? mbedtls_rsa_public( ctx, input, buf ) 1395 : mbedtls_rsa_private( ctx, NULL, NULL, input, buf ); 1396 else 1397 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1398 ? mbedtls_rsa_public( ctx, input, buf ) 1399 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 1400 1401 if( ret != 0 ) 1402 goto cleanup; 1403 1404 /* 1405 * Unmask data and generate lHash 1406 */ 1407 mbedtls_md_init( &md_ctx ); 1408 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1409 { 1410 mbedtls_md_free( &md_ctx ); 1411 goto cleanup; 1412 } 1413 1414 /* seed: Apply seedMask to maskedSeed */ 1415 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 1416 &md_ctx ) ) != 0 || 1417 /* DB: Apply dbMask to maskedDB */ 1418 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 1419 &md_ctx ) ) != 0 ) 1420 { 1421 mbedtls_md_free( &md_ctx ); 1422 goto cleanup; 1423 } 1424 1425 mbedtls_md_free( &md_ctx ); 1426 1427 /* Generate lHash */ 1428 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 ) 1429 goto cleanup; 1430 1431 /* 1432 * Check contents, in "constant-time" 1433 */ 1434 p = buf; 1435 bad = 0; 1436 1437 bad |= *p++; /* First byte must be 0 */ 1438 1439 p += hlen; /* Skip seed */ 1440 1441 /* Check lHash */ 1442 for( i = 0; i < hlen; i++ ) 1443 bad |= lhash[i] ^ *p++; 1444 1445 /* Get zero-padding len, but always read till end of buffer 1446 * (minus one, for the 01 byte) */ 1447 pad_len = 0; 1448 pad_done = 0; 1449 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 1450 { 1451 pad_done |= p[i]; 1452 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 1453 } 1454 1455 p += pad_len; 1456 bad |= *p++ ^ 0x01; 1457 1458 /* 1459 * The only information "leaked" is whether the padding was correct or not 1460 * (eg, no data is copied if it was not correct). This meets the 1461 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 1462 * the different error conditions. 1463 */ 1464 if( bad != 0 ) 1465 { 1466 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 1467 goto cleanup; 1468 } 1469 1470 if( ilen - ( p - buf ) > output_max_len ) 1471 { 1472 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 1473 goto cleanup; 1474 } 1475 1476 *olen = ilen - (p - buf); 1477 if( *olen != 0 ) 1478 memcpy( output, p, *olen ); 1479 ret = 0; 1480 1481 cleanup: 1482 mbedtls_platform_zeroize( buf, sizeof( buf ) ); 1483 mbedtls_platform_zeroize( lhash, sizeof( lhash ) ); 1484 1485 return( ret ); 1486 } 1487 #endif /* MBEDTLS_PKCS1_V21 */ 1488 1489 #if defined(MBEDTLS_PKCS1_V15) 1490 /* 1491 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 1492 */ 1493 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 1494 int (*f_rng)(void *, unsigned char *, size_t), 1495 void *p_rng, 1496 int mode, 1497 size_t *olen, 1498 const unsigned char *input, 1499 unsigned char *output, 1500 size_t output_max_len ) 1501 { 1502 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1503 size_t ilen; 1504 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 1505 1506 RSA_VALIDATE_RET( ctx != NULL ); 1507 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1508 mode == MBEDTLS_RSA_PUBLIC ); 1509 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 1510 RSA_VALIDATE_RET( input != NULL ); 1511 RSA_VALIDATE_RET( olen != NULL ); 1512 1513 ilen = ctx->len; 1514 1515 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 1516 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1517 1518 if( ilen < 16 || ilen > sizeof( buf ) ) 1519 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1520 1521 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 1522 ? mbedtls_rsa_public( ctx, input, buf ) 1523 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 1524 1525 if( ret != 0 ) 1526 goto cleanup; 1527 1528 ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( mode, buf, ilen, 1529 output, output_max_len, olen ); 1530 1531 cleanup: 1532 mbedtls_platform_zeroize( buf, sizeof( buf ) ); 1533 1534 return( ret ); 1535 } 1536 #endif /* MBEDTLS_PKCS1_V15 */ 1537 1538 /* 1539 * Do an RSA operation, then remove the message padding 1540 */ 1541 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 1542 int (*f_rng)(void *, unsigned char *, size_t), 1543 void *p_rng, 1544 int mode, size_t *olen, 1545 const unsigned char *input, 1546 unsigned char *output, 1547 size_t output_max_len) 1548 { 1549 RSA_VALIDATE_RET( ctx != NULL ); 1550 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1551 mode == MBEDTLS_RSA_PUBLIC ); 1552 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 1553 RSA_VALIDATE_RET( input != NULL ); 1554 RSA_VALIDATE_RET( olen != NULL ); 1555 1556 switch( ctx->padding ) 1557 { 1558 #if defined(MBEDTLS_PKCS1_V15) 1559 case MBEDTLS_RSA_PKCS_V15: 1560 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 1561 input, output, output_max_len ); 1562 #endif 1563 1564 #if defined(MBEDTLS_PKCS1_V21) 1565 case MBEDTLS_RSA_PKCS_V21: 1566 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 1567 olen, input, output, 1568 output_max_len ); 1569 #endif 1570 1571 default: 1572 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 1573 } 1574 } 1575 1576 #if defined(MBEDTLS_PKCS1_V21) 1577 static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 1578 int (*f_rng)(void *, unsigned char *, size_t), 1579 void *p_rng, 1580 int mode, 1581 mbedtls_md_type_t md_alg, 1582 unsigned int hashlen, 1583 const unsigned char *hash, 1584 int saltlen, 1585 unsigned char *sig ) 1586 { 1587 size_t olen; 1588 unsigned char *p = sig; 1589 unsigned char *salt = NULL; 1590 size_t slen, min_slen, hlen, offset = 0; 1591 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1592 size_t msb; 1593 const mbedtls_md_info_t *md_info; 1594 mbedtls_md_context_t md_ctx; 1595 RSA_VALIDATE_RET( ctx != NULL ); 1596 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1597 mode == MBEDTLS_RSA_PUBLIC ); 1598 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 1599 hashlen == 0 ) || 1600 hash != NULL ); 1601 RSA_VALIDATE_RET( sig != NULL ); 1602 1603 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 1604 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1605 1606 if( f_rng == NULL ) 1607 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1608 1609 olen = ctx->len; 1610 1611 if( md_alg != MBEDTLS_MD_NONE ) 1612 { 1613 /* Gather length of hash to sign */ 1614 md_info = mbedtls_md_info_from_type( md_alg ); 1615 if( md_info == NULL ) 1616 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1617 1618 hashlen = mbedtls_md_get_size( md_info ); 1619 } 1620 1621 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 1622 if( md_info == NULL ) 1623 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1624 1625 hlen = mbedtls_md_get_size( md_info ); 1626 1627 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) 1628 { 1629 /* Calculate the largest possible salt length, up to the hash size. 1630 * Normally this is the hash length, which is the maximum salt length 1631 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not 1632 * enough room, use the maximum salt length that fits. The constraint is 1633 * that the hash length plus the salt length plus 2 bytes must be at most 1634 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017 1635 * (PKCS#1 v2.2) §9.1.1 step 3. */ 1636 min_slen = hlen - 2; 1637 if( olen < hlen + min_slen + 2 ) 1638 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1639 else if( olen >= hlen + hlen + 2 ) 1640 slen = hlen; 1641 else 1642 slen = olen - hlen - 2; 1643 } 1644 else if ( (saltlen < 0) || (saltlen + hlen + 2 > olen) ) 1645 { 1646 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1647 } 1648 else 1649 { 1650 slen = (size_t) saltlen; 1651 } 1652 1653 memset( sig, 0, olen ); 1654 1655 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 1656 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 1657 p += olen - hlen - slen - 2; 1658 *p++ = 0x01; 1659 1660 /* Generate salt of length slen in place in the encoded message */ 1661 salt = p; 1662 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 1663 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); 1664 1665 p += slen; 1666 1667 mbedtls_md_init( &md_ctx ); 1668 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 1669 goto exit; 1670 1671 /* Generate H = Hash( M' ) */ 1672 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) 1673 goto exit; 1674 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 ) 1675 goto exit; 1676 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) 1677 goto exit; 1678 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) 1679 goto exit; 1680 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 ) 1681 goto exit; 1682 1683 /* Compensate for boundary condition when applying mask */ 1684 if( msb % 8 == 0 ) 1685 offset = 1; 1686 1687 /* maskedDB: Apply dbMask to DB */ 1688 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, 1689 &md_ctx ) ) != 0 ) 1690 goto exit; 1691 1692 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 1693 sig[0] &= 0xFF >> ( olen * 8 - msb ); 1694 1695 p += hlen; 1696 *p++ = 0xBC; 1697 1698 exit: 1699 mbedtls_md_free( &md_ctx ); 1700 1701 if( ret != 0 ) 1702 return( ret ); 1703 1704 if( ctx->P.n == 0) 1705 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1706 ? mbedtls_rsa_public( ctx, sig, sig ) 1707 : mbedtls_rsa_private( ctx, NULL, NULL, sig, sig ) ); 1708 else 1709 return( ( mode == MBEDTLS_RSA_PUBLIC ) 1710 ? mbedtls_rsa_public( ctx, sig, sig ) 1711 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 1712 } 1713 1714 /* 1715 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with 1716 * the option to pass in the salt length. 1717 */ 1718 int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, 1719 int (*f_rng)(void *, unsigned char *, size_t), 1720 void *p_rng, 1721 mbedtls_md_type_t md_alg, 1722 unsigned int hashlen, 1723 const unsigned char *hash, 1724 int saltlen, 1725 unsigned char *sig ) 1726 { 1727 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg, 1728 hashlen, hash, saltlen, sig ); 1729 } 1730 1731 1732 /* 1733 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 1734 */ 1735 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 1736 int (*f_rng)(void *, unsigned char *, size_t), 1737 void *p_rng, 1738 int mode, 1739 mbedtls_md_type_t md_alg, 1740 unsigned int hashlen, 1741 const unsigned char *hash, 1742 unsigned char *sig ) 1743 { 1744 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 1745 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig ); 1746 } 1747 #endif /* MBEDTLS_PKCS1_V21 */ 1748 1749 #if defined(MBEDTLS_PKCS1_V15) 1750 /* 1751 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 1752 */ 1753 1754 /* Construct a PKCS v1.5 encoding of a hashed message 1755 * 1756 * This is used both for signature generation and verification. 1757 * 1758 * Parameters: 1759 * - md_alg: Identifies the hash algorithm used to generate the given hash; 1760 * MBEDTLS_MD_NONE if raw data is signed. 1761 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE. 1762 * - hash: Buffer containing the hashed message or the raw data. 1763 * - dst_len: Length of the encoded message. 1764 * - dst: Buffer to hold the encoded message. 1765 * 1766 * Assumptions: 1767 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE. 1768 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE. 1769 * - dst points to a buffer of size at least dst_len. 1770 * 1771 */ 1772 static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, 1773 unsigned int hashlen, 1774 const unsigned char *hash, 1775 size_t dst_len, 1776 unsigned char *dst ) 1777 { 1778 size_t oid_size = 0; 1779 size_t nb_pad = dst_len; 1780 unsigned char *p = dst; 1781 const char *oid = NULL; 1782 1783 /* Are we signing hashed or raw data? */ 1784 if( md_alg != MBEDTLS_MD_NONE ) 1785 { 1786 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 1787 if( md_info == NULL ) 1788 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1789 1790 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 1791 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1792 1793 hashlen = mbedtls_md_get_size( md_info ); 1794 1795 /* Double-check that 8 + hashlen + oid_size can be used as a 1796 * 1-byte ASN.1 length encoding and that there's no overflow. */ 1797 if( 8 + hashlen + oid_size >= 0x80 || 1798 10 + hashlen < hashlen || 1799 10 + hashlen + oid_size < 10 + hashlen ) 1800 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1801 1802 /* 1803 * Static bounds check: 1804 * - Need 10 bytes for five tag-length pairs. 1805 * (Insist on 1-byte length encodings to protect against variants of 1806 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification) 1807 * - Need hashlen bytes for hash 1808 * - Need oid_size bytes for hash alg OID. 1809 */ 1810 if( nb_pad < 10 + hashlen + oid_size ) 1811 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1812 nb_pad -= 10 + hashlen + oid_size; 1813 } 1814 else 1815 { 1816 if( nb_pad < hashlen ) 1817 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1818 1819 nb_pad -= hashlen; 1820 } 1821 1822 /* Need space for signature header and padding delimiter (3 bytes), 1823 * and 8 bytes for the minimal padding */ 1824 if( nb_pad < 3 + 8 ) 1825 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1826 nb_pad -= 3; 1827 1828 /* Now nb_pad is the amount of memory to be filled 1829 * with padding, and at least 8 bytes long. */ 1830 1831 /* Write signature header and padding */ 1832 *p++ = 0; 1833 *p++ = MBEDTLS_RSA_SIGN; 1834 memset( p, 0xFF, nb_pad ); 1835 p += nb_pad; 1836 *p++ = 0; 1837 1838 /* Are we signing raw data? */ 1839 if( md_alg == MBEDTLS_MD_NONE ) 1840 { 1841 memcpy( p, hash, hashlen ); 1842 return( 0 ); 1843 } 1844 1845 /* Signing hashed data, add corresponding ASN.1 structure 1846 * 1847 * DigestInfo ::= SEQUENCE { 1848 * digestAlgorithm DigestAlgorithmIdentifier, 1849 * digest Digest } 1850 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 1851 * Digest ::= OCTET STRING 1852 * 1853 * Schematic: 1854 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] 1855 * TAG-NULL + LEN [ NULL ] ] 1856 * TAG-OCTET + LEN [ HASH ] ] 1857 */ 1858 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 1859 *p++ = (unsigned char)( 0x08 + oid_size + hashlen ); 1860 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 1861 *p++ = (unsigned char)( 0x04 + oid_size ); 1862 *p++ = MBEDTLS_ASN1_OID; 1863 *p++ = (unsigned char) oid_size; 1864 memcpy( p, oid, oid_size ); 1865 p += oid_size; 1866 *p++ = MBEDTLS_ASN1_NULL; 1867 *p++ = 0x00; 1868 *p++ = MBEDTLS_ASN1_OCTET_STRING; 1869 *p++ = (unsigned char) hashlen; 1870 memcpy( p, hash, hashlen ); 1871 p += hashlen; 1872 1873 /* Just a sanity-check, should be automatic 1874 * after the initial bounds check. */ 1875 if( p != dst + dst_len ) 1876 { 1877 mbedtls_platform_zeroize( dst, dst_len ); 1878 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1879 } 1880 1881 return( 0 ); 1882 } 1883 1884 /* 1885 * Do an RSA operation to sign the message digest 1886 */ 1887 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 1888 int (*f_rng)(void *, unsigned char *, size_t), 1889 void *p_rng, 1890 int mode, 1891 mbedtls_md_type_t md_alg, 1892 unsigned int hashlen, 1893 const unsigned char *hash, 1894 unsigned char *sig ) 1895 { 1896 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1897 unsigned char *sig_try = NULL, *verif = NULL; 1898 1899 RSA_VALIDATE_RET( ctx != NULL ); 1900 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1901 mode == MBEDTLS_RSA_PUBLIC ); 1902 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 1903 hashlen == 0 ) || 1904 hash != NULL ); 1905 RSA_VALIDATE_RET( sig != NULL ); 1906 1907 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 1908 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 1909 1910 /* 1911 * Prepare PKCS1-v1.5 encoding (padding and hash identifier) 1912 */ 1913 1914 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, 1915 ctx->len, sig ) ) != 0 ) 1916 return( ret ); 1917 1918 /* 1919 * Call respective RSA primitive 1920 */ 1921 1922 if( mode == MBEDTLS_RSA_PUBLIC ) 1923 { 1924 /* Skip verification on a public key operation */ 1925 return( mbedtls_rsa_public( ctx, sig, sig ) ); 1926 } 1927 1928 /* Private key operation 1929 * 1930 * In order to prevent Lenstra's attack, make the signature in a 1931 * temporary buffer and check it before returning it. 1932 */ 1933 1934 sig_try = mbedtls_calloc( 1, ctx->len ); 1935 if( sig_try == NULL ) 1936 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 1937 1938 verif = mbedtls_calloc( 1, ctx->len ); 1939 if( verif == NULL ) 1940 { 1941 mbedtls_free( sig_try ); 1942 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 1943 } 1944 1945 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 1946 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 1947 1948 if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 ) 1949 { 1950 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 1951 goto cleanup; 1952 } 1953 1954 memcpy( sig, sig_try, ctx->len ); 1955 1956 cleanup: 1957 mbedtls_platform_zeroize( sig_try, ctx->len ); 1958 mbedtls_platform_zeroize( verif, ctx->len ); 1959 mbedtls_free( sig_try ); 1960 mbedtls_free( verif ); 1961 1962 if( ret != 0 ) 1963 memset( sig, '!', ctx->len ); 1964 return( ret ); 1965 } 1966 #endif /* MBEDTLS_PKCS1_V15 */ 1967 1968 /* 1969 * Do an RSA operation to sign the message digest 1970 */ 1971 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 1972 int (*f_rng)(void *, unsigned char *, size_t), 1973 void *p_rng, 1974 int mode, 1975 mbedtls_md_type_t md_alg, 1976 unsigned int hashlen, 1977 const unsigned char *hash, 1978 unsigned char *sig ) 1979 { 1980 RSA_VALIDATE_RET( ctx != NULL ); 1981 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 1982 mode == MBEDTLS_RSA_PUBLIC ); 1983 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 1984 hashlen == 0 ) || 1985 hash != NULL ); 1986 RSA_VALIDATE_RET( sig != NULL ); 1987 1988 switch( ctx->padding ) 1989 { 1990 #if defined(MBEDTLS_PKCS1_V15) 1991 case MBEDTLS_RSA_PKCS_V15: 1992 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 1993 hashlen, hash, sig ); 1994 #endif 1995 1996 #if defined(MBEDTLS_PKCS1_V21) 1997 case MBEDTLS_RSA_PKCS_V21: 1998 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 1999 hashlen, hash, sig ); 2000 #endif 2001 2002 default: 2003 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 2004 } 2005 } 2006 2007 #if defined(MBEDTLS_PKCS1_V21) 2008 /* 2009 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 2010 */ 2011 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 2012 int (*f_rng)(void *, unsigned char *, size_t), 2013 void *p_rng, 2014 int mode, 2015 mbedtls_md_type_t md_alg, 2016 unsigned int hashlen, 2017 const unsigned char *hash, 2018 mbedtls_md_type_t mgf1_hash_id, 2019 int expected_salt_len, 2020 const unsigned char *sig ) 2021 { 2022 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2023 size_t siglen; 2024 unsigned char *p; 2025 unsigned char *hash_start; 2026 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 2027 unsigned char zeros[8]; 2028 unsigned int hlen; 2029 size_t observed_salt_len, msb; 2030 const mbedtls_md_info_t *md_info; 2031 mbedtls_md_context_t md_ctx; 2032 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 2033 2034 RSA_VALIDATE_RET( ctx != NULL ); 2035 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2036 mode == MBEDTLS_RSA_PUBLIC ); 2037 RSA_VALIDATE_RET( sig != NULL ); 2038 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2039 hashlen == 0 ) || 2040 hash != NULL ); 2041 2042 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 2043 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2044 2045 siglen = ctx->len; 2046 2047 if( siglen < 16 || siglen > sizeof( buf ) ) 2048 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2049 2050 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 2051 ? mbedtls_rsa_public( ctx, sig, buf ) 2052 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 2053 2054 if( ret != 0 ) 2055 return( ret ); 2056 2057 p = buf; 2058 2059 if( buf[siglen - 1] != 0xBC ) 2060 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 2061 2062 if( md_alg != MBEDTLS_MD_NONE ) 2063 { 2064 /* Gather length of hash to sign */ 2065 md_info = mbedtls_md_info_from_type( md_alg ); 2066 if( md_info == NULL ) 2067 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2068 2069 hashlen = mbedtls_md_get_size( md_info ); 2070 } 2071 2072 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 2073 if( md_info == NULL ) 2074 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2075 2076 hlen = mbedtls_md_get_size( md_info ); 2077 2078 memset( zeros, 0, 8 ); 2079 2080 /* 2081 * Note: EMSA-PSS verification is over the length of N - 1 bits 2082 */ 2083 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 2084 2085 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 2086 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2087 2088 /* Compensate for boundary condition when applying mask */ 2089 if( msb % 8 == 0 ) 2090 { 2091 p++; 2092 siglen -= 1; 2093 } 2094 2095 if( siglen < hlen + 2 ) 2096 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2097 hash_start = p + siglen - hlen - 1; 2098 2099 mbedtls_md_init( &md_ctx ); 2100 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 2101 goto exit; 2102 2103 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); 2104 if( ret != 0 ) 2105 goto exit; 2106 2107 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 2108 2109 while( p < hash_start - 1 && *p == 0 ) 2110 p++; 2111 2112 if( *p++ != 0x01 ) 2113 { 2114 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 2115 goto exit; 2116 } 2117 2118 observed_salt_len = hash_start - p; 2119 2120 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 2121 observed_salt_len != (size_t) expected_salt_len ) 2122 { 2123 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 2124 goto exit; 2125 } 2126 2127 /* 2128 * Generate H = Hash( M' ) 2129 */ 2130 ret = mbedtls_md_starts( &md_ctx ); 2131 if ( ret != 0 ) 2132 goto exit; 2133 ret = mbedtls_md_update( &md_ctx, zeros, 8 ); 2134 if ( ret != 0 ) 2135 goto exit; 2136 ret = mbedtls_md_update( &md_ctx, hash, hashlen ); 2137 if ( ret != 0 ) 2138 goto exit; 2139 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len ); 2140 if ( ret != 0 ) 2141 goto exit; 2142 ret = mbedtls_md_finish( &md_ctx, result ); 2143 if ( ret != 0 ) 2144 goto exit; 2145 2146 if( FTMN_CALLEE_DONE_MEMCMP( memcmp, hash_start, result, hlen ) != 0 ) 2147 { 2148 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 2149 goto exit; 2150 } 2151 2152 exit: 2153 mbedtls_md_free( &md_ctx ); 2154 2155 return( ret ); 2156 } 2157 2158 /* 2159 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 2160 */ 2161 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 2162 int (*f_rng)(void *, unsigned char *, size_t), 2163 void *p_rng, 2164 int mode, 2165 mbedtls_md_type_t md_alg, 2166 unsigned int hashlen, 2167 const unsigned char *hash, 2168 const unsigned char *sig ) 2169 { 2170 mbedtls_md_type_t mgf1_hash_id; 2171 RSA_VALIDATE_RET( ctx != NULL ); 2172 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2173 mode == MBEDTLS_RSA_PUBLIC ); 2174 RSA_VALIDATE_RET( sig != NULL ); 2175 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2176 hashlen == 0 ) || 2177 hash != NULL ); 2178 2179 mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 2180 ? (mbedtls_md_type_t) ctx->hash_id 2181 : md_alg; 2182 2183 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 2184 md_alg, hashlen, hash, 2185 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 2186 sig ) ); 2187 2188 } 2189 #endif /* MBEDTLS_PKCS1_V21 */ 2190 2191 #if defined(MBEDTLS_PKCS1_V15) 2192 /* 2193 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 2194 */ 2195 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 2196 int (*f_rng)(void *, unsigned char *, size_t), 2197 void *p_rng, 2198 int mode, 2199 mbedtls_md_type_t md_alg, 2200 unsigned int hashlen, 2201 const unsigned char *hash, 2202 const unsigned char *sig ) 2203 { 2204 int ret = 0; 2205 size_t sig_len; 2206 unsigned char *encoded = NULL, *encoded_expected = NULL; 2207 2208 RSA_VALIDATE_RET( ctx != NULL ); 2209 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2210 mode == MBEDTLS_RSA_PUBLIC ); 2211 RSA_VALIDATE_RET( sig != NULL ); 2212 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2213 hashlen == 0 ) || 2214 hash != NULL ); 2215 2216 sig_len = ctx->len; 2217 2218 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 2219 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 2220 2221 /* 2222 * Prepare expected PKCS1 v1.5 encoding of hash. 2223 */ 2224 2225 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL || 2226 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL ) 2227 { 2228 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; 2229 goto cleanup; 2230 } 2231 2232 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len, 2233 encoded_expected ) ) != 0 ) 2234 goto cleanup; 2235 2236 /* 2237 * Apply RSA primitive to get what should be PKCS1 encoded hash. 2238 */ 2239 2240 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 2241 ? mbedtls_rsa_public( ctx, sig, encoded ) 2242 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded ); 2243 if( ret != 0 ) 2244 goto cleanup; 2245 2246 /* 2247 * Compare 2248 */ 2249 2250 if( ( ret = FTMN_CALLEE_DONE_MEMCMP(mbedtls_ct_memcmp, encoded, 2251 encoded_expected, sig_len ) ) != 0 ) 2252 { 2253 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 2254 goto cleanup; 2255 } 2256 2257 cleanup: 2258 2259 if( encoded != NULL ) 2260 { 2261 mbedtls_platform_zeroize( encoded, sig_len ); 2262 mbedtls_free( encoded ); 2263 } 2264 2265 if( encoded_expected != NULL ) 2266 { 2267 mbedtls_platform_zeroize( encoded_expected, sig_len ); 2268 mbedtls_free( encoded_expected ); 2269 } 2270 2271 return( ret ); 2272 } 2273 #endif /* MBEDTLS_PKCS1_V15 */ 2274 2275 /* 2276 * Do an RSA operation and check the message digest 2277 */ 2278 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 2279 int (*f_rng)(void *, unsigned char *, size_t), 2280 void *p_rng, 2281 int mode, 2282 mbedtls_md_type_t md_alg, 2283 unsigned int hashlen, 2284 const unsigned char *hash, 2285 const unsigned char *sig ) 2286 { 2287 RSA_VALIDATE_RET( ctx != NULL ); 2288 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 2289 mode == MBEDTLS_RSA_PUBLIC ); 2290 RSA_VALIDATE_RET( sig != NULL ); 2291 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 2292 hashlen == 0 ) || 2293 hash != NULL ); 2294 2295 switch( ctx->padding ) 2296 { 2297 #if defined(MBEDTLS_PKCS1_V15) 2298 case MBEDTLS_RSA_PKCS_V15: 2299 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 2300 hashlen, hash, sig ); 2301 #endif 2302 2303 #if defined(MBEDTLS_PKCS1_V21) 2304 case MBEDTLS_RSA_PKCS_V21: 2305 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 2306 hashlen, hash, sig ); 2307 #endif 2308 2309 default: 2310 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 2311 } 2312 } 2313 2314 /* 2315 * Copy the components of an RSA key 2316 */ 2317 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 2318 { 2319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2320 RSA_VALIDATE_RET( dst != NULL ); 2321 RSA_VALIDATE_RET( src != NULL ); 2322 2323 dst->len = src->len; 2324 2325 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) ); 2326 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) ); 2327 2328 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) ); 2329 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) ); 2330 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) ); 2331 2332 #if !defined(MBEDTLS_RSA_NO_CRT) 2333 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) ); 2334 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) ); 2335 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) ); 2336 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) ); 2337 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) ); 2338 #endif 2339 2340 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) ); 2341 2342 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) ); 2343 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) ); 2344 2345 dst->padding = src->padding; 2346 dst->hash_id = src->hash_id; 2347 2348 cleanup: 2349 if( ret != 0 ) 2350 mbedtls_rsa_free( dst ); 2351 2352 return( ret ); 2353 } 2354 2355 /* 2356 * Free the components of an RSA key 2357 */ 2358 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 2359 { 2360 if( ctx == NULL ) 2361 return; 2362 2363 mbedtls_mpi_free( &ctx->Vi ); 2364 mbedtls_mpi_free( &ctx->Vf ); 2365 mbedtls_mpi_free( &ctx->RN ); 2366 mbedtls_mpi_free( &ctx->D ); 2367 mbedtls_mpi_free( &ctx->Q ); 2368 mbedtls_mpi_free( &ctx->P ); 2369 mbedtls_mpi_free( &ctx->E ); 2370 mbedtls_mpi_free( &ctx->N ); 2371 2372 #if !defined(MBEDTLS_RSA_NO_CRT) 2373 mbedtls_mpi_free( &ctx->RQ ); 2374 mbedtls_mpi_free( &ctx->RP ); 2375 mbedtls_mpi_free( &ctx->QP ); 2376 mbedtls_mpi_free( &ctx->DQ ); 2377 mbedtls_mpi_free( &ctx->DP ); 2378 #endif /* MBEDTLS_RSA_NO_CRT */ 2379 2380 #if defined(MBEDTLS_THREADING_C) 2381 /* Free the mutex, but only if it hasn't been freed already. */ 2382 if( ctx->ver != 0 ) 2383 { 2384 mbedtls_mutex_free( &ctx->mutex ); 2385 ctx->ver = 0; 2386 } 2387 #endif 2388 } 2389 2390 #endif /* !MBEDTLS_RSA_ALT */ 2391 2392 #if defined(MBEDTLS_SELF_TEST) 2393 2394 #include "mbedtls/sha1.h" 2395 2396 /* 2397 * Example RSA-1024 keypair, for test purposes 2398 */ 2399 #define KEY_LEN 128 2400 2401 #define RSA_N "9292758453063D803DD603D5E777D788" \ 2402 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 2403 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 2404 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 2405 "93A89813FBF3C4F8066D2D800F7C38A8" \ 2406 "1AE31942917403FF4946B0A83D3D3E05" \ 2407 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 2408 "5E94BB77B07507233A0BC7BAC8F90F79" 2409 2410 #define RSA_E "10001" 2411 2412 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 2413 "66CA472BC44D253102F8B4A9D3BFA750" \ 2414 "91386C0077937FE33FA3252D28855837" \ 2415 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 2416 "DF79C5CE07EE72C7F123142198164234" \ 2417 "CABB724CF78B8173B9F880FC86322407" \ 2418 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 2419 "071513A1E85B5DFA031F21ECAE91A34D" 2420 2421 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 2422 "2C01CAD19EA484A87EA4377637E75500" \ 2423 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 2424 "C3D9E75E1EFC42488BB4F1D13AC30A57" 2425 2426 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 2427 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 2428 "910E4168387E3C30AA1E00C339A79508" \ 2429 "8452DD96A9A5EA5D9DCA68DA636032AF" 2430 2431 #define PT_LEN 24 2432 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 2433 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 2434 2435 #if defined(MBEDTLS_PKCS1_V15) 2436 static int myrand( void *rng_state, unsigned char *output, size_t len ) 2437 { 2438 #if !defined(__OpenBSD__) && !defined(__NetBSD__) 2439 size_t i; 2440 2441 if( rng_state != NULL ) 2442 rng_state = NULL; 2443 2444 for( i = 0; i < len; ++i ) 2445 output[i] = rand(); 2446 #else 2447 if( rng_state != NULL ) 2448 rng_state = NULL; 2449 2450 arc4random_buf( output, len ); 2451 #endif /* !OpenBSD && !NetBSD */ 2452 2453 return( 0 ); 2454 } 2455 #endif /* MBEDTLS_PKCS1_V15 */ 2456 2457 /* 2458 * Checkup routine 2459 */ 2460 int mbedtls_rsa_self_test( int verbose ) 2461 { 2462 int ret = 0; 2463 #if defined(MBEDTLS_PKCS1_V15) 2464 size_t len; 2465 mbedtls_rsa_context rsa; 2466 unsigned char rsa_plaintext[PT_LEN]; 2467 unsigned char rsa_decrypted[PT_LEN]; 2468 unsigned char rsa_ciphertext[KEY_LEN]; 2469 #if defined(MBEDTLS_SHA1_C) 2470 unsigned char sha1sum[20]; 2471 #endif 2472 2473 mbedtls_mpi K; 2474 2475 mbedtls_mpi_init( &K ); 2476 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 2477 2478 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) ); 2479 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) ); 2480 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) ); 2481 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) ); 2482 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) ); 2483 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) ); 2484 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) ); 2485 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) ); 2486 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) ); 2487 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) ); 2488 2489 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) ); 2490 2491 if( verbose != 0 ) 2492 mbedtls_printf( " RSA key validation: " ); 2493 2494 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 2495 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 2496 { 2497 if( verbose != 0 ) 2498 mbedtls_printf( "failed\n" ); 2499 2500 ret = 1; 2501 goto cleanup; 2502 } 2503 2504 if( verbose != 0 ) 2505 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 2506 2507 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 2508 2509 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, 2510 PT_LEN, rsa_plaintext, 2511 rsa_ciphertext ) != 0 ) 2512 { 2513 if( verbose != 0 ) 2514 mbedtls_printf( "failed\n" ); 2515 2516 ret = 1; 2517 goto cleanup; 2518 } 2519 2520 if( verbose != 0 ) 2521 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 2522 2523 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, 2524 &len, rsa_ciphertext, rsa_decrypted, 2525 sizeof(rsa_decrypted) ) != 0 ) 2526 { 2527 if( verbose != 0 ) 2528 mbedtls_printf( "failed\n" ); 2529 2530 ret = 1; 2531 goto cleanup; 2532 } 2533 2534 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 2535 { 2536 if( verbose != 0 ) 2537 mbedtls_printf( "failed\n" ); 2538 2539 ret = 1; 2540 goto cleanup; 2541 } 2542 2543 if( verbose != 0 ) 2544 mbedtls_printf( "passed\n" ); 2545 2546 #if defined(MBEDTLS_SHA1_C) 2547 if( verbose != 0 ) 2548 mbedtls_printf( " PKCS#1 data sign : " ); 2549 2550 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 ) 2551 { 2552 if( verbose != 0 ) 2553 mbedtls_printf( "failed\n" ); 2554 2555 return( 1 ); 2556 } 2557 2558 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, 2559 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 2560 sha1sum, rsa_ciphertext ) != 0 ) 2561 { 2562 if( verbose != 0 ) 2563 mbedtls_printf( "failed\n" ); 2564 2565 ret = 1; 2566 goto cleanup; 2567 } 2568 2569 if( verbose != 0 ) 2570 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 2571 2572 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, 2573 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 2574 sha1sum, rsa_ciphertext ) != 0 ) 2575 { 2576 if( verbose != 0 ) 2577 mbedtls_printf( "failed\n" ); 2578 2579 ret = 1; 2580 goto cleanup; 2581 } 2582 2583 if( verbose != 0 ) 2584 mbedtls_printf( "passed\n" ); 2585 #endif /* MBEDTLS_SHA1_C */ 2586 2587 if( verbose != 0 ) 2588 mbedtls_printf( "\n" ); 2589 2590 cleanup: 2591 mbedtls_mpi_free( &K ); 2592 mbedtls_rsa_free( &rsa ); 2593 #else /* MBEDTLS_PKCS1_V15 */ 2594 ((void) verbose); 2595 #endif /* MBEDTLS_PKCS1_V15 */ 2596 return( ret ); 2597 } 2598 2599 #endif /* MBEDTLS_SELF_TEST */ 2600 2601 #endif /* MBEDTLS_RSA_C */ 2602