1 /* 2 * The RSA public-key cryptosystem 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8 /* 9 * The following sources were referenced in the design of this implementation 10 * of the RSA algorithm: 11 * 12 * [1] A method for obtaining digital signatures and public-key cryptosystems 13 * R Rivest, A Shamir, and L Adleman 14 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 15 * 16 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 17 * Menezes, van Oorschot and Vanstone 18 * 19 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks 20 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and 21 * Stefan Mangard 22 * https://arxiv.org/abs/1702.08719v2 23 * 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_RSA_C) 29 30 #include "mbedtls/rsa.h" 31 #include "bignum_core.h" 32 #include "rsa_alt_helpers.h" 33 #include "rsa_internal.h" 34 #include "mbedtls/oid.h" 35 #include "mbedtls/asn1write.h" 36 #include "mbedtls/platform_util.h" 37 #include "mbedtls/error.h" 38 #include "constant_time_internal.h" 39 #include "mbedtls/constant_time.h" 40 #include "md_psa.h" 41 42 #include <string.h> 43 44 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__) 45 #include <stdlib.h> 46 #endif 47 48 #include "mbedtls/platform.h" 49 50 #include <fault_mitigation.h> 51 52 /* 53 * Wrapper around mbedtls_asn1_get_mpi() that rejects zero. 54 * 55 * The value zero is: 56 * - never a valid value for an RSA parameter 57 * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete(). 58 * 59 * Since values can't be omitted in PKCS#1, passing a zero value to 60 * rsa_complete() would be incorrect, so reject zero values early. 61 */ 62 static int asn1_get_nonzero_mpi(unsigned char **p, 63 const unsigned char *end, 64 mbedtls_mpi *X) 65 { 66 int ret; 67 68 ret = mbedtls_asn1_get_mpi(p, end, X); 69 if (ret != 0) { 70 return ret; 71 } 72 73 if (mbedtls_mpi_cmp_int(X, 0) == 0) { 74 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 75 } 76 77 return 0; 78 } 79 80 int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) 81 { 82 int ret, version; 83 size_t len; 84 unsigned char *p, *end; 85 86 mbedtls_mpi T; 87 mbedtls_mpi_init(&T); 88 89 p = (unsigned char *) key; 90 end = p + keylen; 91 92 /* 93 * This function parses the RSAPrivateKey (PKCS#1) 94 * 95 * RSAPrivateKey ::= SEQUENCE { 96 * version Version, 97 * modulus INTEGER, -- n 98 * publicExponent INTEGER, -- e 99 * privateExponent INTEGER, -- d 100 * prime1 INTEGER, -- p 101 * prime2 INTEGER, -- q 102 * exponent1 INTEGER, -- d mod (p-1) 103 * exponent2 INTEGER, -- d mod (q-1) 104 * coefficient INTEGER, -- (inverse of q) mod p 105 * otherPrimeInfos OtherPrimeInfos OPTIONAL 106 * } 107 */ 108 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 109 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 110 return ret; 111 } 112 113 if (end != p + len) { 114 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 115 } 116 117 if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) { 118 return ret; 119 } 120 121 if (version != 0) { 122 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 123 } 124 125 /* Import N */ 126 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 127 (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL, 128 NULL, NULL)) != 0) { 129 goto cleanup; 130 } 131 132 /* Import E */ 133 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 134 (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, 135 NULL, &T)) != 0) { 136 goto cleanup; 137 } 138 139 /* Import D */ 140 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 141 (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL, 142 &T, NULL)) != 0) { 143 goto cleanup; 144 } 145 146 /* Import P */ 147 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 148 (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL, 149 NULL, NULL)) != 0) { 150 goto cleanup; 151 } 152 153 /* Import Q */ 154 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 155 (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T, 156 NULL, NULL)) != 0) { 157 goto cleanup; 158 } 159 160 #if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT) 161 /* 162 * The RSA CRT parameters DP, DQ and QP are nominally redundant, in 163 * that they can be easily recomputed from D, P and Q. However by 164 * parsing them from the PKCS1 structure it is possible to avoid 165 * recalculating them which both reduces the overhead of loading 166 * RSA private keys into memory and also avoids side channels which 167 * can arise when computing those values, since all of D, P, and Q 168 * are secret. See https://eprint.iacr.org/2020/055 for a 169 * description of one such attack. 170 */ 171 172 /* Import DP */ 173 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 174 (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) { 175 goto cleanup; 176 } 177 178 /* Import DQ */ 179 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 180 (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) { 181 goto cleanup; 182 } 183 184 /* Import QP */ 185 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 186 (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) { 187 goto cleanup; 188 } 189 190 #else 191 /* Verify existence of the CRT params */ 192 if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 193 (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 || 194 (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) { 195 goto cleanup; 196 } 197 #endif 198 199 /* rsa_complete() doesn't complete anything with the default 200 * implementation but is still called: 201 * - for the benefit of alternative implementation that may want to 202 * pre-compute stuff beyond what's provided (eg Montgomery factors) 203 * - as is also sanity-checks the key 204 * 205 * Furthermore, we also check the public part for consistency with 206 * mbedtls_pk_parse_pubkey(), as it includes size minima for example. 207 */ 208 if ((ret = mbedtls_rsa_complete(rsa)) != 0 || 209 (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) { 210 goto cleanup; 211 } 212 213 if (p != end) { 214 ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; 215 } 216 217 cleanup: 218 219 mbedtls_mpi_free(&T); 220 221 if (ret != 0) { 222 mbedtls_rsa_free(rsa); 223 } 224 225 return ret; 226 } 227 228 int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen) 229 { 230 unsigned char *p = (unsigned char *) key; 231 unsigned char *end = (unsigned char *) (key + keylen); 232 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 233 size_t len; 234 235 /* 236 * RSAPublicKey ::= SEQUENCE { 237 * modulus INTEGER, -- n 238 * publicExponent INTEGER -- e 239 * } 240 */ 241 242 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 243 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 244 return ret; 245 } 246 247 if (end != p + len) { 248 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 249 } 250 251 /* Import N */ 252 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { 253 return ret; 254 } 255 256 if ((ret = mbedtls_rsa_import_raw(rsa, p, len, NULL, 0, NULL, 0, 257 NULL, 0, NULL, 0)) != 0) { 258 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 259 } 260 261 p += len; 262 263 /* Import E */ 264 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) { 265 return ret; 266 } 267 268 if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0, 269 NULL, 0, p, len)) != 0) { 270 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 271 } 272 273 p += len; 274 275 if (mbedtls_rsa_complete(rsa) != 0 || 276 mbedtls_rsa_check_pubkey(rsa) != 0) { 277 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 278 } 279 280 if (p != end) { 281 return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; 282 } 283 284 return 0; 285 } 286 287 int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start, 288 unsigned char **p) 289 { 290 size_t len = 0; 291 int ret; 292 293 mbedtls_mpi T; /* Temporary holding the exported parameters */ 294 295 /* 296 * Export the parameters one after another to avoid simultaneous copies. 297 */ 298 299 mbedtls_mpi_init(&T); 300 301 /* Export QP */ 302 if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 || 303 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 304 goto end_of_export; 305 } 306 len += ret; 307 308 /* Export DQ */ 309 if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 || 310 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 311 goto end_of_export; 312 } 313 len += ret; 314 315 /* Export DP */ 316 if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 || 317 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 318 goto end_of_export; 319 } 320 len += ret; 321 322 /* Export Q */ 323 if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 || 324 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 325 goto end_of_export; 326 } 327 len += ret; 328 329 /* Export P */ 330 if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 || 331 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 332 goto end_of_export; 333 } 334 len += ret; 335 336 /* Export D */ 337 if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 || 338 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 339 goto end_of_export; 340 } 341 len += ret; 342 343 /* Export E */ 344 if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || 345 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 346 goto end_of_export; 347 } 348 len += ret; 349 350 /* Export N */ 351 if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || 352 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 353 goto end_of_export; 354 } 355 len += ret; 356 357 end_of_export: 358 359 mbedtls_mpi_free(&T); 360 if (ret < 0) { 361 return ret; 362 } 363 364 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0)); 365 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); 366 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, 367 MBEDTLS_ASN1_CONSTRUCTED | 368 MBEDTLS_ASN1_SEQUENCE)); 369 370 return (int) len; 371 } 372 373 /* 374 * RSAPublicKey ::= SEQUENCE { 375 * modulus INTEGER, -- n 376 * publicExponent INTEGER -- e 377 * } 378 */ 379 int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start, 380 unsigned char **p) 381 { 382 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 383 size_t len = 0; 384 mbedtls_mpi T; 385 386 mbedtls_mpi_init(&T); 387 388 /* Export E */ 389 if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 || 390 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 391 goto end_of_export; 392 } 393 len += ret; 394 395 /* Export N */ 396 if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 || 397 (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) { 398 goto end_of_export; 399 } 400 len += ret; 401 402 end_of_export: 403 404 mbedtls_mpi_free(&T); 405 if (ret < 0) { 406 return ret; 407 } 408 409 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); 410 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED | 411 MBEDTLS_ASN1_SEQUENCE)); 412 413 return (int) len; 414 } 415 416 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) 417 418 /** This function performs the unpadding part of a PKCS#1 v1.5 decryption 419 * operation (EME-PKCS1-v1_5 decoding). 420 * 421 * \note The return value from this function is a sensitive value 422 * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen 423 * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING 424 * is often a situation that an attacker can provoke and leaking which 425 * one is the result is precisely the information the attacker wants. 426 * 427 * \param input The input buffer which is the payload inside PKCS#1v1.5 428 * encryption padding, called the "encoded message EM" 429 * by the terminology. 430 * \param ilen The length of the payload in the \p input buffer. 431 * \param output The buffer for the payload, called "message M" by the 432 * PKCS#1 terminology. This must be a writable buffer of 433 * length \p output_max_len bytes. 434 * \param olen The address at which to store the length of 435 * the payload. This must not be \c NULL. 436 * \param output_max_len The length in bytes of the output buffer \p output. 437 * 438 * \return \c 0 on success. 439 * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE 440 * The output buffer is too small for the unpadded payload. 441 * \return #MBEDTLS_ERR_RSA_INVALID_PADDING 442 * The input doesn't contain properly formatted padding. 443 */ 444 static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input, 445 size_t ilen, 446 unsigned char *output, 447 size_t output_max_len, 448 size_t *olen) 449 { 450 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 451 size_t i, plaintext_max_size; 452 453 /* The following variables take sensitive values: their value must 454 * not leak into the observable behavior of the function other than 455 * the designated outputs (output, olen, return value). Otherwise 456 * this would open the execution of the function to 457 * side-channel-based variants of the Bleichenbacher padding oracle 458 * attack. Potential side channels include overall timing, memory 459 * access patterns (especially visible to an adversary who has access 460 * to a shared memory cache), and branches (especially visible to 461 * an adversary who has access to a shared code cache or to a shared 462 * branch predictor). */ 463 size_t pad_count = 0; 464 mbedtls_ct_condition_t bad; 465 mbedtls_ct_condition_t pad_done; 466 size_t plaintext_size = 0; 467 mbedtls_ct_condition_t output_too_large; 468 469 plaintext_max_size = (output_max_len > ilen - 11) ? ilen - 11 470 : output_max_len; 471 472 /* Check and get padding length in constant time and constant 473 * memory trace. The first byte must be 0. */ 474 bad = mbedtls_ct_bool(input[0]); 475 476 477 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 478 * where PS must be at least 8 nonzero bytes. */ 479 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(input[1], MBEDTLS_RSA_CRYPT)); 480 481 /* Read the whole buffer. Set pad_done to nonzero if we find 482 * the 0x00 byte and remember the padding length in pad_count. */ 483 pad_done = MBEDTLS_CT_FALSE; 484 for (i = 2; i < ilen; i++) { 485 mbedtls_ct_condition_t found = mbedtls_ct_uint_eq(input[i], 0); 486 pad_done = mbedtls_ct_bool_or(pad_done, found); 487 pad_count += mbedtls_ct_uint_if_else_0(mbedtls_ct_bool_not(pad_done), 1); 488 } 489 490 /* If pad_done is still zero, there's no data, only unfinished padding. */ 491 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_not(pad_done)); 492 493 /* There must be at least 8 bytes of padding. */ 494 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_gt(8, pad_count)); 495 496 /* If the padding is valid, set plaintext_size to the number of 497 * remaining bytes after stripping the padding. If the padding 498 * is invalid, avoid leaking this fact through the size of the 499 * output: use the maximum message size that fits in the output 500 * buffer. Do it without branches to avoid leaking the padding 501 * validity through timing. RSA keys are small enough that all the 502 * size_t values involved fit in unsigned int. */ 503 plaintext_size = mbedtls_ct_uint_if( 504 bad, (unsigned) plaintext_max_size, 505 (unsigned) (ilen - pad_count - 3)); 506 507 /* Set output_too_large to 0 if the plaintext fits in the output 508 * buffer and to 1 otherwise. */ 509 output_too_large = mbedtls_ct_uint_gt(plaintext_size, 510 plaintext_max_size); 511 512 /* Set ret without branches to avoid timing attacks. Return: 513 * - INVALID_PADDING if the padding is bad (bad != 0). 514 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted 515 * plaintext does not fit in the output buffer. 516 * - 0 if the padding is correct. */ 517 ret = mbedtls_ct_error_if( 518 bad, 519 MBEDTLS_ERR_RSA_INVALID_PADDING, 520 mbedtls_ct_error_if_else_0(output_too_large, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE) 521 ); 522 523 /* If the padding is bad or the plaintext is too large, zero the 524 * data that we're about to copy to the output buffer. 525 * We need to copy the same amount of data 526 * from the same buffer whether the padding is good or not to 527 * avoid leaking the padding validity through overall timing or 528 * through memory or cache access patterns. */ 529 mbedtls_ct_zeroize_if(mbedtls_ct_bool_or(bad, output_too_large), input + 11, ilen - 11); 530 531 /* If the plaintext is too large, truncate it to the buffer size. 532 * Copy anyway to avoid revealing the length through timing, because 533 * revealing the length is as bad as revealing the padding validity 534 * for a Bleichenbacher attack. */ 535 plaintext_size = mbedtls_ct_uint_if(output_too_large, 536 (unsigned) plaintext_max_size, 537 (unsigned) plaintext_size); 538 539 /* Move the plaintext to the leftmost position where it can start in 540 * the working buffer, i.e. make it start plaintext_max_size from 541 * the end of the buffer. Do this with a memory access trace that 542 * does not depend on the plaintext size. After this move, the 543 * starting location of the plaintext is no longer sensitive 544 * information. */ 545 mbedtls_ct_memmove_left(input + ilen - plaintext_max_size, 546 plaintext_max_size, 547 plaintext_max_size - plaintext_size); 548 549 /* Finally copy the decrypted plaintext plus trailing zeros into the output 550 * buffer. If output_max_len is 0, then output may be an invalid pointer 551 * and the result of memcpy() would be undefined; prevent undefined 552 * behavior making sure to depend only on output_max_len (the size of the 553 * user-provided output buffer), which is independent from plaintext 554 * length, validity of padding, success of the decryption, and other 555 * secrets. */ 556 if (output_max_len != 0) { 557 memcpy(output, input + ilen - plaintext_max_size, plaintext_max_size); 558 } 559 560 /* Report the amount of data we copied to the output buffer. In case 561 * of errors (bad padding or output too large), the value of *olen 562 * when this function returns is not specified. Making it equivalent 563 * to the good case limits the risks of leaking the padding validity. */ 564 *olen = plaintext_size; 565 566 return ret; 567 } 568 569 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ 570 571 #if !defined(MBEDTLS_RSA_ALT) 572 573 int mbedtls_rsa_import(mbedtls_rsa_context *ctx, 574 const mbedtls_mpi *N, 575 const mbedtls_mpi *P, const mbedtls_mpi *Q, 576 const mbedtls_mpi *D, const mbedtls_mpi *E) 577 { 578 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 579 580 if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) || 581 (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) || 582 (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) || 583 (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) || 584 (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) { 585 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 586 } 587 588 if (N != NULL) { 589 ctx->len = mbedtls_mpi_size(&ctx->N); 590 } 591 592 return 0; 593 } 594 595 int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx, 596 unsigned char const *N, size_t N_len, 597 unsigned char const *P, size_t P_len, 598 unsigned char const *Q, size_t Q_len, 599 unsigned char const *D, size_t D_len, 600 unsigned char const *E, size_t E_len) 601 { 602 int ret = 0; 603 604 if (N != NULL) { 605 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len)); 606 ctx->len = mbedtls_mpi_size(&ctx->N); 607 } 608 609 if (P != NULL) { 610 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len)); 611 } 612 613 if (Q != NULL) { 614 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len)); 615 } 616 617 if (D != NULL) { 618 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len)); 619 } 620 621 if (E != NULL) { 622 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len)); 623 } 624 625 cleanup: 626 627 if (ret != 0) { 628 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 629 } 630 631 return 0; 632 } 633 634 /* 635 * Checks whether the context fields are set in such a way 636 * that the RSA primitives will be able to execute without error. 637 * It does *not* make guarantees for consistency of the parameters. 638 */ 639 static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv, 640 int blinding_needed) 641 { 642 #if !defined(MBEDTLS_RSA_NO_CRT) 643 /* blinding_needed is only used for NO_CRT to decide whether 644 * P,Q need to be present or not. */ 645 ((void) blinding_needed); 646 #endif 647 648 if (ctx->len != mbedtls_mpi_size(&ctx->N) || 649 ctx->len > MBEDTLS_MPI_MAX_SIZE) { 650 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 651 } 652 653 /* 654 * 1. Modular exponentiation needs positive, odd moduli. 655 */ 656 657 /* Modular exponentiation wrt. N is always used for 658 * RSA public key operations. */ 659 if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 || 660 mbedtls_mpi_get_bit(&ctx->N, 0) == 0) { 661 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 662 } 663 664 #if !defined(MBEDTLS_RSA_NO_CRT) 665 /* Modular exponentiation for P and Q is only 666 * used for private key operations and if CRT 667 * is used. */ 668 if (is_priv && 669 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || 670 mbedtls_mpi_get_bit(&ctx->P, 0) == 0 || 671 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 || 672 mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) { 673 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 674 } 675 #endif /* !MBEDTLS_RSA_NO_CRT */ 676 677 /* 678 * 2. Exponents must be positive 679 */ 680 681 /* Always need E for public key operations */ 682 if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) { 683 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 684 } 685 686 #if defined(MBEDTLS_RSA_NO_CRT) 687 /* For private key operations, use D or DP & DQ 688 * as (unblinded) exponents. */ 689 if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) { 690 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 691 } 692 #else 693 if (is_priv && 694 (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 || 695 mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) { 696 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 697 } 698 #endif /* MBEDTLS_RSA_NO_CRT */ 699 700 /* Blinding shouldn't make exponents negative either, 701 * so check that P, Q >= 1 if that hasn't yet been 702 * done as part of 1. */ 703 #if defined(MBEDTLS_RSA_NO_CRT) 704 if (is_priv && blinding_needed && 705 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 || 706 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) { 707 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 708 } 709 #endif 710 711 /* It wouldn't lead to an error if it wasn't satisfied, 712 * but check for QP >= 1 nonetheless. */ 713 #if !defined(MBEDTLS_RSA_NO_CRT) 714 if (is_priv && 715 mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) { 716 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 717 } 718 #endif 719 720 return 0; 721 } 722 723 int mbedtls_rsa_complete(mbedtls_rsa_context *ctx) 724 { 725 int ret = 0; 726 int have_N, have_P, have_Q, have_D, have_E; 727 #if !defined(MBEDTLS_RSA_NO_CRT) 728 int have_DP, have_DQ, have_QP; 729 #endif 730 int n_missing, pq_missing, d_missing, is_pub, is_priv; 731 732 have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0); 733 have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0); 734 have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0); 735 have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0); 736 have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0); 737 738 #if !defined(MBEDTLS_RSA_NO_CRT) 739 have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0); 740 have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0); 741 have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0); 742 #endif 743 744 /* 745 * Check whether provided parameters are enough 746 * to deduce all others. The following incomplete 747 * parameter sets for private keys are supported: 748 * 749 * (1) P, Q missing. 750 * (2) D and potentially N missing. 751 * 752 */ 753 754 n_missing = have_P && have_Q && have_D && have_E; 755 pq_missing = have_N && !have_P && !have_Q && have_D && have_E; 756 d_missing = have_P && have_Q && !have_D && have_E; 757 is_pub = have_N && !have_P && !have_Q && !have_D && have_E; 758 759 /* These three alternatives are mutually exclusive */ 760 is_priv = n_missing || pq_missing || d_missing; 761 762 if (!is_priv && !is_pub) { 763 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 764 } 765 766 /* 767 * Step 1: Deduce N if P, Q are provided. 768 */ 769 770 if (!have_N && have_P && have_Q) { 771 if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, 772 &ctx->Q)) != 0) { 773 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 774 } 775 776 ctx->len = mbedtls_mpi_size(&ctx->N); 777 } 778 779 /* 780 * Step 2: Deduce and verify all remaining core parameters. 781 */ 782 783 if (pq_missing) { 784 ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D, 785 &ctx->P, &ctx->Q); 786 if (ret != 0) { 787 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 788 } 789 790 } else if (d_missing) { 791 if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P, 792 &ctx->Q, 793 &ctx->E, 794 &ctx->D)) != 0) { 795 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 796 } 797 } 798 799 /* 800 * Step 3: Deduce all additional parameters specific 801 * to our current RSA implementation. 802 */ 803 804 #if !defined(MBEDTLS_RSA_NO_CRT) 805 if (is_priv && !(have_DP && have_DQ && have_QP)) { 806 ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, 807 &ctx->DP, &ctx->DQ, &ctx->QP); 808 if (ret != 0) { 809 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 810 } 811 } 812 #endif /* MBEDTLS_RSA_NO_CRT */ 813 814 /* 815 * Step 3: Basic sanity checks 816 */ 817 818 return rsa_check_context(ctx, is_priv, 1); 819 } 820 821 int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx, 822 unsigned char *N, size_t N_len, 823 unsigned char *P, size_t P_len, 824 unsigned char *Q, size_t Q_len, 825 unsigned char *D, size_t D_len, 826 unsigned char *E, size_t E_len) 827 { 828 int ret = 0; 829 int is_priv; 830 831 /* Check if key is private or public */ 832 is_priv = 833 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && 834 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && 835 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && 836 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && 837 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; 838 839 if (!is_priv) { 840 /* If we're trying to export private parameters for a public key, 841 * something must be wrong. */ 842 if (P != NULL || Q != NULL || D != NULL) { 843 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 844 } 845 846 } 847 848 if (N != NULL) { 849 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len)); 850 } 851 852 if (P != NULL) { 853 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len)); 854 } 855 856 if (Q != NULL) { 857 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len)); 858 } 859 860 if (D != NULL) { 861 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len)); 862 } 863 864 if (E != NULL) { 865 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len)); 866 } 867 868 cleanup: 869 870 return ret; 871 } 872 873 int mbedtls_rsa_export(const mbedtls_rsa_context *ctx, 874 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, 875 mbedtls_mpi *D, mbedtls_mpi *E) 876 { 877 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 878 int is_priv; 879 880 /* Check if key is private or public */ 881 is_priv = 882 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && 883 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && 884 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && 885 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && 886 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; 887 888 if (!is_priv) { 889 /* If we're trying to export private parameters for a public key, 890 * something must be wrong. */ 891 if (P != NULL || Q != NULL || D != NULL) { 892 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 893 } 894 895 } 896 897 /* Export all requested core parameters. */ 898 899 if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) || 900 (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) || 901 (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) || 902 (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) || 903 (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) { 904 return ret; 905 } 906 907 return 0; 908 } 909 910 /* 911 * Export CRT parameters 912 * This must also be implemented if CRT is not used, for being able to 913 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt 914 * can be used in this case. 915 */ 916 int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx, 917 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP) 918 { 919 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 920 int is_priv; 921 922 /* Check if key is private or public */ 923 is_priv = 924 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 && 925 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 && 926 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 && 927 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 && 928 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0; 929 930 if (!is_priv) { 931 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 932 } 933 934 #if !defined(MBEDTLS_RSA_NO_CRT) 935 /* Export all requested blinding parameters. */ 936 if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) || 937 (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) || 938 (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) { 939 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 940 } 941 #else 942 if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, 943 DP, DQ, QP)) != 0) { 944 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret); 945 } 946 #endif 947 948 return 0; 949 } 950 951 /* 952 * Initialize an RSA context 953 */ 954 void mbedtls_rsa_init(mbedtls_rsa_context *ctx) 955 { 956 memset(ctx, 0, sizeof(mbedtls_rsa_context)); 957 958 ctx->padding = MBEDTLS_RSA_PKCS_V15; 959 ctx->hash_id = MBEDTLS_MD_NONE; 960 961 #if defined(MBEDTLS_THREADING_C) 962 /* Set ctx->ver to nonzero to indicate that the mutex has been 963 * initialized and will need to be freed. */ 964 ctx->ver = 1; 965 mbedtls_mutex_init(&ctx->mutex); 966 #endif 967 } 968 969 /* 970 * Set padding for an existing RSA context 971 */ 972 int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding, 973 mbedtls_md_type_t hash_id) 974 { 975 switch (padding) { 976 #if defined(MBEDTLS_PKCS1_V15) 977 case MBEDTLS_RSA_PKCS_V15: 978 break; 979 #endif 980 981 #if defined(MBEDTLS_PKCS1_V21) 982 case MBEDTLS_RSA_PKCS_V21: 983 break; 984 #endif 985 default: 986 return MBEDTLS_ERR_RSA_INVALID_PADDING; 987 } 988 989 #if defined(MBEDTLS_PKCS1_V21) 990 if ((padding == MBEDTLS_RSA_PKCS_V21) && 991 (hash_id != MBEDTLS_MD_NONE)) { 992 /* Just make sure this hash is supported in this build. */ 993 if (mbedtls_md_info_from_type(hash_id) == NULL) { 994 return MBEDTLS_ERR_RSA_INVALID_PADDING; 995 } 996 } 997 #endif /* MBEDTLS_PKCS1_V21 */ 998 999 ctx->padding = padding; 1000 ctx->hash_id = hash_id; 1001 1002 return 0; 1003 } 1004 1005 /* 1006 * Get padding mode of initialized RSA context 1007 */ 1008 int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx) 1009 { 1010 return ctx->padding; 1011 } 1012 1013 /* 1014 * Get hash identifier of mbedtls_md_type_t type 1015 */ 1016 int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx) 1017 { 1018 return ctx->hash_id; 1019 } 1020 1021 /* 1022 * Get length in bits of RSA modulus 1023 */ 1024 size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx) 1025 { 1026 return mbedtls_mpi_bitlen(&ctx->N); 1027 } 1028 1029 /* 1030 * Get length in bytes of RSA modulus 1031 */ 1032 size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx) 1033 { 1034 return ctx->len; 1035 } 1036 1037 #if defined(MBEDTLS_GENPRIME) 1038 1039 /* 1040 * Generate an RSA keypair 1041 * 1042 * This generation method follows the RSA key pair generation procedure of 1043 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072. 1044 */ 1045 int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx, 1046 int (*f_rng)(void *, unsigned char *, size_t), 1047 void *p_rng, 1048 unsigned int nbits, int exponent) 1049 { 1050 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1051 mbedtls_mpi H, G, L; 1052 int prime_quality = 0; 1053 1054 /* 1055 * If the modulus is 1024 bit long or shorter, then the security strength of 1056 * the RSA algorithm is less than or equal to 80 bits and therefore an error 1057 * rate of 2^-80 is sufficient. 1058 */ 1059 if (nbits > 1024) { 1060 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR; 1061 } 1062 1063 mbedtls_mpi_init(&H); 1064 mbedtls_mpi_init(&G); 1065 mbedtls_mpi_init(&L); 1066 1067 if (exponent < 3 || nbits % 2 != 0) { 1068 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1069 goto cleanup; 1070 } 1071 1072 if (nbits < MBEDTLS_RSA_GEN_KEY_MIN_BITS) { 1073 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1074 goto cleanup; 1075 } 1076 1077 /* 1078 * find primes P and Q with Q < P so that: 1079 * 1. |P-Q| > 2^( nbits / 2 - 100 ) 1080 * 2. GCD( E, (P-1)*(Q-1) ) == 1 1081 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 ) 1082 */ 1083 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent)); 1084 1085 do { 1086 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1, 1087 prime_quality, f_rng, p_rng)); 1088 1089 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1, 1090 prime_quality, f_rng, p_rng)); 1091 1092 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */ 1093 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q)); 1094 if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) { 1095 continue; 1096 } 1097 1098 /* not required by any standards, but some users rely on the fact that P > Q */ 1099 if (H.s < 0) { 1100 mbedtls_mpi_swap(&ctx->P, &ctx->Q); 1101 } 1102 1103 /* Temporarily replace P,Q by P-1, Q-1 */ 1104 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1)); 1105 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1)); 1106 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q)); 1107 1108 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */ 1109 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H)); 1110 if (mbedtls_mpi_cmp_int(&G, 1) != 0) { 1111 continue; 1112 } 1113 1114 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */ 1115 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q)); 1116 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G)); 1117 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L)); 1118 1119 if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a)) 1120 continue; 1121 } 1122 1123 break; 1124 } while (1); 1125 1126 /* Restore P,Q */ 1127 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1)); 1128 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1)); 1129 1130 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q)); 1131 1132 ctx->len = mbedtls_mpi_size(&ctx->N); 1133 1134 #if !defined(MBEDTLS_RSA_NO_CRT) 1135 /* 1136 * DP = D mod (P - 1) 1137 * DQ = D mod (Q - 1) 1138 * QP = Q^-1 mod P 1139 */ 1140 MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D, 1141 &ctx->DP, &ctx->DQ, &ctx->QP)); 1142 #endif /* MBEDTLS_RSA_NO_CRT */ 1143 1144 /* Double-check */ 1145 MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx)); 1146 1147 cleanup: 1148 1149 mbedtls_mpi_free(&H); 1150 mbedtls_mpi_free(&G); 1151 mbedtls_mpi_free(&L); 1152 1153 if (ret != 0) { 1154 mbedtls_rsa_free(ctx); 1155 1156 if ((-ret & ~0x7f) == 0) { 1157 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret); 1158 } 1159 return ret; 1160 } 1161 1162 return 0; 1163 } 1164 1165 #endif /* MBEDTLS_GENPRIME */ 1166 1167 /* 1168 * Check a public RSA key 1169 */ 1170 int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx) 1171 { 1172 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) { 1173 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1174 } 1175 1176 if (mbedtls_mpi_bitlen(&ctx->N) < 128) { 1177 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1178 } 1179 1180 if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 || 1181 mbedtls_mpi_bitlen(&ctx->E) < 2 || 1182 mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) { 1183 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1184 } 1185 1186 return 0; 1187 } 1188 1189 /* 1190 * Check for the consistency of all fields in an RSA private key context 1191 */ 1192 int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx) 1193 { 1194 if (mbedtls_rsa_check_pubkey(ctx) != 0 || 1195 rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) { 1196 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1197 } 1198 1199 if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q, 1200 &ctx->D, &ctx->E, NULL, NULL) != 0) { 1201 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1202 } 1203 1204 #if !defined(MBEDTLS_RSA_NO_CRT) 1205 else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D, 1206 &ctx->DP, &ctx->DQ, &ctx->QP) != 0) { 1207 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1208 } 1209 #endif 1210 1211 return 0; 1212 } 1213 1214 /* 1215 * Check if contexts holding a public and private key match 1216 */ 1217 int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub, 1218 const mbedtls_rsa_context *prv) 1219 { 1220 if (mbedtls_rsa_check_pubkey(pub) != 0 || 1221 mbedtls_rsa_check_privkey(prv) != 0) { 1222 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1223 } 1224 1225 if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 || 1226 mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) { 1227 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 1228 } 1229 1230 return 0; 1231 } 1232 1233 /* 1234 * Do an RSA public key operation 1235 */ 1236 int mbedtls_rsa_public(mbedtls_rsa_context *ctx, 1237 const unsigned char *input, 1238 unsigned char *output) 1239 { 1240 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1241 size_t olen; 1242 mbedtls_mpi T; 1243 1244 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) { 1245 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1246 } 1247 1248 mbedtls_mpi_init(&T); 1249 1250 #if defined(MBEDTLS_THREADING_C) 1251 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) { 1252 return ret; 1253 } 1254 #endif 1255 1256 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len)); 1257 1258 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) { 1259 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1260 goto cleanup; 1261 } 1262 1263 olen = ctx->len; 1264 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN)); 1265 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen)); 1266 1267 cleanup: 1268 #if defined(MBEDTLS_THREADING_C) 1269 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) { 1270 return MBEDTLS_ERR_THREADING_MUTEX_ERROR; 1271 } 1272 #endif 1273 1274 mbedtls_mpi_free(&T); 1275 1276 if (ret != 0) { 1277 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret); 1278 } 1279 1280 return 0; 1281 } 1282 1283 /* 1284 * Generate or update blinding values, see section 10 of: 1285 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 1286 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 1287 * Berlin Heidelberg, 1996. p. 104-113. 1288 */ 1289 static int rsa_prepare_blinding(mbedtls_rsa_context *ctx, 1290 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) 1291 { 1292 int ret, count = 0; 1293 mbedtls_mpi R; 1294 1295 mbedtls_mpi_init(&R); 1296 1297 if (ctx->Vf.p != NULL) { 1298 /* We already have blinding values, just update them by squaring */ 1299 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi)); 1300 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N)); 1301 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf)); 1302 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N)); 1303 1304 goto cleanup; 1305 } 1306 1307 /* Unblinding value: Vf = random number, invertible mod N */ 1308 do { 1309 if (count++ > 10) { 1310 ret = MBEDTLS_ERR_RSA_RNG_FAILED; 1311 goto cleanup; 1312 } 1313 1314 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng)); 1315 1316 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */ 1317 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng)); 1318 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R)); 1319 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N)); 1320 1321 /* At this point, Vi is invertible mod N if and only if both Vf and R 1322 * are invertible mod N. If one of them isn't, we don't need to know 1323 * which one, we just loop and choose new values for both of them. 1324 * (Each iteration succeeds with overwhelming probability.) */ 1325 ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N); 1326 if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) { 1327 goto cleanup; 1328 } 1329 1330 } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE); 1331 1332 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */ 1333 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R)); 1334 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N)); 1335 1336 /* Blinding value: Vi = Vf^(-e) mod N 1337 * (Vi already contains Vf^-1 at this point) */ 1338 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN)); 1339 1340 1341 cleanup: 1342 mbedtls_mpi_free(&R); 1343 1344 return ret; 1345 } 1346 1347 /* 1348 * Unblind 1349 * T = T * Vf mod N 1350 */ 1351 static int rsa_unblind(mbedtls_mpi *T, mbedtls_mpi *Vf, const mbedtls_mpi *N) 1352 { 1353 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1354 const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); 1355 const size_t nlimbs = N->n; 1356 const size_t tlimbs = mbedtls_mpi_core_montmul_working_limbs(nlimbs); 1357 mbedtls_mpi RR, M_T; 1358 1359 mbedtls_mpi_init(&RR); 1360 mbedtls_mpi_init(&M_T); 1361 1362 MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N)); 1363 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&M_T, tlimbs)); 1364 1365 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs)); 1366 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs)); 1367 1368 /* T = T * Vf mod N 1369 * Reminder: montmul(A, B, N) = A * B * R^-1 mod N 1370 * Usually both operands are multiplied by R mod N beforehand (by calling 1371 * `to_mont_rep()` on them), yielding a result that's also * R mod N (aka 1372 * "in the Montgomery domain"). Here we only multiply one operand by R mod 1373 * N, so the result is directly what we want - no need to call 1374 * `from_mont_rep()` on it. */ 1375 mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p); 1376 mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p); 1377 1378 cleanup: 1379 1380 mbedtls_mpi_free(&RR); 1381 mbedtls_mpi_free(&M_T); 1382 1383 return ret; 1384 } 1385 1386 /* 1387 * Exponent blinding supposed to prevent side-channel attacks using multiple 1388 * traces of measurements to recover the RSA key. The more collisions are there, 1389 * the more bits of the key can be recovered. See [3]. 1390 * 1391 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) 1392 * observations on average. 1393 * 1394 * For example with 28 byte blinding to achieve 2 collisions the adversary has 1395 * to make 2^112 observations on average. 1396 * 1397 * (With the currently (as of 2017 April) known best algorithms breaking 2048 1398 * bit RSA requires approximately as much time as trying out 2^112 random keys. 1399 * Thus in this sense with 28 byte blinding the security is not reduced by 1400 * side-channel attacks like the one in [3]) 1401 * 1402 * This countermeasure does not help if the key recovery is possible with a 1403 * single trace. 1404 */ 1405 #define RSA_EXPONENT_BLINDING 28 1406 1407 /* 1408 * Do an RSA private key operation 1409 */ 1410 int mbedtls_rsa_private(mbedtls_rsa_context *ctx, 1411 int (*f_rng)(void *, unsigned char *, size_t), 1412 void *p_rng, 1413 const unsigned char *input, 1414 unsigned char *output) 1415 { 1416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1417 size_t olen; 1418 1419 /* Temporary holding the result */ 1420 mbedtls_mpi T; 1421 1422 /* Temporaries holding P-1, Q-1 and the 1423 * exponent blinding factor, respectively. */ 1424 mbedtls_mpi P1, Q1, R; 1425 1426 #if !defined(MBEDTLS_RSA_NO_CRT) 1427 /* Temporaries holding the results mod p resp. mod q. */ 1428 mbedtls_mpi TP, TQ; 1429 1430 /* Temporaries holding the blinded exponents for 1431 * the mod p resp. mod q computation (if used). */ 1432 mbedtls_mpi DP_blind, DQ_blind; 1433 #else 1434 /* Temporary holding the blinded exponent (if used). */ 1435 mbedtls_mpi D_blind; 1436 #endif /* MBEDTLS_RSA_NO_CRT */ 1437 1438 /* Temporaries holding the initial input and the double 1439 * checked result; should be the same in the end. */ 1440 mbedtls_mpi input_blinded, check_result_blinded; 1441 1442 if (f_rng == NULL) { 1443 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1444 } 1445 1446 if (rsa_check_context(ctx, 1 /* private key checks */, 1447 1 /* blinding on */) != 0) { 1448 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1449 } 1450 1451 #if defined(MBEDTLS_THREADING_C) 1452 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) { 1453 return ret; 1454 } 1455 #endif 1456 1457 /* MPI Initialization */ 1458 mbedtls_mpi_init(&T); 1459 1460 mbedtls_mpi_init(&P1); 1461 mbedtls_mpi_init(&Q1); 1462 mbedtls_mpi_init(&R); 1463 1464 #if defined(MBEDTLS_RSA_NO_CRT) 1465 mbedtls_mpi_init(&D_blind); 1466 #else 1467 mbedtls_mpi_init(&DP_blind); 1468 mbedtls_mpi_init(&DQ_blind); 1469 #endif 1470 1471 #if !defined(MBEDTLS_RSA_NO_CRT) 1472 mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ); 1473 #endif 1474 1475 mbedtls_mpi_init(&input_blinded); 1476 mbedtls_mpi_init(&check_result_blinded); 1477 1478 /* End of MPI initialization */ 1479 1480 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len)); 1481 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) { 1482 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 1483 goto cleanup; 1484 } 1485 1486 /* 1487 * Blinding 1488 * T = T * Vi mod N 1489 */ 1490 MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng)); 1491 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi)); 1492 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N)); 1493 1494 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&input_blinded, &T)); 1495 1496 /* 1497 * Exponent blinding 1498 */ 1499 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1)); 1500 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1)); 1501 1502 #if defined(MBEDTLS_RSA_NO_CRT) 1503 /* 1504 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D 1505 */ 1506 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING, 1507 f_rng, p_rng)); 1508 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1)); 1509 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R)); 1510 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D)); 1511 #else 1512 /* 1513 * DP_blind = ( P - 1 ) * R + DP 1514 */ 1515 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING, 1516 f_rng, p_rng)); 1517 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R)); 1518 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind, 1519 &ctx->DP)); 1520 1521 /* 1522 * DQ_blind = ( Q - 1 ) * R + DQ 1523 */ 1524 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING, 1525 f_rng, p_rng)); 1526 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R)); 1527 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind, 1528 &ctx->DQ)); 1529 #endif /* MBEDTLS_RSA_NO_CRT */ 1530 1531 #if defined(MBEDTLS_RSA_NO_CRT) 1532 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &D_blind, &ctx->N, &ctx->RN)); 1533 #else 1534 /* 1535 * Faster decryption using the CRT 1536 * 1537 * TP = input ^ dP mod P 1538 * TQ = input ^ dQ mod Q 1539 */ 1540 1541 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, &DP_blind, &ctx->P, &ctx->RP)); 1542 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, &DQ_blind, &ctx->Q, &ctx->RQ)); 1543 1544 /* 1545 * T = (TP - TQ) * (Q^-1 mod P) mod P 1546 */ 1547 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ)); 1548 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP)); 1549 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P)); 1550 1551 /* 1552 * T = TQ + T * Q 1553 */ 1554 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q)); 1555 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP)); 1556 #endif /* MBEDTLS_RSA_NO_CRT */ 1557 1558 /* Verify the result to prevent glitching attacks. */ 1559 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E, 1560 &ctx->N, &ctx->RN)); 1561 if (mbedtls_mpi_cmp_mpi(&check_result_blinded, &input_blinded) != 0) { 1562 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 1563 goto cleanup; 1564 } 1565 1566 /* 1567 * Unblind 1568 * T = T * Vf mod N 1569 */ 1570 MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N)); 1571 1572 olen = ctx->len; 1573 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen)); 1574 1575 cleanup: 1576 #if defined(MBEDTLS_THREADING_C) 1577 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) { 1578 return MBEDTLS_ERR_THREADING_MUTEX_ERROR; 1579 } 1580 #endif 1581 1582 mbedtls_mpi_free(&P1); 1583 mbedtls_mpi_free(&Q1); 1584 mbedtls_mpi_free(&R); 1585 1586 #if defined(MBEDTLS_RSA_NO_CRT) 1587 mbedtls_mpi_free(&D_blind); 1588 #else 1589 mbedtls_mpi_free(&DP_blind); 1590 mbedtls_mpi_free(&DQ_blind); 1591 #endif 1592 1593 mbedtls_mpi_free(&T); 1594 1595 #if !defined(MBEDTLS_RSA_NO_CRT) 1596 mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ); 1597 #endif 1598 1599 mbedtls_mpi_free(&check_result_blinded); 1600 mbedtls_mpi_free(&input_blinded); 1601 1602 if (ret != 0 && ret >= -0x007f) { 1603 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret); 1604 } 1605 1606 return ret; 1607 } 1608 1609 #if defined(MBEDTLS_PKCS1_V21) 1610 /** 1611 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 1612 * 1613 * \param dst buffer to mask 1614 * \param dlen length of destination buffer 1615 * \param src source of the mask generation 1616 * \param slen length of the source buffer 1617 * \param md_alg message digest to use 1618 */ 1619 static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src, 1620 size_t slen, mbedtls_md_type_t md_alg) 1621 { 1622 unsigned char counter[4]; 1623 unsigned char *p; 1624 unsigned int hlen; 1625 size_t i, use_len; 1626 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 1627 int ret = 0; 1628 const mbedtls_md_info_t *md_info; 1629 mbedtls_md_context_t md_ctx; 1630 1631 mbedtls_md_init(&md_ctx); 1632 md_info = mbedtls_md_info_from_type(md_alg); 1633 if (md_info == NULL) { 1634 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1635 } 1636 1637 mbedtls_md_init(&md_ctx); 1638 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) { 1639 goto exit; 1640 } 1641 1642 hlen = mbedtls_md_get_size(md_info); 1643 1644 memset(mask, 0, sizeof(mask)); 1645 memset(counter, 0, 4); 1646 1647 /* Generate and apply dbMask */ 1648 p = dst; 1649 1650 while (dlen > 0) { 1651 use_len = hlen; 1652 if (dlen < hlen) { 1653 use_len = dlen; 1654 } 1655 1656 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) { 1657 goto exit; 1658 } 1659 if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) { 1660 goto exit; 1661 } 1662 if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) { 1663 goto exit; 1664 } 1665 if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) { 1666 goto exit; 1667 } 1668 1669 for (i = 0; i < use_len; ++i) { 1670 *p++ ^= mask[i]; 1671 } 1672 1673 counter[3]++; 1674 1675 dlen -= use_len; 1676 } 1677 1678 exit: 1679 mbedtls_platform_zeroize(mask, sizeof(mask)); 1680 mbedtls_md_free(&md_ctx); 1681 1682 return ret; 1683 } 1684 1685 /** 1686 * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6. 1687 * 1688 * \param hash the input hash 1689 * \param hlen length of the input hash 1690 * \param salt the input salt 1691 * \param slen length of the input salt 1692 * \param out the output buffer - must be large enough for \p md_alg 1693 * \param md_alg message digest to use 1694 */ 1695 static int hash_mprime(const unsigned char *hash, size_t hlen, 1696 const unsigned char *salt, size_t slen, 1697 unsigned char *out, mbedtls_md_type_t md_alg) 1698 { 1699 const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 1700 1701 mbedtls_md_context_t md_ctx; 1702 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1703 1704 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg); 1705 if (md_info == NULL) { 1706 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1707 } 1708 1709 mbedtls_md_init(&md_ctx); 1710 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) { 1711 goto exit; 1712 } 1713 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) { 1714 goto exit; 1715 } 1716 if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) { 1717 goto exit; 1718 } 1719 if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) { 1720 goto exit; 1721 } 1722 if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) { 1723 goto exit; 1724 } 1725 if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) { 1726 goto exit; 1727 } 1728 1729 exit: 1730 mbedtls_md_free(&md_ctx); 1731 1732 return ret; 1733 } 1734 1735 /** 1736 * Compute a hash. 1737 * 1738 * \param md_alg algorithm to use 1739 * \param input input message to hash 1740 * \param ilen input length 1741 * \param output the output buffer - must be large enough for \p md_alg 1742 */ 1743 static int compute_hash(mbedtls_md_type_t md_alg, 1744 const unsigned char *input, size_t ilen, 1745 unsigned char *output) 1746 { 1747 const mbedtls_md_info_t *md_info; 1748 1749 md_info = mbedtls_md_info_from_type(md_alg); 1750 if (md_info == NULL) { 1751 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1752 } 1753 1754 return mbedtls_md(md_info, input, ilen, output); 1755 } 1756 #endif /* MBEDTLS_PKCS1_V21 */ 1757 1758 #if defined(MBEDTLS_PKCS1_V21) 1759 /* 1760 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 1761 */ 1762 int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx, 1763 int (*f_rng)(void *, unsigned char *, size_t), 1764 void *p_rng, 1765 const unsigned char *label, size_t label_len, 1766 size_t ilen, 1767 const unsigned char *input, 1768 unsigned char *output) 1769 { 1770 size_t olen; 1771 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1772 unsigned char *p = output; 1773 unsigned int hlen; 1774 1775 if (f_rng == NULL) { 1776 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1777 } 1778 1779 hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id); 1780 if (hlen == 0) { 1781 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1782 } 1783 1784 olen = ctx->len; 1785 1786 /* first comparison checks for overflow */ 1787 if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) { 1788 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1789 } 1790 1791 memset(output, 0, olen); 1792 1793 *p++ = 0; 1794 1795 /* Generate a random octet string seed */ 1796 if ((ret = f_rng(p_rng, p, hlen)) != 0) { 1797 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret); 1798 } 1799 1800 p += hlen; 1801 1802 /* Construct DB */ 1803 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p); 1804 if (ret != 0) { 1805 return ret; 1806 } 1807 p += hlen; 1808 p += olen - 2 * hlen - 2 - ilen; 1809 *p++ = 1; 1810 if (ilen != 0) { 1811 memcpy(p, input, ilen); 1812 } 1813 1814 /* maskedDB: Apply dbMask to DB */ 1815 if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen, 1816 (mbedtls_md_type_t) ctx->hash_id)) != 0) { 1817 return ret; 1818 } 1819 1820 /* maskedSeed: Apply seedMask to seed */ 1821 if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1, 1822 (mbedtls_md_type_t) ctx->hash_id)) != 0) { 1823 return ret; 1824 } 1825 1826 return mbedtls_rsa_public(ctx, output, output); 1827 } 1828 #endif /* MBEDTLS_PKCS1_V21 */ 1829 1830 #if defined(MBEDTLS_PKCS1_V15) 1831 /* 1832 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 1833 */ 1834 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx, 1835 int (*f_rng)(void *, unsigned char *, size_t), 1836 void *p_rng, size_t ilen, 1837 const unsigned char *input, 1838 unsigned char *output) 1839 { 1840 size_t nb_pad, olen; 1841 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1842 unsigned char *p = output; 1843 1844 olen = ctx->len; 1845 1846 /* first comparison checks for overflow */ 1847 if (ilen + 11 < ilen || olen < ilen + 11) { 1848 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1849 } 1850 1851 nb_pad = olen - 3 - ilen; 1852 1853 *p++ = 0; 1854 1855 if (f_rng == NULL) { 1856 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1857 } 1858 1859 *p++ = MBEDTLS_RSA_CRYPT; 1860 1861 while (nb_pad-- > 0) { 1862 int rng_dl = 100; 1863 1864 do { 1865 ret = f_rng(p_rng, p, 1); 1866 } while (*p == 0 && --rng_dl && ret == 0); 1867 1868 /* Check if RNG failed to generate data */ 1869 if (rng_dl == 0 || ret != 0) { 1870 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret); 1871 } 1872 1873 p++; 1874 } 1875 1876 *p++ = 0; 1877 if (ilen != 0) { 1878 memcpy(p, input, ilen); 1879 } 1880 1881 return mbedtls_rsa_public(ctx, output, output); 1882 } 1883 #endif /* MBEDTLS_PKCS1_V15 */ 1884 1885 /* 1886 * Add the message padding, then do an RSA operation 1887 */ 1888 int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx, 1889 int (*f_rng)(void *, unsigned char *, size_t), 1890 void *p_rng, 1891 size_t ilen, 1892 const unsigned char *input, 1893 unsigned char *output) 1894 { 1895 switch (ctx->padding) { 1896 #if defined(MBEDTLS_PKCS1_V15) 1897 case MBEDTLS_RSA_PKCS_V15: 1898 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng, 1899 ilen, input, output); 1900 #endif 1901 1902 #if defined(MBEDTLS_PKCS1_V21) 1903 case MBEDTLS_RSA_PKCS_V21: 1904 return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0, 1905 ilen, input, output); 1906 #endif 1907 1908 default: 1909 return MBEDTLS_ERR_RSA_INVALID_PADDING; 1910 } 1911 } 1912 1913 #if defined(MBEDTLS_PKCS1_V21) 1914 /* 1915 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 1916 */ 1917 int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx, 1918 int (*f_rng)(void *, unsigned char *, size_t), 1919 void *p_rng, 1920 const unsigned char *label, size_t label_len, 1921 size_t *olen, 1922 const unsigned char *input, 1923 unsigned char *output, 1924 size_t output_max_len) 1925 { 1926 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1927 size_t ilen, i, pad_len; 1928 unsigned char *p; 1929 mbedtls_ct_condition_t bad, in_padding; 1930 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 1931 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 1932 unsigned int hlen; 1933 1934 /* 1935 * Parameters sanity checks 1936 */ 1937 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) { 1938 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1939 } 1940 1941 ilen = ctx->len; 1942 1943 if (ilen < 16 || ilen > sizeof(buf)) { 1944 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1945 } 1946 1947 hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id); 1948 if (hlen == 0) { 1949 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1950 } 1951 1952 // checking for integer underflow 1953 if (2 * hlen + 2 > ilen) { 1954 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 1955 } 1956 1957 /* 1958 * RSA operation 1959 */ 1960 if( ctx->P.n == 0 ) 1961 ret = mbedtls_rsa_private( ctx, NULL, NULL, input, buf ); 1962 else 1963 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf); 1964 1965 if (ret != 0) { 1966 goto cleanup; 1967 } 1968 1969 /* 1970 * Unmask data and generate lHash 1971 */ 1972 /* seed: Apply seedMask to maskedSeed */ 1973 if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 1974 (mbedtls_md_type_t) ctx->hash_id)) != 0 || 1975 /* DB: Apply dbMask to maskedDB */ 1976 (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 1977 (mbedtls_md_type_t) ctx->hash_id)) != 0) { 1978 goto cleanup; 1979 } 1980 1981 /* Generate lHash */ 1982 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, 1983 label, label_len, lhash); 1984 if (ret != 0) { 1985 goto cleanup; 1986 } 1987 1988 /* 1989 * Check contents, in "constant-time" 1990 */ 1991 p = buf; 1992 1993 bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */ 1994 1995 p += hlen; /* Skip seed */ 1996 1997 /* Check lHash */ 1998 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen))); 1999 p += hlen; 2000 2001 /* Get zero-padding len, but always read till end of buffer 2002 * (minus one, for the 01 byte) */ 2003 pad_len = 0; 2004 in_padding = MBEDTLS_CT_TRUE; 2005 for (i = 0; i < ilen - 2 * hlen - 2; i++) { 2006 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_uint_eq(p[i], 0)); 2007 pad_len += mbedtls_ct_uint_if_else_0(in_padding, 1); 2008 } 2009 2010 p += pad_len; 2011 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01)); 2012 2013 /* 2014 * The only information "leaked" is whether the padding was correct or not 2015 * (eg, no data is copied if it was not correct). This meets the 2016 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 2017 * the different error conditions. 2018 */ 2019 if (bad != MBEDTLS_CT_FALSE) { 2020 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 2021 goto cleanup; 2022 } 2023 2024 if (ilen - ((size_t) (p - buf)) > output_max_len) { 2025 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 2026 goto cleanup; 2027 } 2028 2029 *olen = ilen - ((size_t) (p - buf)); 2030 if (*olen != 0) { 2031 memcpy(output, p, *olen); 2032 } 2033 ret = 0; 2034 2035 cleanup: 2036 mbedtls_platform_zeroize(buf, sizeof(buf)); 2037 mbedtls_platform_zeroize(lhash, sizeof(lhash)); 2038 2039 return ret; 2040 } 2041 #endif /* MBEDTLS_PKCS1_V21 */ 2042 2043 #if defined(MBEDTLS_PKCS1_V15) 2044 /* 2045 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 2046 */ 2047 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx, 2048 int (*f_rng)(void *, unsigned char *, size_t), 2049 void *p_rng, 2050 size_t *olen, 2051 const unsigned char *input, 2052 unsigned char *output, 2053 size_t output_max_len) 2054 { 2055 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2056 size_t ilen; 2057 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 2058 2059 ilen = ctx->len; 2060 2061 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) { 2062 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2063 } 2064 2065 if (ilen < 16 || ilen > sizeof(buf)) { 2066 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2067 } 2068 2069 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf); 2070 2071 if (ret != 0) { 2072 goto cleanup; 2073 } 2074 2075 ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen, 2076 output, output_max_len, olen); 2077 2078 cleanup: 2079 mbedtls_platform_zeroize(buf, sizeof(buf)); 2080 2081 return ret; 2082 } 2083 #endif /* MBEDTLS_PKCS1_V15 */ 2084 2085 /* 2086 * Do an RSA operation, then remove the message padding 2087 */ 2088 int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx, 2089 int (*f_rng)(void *, unsigned char *, size_t), 2090 void *p_rng, 2091 size_t *olen, 2092 const unsigned char *input, 2093 unsigned char *output, 2094 size_t output_max_len) 2095 { 2096 switch (ctx->padding) { 2097 #if defined(MBEDTLS_PKCS1_V15) 2098 case MBEDTLS_RSA_PKCS_V15: 2099 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen, 2100 input, output, output_max_len); 2101 #endif 2102 2103 #if defined(MBEDTLS_PKCS1_V21) 2104 case MBEDTLS_RSA_PKCS_V21: 2105 return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0, 2106 olen, input, output, 2107 output_max_len); 2108 #endif 2109 2110 default: 2111 return MBEDTLS_ERR_RSA_INVALID_PADDING; 2112 } 2113 } 2114 2115 #if defined(MBEDTLS_PKCS1_V21) 2116 static int rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx, 2117 int (*f_rng)(void *, unsigned char *, size_t), 2118 void *p_rng, 2119 mbedtls_md_type_t md_alg, 2120 unsigned int hashlen, 2121 const unsigned char *hash, 2122 int saltlen, 2123 unsigned char *sig) 2124 { 2125 size_t olen; 2126 unsigned char *p = sig; 2127 unsigned char *salt = NULL; 2128 size_t slen, min_slen, hlen, offset = 0; 2129 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2130 size_t msb; 2131 mbedtls_md_type_t hash_id; 2132 2133 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) { 2134 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2135 } 2136 2137 if (f_rng == NULL) { 2138 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2139 } 2140 2141 olen = ctx->len; 2142 2143 if (md_alg != MBEDTLS_MD_NONE) { 2144 /* Gather length of hash to sign */ 2145 size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg); 2146 if (exp_hashlen == 0) { 2147 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2148 } 2149 2150 if (hashlen != exp_hashlen) { 2151 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2152 } 2153 } 2154 2155 hash_id = (mbedtls_md_type_t) ctx->hash_id; 2156 if (hash_id == MBEDTLS_MD_NONE) { 2157 hash_id = md_alg; 2158 } 2159 hlen = mbedtls_md_get_size_from_type(hash_id); 2160 if (hlen == 0) { 2161 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2162 } 2163 2164 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) { 2165 /* Calculate the largest possible salt length, up to the hash size. 2166 * Normally this is the hash length, which is the maximum salt length 2167 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not 2168 * enough room, use the maximum salt length that fits. The constraint is 2169 * that the hash length plus the salt length plus 2 bytes must be at most 2170 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017 2171 * (PKCS#1 v2.2) §9.1.1 step 3. */ 2172 min_slen = hlen - 2; 2173 if (olen < hlen + min_slen + 2) { 2174 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2175 } else if (olen >= hlen + hlen + 2) { 2176 slen = hlen; 2177 } else { 2178 slen = olen - hlen - 2; 2179 } 2180 } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) { 2181 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2182 } else { 2183 slen = (size_t) saltlen; 2184 } 2185 2186 memset(sig, 0, olen); 2187 2188 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 2189 msb = mbedtls_mpi_bitlen(&ctx->N) - 1; 2190 p += olen - hlen - slen - 2; 2191 *p++ = 0x01; 2192 2193 /* Generate salt of length slen in place in the encoded message */ 2194 salt = p; 2195 if ((ret = f_rng(p_rng, salt, slen)) != 0) { 2196 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret); 2197 } 2198 2199 p += slen; 2200 2201 /* Generate H = Hash( M' ) */ 2202 ret = hash_mprime(hash, hashlen, salt, slen, p, hash_id); 2203 if (ret != 0) { 2204 return ret; 2205 } 2206 2207 /* Compensate for boundary condition when applying mask */ 2208 if (msb % 8 == 0) { 2209 offset = 1; 2210 } 2211 2212 /* maskedDB: Apply dbMask to DB */ 2213 ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen, hash_id); 2214 if (ret != 0) { 2215 return ret; 2216 } 2217 2218 msb = mbedtls_mpi_bitlen(&ctx->N) - 1; 2219 sig[0] &= 0xFF >> (olen * 8 - msb); 2220 2221 p += hlen; 2222 *p++ = 0xBC; 2223 2224 if (ctx->P.n == 0) 2225 return mbedtls_rsa_private(ctx, NULL, NULL, sig, sig); 2226 2227 return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig); 2228 } 2229 2230 static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx, 2231 int (*f_rng)(void *, unsigned char *, size_t), 2232 void *p_rng, 2233 mbedtls_md_type_t md_alg, 2234 unsigned int hashlen, 2235 const unsigned char *hash, 2236 int saltlen, 2237 unsigned char *sig) 2238 { 2239 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) { 2240 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2241 } 2242 if ((ctx->hash_id == MBEDTLS_MD_NONE) && (md_alg == MBEDTLS_MD_NONE)) { 2243 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2244 } 2245 return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg, hashlen, hash, saltlen, 2246 sig); 2247 } 2248 2249 int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx, 2250 int (*f_rng)(void *, unsigned char *, size_t), 2251 void *p_rng, 2252 mbedtls_md_type_t md_alg, 2253 unsigned int hashlen, 2254 const unsigned char *hash, 2255 unsigned char *sig) 2256 { 2257 return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg, 2258 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig); 2259 } 2260 2261 /* 2262 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with 2263 * the option to pass in the salt length. 2264 */ 2265 int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx, 2266 int (*f_rng)(void *, unsigned char *, size_t), 2267 void *p_rng, 2268 mbedtls_md_type_t md_alg, 2269 unsigned int hashlen, 2270 const unsigned char *hash, 2271 int saltlen, 2272 unsigned char *sig) 2273 { 2274 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg, 2275 hashlen, hash, saltlen, sig); 2276 } 2277 2278 /* 2279 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 2280 */ 2281 int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx, 2282 int (*f_rng)(void *, unsigned char *, size_t), 2283 void *p_rng, 2284 mbedtls_md_type_t md_alg, 2285 unsigned int hashlen, 2286 const unsigned char *hash, 2287 unsigned char *sig) 2288 { 2289 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg, 2290 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig); 2291 } 2292 #endif /* MBEDTLS_PKCS1_V21 */ 2293 2294 #if defined(MBEDTLS_PKCS1_V15) 2295 /* 2296 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 2297 */ 2298 2299 /* Construct a PKCS v1.5 encoding of a hashed message 2300 * 2301 * This is used both for signature generation and verification. 2302 * 2303 * Parameters: 2304 * - md_alg: Identifies the hash algorithm used to generate the given hash; 2305 * MBEDTLS_MD_NONE if raw data is signed. 2306 * - hashlen: Length of hash. Must match md_alg if that's not NONE. 2307 * - hash: Buffer containing the hashed message or the raw data. 2308 * - dst_len: Length of the encoded message. 2309 * - dst: Buffer to hold the encoded message. 2310 * 2311 * Assumptions: 2312 * - hash has size hashlen. 2313 * - dst points to a buffer of size at least dst_len. 2314 * 2315 */ 2316 static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg, 2317 unsigned int hashlen, 2318 const unsigned char *hash, 2319 size_t dst_len, 2320 unsigned char *dst) 2321 { 2322 size_t oid_size = 0; 2323 size_t nb_pad = dst_len; 2324 unsigned char *p = dst; 2325 const char *oid = NULL; 2326 2327 /* Are we signing hashed or raw data? */ 2328 if (md_alg != MBEDTLS_MD_NONE) { 2329 unsigned char md_size = mbedtls_md_get_size_from_type(md_alg); 2330 if (md_size == 0) { 2331 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2332 } 2333 2334 if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) { 2335 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2336 } 2337 2338 if (hashlen != md_size) { 2339 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2340 } 2341 2342 /* Double-check that 8 + hashlen + oid_size can be used as a 2343 * 1-byte ASN.1 length encoding and that there's no overflow. */ 2344 if (8 + hashlen + oid_size >= 0x80 || 2345 10 + hashlen < hashlen || 2346 10 + hashlen + oid_size < 10 + hashlen) { 2347 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2348 } 2349 2350 /* 2351 * Static bounds check: 2352 * - Need 10 bytes for five tag-length pairs. 2353 * (Insist on 1-byte length encodings to protect against variants of 2354 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification) 2355 * - Need hashlen bytes for hash 2356 * - Need oid_size bytes for hash alg OID. 2357 */ 2358 if (nb_pad < 10 + hashlen + oid_size) { 2359 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2360 } 2361 nb_pad -= 10 + hashlen + oid_size; 2362 } else { 2363 if (nb_pad < hashlen) { 2364 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2365 } 2366 2367 nb_pad -= hashlen; 2368 } 2369 2370 /* Need space for signature header and padding delimiter (3 bytes), 2371 * and 8 bytes for the minimal padding */ 2372 if (nb_pad < 3 + 8) { 2373 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2374 } 2375 nb_pad -= 3; 2376 2377 /* Now nb_pad is the amount of memory to be filled 2378 * with padding, and at least 8 bytes long. */ 2379 2380 /* Write signature header and padding */ 2381 *p++ = 0; 2382 *p++ = MBEDTLS_RSA_SIGN; 2383 memset(p, 0xFF, nb_pad); 2384 p += nb_pad; 2385 *p++ = 0; 2386 2387 /* Are we signing raw data? */ 2388 if (md_alg == MBEDTLS_MD_NONE) { 2389 memcpy(p, hash, hashlen); 2390 return 0; 2391 } 2392 2393 /* Signing hashed data, add corresponding ASN.1 structure 2394 * 2395 * DigestInfo ::= SEQUENCE { 2396 * digestAlgorithm DigestAlgorithmIdentifier, 2397 * digest Digest } 2398 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 2399 * Digest ::= OCTET STRING 2400 * 2401 * Schematic: 2402 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] 2403 * TAG-NULL + LEN [ NULL ] ] 2404 * TAG-OCTET + LEN [ HASH ] ] 2405 */ 2406 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 2407 *p++ = (unsigned char) (0x08 + oid_size + hashlen); 2408 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 2409 *p++ = (unsigned char) (0x04 + oid_size); 2410 *p++ = MBEDTLS_ASN1_OID; 2411 *p++ = (unsigned char) oid_size; 2412 memcpy(p, oid, oid_size); 2413 p += oid_size; 2414 *p++ = MBEDTLS_ASN1_NULL; 2415 *p++ = 0x00; 2416 *p++ = MBEDTLS_ASN1_OCTET_STRING; 2417 *p++ = (unsigned char) hashlen; 2418 memcpy(p, hash, hashlen); 2419 p += hashlen; 2420 2421 /* Just a sanity-check, should be automatic 2422 * after the initial bounds check. */ 2423 if (p != dst + dst_len) { 2424 mbedtls_platform_zeroize(dst, dst_len); 2425 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2426 } 2427 2428 return 0; 2429 } 2430 2431 /* 2432 * Do an RSA operation to sign the message digest 2433 */ 2434 int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx, 2435 int (*f_rng)(void *, unsigned char *, size_t), 2436 void *p_rng, 2437 mbedtls_md_type_t md_alg, 2438 unsigned int hashlen, 2439 const unsigned char *hash, 2440 unsigned char *sig) 2441 { 2442 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2443 unsigned char *sig_try = NULL, *verif = NULL; 2444 2445 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) { 2446 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2447 } 2448 2449 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) { 2450 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2451 } 2452 2453 /* 2454 * Prepare PKCS1-v1.5 encoding (padding and hash identifier) 2455 */ 2456 2457 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, 2458 ctx->len, sig)) != 0) { 2459 return ret; 2460 } 2461 2462 /* Private key operation 2463 * 2464 * In order to prevent Lenstra's attack, make the signature in a 2465 * temporary buffer and check it before returning it. 2466 */ 2467 2468 sig_try = mbedtls_calloc(1, ctx->len); 2469 if (sig_try == NULL) { 2470 return MBEDTLS_ERR_MPI_ALLOC_FAILED; 2471 } 2472 2473 verif = mbedtls_calloc(1, ctx->len); 2474 if (verif == NULL) { 2475 mbedtls_free(sig_try); 2476 return MBEDTLS_ERR_MPI_ALLOC_FAILED; 2477 } 2478 2479 MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try)); 2480 MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif)); 2481 2482 if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) { 2483 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 2484 goto cleanup; 2485 } 2486 2487 memcpy(sig, sig_try, ctx->len); 2488 2489 cleanup: 2490 mbedtls_zeroize_and_free(sig_try, ctx->len); 2491 mbedtls_zeroize_and_free(verif, ctx->len); 2492 2493 if (ret != 0) { 2494 memset(sig, '!', ctx->len); 2495 } 2496 return ret; 2497 } 2498 #endif /* MBEDTLS_PKCS1_V15 */ 2499 2500 /* 2501 * Do an RSA operation to sign the message digest 2502 */ 2503 int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx, 2504 int (*f_rng)(void *, unsigned char *, size_t), 2505 void *p_rng, 2506 mbedtls_md_type_t md_alg, 2507 unsigned int hashlen, 2508 const unsigned char *hash, 2509 unsigned char *sig) 2510 { 2511 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) { 2512 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2513 } 2514 2515 switch (ctx->padding) { 2516 #if defined(MBEDTLS_PKCS1_V15) 2517 case MBEDTLS_RSA_PKCS_V15: 2518 return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng, 2519 md_alg, hashlen, hash, sig); 2520 #endif 2521 2522 #if defined(MBEDTLS_PKCS1_V21) 2523 case MBEDTLS_RSA_PKCS_V21: 2524 return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg, 2525 hashlen, hash, sig); 2526 #endif 2527 2528 default: 2529 return MBEDTLS_ERR_RSA_INVALID_PADDING; 2530 } 2531 } 2532 2533 #if defined(MBEDTLS_PKCS1_V21) 2534 /* 2535 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 2536 */ 2537 int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx, 2538 mbedtls_md_type_t md_alg, 2539 unsigned int hashlen, 2540 const unsigned char *hash, 2541 mbedtls_md_type_t mgf1_hash_id, 2542 int expected_salt_len, 2543 const unsigned char *sig) 2544 { 2545 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2546 size_t siglen; 2547 unsigned char *p; 2548 unsigned char *hash_start; 2549 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 2550 unsigned int hlen; 2551 size_t observed_salt_len, msb; 2552 unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 }; 2553 2554 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) { 2555 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2556 } 2557 2558 siglen = ctx->len; 2559 2560 if (siglen < 16 || siglen > sizeof(buf)) { 2561 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2562 } 2563 2564 ret = mbedtls_rsa_public(ctx, sig, buf); 2565 2566 if (ret != 0) { 2567 return ret; 2568 } 2569 2570 p = buf; 2571 2572 if (buf[siglen - 1] != 0xBC) { 2573 return MBEDTLS_ERR_RSA_INVALID_PADDING; 2574 } 2575 2576 if (md_alg != MBEDTLS_MD_NONE) { 2577 /* Gather length of hash to sign */ 2578 size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg); 2579 if (exp_hashlen == 0) { 2580 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2581 } 2582 2583 if (hashlen != exp_hashlen) { 2584 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2585 } 2586 } 2587 2588 hlen = mbedtls_md_get_size_from_type(mgf1_hash_id); 2589 if (hlen == 0) { 2590 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2591 } 2592 2593 /* 2594 * Note: EMSA-PSS verification is over the length of N - 1 bits 2595 */ 2596 msb = mbedtls_mpi_bitlen(&ctx->N) - 1; 2597 2598 if (buf[0] >> (8 - siglen * 8 + msb)) { 2599 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2600 } 2601 2602 /* Compensate for boundary condition when applying mask */ 2603 if (msb % 8 == 0) { 2604 p++; 2605 siglen -= 1; 2606 } 2607 2608 if (siglen < hlen + 2) { 2609 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2610 } 2611 hash_start = p + siglen - hlen - 1; 2612 2613 ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id); 2614 if (ret != 0) { 2615 return ret; 2616 } 2617 2618 buf[0] &= 0xFF >> (siglen * 8 - msb); 2619 2620 while (p < hash_start - 1 && *p == 0) { 2621 p++; 2622 } 2623 2624 if (*p++ != 0x01) { 2625 return MBEDTLS_ERR_RSA_INVALID_PADDING; 2626 } 2627 2628 observed_salt_len = (size_t) (hash_start - p); 2629 2630 if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 2631 observed_salt_len != (size_t) expected_salt_len) { 2632 return MBEDTLS_ERR_RSA_INVALID_PADDING; 2633 } 2634 2635 /* 2636 * Generate H = Hash( M' ) 2637 */ 2638 ret = hash_mprime(hash, hashlen, p, observed_salt_len, 2639 result, mgf1_hash_id); 2640 if (ret != 0) { 2641 return ret; 2642 } 2643 2644 if (FTMN_CALLEE_DONE_MEMCMP(memcmp, hash_start, result, hlen) != 0) { 2645 return MBEDTLS_ERR_RSA_VERIFY_FAILED; 2646 } 2647 2648 return 0; 2649 } 2650 2651 /* 2652 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 2653 */ 2654 int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx, 2655 mbedtls_md_type_t md_alg, 2656 unsigned int hashlen, 2657 const unsigned char *hash, 2658 const unsigned char *sig) 2659 { 2660 mbedtls_md_type_t mgf1_hash_id; 2661 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) { 2662 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2663 } 2664 2665 mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE) 2666 ? (mbedtls_md_type_t) ctx->hash_id 2667 : md_alg; 2668 2669 return mbedtls_rsa_rsassa_pss_verify_ext(ctx, 2670 md_alg, hashlen, hash, 2671 mgf1_hash_id, 2672 MBEDTLS_RSA_SALT_LEN_ANY, 2673 sig); 2674 2675 } 2676 #endif /* MBEDTLS_PKCS1_V21 */ 2677 2678 #if defined(MBEDTLS_PKCS1_V15) 2679 /* 2680 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 2681 */ 2682 int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx, 2683 mbedtls_md_type_t md_alg, 2684 unsigned int hashlen, 2685 const unsigned char *hash, 2686 const unsigned char *sig) 2687 { 2688 int ret = 0; 2689 size_t sig_len; 2690 unsigned char *encoded = NULL, *encoded_expected = NULL; 2691 2692 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) { 2693 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2694 } 2695 2696 sig_len = ctx->len; 2697 2698 /* 2699 * Prepare expected PKCS1 v1.5 encoding of hash. 2700 */ 2701 2702 if ((encoded = mbedtls_calloc(1, sig_len)) == NULL || 2703 (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) { 2704 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; 2705 goto cleanup; 2706 } 2707 2708 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len, 2709 encoded_expected)) != 0) { 2710 goto cleanup; 2711 } 2712 2713 /* 2714 * Apply RSA primitive to get what should be PKCS1 encoded hash. 2715 */ 2716 2717 ret = mbedtls_rsa_public(ctx, sig, encoded); 2718 if (ret != 0) { 2719 goto cleanup; 2720 } 2721 2722 /* 2723 * Compare 2724 */ 2725 2726 if ((ret = FTMN_CALLEE_DONE_MEMCMP(mbedtls_ct_memcmp, encoded, 2727 encoded_expected, sig_len )) != 0) { 2728 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 2729 goto cleanup; 2730 } 2731 2732 cleanup: 2733 2734 if (encoded != NULL) { 2735 mbedtls_zeroize_and_free(encoded, sig_len); 2736 } 2737 2738 if (encoded_expected != NULL) { 2739 mbedtls_zeroize_and_free(encoded_expected, sig_len); 2740 } 2741 2742 return ret; 2743 } 2744 #endif /* MBEDTLS_PKCS1_V15 */ 2745 2746 /* 2747 * Do an RSA operation and check the message digest 2748 */ 2749 int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx, 2750 mbedtls_md_type_t md_alg, 2751 unsigned int hashlen, 2752 const unsigned char *hash, 2753 const unsigned char *sig) 2754 { 2755 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) { 2756 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; 2757 } 2758 2759 switch (ctx->padding) { 2760 #if defined(MBEDTLS_PKCS1_V15) 2761 case MBEDTLS_RSA_PKCS_V15: 2762 return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg, 2763 hashlen, hash, sig); 2764 #endif 2765 2766 #if defined(MBEDTLS_PKCS1_V21) 2767 case MBEDTLS_RSA_PKCS_V21: 2768 return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg, 2769 hashlen, hash, sig); 2770 #endif 2771 2772 default: 2773 return MBEDTLS_ERR_RSA_INVALID_PADDING; 2774 } 2775 } 2776 2777 /* 2778 * Copy the components of an RSA key 2779 */ 2780 int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src) 2781 { 2782 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2783 2784 dst->len = src->len; 2785 2786 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N)); 2787 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E)); 2788 2789 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D)); 2790 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P)); 2791 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q)); 2792 2793 #if !defined(MBEDTLS_RSA_NO_CRT) 2794 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP)); 2795 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ)); 2796 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP)); 2797 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP)); 2798 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ)); 2799 #endif 2800 2801 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN)); 2802 2803 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi)); 2804 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf)); 2805 2806 dst->padding = src->padding; 2807 dst->hash_id = src->hash_id; 2808 2809 cleanup: 2810 if (ret != 0) { 2811 mbedtls_rsa_free(dst); 2812 } 2813 2814 return ret; 2815 } 2816 2817 /* 2818 * Free the components of an RSA key 2819 */ 2820 void mbedtls_rsa_free(mbedtls_rsa_context *ctx) 2821 { 2822 if (ctx == NULL) { 2823 return; 2824 } 2825 2826 mbedtls_mpi_free(&ctx->Vi); 2827 mbedtls_mpi_free(&ctx->Vf); 2828 mbedtls_mpi_free(&ctx->RN); 2829 mbedtls_mpi_free(&ctx->D); 2830 mbedtls_mpi_free(&ctx->Q); 2831 mbedtls_mpi_free(&ctx->P); 2832 mbedtls_mpi_free(&ctx->E); 2833 mbedtls_mpi_free(&ctx->N); 2834 2835 #if !defined(MBEDTLS_RSA_NO_CRT) 2836 mbedtls_mpi_free(&ctx->RQ); 2837 mbedtls_mpi_free(&ctx->RP); 2838 mbedtls_mpi_free(&ctx->QP); 2839 mbedtls_mpi_free(&ctx->DQ); 2840 mbedtls_mpi_free(&ctx->DP); 2841 #endif /* MBEDTLS_RSA_NO_CRT */ 2842 2843 #if defined(MBEDTLS_THREADING_C) 2844 /* Free the mutex, but only if it hasn't been freed already. */ 2845 if (ctx->ver != 0) { 2846 mbedtls_mutex_free(&ctx->mutex); 2847 ctx->ver = 0; 2848 } 2849 #endif 2850 } 2851 2852 #endif /* !MBEDTLS_RSA_ALT */ 2853 2854 #if defined(MBEDTLS_SELF_TEST) 2855 2856 2857 /* 2858 * Example RSA-1024 keypair, for test purposes 2859 */ 2860 #define KEY_LEN 128 2861 2862 #define RSA_N "9292758453063D803DD603D5E777D788" \ 2863 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 2864 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 2865 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 2866 "93A89813FBF3C4F8066D2D800F7C38A8" \ 2867 "1AE31942917403FF4946B0A83D3D3E05" \ 2868 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 2869 "5E94BB77B07507233A0BC7BAC8F90F79" 2870 2871 #define RSA_E "10001" 2872 2873 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 2874 "66CA472BC44D253102F8B4A9D3BFA750" \ 2875 "91386C0077937FE33FA3252D28855837" \ 2876 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 2877 "DF79C5CE07EE72C7F123142198164234" \ 2878 "CABB724CF78B8173B9F880FC86322407" \ 2879 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 2880 "071513A1E85B5DFA031F21ECAE91A34D" 2881 2882 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 2883 "2C01CAD19EA484A87EA4377637E75500" \ 2884 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 2885 "C3D9E75E1EFC42488BB4F1D13AC30A57" 2886 2887 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 2888 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 2889 "910E4168387E3C30AA1E00C339A79508" \ 2890 "8452DD96A9A5EA5D9DCA68DA636032AF" 2891 2892 #define PT_LEN 24 2893 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 2894 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 2895 2896 #if defined(MBEDTLS_PKCS1_V15) 2897 static int myrand(void *rng_state, unsigned char *output, size_t len) 2898 { 2899 #if !defined(__OpenBSD__) && !defined(__NetBSD__) 2900 size_t i; 2901 2902 if (rng_state != NULL) { 2903 rng_state = NULL; 2904 } 2905 2906 for (i = 0; i < len; ++i) { 2907 output[i] = rand(); 2908 } 2909 #else 2910 if (rng_state != NULL) { 2911 rng_state = NULL; 2912 } 2913 2914 arc4random_buf(output, len); 2915 #endif /* !OpenBSD && !NetBSD */ 2916 2917 return 0; 2918 } 2919 #endif /* MBEDTLS_PKCS1_V15 */ 2920 2921 /* 2922 * Checkup routine 2923 */ 2924 int mbedtls_rsa_self_test(int verbose) 2925 { 2926 int ret = 0; 2927 #if defined(MBEDTLS_PKCS1_V15) 2928 size_t len; 2929 mbedtls_rsa_context rsa; 2930 unsigned char rsa_plaintext[PT_LEN]; 2931 unsigned char rsa_decrypted[PT_LEN]; 2932 unsigned char rsa_ciphertext[KEY_LEN]; 2933 #if defined(MBEDTLS_MD_CAN_SHA1) 2934 unsigned char sha1sum[20]; 2935 #endif 2936 2937 mbedtls_mpi K; 2938 2939 mbedtls_mpi_init(&K); 2940 mbedtls_rsa_init(&rsa); 2941 2942 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N)); 2943 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL)); 2944 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P)); 2945 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL)); 2946 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q)); 2947 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL)); 2948 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D)); 2949 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL)); 2950 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E)); 2951 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K)); 2952 2953 MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa)); 2954 2955 if (verbose != 0) { 2956 mbedtls_printf(" RSA key validation: "); 2957 } 2958 2959 if (mbedtls_rsa_check_pubkey(&rsa) != 0 || 2960 mbedtls_rsa_check_privkey(&rsa) != 0) { 2961 if (verbose != 0) { 2962 mbedtls_printf("failed\n"); 2963 } 2964 2965 ret = 1; 2966 goto cleanup; 2967 } 2968 2969 if (verbose != 0) { 2970 mbedtls_printf("passed\n PKCS#1 encryption : "); 2971 } 2972 2973 memcpy(rsa_plaintext, RSA_PT, PT_LEN); 2974 2975 if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL, 2976 PT_LEN, rsa_plaintext, 2977 rsa_ciphertext) != 0) { 2978 if (verbose != 0) { 2979 mbedtls_printf("failed\n"); 2980 } 2981 2982 ret = 1; 2983 goto cleanup; 2984 } 2985 2986 if (verbose != 0) { 2987 mbedtls_printf("passed\n PKCS#1 decryption : "); 2988 } 2989 2990 if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL, 2991 &len, rsa_ciphertext, rsa_decrypted, 2992 sizeof(rsa_decrypted)) != 0) { 2993 if (verbose != 0) { 2994 mbedtls_printf("failed\n"); 2995 } 2996 2997 ret = 1; 2998 goto cleanup; 2999 } 3000 3001 if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) { 3002 if (verbose != 0) { 3003 mbedtls_printf("failed\n"); 3004 } 3005 3006 ret = 1; 3007 goto cleanup; 3008 } 3009 3010 if (verbose != 0) { 3011 mbedtls_printf("passed\n"); 3012 } 3013 3014 #if defined(MBEDTLS_MD_CAN_SHA1) 3015 if (verbose != 0) { 3016 mbedtls_printf(" PKCS#1 data sign : "); 3017 } 3018 3019 if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), 3020 rsa_plaintext, PT_LEN, sha1sum) != 0) { 3021 if (verbose != 0) { 3022 mbedtls_printf("failed\n"); 3023 } 3024 3025 return 1; 3026 } 3027 3028 if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL, 3029 MBEDTLS_MD_SHA1, 20, 3030 sha1sum, rsa_ciphertext) != 0) { 3031 if (verbose != 0) { 3032 mbedtls_printf("failed\n"); 3033 } 3034 3035 ret = 1; 3036 goto cleanup; 3037 } 3038 3039 if (verbose != 0) { 3040 mbedtls_printf("passed\n PKCS#1 sig. verify: "); 3041 } 3042 3043 if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20, 3044 sha1sum, rsa_ciphertext) != 0) { 3045 if (verbose != 0) { 3046 mbedtls_printf("failed\n"); 3047 } 3048 3049 ret = 1; 3050 goto cleanup; 3051 } 3052 3053 if (verbose != 0) { 3054 mbedtls_printf("passed\n"); 3055 } 3056 #endif /* MBEDTLS_MD_CAN_SHA1 */ 3057 3058 if (verbose != 0) { 3059 mbedtls_printf("\n"); 3060 } 3061 3062 cleanup: 3063 mbedtls_mpi_free(&K); 3064 mbedtls_rsa_free(&rsa); 3065 #else /* MBEDTLS_PKCS1_V15 */ 3066 ((void) verbose); 3067 #endif /* MBEDTLS_PKCS1_V15 */ 3068 return ret; 3069 } 3070 3071 #endif /* MBEDTLS_SELF_TEST */ 3072 3073 #endif /* MBEDTLS_RSA_C */ 3074