Arcola / mbedtls

mbed TLS upgraded to 2.6.0

Fork of mbedtls by Mark Radbourne

library/rsa.c@2:bbdeda018a3c, 2017-09-29 (annotated)

Committer:
Jasper Wallace
Date:
Fri Sep 29 19:50:30 2017 +0100
Revision:
2:bbdeda018a3c
Parent:
0:cdf462088d13 
Update to mbedtls 2.6.0, many changes.



Changes to mbedtls sources made:



in include/mbedtls/config.h comment out:



#define MBEDTLS_FS_IO

#define MBEDTLS_NET_C

#define MBEDTLS_TIMING_C



uncomment:



#define MBEDTLS_NO_PLATFORM_ENTROPY



remove the following directorys:



programs

yotta

visualc

Who changed what in which revision?

UserRevisionLine numberNew contents of line
markrad 0:cdf462088d13 1 /*
markrad 0:cdf462088d13 2 * The RSA public-key cryptosystem
markrad 0:cdf462088d13 3 *
markrad 0:cdf462088d13 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
markrad 0:cdf462088d13 5 * SPDX-License-Identifier: Apache-2.0
markrad 0:cdf462088d13 6 *
markrad 0:cdf462088d13 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
markrad 0:cdf462088d13 8 * not use this file except in compliance with the License.
markrad 0:cdf462088d13 9 * You may obtain a copy of the License at
markrad 0:cdf462088d13 10 *
markrad 0:cdf462088d13 11 * http://www.apache.org/licenses/LICENSE-2.0
markrad 0:cdf462088d13 12 *
markrad 0:cdf462088d13 13 * Unless required by applicable law or agreed to in writing, software
markrad 0:cdf462088d13 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
markrad 0:cdf462088d13 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
markrad 0:cdf462088d13 16 * See the License for the specific language governing permissions and
markrad 0:cdf462088d13 17 * limitations under the License.
markrad 0:cdf462088d13 18 *
markrad 0:cdf462088d13 19 * This file is part of mbed TLS (https://tls.mbed.org)
markrad 0:cdf462088d13 20 */
markrad 0:cdf462088d13 21 /*
markrad 0:cdf462088d13 22 * The following sources were referenced in the design of this implementation
markrad 0:cdf462088d13 23 * of the RSA algorithm:
markrad 0:cdf462088d13 24 *
markrad 0:cdf462088d13 25 * [1] A method for obtaining digital signatures and public-key cryptosystems
markrad 0:cdf462088d13 26 * R Rivest, A Shamir, and L Adleman
markrad 0:cdf462088d13 27 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
markrad 0:cdf462088d13 28 *
markrad 0:cdf462088d13 29 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
markrad 0:cdf462088d13 30 * Menezes, van Oorschot and Vanstone
markrad 0:cdf462088d13 31 *
Jasper Wallace 2:bbdeda018a3c 32 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
Jasper Wallace 2:bbdeda018a3c 33 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
Jasper Wallace 2:bbdeda018a3c 34 * Stefan Mangard
Jasper Wallace 2:bbdeda018a3c 35 * https://arxiv.org/abs/1702.08719v2
Jasper Wallace 2:bbdeda018a3c 36 *
markrad 0:cdf462088d13 37 */
markrad 0:cdf462088d13 38
markrad 0:cdf462088d13 39 #if !defined(MBEDTLS_CONFIG_FILE)
markrad 0:cdf462088d13 40 #include "mbedtls/config.h"
markrad 0:cdf462088d13 41 #else
markrad 0:cdf462088d13 42 #include MBEDTLS_CONFIG_FILE
markrad 0:cdf462088d13 43 #endif
markrad 0:cdf462088d13 44
markrad 0:cdf462088d13 45 #if defined(MBEDTLS_RSA_C)
markrad 0:cdf462088d13 46
markrad 0:cdf462088d13 47 #include "mbedtls/rsa.h"
markrad 0:cdf462088d13 48 #include "mbedtls/oid.h"
markrad 0:cdf462088d13 49
markrad 0:cdf462088d13 50 #include <string.h>
markrad 0:cdf462088d13 51
markrad 0:cdf462088d13 52 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 53 #include "mbedtls/md.h"
markrad 0:cdf462088d13 54 #endif
markrad 0:cdf462088d13 55
markrad 0:cdf462088d13 56 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
markrad 0:cdf462088d13 57 #include <stdlib.h>
markrad 0:cdf462088d13 58 #endif
markrad 0:cdf462088d13 59
markrad 0:cdf462088d13 60 #if defined(MBEDTLS_PLATFORM_C)
markrad 0:cdf462088d13 61 #include "mbedtls/platform.h"
markrad 0:cdf462088d13 62 #else
markrad 0:cdf462088d13 63 #include <stdio.h>
markrad 0:cdf462088d13 64 #define mbedtls_printf printf
markrad 0:cdf462088d13 65 #define mbedtls_calloc calloc
markrad 0:cdf462088d13 66 #define mbedtls_free free
markrad 0:cdf462088d13 67 #endif
markrad 0:cdf462088d13 68
Jasper Wallace 2:bbdeda018a3c 69 /* Implementation that should never be optimized out by the compiler */
Jasper Wallace 2:bbdeda018a3c 70 static void mbedtls_zeroize( void *v, size_t n ) {
Jasper Wallace 2:bbdeda018a3c 71 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
Jasper Wallace 2:bbdeda018a3c 72 }
Jasper Wallace 2:bbdeda018a3c 73
markrad 0:cdf462088d13 74 /*
markrad 0:cdf462088d13 75 * Initialize an RSA context
markrad 0:cdf462088d13 76 */
markrad 0:cdf462088d13 77 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 78 int padding,
markrad 0:cdf462088d13 79 int hash_id )
markrad 0:cdf462088d13 80 {
markrad 0:cdf462088d13 81 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
markrad 0:cdf462088d13 82
markrad 0:cdf462088d13 83 mbedtls_rsa_set_padding( ctx, padding, hash_id );
markrad 0:cdf462088d13 84
markrad 0:cdf462088d13 85 #if defined(MBEDTLS_THREADING_C)
markrad 0:cdf462088d13 86 mbedtls_mutex_init( &ctx->mutex );
markrad 0:cdf462088d13 87 #endif
markrad 0:cdf462088d13 88 }
markrad 0:cdf462088d13 89
markrad 0:cdf462088d13 90 /*
markrad 0:cdf462088d13 91 * Set padding for an existing RSA context
markrad 0:cdf462088d13 92 */
markrad 0:cdf462088d13 93 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
markrad 0:cdf462088d13 94 {
markrad 0:cdf462088d13 95 ctx->padding = padding;
markrad 0:cdf462088d13 96 ctx->hash_id = hash_id;
markrad 0:cdf462088d13 97 }
markrad 0:cdf462088d13 98
markrad 0:cdf462088d13 99 #if defined(MBEDTLS_GENPRIME)
markrad 0:cdf462088d13 100
markrad 0:cdf462088d13 101 /*
markrad 0:cdf462088d13 102 * Generate an RSA keypair
markrad 0:cdf462088d13 103 */
markrad 0:cdf462088d13 104 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 105 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 106 void *p_rng,
markrad 0:cdf462088d13 107 unsigned int nbits, int exponent )
markrad 0:cdf462088d13 108 {
markrad 0:cdf462088d13 109 int ret;
markrad 0:cdf462088d13 110 mbedtls_mpi P1, Q1, H, G;
markrad 0:cdf462088d13 111
markrad 0:cdf462088d13 112 if( f_rng == NULL || nbits < 128 || exponent < 3 )
markrad 0:cdf462088d13 113 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 114
markrad 0:cdf462088d13 115 if( nbits % 2 )
markrad 0:cdf462088d13 116 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 117
markrad 0:cdf462088d13 118 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
markrad 0:cdf462088d13 119 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
markrad 0:cdf462088d13 120
markrad 0:cdf462088d13 121 /*
markrad 0:cdf462088d13 122 * find primes P and Q with Q < P so that:
markrad 0:cdf462088d13 123 * GCD( E, (P-1)*(Q-1) ) == 1
markrad 0:cdf462088d13 124 */
markrad 0:cdf462088d13 125 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
markrad 0:cdf462088d13 126
markrad 0:cdf462088d13 127 do
markrad 0:cdf462088d13 128 {
markrad 0:cdf462088d13 129 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
markrad 0:cdf462088d13 130 f_rng, p_rng ) );
markrad 0:cdf462088d13 131
markrad 0:cdf462088d13 132 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
markrad 0:cdf462088d13 133 f_rng, p_rng ) );
markrad 0:cdf462088d13 134
markrad 0:cdf462088d13 135 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
markrad 0:cdf462088d13 136 continue;
markrad 0:cdf462088d13 137
markrad 0:cdf462088d13 138 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
markrad 0:cdf462088d13 139 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
markrad 0:cdf462088d13 140 continue;
markrad 0:cdf462088d13 141
markrad 0:cdf462088d13 142 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
markrad 0:cdf462088d13 143 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
markrad 0:cdf462088d13 144
markrad 0:cdf462088d13 145 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
markrad 0:cdf462088d13 146 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
markrad 0:cdf462088d13 147 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
markrad 0:cdf462088d13 148 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
markrad 0:cdf462088d13 149 }
markrad 0:cdf462088d13 150 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
markrad 0:cdf462088d13 151
markrad 0:cdf462088d13 152 /*
markrad 0:cdf462088d13 153 * D = E^-1 mod ((P-1)*(Q-1))
markrad 0:cdf462088d13 154 * DP = D mod (P - 1)
markrad 0:cdf462088d13 155 * DQ = D mod (Q - 1)
markrad 0:cdf462088d13 156 * QP = Q^-1 mod P
markrad 0:cdf462088d13 157 */
markrad 0:cdf462088d13 158 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
markrad 0:cdf462088d13 159 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
markrad 0:cdf462088d13 160 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
markrad 0:cdf462088d13 161 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
markrad 0:cdf462088d13 162
markrad 0:cdf462088d13 163 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
markrad 0:cdf462088d13 164
markrad 0:cdf462088d13 165 cleanup:
markrad 0:cdf462088d13 166
markrad 0:cdf462088d13 167 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
markrad 0:cdf462088d13 168
markrad 0:cdf462088d13 169 if( ret != 0 )
markrad 0:cdf462088d13 170 {
markrad 0:cdf462088d13 171 mbedtls_rsa_free( ctx );
markrad 0:cdf462088d13 172 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
markrad 0:cdf462088d13 173 }
markrad 0:cdf462088d13 174
markrad 0:cdf462088d13 175 return( 0 );
markrad 0:cdf462088d13 176 }
markrad 0:cdf462088d13 177
markrad 0:cdf462088d13 178 #endif /* MBEDTLS_GENPRIME */
markrad 0:cdf462088d13 179
markrad 0:cdf462088d13 180 /*
markrad 0:cdf462088d13 181 * Check a public RSA key
markrad 0:cdf462088d13 182 */
markrad 0:cdf462088d13 183 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
markrad 0:cdf462088d13 184 {
markrad 0:cdf462088d13 185 if( !ctx->N.p || !ctx->E.p )
markrad 0:cdf462088d13 186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
markrad 0:cdf462088d13 187
markrad 0:cdf462088d13 188 if( ( ctx->N.p[0] & 1 ) == 0 ||
markrad 0:cdf462088d13 189 ( ctx->E.p[0] & 1 ) == 0 )
markrad 0:cdf462088d13 190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
markrad 0:cdf462088d13 191
markrad 0:cdf462088d13 192 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
markrad 0:cdf462088d13 193 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
markrad 0:cdf462088d13 194 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
markrad 0:cdf462088d13 195
markrad 0:cdf462088d13 196 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
markrad 0:cdf462088d13 197 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
markrad 0:cdf462088d13 198 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
markrad 0:cdf462088d13 199
markrad 0:cdf462088d13 200 return( 0 );
markrad 0:cdf462088d13 201 }
markrad 0:cdf462088d13 202
markrad 0:cdf462088d13 203 /*
markrad 0:cdf462088d13 204 * Check a private RSA key
markrad 0:cdf462088d13 205 */
markrad 0:cdf462088d13 206 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
markrad 0:cdf462088d13 207 {
markrad 0:cdf462088d13 208 int ret;
markrad 0:cdf462088d13 209 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
markrad 0:cdf462088d13 210
markrad 0:cdf462088d13 211 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
markrad 0:cdf462088d13 212 return( ret );
markrad 0:cdf462088d13 213
markrad 0:cdf462088d13 214 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
markrad 0:cdf462088d13 215 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
markrad 0:cdf462088d13 216
markrad 0:cdf462088d13 217 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
markrad 0:cdf462088d13 218 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
markrad 0:cdf462088d13 219 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
markrad 0:cdf462088d13 220 mbedtls_mpi_init( &QP );
markrad 0:cdf462088d13 221
markrad 0:cdf462088d13 222 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
markrad 0:cdf462088d13 223 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
markrad 0:cdf462088d13 224 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
markrad 0:cdf462088d13 225 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
markrad 0:cdf462088d13 226 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
markrad 0:cdf462088d13 227 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
markrad 0:cdf462088d13 228
markrad 0:cdf462088d13 229 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
markrad 0:cdf462088d13 230 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
markrad 0:cdf462088d13 231 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
markrad 0:cdf462088d13 232
markrad 0:cdf462088d13 233 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
markrad 0:cdf462088d13 234 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
markrad 0:cdf462088d13 235 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
markrad 0:cdf462088d13 236 /*
markrad 0:cdf462088d13 237 * Check for a valid PKCS1v2 private key
markrad 0:cdf462088d13 238 */
markrad 0:cdf462088d13 239 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
markrad 0:cdf462088d13 240 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
markrad 0:cdf462088d13 241 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
markrad 0:cdf462088d13 242 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
markrad 0:cdf462088d13 243 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||
markrad 0:cdf462088d13 244 mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||
markrad 0:cdf462088d13 245 mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
markrad 0:cdf462088d13 246 {
markrad 0:cdf462088d13 247 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
markrad 0:cdf462088d13 248 }
markrad 0:cdf462088d13 249
markrad 0:cdf462088d13 250 cleanup:
markrad 0:cdf462088d13 251 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
markrad 0:cdf462088d13 252 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
markrad 0:cdf462088d13 253 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
markrad 0:cdf462088d13 254 mbedtls_mpi_free( &QP );
markrad 0:cdf462088d13 255
markrad 0:cdf462088d13 256 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
markrad 0:cdf462088d13 257 return( ret );
markrad 0:cdf462088d13 258
markrad 0:cdf462088d13 259 if( ret != 0 )
markrad 0:cdf462088d13 260 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
markrad 0:cdf462088d13 261
markrad 0:cdf462088d13 262 return( 0 );
markrad 0:cdf462088d13 263 }
markrad 0:cdf462088d13 264
markrad 0:cdf462088d13 265 /*
markrad 0:cdf462088d13 266 * Check if contexts holding a public and private key match
markrad 0:cdf462088d13 267 */
markrad 0:cdf462088d13 268 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )
markrad 0:cdf462088d13 269 {
markrad 0:cdf462088d13 270 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
markrad 0:cdf462088d13 271 mbedtls_rsa_check_privkey( prv ) != 0 )
markrad 0:cdf462088d13 272 {
markrad 0:cdf462088d13 273 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
markrad 0:cdf462088d13 274 }
markrad 0:cdf462088d13 275
markrad 0:cdf462088d13 276 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
markrad 0:cdf462088d13 277 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
markrad 0:cdf462088d13 278 {
markrad 0:cdf462088d13 279 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
markrad 0:cdf462088d13 280 }
markrad 0:cdf462088d13 281
markrad 0:cdf462088d13 282 return( 0 );
markrad 0:cdf462088d13 283 }
markrad 0:cdf462088d13 284
markrad 0:cdf462088d13 285 /*
markrad 0:cdf462088d13 286 * Do an RSA public key operation
markrad 0:cdf462088d13 287 */
markrad 0:cdf462088d13 288 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 289 const unsigned char *input,
markrad 0:cdf462088d13 290 unsigned char *output )
markrad 0:cdf462088d13 291 {
markrad 0:cdf462088d13 292 int ret;
markrad 0:cdf462088d13 293 size_t olen;
markrad 0:cdf462088d13 294 mbedtls_mpi T;
markrad 0:cdf462088d13 295
markrad 0:cdf462088d13 296 mbedtls_mpi_init( &T );
markrad 0:cdf462088d13 297
markrad 0:cdf462088d13 298 #if defined(MBEDTLS_THREADING_C)
markrad 0:cdf462088d13 299 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
markrad 0:cdf462088d13 300 return( ret );
markrad 0:cdf462088d13 301 #endif
markrad 0:cdf462088d13 302
markrad 0:cdf462088d13 303 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
markrad 0:cdf462088d13 304
markrad 0:cdf462088d13 305 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
markrad 0:cdf462088d13 306 {
markrad 0:cdf462088d13 307 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
markrad 0:cdf462088d13 308 goto cleanup;
markrad 0:cdf462088d13 309 }
markrad 0:cdf462088d13 310
markrad 0:cdf462088d13 311 olen = ctx->len;
markrad 0:cdf462088d13 312 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
markrad 0:cdf462088d13 313 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
markrad 0:cdf462088d13 314
markrad 0:cdf462088d13 315 cleanup:
markrad 0:cdf462088d13 316 #if defined(MBEDTLS_THREADING_C)
markrad 0:cdf462088d13 317 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
markrad 0:cdf462088d13 318 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
markrad 0:cdf462088d13 319 #endif
markrad 0:cdf462088d13 320
markrad 0:cdf462088d13 321 mbedtls_mpi_free( &T );
markrad 0:cdf462088d13 322
markrad 0:cdf462088d13 323 if( ret != 0 )
markrad 0:cdf462088d13 324 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
markrad 0:cdf462088d13 325
markrad 0:cdf462088d13 326 return( 0 );
markrad 0:cdf462088d13 327 }
markrad 0:cdf462088d13 328
markrad 0:cdf462088d13 329 /*
markrad 0:cdf462088d13 330 * Generate or update blinding values, see section 10 of:
markrad 0:cdf462088d13 331 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
markrad 0:cdf462088d13 332 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
markrad 0:cdf462088d13 333 * Berlin Heidelberg, 1996. p. 104-113.
markrad 0:cdf462088d13 334 */
markrad 0:cdf462088d13 335 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 336 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
markrad 0:cdf462088d13 337 {
markrad 0:cdf462088d13 338 int ret, count = 0;
markrad 0:cdf462088d13 339
markrad 0:cdf462088d13 340 if( ctx->Vf.p != NULL )
markrad 0:cdf462088d13 341 {
markrad 0:cdf462088d13 342 /* We already have blinding values, just update them by squaring */
markrad 0:cdf462088d13 343 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
markrad 0:cdf462088d13 344 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
markrad 0:cdf462088d13 345 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
markrad 0:cdf462088d13 346 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
markrad 0:cdf462088d13 347
markrad 0:cdf462088d13 348 goto cleanup;
markrad 0:cdf462088d13 349 }
markrad 0:cdf462088d13 350
markrad 0:cdf462088d13 351 /* Unblinding value: Vf = random number, invertible mod N */
markrad 0:cdf462088d13 352 do {
markrad 0:cdf462088d13 353 if( count++ > 10 )
markrad 0:cdf462088d13 354 return( MBEDTLS_ERR_RSA_RNG_FAILED );
markrad 0:cdf462088d13 355
markrad 0:cdf462088d13 356 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
markrad 0:cdf462088d13 357 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
markrad 0:cdf462088d13 358 } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
markrad 0:cdf462088d13 359
markrad 0:cdf462088d13 360 /* Blinding value: Vi = Vf^(-e) mod N */
markrad 0:cdf462088d13 361 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
markrad 0:cdf462088d13 362 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
markrad 0:cdf462088d13 363
markrad 0:cdf462088d13 364
markrad 0:cdf462088d13 365 cleanup:
markrad 0:cdf462088d13 366 return( ret );
markrad 0:cdf462088d13 367 }
markrad 0:cdf462088d13 368
markrad 0:cdf462088d13 369 /*
Jasper Wallace 2:bbdeda018a3c 370 * Exponent blinding supposed to prevent side-channel attacks using multiple
Jasper Wallace 2:bbdeda018a3c 371 * traces of measurements to recover the RSA key. The more collisions are there,
Jasper Wallace 2:bbdeda018a3c 372 * the more bits of the key can be recovered. See [3].
Jasper Wallace 2:bbdeda018a3c 373 *
Jasper Wallace 2:bbdeda018a3c 374 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
Jasper Wallace 2:bbdeda018a3c 375 * observations on avarage.
Jasper Wallace 2:bbdeda018a3c 376 *
Jasper Wallace 2:bbdeda018a3c 377 * For example with 28 byte blinding to achieve 2 collisions the adversary has
Jasper Wallace 2:bbdeda018a3c 378 * to make 2^112 observations on avarage.
Jasper Wallace 2:bbdeda018a3c 379 *
Jasper Wallace 2:bbdeda018a3c 380 * (With the currently (as of 2017 April) known best algorithms breaking 2048
Jasper Wallace 2:bbdeda018a3c 381 * bit RSA requires approximately as much time as trying out 2^112 random keys.
Jasper Wallace 2:bbdeda018a3c 382 * Thus in this sense with 28 byte blinding the security is not reduced by
Jasper Wallace 2:bbdeda018a3c 383 * side-channel attacks like the one in [3])
Jasper Wallace 2:bbdeda018a3c 384 *
Jasper Wallace 2:bbdeda018a3c 385 * This countermeasure does not help if the key recovery is possible with a
Jasper Wallace 2:bbdeda018a3c 386 * single trace.
Jasper Wallace 2:bbdeda018a3c 387 */
Jasper Wallace 2:bbdeda018a3c 388 #define RSA_EXPONENT_BLINDING 28
Jasper Wallace 2:bbdeda018a3c 389
Jasper Wallace 2:bbdeda018a3c 390 /*
markrad 0:cdf462088d13 391 * Do an RSA private key operation
markrad 0:cdf462088d13 392 */
markrad 0:cdf462088d13 393 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 394 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 395 void *p_rng,
markrad 0:cdf462088d13 396 const unsigned char *input,
markrad 0:cdf462088d13 397 unsigned char *output )
markrad 0:cdf462088d13 398 {
markrad 0:cdf462088d13 399 int ret;
markrad 0:cdf462088d13 400 size_t olen;
markrad 0:cdf462088d13 401 mbedtls_mpi T, T1, T2;
Jasper Wallace 2:bbdeda018a3c 402 mbedtls_mpi P1, Q1, R;
Jasper Wallace 2:bbdeda018a3c 403 #if defined(MBEDTLS_RSA_NO_CRT)
Jasper Wallace 2:bbdeda018a3c 404 mbedtls_mpi D_blind;
Jasper Wallace 2:bbdeda018a3c 405 mbedtls_mpi *D = &ctx->D;
Jasper Wallace 2:bbdeda018a3c 406 #else
Jasper Wallace 2:bbdeda018a3c 407 mbedtls_mpi DP_blind, DQ_blind;
Jasper Wallace 2:bbdeda018a3c 408 mbedtls_mpi *DP = &ctx->DP;
Jasper Wallace 2:bbdeda018a3c 409 mbedtls_mpi *DQ = &ctx->DQ;
Jasper Wallace 2:bbdeda018a3c 410 #endif
markrad 0:cdf462088d13 411
markrad 0:cdf462088d13 412 /* Make sure we have private key info, prevent possible misuse */
markrad 0:cdf462088d13 413 if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
markrad 0:cdf462088d13 414 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 415
markrad 0:cdf462088d13 416 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
Jasper Wallace 2:bbdeda018a3c 417 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );
Jasper Wallace 2:bbdeda018a3c 418
Jasper Wallace 2:bbdeda018a3c 419
Jasper Wallace 2:bbdeda018a3c 420 if( f_rng != NULL )
Jasper Wallace 2:bbdeda018a3c 421 {
Jasper Wallace 2:bbdeda018a3c 422 #if defined(MBEDTLS_RSA_NO_CRT)
Jasper Wallace 2:bbdeda018a3c 423 mbedtls_mpi_init( &D_blind );
Jasper Wallace 2:bbdeda018a3c 424 #else
Jasper Wallace 2:bbdeda018a3c 425 mbedtls_mpi_init( &DP_blind );
Jasper Wallace 2:bbdeda018a3c 426 mbedtls_mpi_init( &DQ_blind );
Jasper Wallace 2:bbdeda018a3c 427 #endif
Jasper Wallace 2:bbdeda018a3c 428 }
Jasper Wallace 2:bbdeda018a3c 429
markrad 0:cdf462088d13 430
markrad 0:cdf462088d13 431 #if defined(MBEDTLS_THREADING_C)
markrad 0:cdf462088d13 432 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
markrad 0:cdf462088d13 433 return( ret );
markrad 0:cdf462088d13 434 #endif
markrad 0:cdf462088d13 435
markrad 0:cdf462088d13 436 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
markrad 0:cdf462088d13 437 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
markrad 0:cdf462088d13 438 {
markrad 0:cdf462088d13 439 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
markrad 0:cdf462088d13 440 goto cleanup;
markrad 0:cdf462088d13 441 }
markrad 0:cdf462088d13 442
markrad 0:cdf462088d13 443 if( f_rng != NULL )
markrad 0:cdf462088d13 444 {
markrad 0:cdf462088d13 445 /*
markrad 0:cdf462088d13 446 * Blinding
markrad 0:cdf462088d13 447 * T = T * Vi mod N
markrad 0:cdf462088d13 448 */
markrad 0:cdf462088d13 449 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
markrad 0:cdf462088d13 450 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
markrad 0:cdf462088d13 451 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
Jasper Wallace 2:bbdeda018a3c 452
Jasper Wallace 2:bbdeda018a3c 453 /*
Jasper Wallace 2:bbdeda018a3c 454 * Exponent blinding
Jasper Wallace 2:bbdeda018a3c 455 */
Jasper Wallace 2:bbdeda018a3c 456 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
Jasper Wallace 2:bbdeda018a3c 457 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
Jasper Wallace 2:bbdeda018a3c 458
Jasper Wallace 2:bbdeda018a3c 459 #if defined(MBEDTLS_RSA_NO_CRT)
Jasper Wallace 2:bbdeda018a3c 460 /*
Jasper Wallace 2:bbdeda018a3c 461 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
Jasper Wallace 2:bbdeda018a3c 462 */
Jasper Wallace 2:bbdeda018a3c 463 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
Jasper Wallace 2:bbdeda018a3c 464 f_rng, p_rng ) );
Jasper Wallace 2:bbdeda018a3c 465 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
Jasper Wallace 2:bbdeda018a3c 466 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
Jasper Wallace 2:bbdeda018a3c 467 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
Jasper Wallace 2:bbdeda018a3c 468
Jasper Wallace 2:bbdeda018a3c 469 D = &D_blind;
Jasper Wallace 2:bbdeda018a3c 470 #else
Jasper Wallace 2:bbdeda018a3c 471 /*
Jasper Wallace 2:bbdeda018a3c 472 * DP_blind = ( P - 1 ) * R + DP
Jasper Wallace 2:bbdeda018a3c 473 */
Jasper Wallace 2:bbdeda018a3c 474 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
Jasper Wallace 2:bbdeda018a3c 475 f_rng, p_rng ) );
Jasper Wallace 2:bbdeda018a3c 476 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
Jasper Wallace 2:bbdeda018a3c 477 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
Jasper Wallace 2:bbdeda018a3c 478 &ctx->DP ) );
Jasper Wallace 2:bbdeda018a3c 479
Jasper Wallace 2:bbdeda018a3c 480 DP = &DP_blind;
Jasper Wallace 2:bbdeda018a3c 481
Jasper Wallace 2:bbdeda018a3c 482 /*
Jasper Wallace 2:bbdeda018a3c 483 * DQ_blind = ( Q - 1 ) * R + DQ
Jasper Wallace 2:bbdeda018a3c 484 */
Jasper Wallace 2:bbdeda018a3c 485 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
Jasper Wallace 2:bbdeda018a3c 486 f_rng, p_rng ) );
Jasper Wallace 2:bbdeda018a3c 487 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
Jasper Wallace 2:bbdeda018a3c 488 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
Jasper Wallace 2:bbdeda018a3c 489 &ctx->DQ ) );
Jasper Wallace 2:bbdeda018a3c 490
Jasper Wallace 2:bbdeda018a3c 491 DQ = &DQ_blind;
Jasper Wallace 2:bbdeda018a3c 492 #endif /* MBEDTLS_RSA_NO_CRT */
markrad 0:cdf462088d13 493 }
markrad 0:cdf462088d13 494
markrad 0:cdf462088d13 495 #if defined(MBEDTLS_RSA_NO_CRT)
Jasper Wallace 2:bbdeda018a3c 496 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
markrad 0:cdf462088d13 497 #else
markrad 0:cdf462088d13 498 /*
Jasper Wallace 2:bbdeda018a3c 499 * Faster decryption using the CRT
markrad 0:cdf462088d13 500 *
markrad 0:cdf462088d13 501 * T1 = input ^ dP mod P
markrad 0:cdf462088d13 502 * T2 = input ^ dQ mod Q
markrad 0:cdf462088d13 503 */
Jasper Wallace 2:bbdeda018a3c 504 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );
Jasper Wallace 2:bbdeda018a3c 505 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );
markrad 0:cdf462088d13 506
markrad 0:cdf462088d13 507 /*
markrad 0:cdf462088d13 508 * T = (T1 - T2) * (Q^-1 mod P) mod P
markrad 0:cdf462088d13 509 */
markrad 0:cdf462088d13 510 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
markrad 0:cdf462088d13 511 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
markrad 0:cdf462088d13 512 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
markrad 0:cdf462088d13 513
markrad 0:cdf462088d13 514 /*
markrad 0:cdf462088d13 515 * T = T2 + T * Q
markrad 0:cdf462088d13 516 */
markrad 0:cdf462088d13 517 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
markrad 0:cdf462088d13 518 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
markrad 0:cdf462088d13 519 #endif /* MBEDTLS_RSA_NO_CRT */
markrad 0:cdf462088d13 520
markrad 0:cdf462088d13 521 if( f_rng != NULL )
markrad 0:cdf462088d13 522 {
markrad 0:cdf462088d13 523 /*
markrad 0:cdf462088d13 524 * Unblind
markrad 0:cdf462088d13 525 * T = T * Vf mod N
markrad 0:cdf462088d13 526 */
markrad 0:cdf462088d13 527 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
markrad 0:cdf462088d13 528 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
markrad 0:cdf462088d13 529 }
markrad 0:cdf462088d13 530
markrad 0:cdf462088d13 531 olen = ctx->len;
markrad 0:cdf462088d13 532 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
markrad 0:cdf462088d13 533
markrad 0:cdf462088d13 534 cleanup:
markrad 0:cdf462088d13 535 #if defined(MBEDTLS_THREADING_C)
markrad 0:cdf462088d13 536 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
markrad 0:cdf462088d13 537 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
markrad 0:cdf462088d13 538 #endif
markrad 0:cdf462088d13 539
markrad 0:cdf462088d13 540 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
Jasper Wallace 2:bbdeda018a3c 541 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );
Jasper Wallace 2:bbdeda018a3c 542
Jasper Wallace 2:bbdeda018a3c 543 if( f_rng != NULL )
Jasper Wallace 2:bbdeda018a3c 544 {
Jasper Wallace 2:bbdeda018a3c 545 #if defined(MBEDTLS_RSA_NO_CRT)
Jasper Wallace 2:bbdeda018a3c 546 mbedtls_mpi_free( &D_blind );
Jasper Wallace 2:bbdeda018a3c 547 #else
Jasper Wallace 2:bbdeda018a3c 548 mbedtls_mpi_free( &DP_blind );
Jasper Wallace 2:bbdeda018a3c 549 mbedtls_mpi_free( &DQ_blind );
Jasper Wallace 2:bbdeda018a3c 550 #endif
Jasper Wallace 2:bbdeda018a3c 551 }
markrad 0:cdf462088d13 552
markrad 0:cdf462088d13 553 if( ret != 0 )
markrad 0:cdf462088d13 554 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
markrad 0:cdf462088d13 555
markrad 0:cdf462088d13 556 return( 0 );
markrad 0:cdf462088d13 557 }
markrad 0:cdf462088d13 558
markrad 0:cdf462088d13 559 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 560 /**
markrad 0:cdf462088d13 561 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
markrad 0:cdf462088d13 562 *
markrad 0:cdf462088d13 563 * \param dst buffer to mask
markrad 0:cdf462088d13 564 * \param dlen length of destination buffer
markrad 0:cdf462088d13 565 * \param src source of the mask generation
markrad 0:cdf462088d13 566 * \param slen length of the source buffer
markrad 0:cdf462088d13 567 * \param md_ctx message digest context to use
markrad 0:cdf462088d13 568 */
markrad 0:cdf462088d13 569 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
markrad 0:cdf462088d13 570 size_t slen, mbedtls_md_context_t *md_ctx )
markrad 0:cdf462088d13 571 {
markrad 0:cdf462088d13 572 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
markrad 0:cdf462088d13 573 unsigned char counter[4];
markrad 0:cdf462088d13 574 unsigned char *p;
markrad 0:cdf462088d13 575 unsigned int hlen;
markrad 0:cdf462088d13 576 size_t i, use_len;
markrad 0:cdf462088d13 577
markrad 0:cdf462088d13 578 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
markrad 0:cdf462088d13 579 memset( counter, 0, 4 );
markrad 0:cdf462088d13 580
markrad 0:cdf462088d13 581 hlen = mbedtls_md_get_size( md_ctx->md_info );
markrad 0:cdf462088d13 582
markrad 0:cdf462088d13 583 /* Generate and apply dbMask */
markrad 0:cdf462088d13 584 p = dst;
markrad 0:cdf462088d13 585
markrad 0:cdf462088d13 586 while( dlen > 0 )
markrad 0:cdf462088d13 587 {
markrad 0:cdf462088d13 588 use_len = hlen;
markrad 0:cdf462088d13 589 if( dlen < hlen )
markrad 0:cdf462088d13 590 use_len = dlen;
markrad 0:cdf462088d13 591
markrad 0:cdf462088d13 592 mbedtls_md_starts( md_ctx );
markrad 0:cdf462088d13 593 mbedtls_md_update( md_ctx, src, slen );
markrad 0:cdf462088d13 594 mbedtls_md_update( md_ctx, counter, 4 );
markrad 0:cdf462088d13 595 mbedtls_md_finish( md_ctx, mask );
markrad 0:cdf462088d13 596
markrad 0:cdf462088d13 597 for( i = 0; i < use_len; ++i )
markrad 0:cdf462088d13 598 *p++ ^= mask[i];
markrad 0:cdf462088d13 599
markrad 0:cdf462088d13 600 counter[3]++;
markrad 0:cdf462088d13 601
markrad 0:cdf462088d13 602 dlen -= use_len;
markrad 0:cdf462088d13 603 }
Jasper Wallace 2:bbdeda018a3c 604
Jasper Wallace 2:bbdeda018a3c 605 mbedtls_zeroize( mask, sizeof( mask ) );
markrad 0:cdf462088d13 606 }
markrad 0:cdf462088d13 607 #endif /* MBEDTLS_PKCS1_V21 */
markrad 0:cdf462088d13 608
markrad 0:cdf462088d13 609 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 610 /*
markrad 0:cdf462088d13 611 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
markrad 0:cdf462088d13 612 */
markrad 0:cdf462088d13 613 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 614 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 615 void *p_rng,
markrad 0:cdf462088d13 616 int mode,
markrad 0:cdf462088d13 617 const unsigned char *label, size_t label_len,
markrad 0:cdf462088d13 618 size_t ilen,
markrad 0:cdf462088d13 619 const unsigned char *input,
markrad 0:cdf462088d13 620 unsigned char *output )
markrad 0:cdf462088d13 621 {
markrad 0:cdf462088d13 622 size_t olen;
markrad 0:cdf462088d13 623 int ret;
markrad 0:cdf462088d13 624 unsigned char *p = output;
markrad 0:cdf462088d13 625 unsigned int hlen;
markrad 0:cdf462088d13 626 const mbedtls_md_info_t *md_info;
markrad 0:cdf462088d13 627 mbedtls_md_context_t md_ctx;
markrad 0:cdf462088d13 628
markrad 0:cdf462088d13 629 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
markrad 0:cdf462088d13 630 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 631
markrad 0:cdf462088d13 632 if( f_rng == NULL )
markrad 0:cdf462088d13 633 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 634
markrad 0:cdf462088d13 635 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
markrad 0:cdf462088d13 636 if( md_info == NULL )
markrad 0:cdf462088d13 637 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 638
markrad 0:cdf462088d13 639 olen = ctx->len;
markrad 0:cdf462088d13 640 hlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 641
markrad 0:cdf462088d13 642 /* first comparison checks for overflow */
markrad 0:cdf462088d13 643 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
markrad 0:cdf462088d13 644 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 645
markrad 0:cdf462088d13 646 memset( output, 0, olen );
markrad 0:cdf462088d13 647
markrad 0:cdf462088d13 648 *p++ = 0;
markrad 0:cdf462088d13 649
markrad 0:cdf462088d13 650 /* Generate a random octet string seed */
markrad 0:cdf462088d13 651 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
markrad 0:cdf462088d13 652 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
markrad 0:cdf462088d13 653
markrad 0:cdf462088d13 654 p += hlen;
markrad 0:cdf462088d13 655
markrad 0:cdf462088d13 656 /* Construct DB */
markrad 0:cdf462088d13 657 mbedtls_md( md_info, label, label_len, p );
markrad 0:cdf462088d13 658 p += hlen;
markrad 0:cdf462088d13 659 p += olen - 2 * hlen - 2 - ilen;
markrad 0:cdf462088d13 660 *p++ = 1;
markrad 0:cdf462088d13 661 memcpy( p, input, ilen );
markrad 0:cdf462088d13 662
markrad 0:cdf462088d13 663 mbedtls_md_init( &md_ctx );
markrad 0:cdf462088d13 664 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
markrad 0:cdf462088d13 665 {
markrad 0:cdf462088d13 666 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 667 return( ret );
markrad 0:cdf462088d13 668 }
markrad 0:cdf462088d13 669
markrad 0:cdf462088d13 670 /* maskedDB: Apply dbMask to DB */
markrad 0:cdf462088d13 671 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
markrad 0:cdf462088d13 672 &md_ctx );
markrad 0:cdf462088d13 673
markrad 0:cdf462088d13 674 /* maskedSeed: Apply seedMask to seed */
markrad 0:cdf462088d13 675 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
markrad 0:cdf462088d13 676 &md_ctx );
markrad 0:cdf462088d13 677
markrad 0:cdf462088d13 678 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 679
markrad 0:cdf462088d13 680 return( ( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 681 ? mbedtls_rsa_public( ctx, output, output )
markrad 0:cdf462088d13 682 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
markrad 0:cdf462088d13 683 }
markrad 0:cdf462088d13 684 #endif /* MBEDTLS_PKCS1_V21 */
markrad 0:cdf462088d13 685
markrad 0:cdf462088d13 686 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 687 /*
markrad 0:cdf462088d13 688 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
markrad 0:cdf462088d13 689 */
markrad 0:cdf462088d13 690 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 691 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 692 void *p_rng,
markrad 0:cdf462088d13 693 int mode, size_t ilen,
markrad 0:cdf462088d13 694 const unsigned char *input,
markrad 0:cdf462088d13 695 unsigned char *output )
markrad 0:cdf462088d13 696 {
markrad 0:cdf462088d13 697 size_t nb_pad, olen;
markrad 0:cdf462088d13 698 int ret;
markrad 0:cdf462088d13 699 unsigned char *p = output;
markrad 0:cdf462088d13 700
markrad 0:cdf462088d13 701 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
markrad 0:cdf462088d13 702 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 703
markrad 0:cdf462088d13 704 // We don't check p_rng because it won't be dereferenced here
markrad 0:cdf462088d13 705 if( f_rng == NULL || input == NULL || output == NULL )
markrad 0:cdf462088d13 706 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 707
markrad 0:cdf462088d13 708 olen = ctx->len;
markrad 0:cdf462088d13 709
markrad 0:cdf462088d13 710 /* first comparison checks for overflow */
markrad 0:cdf462088d13 711 if( ilen + 11 < ilen || olen < ilen + 11 )
markrad 0:cdf462088d13 712 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 713
markrad 0:cdf462088d13 714 nb_pad = olen - 3 - ilen;
markrad 0:cdf462088d13 715
markrad 0:cdf462088d13 716 *p++ = 0;
markrad 0:cdf462088d13 717 if( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 718 {
markrad 0:cdf462088d13 719 *p++ = MBEDTLS_RSA_CRYPT;
markrad 0:cdf462088d13 720
markrad 0:cdf462088d13 721 while( nb_pad-- > 0 )
markrad 0:cdf462088d13 722 {
markrad 0:cdf462088d13 723 int rng_dl = 100;
markrad 0:cdf462088d13 724
markrad 0:cdf462088d13 725 do {
markrad 0:cdf462088d13 726 ret = f_rng( p_rng, p, 1 );
markrad 0:cdf462088d13 727 } while( *p == 0 && --rng_dl && ret == 0 );
markrad 0:cdf462088d13 728
markrad 0:cdf462088d13 729 /* Check if RNG failed to generate data */
markrad 0:cdf462088d13 730 if( rng_dl == 0 || ret != 0 )
markrad 0:cdf462088d13 731 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
markrad 0:cdf462088d13 732
markrad 0:cdf462088d13 733 p++;
markrad 0:cdf462088d13 734 }
markrad 0:cdf462088d13 735 }
markrad 0:cdf462088d13 736 else
markrad 0:cdf462088d13 737 {
markrad 0:cdf462088d13 738 *p++ = MBEDTLS_RSA_SIGN;
markrad 0:cdf462088d13 739
markrad 0:cdf462088d13 740 while( nb_pad-- > 0 )
markrad 0:cdf462088d13 741 *p++ = 0xFF;
markrad 0:cdf462088d13 742 }
markrad 0:cdf462088d13 743
markrad 0:cdf462088d13 744 *p++ = 0;
markrad 0:cdf462088d13 745 memcpy( p, input, ilen );
markrad 0:cdf462088d13 746
markrad 0:cdf462088d13 747 return( ( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 748 ? mbedtls_rsa_public( ctx, output, output )
markrad 0:cdf462088d13 749 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
markrad 0:cdf462088d13 750 }
markrad 0:cdf462088d13 751 #endif /* MBEDTLS_PKCS1_V15 */
markrad 0:cdf462088d13 752
markrad 0:cdf462088d13 753 /*
markrad 0:cdf462088d13 754 * Add the message padding, then do an RSA operation
markrad 0:cdf462088d13 755 */
markrad 0:cdf462088d13 756 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 757 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 758 void *p_rng,
markrad 0:cdf462088d13 759 int mode, size_t ilen,
markrad 0:cdf462088d13 760 const unsigned char *input,
markrad 0:cdf462088d13 761 unsigned char *output )
markrad 0:cdf462088d13 762 {
markrad 0:cdf462088d13 763 switch( ctx->padding )
markrad 0:cdf462088d13 764 {
markrad 0:cdf462088d13 765 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 766 case MBEDTLS_RSA_PKCS_V15:
markrad 0:cdf462088d13 767 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
markrad 0:cdf462088d13 768 input, output );
markrad 0:cdf462088d13 769 #endif
markrad 0:cdf462088d13 770
markrad 0:cdf462088d13 771 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 772 case MBEDTLS_RSA_PKCS_V21:
markrad 0:cdf462088d13 773 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
markrad 0:cdf462088d13 774 ilen, input, output );
markrad 0:cdf462088d13 775 #endif
markrad 0:cdf462088d13 776
markrad 0:cdf462088d13 777 default:
markrad 0:cdf462088d13 778 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 779 }
markrad 0:cdf462088d13 780 }
markrad 0:cdf462088d13 781
markrad 0:cdf462088d13 782 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 783 /*
markrad 0:cdf462088d13 784 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
markrad 0:cdf462088d13 785 */
markrad 0:cdf462088d13 786 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 787 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 788 void *p_rng,
markrad 0:cdf462088d13 789 int mode,
markrad 0:cdf462088d13 790 const unsigned char *label, size_t label_len,
markrad 0:cdf462088d13 791 size_t *olen,
markrad 0:cdf462088d13 792 const unsigned char *input,
markrad 0:cdf462088d13 793 unsigned char *output,
markrad 0:cdf462088d13 794 size_t output_max_len )
markrad 0:cdf462088d13 795 {
markrad 0:cdf462088d13 796 int ret;
markrad 0:cdf462088d13 797 size_t ilen, i, pad_len;
markrad 0:cdf462088d13 798 unsigned char *p, bad, pad_done;
markrad 0:cdf462088d13 799 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
markrad 0:cdf462088d13 800 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
markrad 0:cdf462088d13 801 unsigned int hlen;
markrad 0:cdf462088d13 802 const mbedtls_md_info_t *md_info;
markrad 0:cdf462088d13 803 mbedtls_md_context_t md_ctx;
markrad 0:cdf462088d13 804
markrad 0:cdf462088d13 805 /*
markrad 0:cdf462088d13 806 * Parameters sanity checks
markrad 0:cdf462088d13 807 */
markrad 0:cdf462088d13 808 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
markrad 0:cdf462088d13 809 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 810
markrad 0:cdf462088d13 811 ilen = ctx->len;
markrad 0:cdf462088d13 812
markrad 0:cdf462088d13 813 if( ilen < 16 || ilen > sizeof( buf ) )
markrad 0:cdf462088d13 814 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 815
markrad 0:cdf462088d13 816 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
markrad 0:cdf462088d13 817 if( md_info == NULL )
markrad 0:cdf462088d13 818 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 819
markrad 0:cdf462088d13 820 hlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 821
markrad 0:cdf462088d13 822 // checking for integer underflow
markrad 0:cdf462088d13 823 if( 2 * hlen + 2 > ilen )
markrad 0:cdf462088d13 824 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 825
markrad 0:cdf462088d13 826 /*
markrad 0:cdf462088d13 827 * RSA operation
markrad 0:cdf462088d13 828 */
markrad 0:cdf462088d13 829 ret = ( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 830 ? mbedtls_rsa_public( ctx, input, buf )
markrad 0:cdf462088d13 831 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
markrad 0:cdf462088d13 832
markrad 0:cdf462088d13 833 if( ret != 0 )
Jasper Wallace 2:bbdeda018a3c 834 goto cleanup;
markrad 0:cdf462088d13 835
markrad 0:cdf462088d13 836 /*
markrad 0:cdf462088d13 837 * Unmask data and generate lHash
markrad 0:cdf462088d13 838 */
markrad 0:cdf462088d13 839 mbedtls_md_init( &md_ctx );
markrad 0:cdf462088d13 840 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
markrad 0:cdf462088d13 841 {
markrad 0:cdf462088d13 842 mbedtls_md_free( &md_ctx );
Jasper Wallace 2:bbdeda018a3c 843 goto cleanup;
markrad 0:cdf462088d13 844 }
markrad 0:cdf462088d13 845
markrad 0:cdf462088d13 846
markrad 0:cdf462088d13 847 /* Generate lHash */
markrad 0:cdf462088d13 848 mbedtls_md( md_info, label, label_len, lhash );
markrad 0:cdf462088d13 849
markrad 0:cdf462088d13 850 /* seed: Apply seedMask to maskedSeed */
markrad 0:cdf462088d13 851 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
markrad 0:cdf462088d13 852 &md_ctx );
markrad 0:cdf462088d13 853
markrad 0:cdf462088d13 854 /* DB: Apply dbMask to maskedDB */
markrad 0:cdf462088d13 855 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
markrad 0:cdf462088d13 856 &md_ctx );
markrad 0:cdf462088d13 857
markrad 0:cdf462088d13 858 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 859
markrad 0:cdf462088d13 860 /*
markrad 0:cdf462088d13 861 * Check contents, in "constant-time"
markrad 0:cdf462088d13 862 */
markrad 0:cdf462088d13 863 p = buf;
markrad 0:cdf462088d13 864 bad = 0;
markrad 0:cdf462088d13 865
markrad 0:cdf462088d13 866 bad |= *p++; /* First byte must be 0 */
markrad 0:cdf462088d13 867
markrad 0:cdf462088d13 868 p += hlen; /* Skip seed */
markrad 0:cdf462088d13 869
markrad 0:cdf462088d13 870 /* Check lHash */
markrad 0:cdf462088d13 871 for( i = 0; i < hlen; i++ )
markrad 0:cdf462088d13 872 bad |= lhash[i] ^ *p++;
markrad 0:cdf462088d13 873
markrad 0:cdf462088d13 874 /* Get zero-padding len, but always read till end of buffer
markrad 0:cdf462088d13 875 * (minus one, for the 01 byte) */
markrad 0:cdf462088d13 876 pad_len = 0;
markrad 0:cdf462088d13 877 pad_done = 0;
markrad 0:cdf462088d13 878 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
markrad 0:cdf462088d13 879 {
markrad 0:cdf462088d13 880 pad_done |= p[i];
markrad 0:cdf462088d13 881 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
markrad 0:cdf462088d13 882 }
markrad 0:cdf462088d13 883
markrad 0:cdf462088d13 884 p += pad_len;
markrad 0:cdf462088d13 885 bad |= *p++ ^ 0x01;
markrad 0:cdf462088d13 886
markrad 0:cdf462088d13 887 /*
markrad 0:cdf462088d13 888 * The only information "leaked" is whether the padding was correct or not
markrad 0:cdf462088d13 889 * (eg, no data is copied if it was not correct). This meets the
markrad 0:cdf462088d13 890 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
markrad 0:cdf462088d13 891 * the different error conditions.
markrad 0:cdf462088d13 892 */
markrad 0:cdf462088d13 893 if( bad != 0 )
Jasper Wallace 2:bbdeda018a3c 894 {
Jasper Wallace 2:bbdeda018a3c 895 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
Jasper Wallace 2:bbdeda018a3c 896 goto cleanup;
Jasper Wallace 2:bbdeda018a3c 897 }
markrad 0:cdf462088d13 898
markrad 0:cdf462088d13 899 if( ilen - ( p - buf ) > output_max_len )
Jasper Wallace 2:bbdeda018a3c 900 {
Jasper Wallace 2:bbdeda018a3c 901 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
Jasper Wallace 2:bbdeda018a3c 902 goto cleanup;
Jasper Wallace 2:bbdeda018a3c 903 }
markrad 0:cdf462088d13 904
markrad 0:cdf462088d13 905 *olen = ilen - (p - buf);
markrad 0:cdf462088d13 906 memcpy( output, p, *olen );
Jasper Wallace 2:bbdeda018a3c 907 ret = 0;
markrad 0:cdf462088d13 908
Jasper Wallace 2:bbdeda018a3c 909 cleanup:
Jasper Wallace 2:bbdeda018a3c 910 mbedtls_zeroize( buf, sizeof( buf ) );
Jasper Wallace 2:bbdeda018a3c 911 mbedtls_zeroize( lhash, sizeof( lhash ) );
Jasper Wallace 2:bbdeda018a3c 912
Jasper Wallace 2:bbdeda018a3c 913 return( ret );
markrad 0:cdf462088d13 914 }
markrad 0:cdf462088d13 915 #endif /* MBEDTLS_PKCS1_V21 */
markrad 0:cdf462088d13 916
markrad 0:cdf462088d13 917 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 918 /*
markrad 0:cdf462088d13 919 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
markrad 0:cdf462088d13 920 */
markrad 0:cdf462088d13 921 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 922 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 923 void *p_rng,
markrad 0:cdf462088d13 924 int mode, size_t *olen,
markrad 0:cdf462088d13 925 const unsigned char *input,
markrad 0:cdf462088d13 926 unsigned char *output,
markrad 0:cdf462088d13 927 size_t output_max_len)
markrad 0:cdf462088d13 928 {
markrad 0:cdf462088d13 929 int ret;
markrad 0:cdf462088d13 930 size_t ilen, pad_count = 0, i;
markrad 0:cdf462088d13 931 unsigned char *p, bad, pad_done = 0;
markrad 0:cdf462088d13 932 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
markrad 0:cdf462088d13 933
markrad 0:cdf462088d13 934 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
markrad 0:cdf462088d13 935 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 936
markrad 0:cdf462088d13 937 ilen = ctx->len;
markrad 0:cdf462088d13 938
markrad 0:cdf462088d13 939 if( ilen < 16 || ilen > sizeof( buf ) )
markrad 0:cdf462088d13 940 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 941
markrad 0:cdf462088d13 942 ret = ( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 943 ? mbedtls_rsa_public( ctx, input, buf )
markrad 0:cdf462088d13 944 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
markrad 0:cdf462088d13 945
markrad 0:cdf462088d13 946 if( ret != 0 )
Jasper Wallace 2:bbdeda018a3c 947 goto cleanup;
markrad 0:cdf462088d13 948
markrad 0:cdf462088d13 949 p = buf;
markrad 0:cdf462088d13 950 bad = 0;
markrad 0:cdf462088d13 951
markrad 0:cdf462088d13 952 /*
markrad 0:cdf462088d13 953 * Check and get padding len in "constant-time"
markrad 0:cdf462088d13 954 */
markrad 0:cdf462088d13 955 bad |= *p++; /* First byte must be 0 */
markrad 0:cdf462088d13 956
markrad 0:cdf462088d13 957 /* This test does not depend on secret data */
markrad 0:cdf462088d13 958 if( mode == MBEDTLS_RSA_PRIVATE )
markrad 0:cdf462088d13 959 {
markrad 0:cdf462088d13 960 bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
markrad 0:cdf462088d13 961
markrad 0:cdf462088d13 962 /* Get padding len, but always read till end of buffer
markrad 0:cdf462088d13 963 * (minus one, for the 00 byte) */
markrad 0:cdf462088d13 964 for( i = 0; i < ilen - 3; i++ )
markrad 0:cdf462088d13 965 {
markrad 0:cdf462088d13 966 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
markrad 0:cdf462088d13 967 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
markrad 0:cdf462088d13 968 }
markrad 0:cdf462088d13 969
markrad 0:cdf462088d13 970 p += pad_count;
markrad 0:cdf462088d13 971 bad |= *p++; /* Must be zero */
markrad 0:cdf462088d13 972 }
markrad 0:cdf462088d13 973 else
markrad 0:cdf462088d13 974 {
markrad 0:cdf462088d13 975 bad |= *p++ ^ MBEDTLS_RSA_SIGN;
markrad 0:cdf462088d13 976
markrad 0:cdf462088d13 977 /* Get padding len, but always read till end of buffer
markrad 0:cdf462088d13 978 * (minus one, for the 00 byte) */
markrad 0:cdf462088d13 979 for( i = 0; i < ilen - 3; i++ )
markrad 0:cdf462088d13 980 {
markrad 0:cdf462088d13 981 pad_done |= ( p[i] != 0xFF );
markrad 0:cdf462088d13 982 pad_count += ( pad_done == 0 );
markrad 0:cdf462088d13 983 }
markrad 0:cdf462088d13 984
markrad 0:cdf462088d13 985 p += pad_count;
markrad 0:cdf462088d13 986 bad |= *p++; /* Must be zero */
markrad 0:cdf462088d13 987 }
markrad 0:cdf462088d13 988
markrad 0:cdf462088d13 989 bad |= ( pad_count < 8 );
markrad 0:cdf462088d13 990
markrad 0:cdf462088d13 991 if( bad )
Jasper Wallace 2:bbdeda018a3c 992 {
Jasper Wallace 2:bbdeda018a3c 993 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
Jasper Wallace 2:bbdeda018a3c 994 goto cleanup;
Jasper Wallace 2:bbdeda018a3c 995 }
markrad 0:cdf462088d13 996
markrad 0:cdf462088d13 997 if( ilen - ( p - buf ) > output_max_len )
Jasper Wallace 2:bbdeda018a3c 998 {
Jasper Wallace 2:bbdeda018a3c 999 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
Jasper Wallace 2:bbdeda018a3c 1000 goto cleanup;
Jasper Wallace 2:bbdeda018a3c 1001 }
markrad 0:cdf462088d13 1002
markrad 0:cdf462088d13 1003 *olen = ilen - (p - buf);
markrad 0:cdf462088d13 1004 memcpy( output, p, *olen );
Jasper Wallace 2:bbdeda018a3c 1005 ret = 0;
markrad 0:cdf462088d13 1006
Jasper Wallace 2:bbdeda018a3c 1007 cleanup:
Jasper Wallace 2:bbdeda018a3c 1008 mbedtls_zeroize( buf, sizeof( buf ) );
Jasper Wallace 2:bbdeda018a3c 1009
Jasper Wallace 2:bbdeda018a3c 1010 return( ret );
markrad 0:cdf462088d13 1011 }
markrad 0:cdf462088d13 1012 #endif /* MBEDTLS_PKCS1_V15 */
markrad 0:cdf462088d13 1013
markrad 0:cdf462088d13 1014 /*
markrad 0:cdf462088d13 1015 * Do an RSA operation, then remove the message padding
markrad 0:cdf462088d13 1016 */
markrad 0:cdf462088d13 1017 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1018 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1019 void *p_rng,
markrad 0:cdf462088d13 1020 int mode, size_t *olen,
markrad 0:cdf462088d13 1021 const unsigned char *input,
markrad 0:cdf462088d13 1022 unsigned char *output,
markrad 0:cdf462088d13 1023 size_t output_max_len)
markrad 0:cdf462088d13 1024 {
markrad 0:cdf462088d13 1025 switch( ctx->padding )
markrad 0:cdf462088d13 1026 {
markrad 0:cdf462088d13 1027 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 1028 case MBEDTLS_RSA_PKCS_V15:
markrad 0:cdf462088d13 1029 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
markrad 0:cdf462088d13 1030 input, output, output_max_len );
markrad 0:cdf462088d13 1031 #endif
markrad 0:cdf462088d13 1032
markrad 0:cdf462088d13 1033 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 1034 case MBEDTLS_RSA_PKCS_V21:
markrad 0:cdf462088d13 1035 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
markrad 0:cdf462088d13 1036 olen, input, output,
markrad 0:cdf462088d13 1037 output_max_len );
markrad 0:cdf462088d13 1038 #endif
markrad 0:cdf462088d13 1039
markrad 0:cdf462088d13 1040 default:
markrad 0:cdf462088d13 1041 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1042 }
markrad 0:cdf462088d13 1043 }
markrad 0:cdf462088d13 1044
markrad 0:cdf462088d13 1045 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 1046 /*
markrad 0:cdf462088d13 1047 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
markrad 0:cdf462088d13 1048 */
markrad 0:cdf462088d13 1049 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1050 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1051 void *p_rng,
markrad 0:cdf462088d13 1052 int mode,
markrad 0:cdf462088d13 1053 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 1054 unsigned int hashlen,
markrad 0:cdf462088d13 1055 const unsigned char *hash,
markrad 0:cdf462088d13 1056 unsigned char *sig )
markrad 0:cdf462088d13 1057 {
markrad 0:cdf462088d13 1058 size_t olen;
markrad 0:cdf462088d13 1059 unsigned char *p = sig;
markrad 0:cdf462088d13 1060 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
markrad 0:cdf462088d13 1061 unsigned int slen, hlen, offset = 0;
markrad 0:cdf462088d13 1062 int ret;
markrad 0:cdf462088d13 1063 size_t msb;
markrad 0:cdf462088d13 1064 const mbedtls_md_info_t *md_info;
markrad 0:cdf462088d13 1065 mbedtls_md_context_t md_ctx;
markrad 0:cdf462088d13 1066
markrad 0:cdf462088d13 1067 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
markrad 0:cdf462088d13 1068 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1069
markrad 0:cdf462088d13 1070 if( f_rng == NULL )
markrad 0:cdf462088d13 1071 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1072
markrad 0:cdf462088d13 1073 olen = ctx->len;
markrad 0:cdf462088d13 1074
markrad 0:cdf462088d13 1075 if( md_alg != MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 1076 {
markrad 0:cdf462088d13 1077 /* Gather length of hash to sign */
markrad 0:cdf462088d13 1078 md_info = mbedtls_md_info_from_type( md_alg );
markrad 0:cdf462088d13 1079 if( md_info == NULL )
markrad 0:cdf462088d13 1080 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1081
markrad 0:cdf462088d13 1082 hashlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 1083 }
markrad 0:cdf462088d13 1084
markrad 0:cdf462088d13 1085 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
markrad 0:cdf462088d13 1086 if( md_info == NULL )
markrad 0:cdf462088d13 1087 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1088
markrad 0:cdf462088d13 1089 hlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 1090 slen = hlen;
markrad 0:cdf462088d13 1091
markrad 0:cdf462088d13 1092 if( olen < hlen + slen + 2 )
markrad 0:cdf462088d13 1093 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1094
markrad 0:cdf462088d13 1095 memset( sig, 0, olen );
markrad 0:cdf462088d13 1096
markrad 0:cdf462088d13 1097 /* Generate salt of length slen */
markrad 0:cdf462088d13 1098 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
markrad 0:cdf462088d13 1099 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
markrad 0:cdf462088d13 1100
markrad 0:cdf462088d13 1101 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
markrad 0:cdf462088d13 1102 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
markrad 0:cdf462088d13 1103 p += olen - hlen * 2 - 2;
markrad 0:cdf462088d13 1104 *p++ = 0x01;
markrad 0:cdf462088d13 1105 memcpy( p, salt, slen );
markrad 0:cdf462088d13 1106 p += slen;
markrad 0:cdf462088d13 1107
markrad 0:cdf462088d13 1108 mbedtls_md_init( &md_ctx );
markrad 0:cdf462088d13 1109 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
markrad 0:cdf462088d13 1110 {
markrad 0:cdf462088d13 1111 mbedtls_md_free( &md_ctx );
Jasper Wallace 2:bbdeda018a3c 1112 /* No need to zeroize salt: we didn't use it. */
markrad 0:cdf462088d13 1113 return( ret );
markrad 0:cdf462088d13 1114 }
markrad 0:cdf462088d13 1115
markrad 0:cdf462088d13 1116 /* Generate H = Hash( M' ) */
markrad 0:cdf462088d13 1117 mbedtls_md_starts( &md_ctx );
markrad 0:cdf462088d13 1118 mbedtls_md_update( &md_ctx, p, 8 );
markrad 0:cdf462088d13 1119 mbedtls_md_update( &md_ctx, hash, hashlen );
markrad 0:cdf462088d13 1120 mbedtls_md_update( &md_ctx, salt, slen );
markrad 0:cdf462088d13 1121 mbedtls_md_finish( &md_ctx, p );
Jasper Wallace 2:bbdeda018a3c 1122 mbedtls_zeroize( salt, sizeof( salt ) );
markrad 0:cdf462088d13 1123
markrad 0:cdf462088d13 1124 /* Compensate for boundary condition when applying mask */
markrad 0:cdf462088d13 1125 if( msb % 8 == 0 )
markrad 0:cdf462088d13 1126 offset = 1;
markrad 0:cdf462088d13 1127
markrad 0:cdf462088d13 1128 /* maskedDB: Apply dbMask to DB */
markrad 0:cdf462088d13 1129 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
markrad 0:cdf462088d13 1130
markrad 0:cdf462088d13 1131 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 1132
markrad 0:cdf462088d13 1133 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
markrad 0:cdf462088d13 1134 sig[0] &= 0xFF >> ( olen * 8 - msb );
markrad 0:cdf462088d13 1135
markrad 0:cdf462088d13 1136 p += hlen;
markrad 0:cdf462088d13 1137 *p++ = 0xBC;
markrad 0:cdf462088d13 1138
markrad 0:cdf462088d13 1139 return( ( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 1140 ? mbedtls_rsa_public( ctx, sig, sig )
markrad 0:cdf462088d13 1141 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
markrad 0:cdf462088d13 1142 }
markrad 0:cdf462088d13 1143 #endif /* MBEDTLS_PKCS1_V21 */
markrad 0:cdf462088d13 1144
markrad 0:cdf462088d13 1145 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 1146 /*
markrad 0:cdf462088d13 1147 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
markrad 0:cdf462088d13 1148 */
markrad 0:cdf462088d13 1149 /*
markrad 0:cdf462088d13 1150 * Do an RSA operation to sign the message digest
markrad 0:cdf462088d13 1151 */
markrad 0:cdf462088d13 1152 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1153 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1154 void *p_rng,
markrad 0:cdf462088d13 1155 int mode,
markrad 0:cdf462088d13 1156 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 1157 unsigned int hashlen,
markrad 0:cdf462088d13 1158 const unsigned char *hash,
markrad 0:cdf462088d13 1159 unsigned char *sig )
markrad 0:cdf462088d13 1160 {
markrad 0:cdf462088d13 1161 size_t nb_pad, olen, oid_size = 0;
markrad 0:cdf462088d13 1162 unsigned char *p = sig;
markrad 0:cdf462088d13 1163 const char *oid = NULL;
markrad 0:cdf462088d13 1164 unsigned char *sig_try = NULL, *verif = NULL;
markrad 0:cdf462088d13 1165 size_t i;
markrad 0:cdf462088d13 1166 unsigned char diff;
markrad 0:cdf462088d13 1167 volatile unsigned char diff_no_optimize;
markrad 0:cdf462088d13 1168 int ret;
markrad 0:cdf462088d13 1169
markrad 0:cdf462088d13 1170 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
markrad 0:cdf462088d13 1171 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1172
markrad 0:cdf462088d13 1173 olen = ctx->len;
markrad 0:cdf462088d13 1174 nb_pad = olen - 3;
markrad 0:cdf462088d13 1175
markrad 0:cdf462088d13 1176 if( md_alg != MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 1177 {
markrad 0:cdf462088d13 1178 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
markrad 0:cdf462088d13 1179 if( md_info == NULL )
markrad 0:cdf462088d13 1180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1181
markrad 0:cdf462088d13 1182 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
markrad 0:cdf462088d13 1183 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1184
markrad 0:cdf462088d13 1185 nb_pad -= 10 + oid_size;
markrad 0:cdf462088d13 1186
markrad 0:cdf462088d13 1187 hashlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 1188 }
markrad 0:cdf462088d13 1189
markrad 0:cdf462088d13 1190 nb_pad -= hashlen;
markrad 0:cdf462088d13 1191
markrad 0:cdf462088d13 1192 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
markrad 0:cdf462088d13 1193 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1194
markrad 0:cdf462088d13 1195 *p++ = 0;
markrad 0:cdf462088d13 1196 *p++ = MBEDTLS_RSA_SIGN;
markrad 0:cdf462088d13 1197 memset( p, 0xFF, nb_pad );
markrad 0:cdf462088d13 1198 p += nb_pad;
markrad 0:cdf462088d13 1199 *p++ = 0;
markrad 0:cdf462088d13 1200
markrad 0:cdf462088d13 1201 if( md_alg == MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 1202 {
markrad 0:cdf462088d13 1203 memcpy( p, hash, hashlen );
markrad 0:cdf462088d13 1204 }
markrad 0:cdf462088d13 1205 else
markrad 0:cdf462088d13 1206 {
markrad 0:cdf462088d13 1207 /*
markrad 0:cdf462088d13 1208 * DigestInfo ::= SEQUENCE {
markrad 0:cdf462088d13 1209 * digestAlgorithm DigestAlgorithmIdentifier,
markrad 0:cdf462088d13 1210 * digest Digest }
markrad 0:cdf462088d13 1211 *
markrad 0:cdf462088d13 1212 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
markrad 0:cdf462088d13 1213 *
markrad 0:cdf462088d13 1214 * Digest ::= OCTET STRING
markrad 0:cdf462088d13 1215 */
markrad 0:cdf462088d13 1216 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
markrad 0:cdf462088d13 1217 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
markrad 0:cdf462088d13 1218 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
markrad 0:cdf462088d13 1219 *p++ = (unsigned char) ( 0x04 + oid_size );
markrad 0:cdf462088d13 1220 *p++ = MBEDTLS_ASN1_OID;
markrad 0:cdf462088d13 1221 *p++ = oid_size & 0xFF;
markrad 0:cdf462088d13 1222 memcpy( p, oid, oid_size );
markrad 0:cdf462088d13 1223 p += oid_size;
markrad 0:cdf462088d13 1224 *p++ = MBEDTLS_ASN1_NULL;
markrad 0:cdf462088d13 1225 *p++ = 0x00;
markrad 0:cdf462088d13 1226 *p++ = MBEDTLS_ASN1_OCTET_STRING;
markrad 0:cdf462088d13 1227 *p++ = hashlen;
markrad 0:cdf462088d13 1228 memcpy( p, hash, hashlen );
markrad 0:cdf462088d13 1229 }
markrad 0:cdf462088d13 1230
markrad 0:cdf462088d13 1231 if( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 1232 return( mbedtls_rsa_public( ctx, sig, sig ) );
markrad 0:cdf462088d13 1233
markrad 0:cdf462088d13 1234 /*
markrad 0:cdf462088d13 1235 * In order to prevent Lenstra's attack, make the signature in a
markrad 0:cdf462088d13 1236 * temporary buffer and check it before returning it.
markrad 0:cdf462088d13 1237 */
markrad 0:cdf462088d13 1238 sig_try = mbedtls_calloc( 1, ctx->len );
markrad 0:cdf462088d13 1239 if( sig_try == NULL )
markrad 0:cdf462088d13 1240 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
markrad 0:cdf462088d13 1241
markrad 0:cdf462088d13 1242 verif = mbedtls_calloc( 1, ctx->len );
markrad 0:cdf462088d13 1243 if( verif == NULL )
markrad 0:cdf462088d13 1244 {
markrad 0:cdf462088d13 1245 mbedtls_free( sig_try );
markrad 0:cdf462088d13 1246 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
markrad 0:cdf462088d13 1247 }
markrad 0:cdf462088d13 1248
markrad 0:cdf462088d13 1249 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
markrad 0:cdf462088d13 1250 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
markrad 0:cdf462088d13 1251
markrad 0:cdf462088d13 1252 /* Compare in constant time just in case */
markrad 0:cdf462088d13 1253 for( diff = 0, i = 0; i < ctx->len; i++ )
markrad 0:cdf462088d13 1254 diff |= verif[i] ^ sig[i];
markrad 0:cdf462088d13 1255 diff_no_optimize = diff;
markrad 0:cdf462088d13 1256
markrad 0:cdf462088d13 1257 if( diff_no_optimize != 0 )
markrad 0:cdf462088d13 1258 {
markrad 0:cdf462088d13 1259 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
markrad 0:cdf462088d13 1260 goto cleanup;
markrad 0:cdf462088d13 1261 }
markrad 0:cdf462088d13 1262
markrad 0:cdf462088d13 1263 memcpy( sig, sig_try, ctx->len );
markrad 0:cdf462088d13 1264
markrad 0:cdf462088d13 1265 cleanup:
markrad 0:cdf462088d13 1266 mbedtls_free( sig_try );
markrad 0:cdf462088d13 1267 mbedtls_free( verif );
markrad 0:cdf462088d13 1268
markrad 0:cdf462088d13 1269 return( ret );
markrad 0:cdf462088d13 1270 }
markrad 0:cdf462088d13 1271 #endif /* MBEDTLS_PKCS1_V15 */
markrad 0:cdf462088d13 1272
markrad 0:cdf462088d13 1273 /*
markrad 0:cdf462088d13 1274 * Do an RSA operation to sign the message digest
markrad 0:cdf462088d13 1275 */
markrad 0:cdf462088d13 1276 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1277 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1278 void *p_rng,
markrad 0:cdf462088d13 1279 int mode,
markrad 0:cdf462088d13 1280 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 1281 unsigned int hashlen,
markrad 0:cdf462088d13 1282 const unsigned char *hash,
markrad 0:cdf462088d13 1283 unsigned char *sig )
markrad 0:cdf462088d13 1284 {
markrad 0:cdf462088d13 1285 switch( ctx->padding )
markrad 0:cdf462088d13 1286 {
markrad 0:cdf462088d13 1287 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 1288 case MBEDTLS_RSA_PKCS_V15:
markrad 0:cdf462088d13 1289 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
markrad 0:cdf462088d13 1290 hashlen, hash, sig );
markrad 0:cdf462088d13 1291 #endif
markrad 0:cdf462088d13 1292
markrad 0:cdf462088d13 1293 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 1294 case MBEDTLS_RSA_PKCS_V21:
markrad 0:cdf462088d13 1295 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
markrad 0:cdf462088d13 1296 hashlen, hash, sig );
markrad 0:cdf462088d13 1297 #endif
markrad 0:cdf462088d13 1298
markrad 0:cdf462088d13 1299 default:
markrad 0:cdf462088d13 1300 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1301 }
markrad 0:cdf462088d13 1302 }
markrad 0:cdf462088d13 1303
markrad 0:cdf462088d13 1304 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 1305 /*
markrad 0:cdf462088d13 1306 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
markrad 0:cdf462088d13 1307 */
markrad 0:cdf462088d13 1308 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1309 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1310 void *p_rng,
markrad 0:cdf462088d13 1311 int mode,
markrad 0:cdf462088d13 1312 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 1313 unsigned int hashlen,
markrad 0:cdf462088d13 1314 const unsigned char *hash,
markrad 0:cdf462088d13 1315 mbedtls_md_type_t mgf1_hash_id,
markrad 0:cdf462088d13 1316 int expected_salt_len,
markrad 0:cdf462088d13 1317 const unsigned char *sig )
markrad 0:cdf462088d13 1318 {
markrad 0:cdf462088d13 1319 int ret;
markrad 0:cdf462088d13 1320 size_t siglen;
markrad 0:cdf462088d13 1321 unsigned char *p;
markrad 0:cdf462088d13 1322 unsigned char result[MBEDTLS_MD_MAX_SIZE];
markrad 0:cdf462088d13 1323 unsigned char zeros[8];
markrad 0:cdf462088d13 1324 unsigned int hlen;
markrad 0:cdf462088d13 1325 size_t slen, msb;
markrad 0:cdf462088d13 1326 const mbedtls_md_info_t *md_info;
markrad 0:cdf462088d13 1327 mbedtls_md_context_t md_ctx;
markrad 0:cdf462088d13 1328 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
markrad 0:cdf462088d13 1329
markrad 0:cdf462088d13 1330 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
markrad 0:cdf462088d13 1331 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1332
markrad 0:cdf462088d13 1333 siglen = ctx->len;
markrad 0:cdf462088d13 1334
markrad 0:cdf462088d13 1335 if( siglen < 16 || siglen > sizeof( buf ) )
markrad 0:cdf462088d13 1336 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1337
markrad 0:cdf462088d13 1338 ret = ( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 1339 ? mbedtls_rsa_public( ctx, sig, buf )
markrad 0:cdf462088d13 1340 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
markrad 0:cdf462088d13 1341
markrad 0:cdf462088d13 1342 if( ret != 0 )
markrad 0:cdf462088d13 1343 return( ret );
markrad 0:cdf462088d13 1344
markrad 0:cdf462088d13 1345 p = buf;
markrad 0:cdf462088d13 1346
markrad 0:cdf462088d13 1347 if( buf[siglen - 1] != 0xBC )
markrad 0:cdf462088d13 1348 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1349
markrad 0:cdf462088d13 1350 if( md_alg != MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 1351 {
markrad 0:cdf462088d13 1352 /* Gather length of hash to sign */
markrad 0:cdf462088d13 1353 md_info = mbedtls_md_info_from_type( md_alg );
markrad 0:cdf462088d13 1354 if( md_info == NULL )
markrad 0:cdf462088d13 1355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1356
markrad 0:cdf462088d13 1357 hashlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 1358 }
markrad 0:cdf462088d13 1359
markrad 0:cdf462088d13 1360 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
markrad 0:cdf462088d13 1361 if( md_info == NULL )
markrad 0:cdf462088d13 1362 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1363
markrad 0:cdf462088d13 1364 hlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 1365 slen = siglen - hlen - 1; /* Currently length of salt + padding */
markrad 0:cdf462088d13 1366
markrad 0:cdf462088d13 1367 memset( zeros, 0, 8 );
markrad 0:cdf462088d13 1368
markrad 0:cdf462088d13 1369 /*
markrad 0:cdf462088d13 1370 * Note: EMSA-PSS verification is over the length of N - 1 bits
markrad 0:cdf462088d13 1371 */
markrad 0:cdf462088d13 1372 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
markrad 0:cdf462088d13 1373
markrad 0:cdf462088d13 1374 /* Compensate for boundary condition when applying mask */
markrad 0:cdf462088d13 1375 if( msb % 8 == 0 )
markrad 0:cdf462088d13 1376 {
markrad 0:cdf462088d13 1377 p++;
markrad 0:cdf462088d13 1378 siglen -= 1;
markrad 0:cdf462088d13 1379 }
markrad 0:cdf462088d13 1380 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
markrad 0:cdf462088d13 1381 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1382
markrad 0:cdf462088d13 1383 mbedtls_md_init( &md_ctx );
markrad 0:cdf462088d13 1384 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
markrad 0:cdf462088d13 1385 {
markrad 0:cdf462088d13 1386 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 1387 return( ret );
markrad 0:cdf462088d13 1388 }
markrad 0:cdf462088d13 1389
markrad 0:cdf462088d13 1390 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
markrad 0:cdf462088d13 1391
markrad 0:cdf462088d13 1392 buf[0] &= 0xFF >> ( siglen * 8 - msb );
markrad 0:cdf462088d13 1393
markrad 0:cdf462088d13 1394 while( p < buf + siglen && *p == 0 )
markrad 0:cdf462088d13 1395 p++;
markrad 0:cdf462088d13 1396
markrad 0:cdf462088d13 1397 if( p == buf + siglen ||
markrad 0:cdf462088d13 1398 *p++ != 0x01 )
markrad 0:cdf462088d13 1399 {
markrad 0:cdf462088d13 1400 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 1401 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1402 }
markrad 0:cdf462088d13 1403
markrad 0:cdf462088d13 1404 /* Actual salt len */
markrad 0:cdf462088d13 1405 slen -= p - buf;
markrad 0:cdf462088d13 1406
markrad 0:cdf462088d13 1407 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
markrad 0:cdf462088d13 1408 slen != (size_t) expected_salt_len )
markrad 0:cdf462088d13 1409 {
markrad 0:cdf462088d13 1410 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 1411 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1412 }
markrad 0:cdf462088d13 1413
markrad 0:cdf462088d13 1414 /*
markrad 0:cdf462088d13 1415 * Generate H = Hash( M' )
markrad 0:cdf462088d13 1416 */
markrad 0:cdf462088d13 1417 mbedtls_md_starts( &md_ctx );
markrad 0:cdf462088d13 1418 mbedtls_md_update( &md_ctx, zeros, 8 );
markrad 0:cdf462088d13 1419 mbedtls_md_update( &md_ctx, hash, hashlen );
markrad 0:cdf462088d13 1420 mbedtls_md_update( &md_ctx, p, slen );
markrad 0:cdf462088d13 1421 mbedtls_md_finish( &md_ctx, result );
markrad 0:cdf462088d13 1422
markrad 0:cdf462088d13 1423 mbedtls_md_free( &md_ctx );
markrad 0:cdf462088d13 1424
markrad 0:cdf462088d13 1425 if( memcmp( p + slen, result, hlen ) == 0 )
markrad 0:cdf462088d13 1426 return( 0 );
markrad 0:cdf462088d13 1427 else
markrad 0:cdf462088d13 1428 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1429 }
markrad 0:cdf462088d13 1430
markrad 0:cdf462088d13 1431 /*
markrad 0:cdf462088d13 1432 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
markrad 0:cdf462088d13 1433 */
markrad 0:cdf462088d13 1434 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1435 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1436 void *p_rng,
markrad 0:cdf462088d13 1437 int mode,
markrad 0:cdf462088d13 1438 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 1439 unsigned int hashlen,
markrad 0:cdf462088d13 1440 const unsigned char *hash,
markrad 0:cdf462088d13 1441 const unsigned char *sig )
markrad 0:cdf462088d13 1442 {
markrad 0:cdf462088d13 1443 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 1444 ? (mbedtls_md_type_t) ctx->hash_id
markrad 0:cdf462088d13 1445 : md_alg;
markrad 0:cdf462088d13 1446
markrad 0:cdf462088d13 1447 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
markrad 0:cdf462088d13 1448 md_alg, hashlen, hash,
markrad 0:cdf462088d13 1449 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
markrad 0:cdf462088d13 1450 sig ) );
markrad 0:cdf462088d13 1451
markrad 0:cdf462088d13 1452 }
markrad 0:cdf462088d13 1453 #endif /* MBEDTLS_PKCS1_V21 */
markrad 0:cdf462088d13 1454
markrad 0:cdf462088d13 1455 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 1456 /*
markrad 0:cdf462088d13 1457 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
markrad 0:cdf462088d13 1458 */
markrad 0:cdf462088d13 1459 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1460 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1461 void *p_rng,
markrad 0:cdf462088d13 1462 int mode,
markrad 0:cdf462088d13 1463 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 1464 unsigned int hashlen,
markrad 0:cdf462088d13 1465 const unsigned char *hash,
markrad 0:cdf462088d13 1466 const unsigned char *sig )
markrad 0:cdf462088d13 1467 {
markrad 0:cdf462088d13 1468 int ret;
markrad 0:cdf462088d13 1469 size_t len, siglen, asn1_len;
Jasper Wallace 2:bbdeda018a3c 1470 unsigned char *p, *p0, *end;
markrad 0:cdf462088d13 1471 mbedtls_md_type_t msg_md_alg;
markrad 0:cdf462088d13 1472 const mbedtls_md_info_t *md_info;
markrad 0:cdf462088d13 1473 mbedtls_asn1_buf oid;
markrad 0:cdf462088d13 1474 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
markrad 0:cdf462088d13 1475
markrad 0:cdf462088d13 1476 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
markrad 0:cdf462088d13 1477 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1478
markrad 0:cdf462088d13 1479 siglen = ctx->len;
markrad 0:cdf462088d13 1480
markrad 0:cdf462088d13 1481 if( siglen < 16 || siglen > sizeof( buf ) )
markrad 0:cdf462088d13 1482 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1483
markrad 0:cdf462088d13 1484 ret = ( mode == MBEDTLS_RSA_PUBLIC )
markrad 0:cdf462088d13 1485 ? mbedtls_rsa_public( ctx, sig, buf )
markrad 0:cdf462088d13 1486 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
markrad 0:cdf462088d13 1487
markrad 0:cdf462088d13 1488 if( ret != 0 )
markrad 0:cdf462088d13 1489 return( ret );
markrad 0:cdf462088d13 1490
markrad 0:cdf462088d13 1491 p = buf;
markrad 0:cdf462088d13 1492
markrad 0:cdf462088d13 1493 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )
markrad 0:cdf462088d13 1494 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1495
markrad 0:cdf462088d13 1496 while( *p != 0 )
markrad 0:cdf462088d13 1497 {
markrad 0:cdf462088d13 1498 if( p >= buf + siglen - 1 || *p != 0xFF )
markrad 0:cdf462088d13 1499 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1500 p++;
markrad 0:cdf462088d13 1501 }
Jasper Wallace 2:bbdeda018a3c 1502 p++; /* skip 00 byte */
Jasper Wallace 2:bbdeda018a3c 1503
Jasper Wallace 2:bbdeda018a3c 1504 /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
Jasper Wallace 2:bbdeda018a3c 1505 if( p - buf < 11 )
Jasper Wallace 2:bbdeda018a3c 1506 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1507
markrad 0:cdf462088d13 1508 len = siglen - ( p - buf );
markrad 0:cdf462088d13 1509
markrad 0:cdf462088d13 1510 if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 1511 {
markrad 0:cdf462088d13 1512 if( memcmp( p, hash, hashlen ) == 0 )
markrad 0:cdf462088d13 1513 return( 0 );
markrad 0:cdf462088d13 1514 else
markrad 0:cdf462088d13 1515 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1516 }
markrad 0:cdf462088d13 1517
markrad 0:cdf462088d13 1518 md_info = mbedtls_md_info_from_type( md_alg );
markrad 0:cdf462088d13 1519 if( md_info == NULL )
markrad 0:cdf462088d13 1520 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
markrad 0:cdf462088d13 1521 hashlen = mbedtls_md_get_size( md_info );
markrad 0:cdf462088d13 1522
markrad 0:cdf462088d13 1523 end = p + len;
markrad 0:cdf462088d13 1524
markrad 0:cdf462088d13 1525 /*
Jasper Wallace 2:bbdeda018a3c 1526 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.
Jasper Wallace 2:bbdeda018a3c 1527 * Insist on 2-byte length tags, to protect against variants of
Jasper Wallace 2:bbdeda018a3c 1528 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.
markrad 0:cdf462088d13 1529 */
Jasper Wallace 2:bbdeda018a3c 1530 p0 = p;
markrad 0:cdf462088d13 1531 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
markrad 0:cdf462088d13 1532 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
markrad 0:cdf462088d13 1533 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Jasper Wallace 2:bbdeda018a3c 1534 if( p != p0 + 2 || asn1_len + 2 != len )
markrad 0:cdf462088d13 1535 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1536
Jasper Wallace 2:bbdeda018a3c 1537 p0 = p;
markrad 0:cdf462088d13 1538 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
markrad 0:cdf462088d13 1539 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
markrad 0:cdf462088d13 1540 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Jasper Wallace 2:bbdeda018a3c 1541 if( p != p0 + 2 || asn1_len + 6 + hashlen != len )
markrad 0:cdf462088d13 1542 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1543
Jasper Wallace 2:bbdeda018a3c 1544 p0 = p;
markrad 0:cdf462088d13 1545 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
markrad 0:cdf462088d13 1546 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Jasper Wallace 2:bbdeda018a3c 1547 if( p != p0 + 2 )
Jasper Wallace 2:bbdeda018a3c 1548 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1549
markrad 0:cdf462088d13 1550 oid.p = p;
markrad 0:cdf462088d13 1551 p += oid.len;
markrad 0:cdf462088d13 1552
markrad 0:cdf462088d13 1553 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
markrad 0:cdf462088d13 1554 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1555
markrad 0:cdf462088d13 1556 if( md_alg != msg_md_alg )
markrad 0:cdf462088d13 1557 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1558
markrad 0:cdf462088d13 1559 /*
markrad 0:cdf462088d13 1560 * assume the algorithm parameters must be NULL
markrad 0:cdf462088d13 1561 */
Jasper Wallace 2:bbdeda018a3c 1562 p0 = p;
markrad 0:cdf462088d13 1563 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
markrad 0:cdf462088d13 1564 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Jasper Wallace 2:bbdeda018a3c 1565 if( p != p0 + 2 )
Jasper Wallace 2:bbdeda018a3c 1566 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1567
Jasper Wallace 2:bbdeda018a3c 1568 p0 = p;
markrad 0:cdf462088d13 1569 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
markrad 0:cdf462088d13 1570 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Jasper Wallace 2:bbdeda018a3c 1571 if( p != p0 + 2 || asn1_len != hashlen )
markrad 0:cdf462088d13 1572 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1573
markrad 0:cdf462088d13 1574 if( memcmp( p, hash, hashlen ) != 0 )
markrad 0:cdf462088d13 1575 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1576
markrad 0:cdf462088d13 1577 p += hashlen;
markrad 0:cdf462088d13 1578
markrad 0:cdf462088d13 1579 if( p != end )
markrad 0:cdf462088d13 1580 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
markrad 0:cdf462088d13 1581
markrad 0:cdf462088d13 1582 return( 0 );
markrad 0:cdf462088d13 1583 }
markrad 0:cdf462088d13 1584 #endif /* MBEDTLS_PKCS1_V15 */
markrad 0:cdf462088d13 1585
markrad 0:cdf462088d13 1586 /*
markrad 0:cdf462088d13 1587 * Do an RSA operation and check the message digest
markrad 0:cdf462088d13 1588 */
markrad 0:cdf462088d13 1589 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
markrad 0:cdf462088d13 1590 int (*f_rng)(void *, unsigned char *, size_t),
markrad 0:cdf462088d13 1591 void *p_rng,
markrad 0:cdf462088d13 1592 int mode,
markrad 0:cdf462088d13 1593 mbedtls_md_type_t md_alg,
markrad 0:cdf462088d13 1594 unsigned int hashlen,
markrad 0:cdf462088d13 1595 const unsigned char *hash,
markrad 0:cdf462088d13 1596 const unsigned char *sig )
markrad 0:cdf462088d13 1597 {
markrad 0:cdf462088d13 1598 switch( ctx->padding )
markrad 0:cdf462088d13 1599 {
markrad 0:cdf462088d13 1600 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 1601 case MBEDTLS_RSA_PKCS_V15:
markrad 0:cdf462088d13 1602 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
markrad 0:cdf462088d13 1603 hashlen, hash, sig );
markrad 0:cdf462088d13 1604 #endif
markrad 0:cdf462088d13 1605
markrad 0:cdf462088d13 1606 #if defined(MBEDTLS_PKCS1_V21)
markrad 0:cdf462088d13 1607 case MBEDTLS_RSA_PKCS_V21:
markrad 0:cdf462088d13 1608 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
markrad 0:cdf462088d13 1609 hashlen, hash, sig );
markrad 0:cdf462088d13 1610 #endif
markrad 0:cdf462088d13 1611
markrad 0:cdf462088d13 1612 default:
markrad 0:cdf462088d13 1613 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
markrad 0:cdf462088d13 1614 }
markrad 0:cdf462088d13 1615 }
markrad 0:cdf462088d13 1616
markrad 0:cdf462088d13 1617 /*
markrad 0:cdf462088d13 1618 * Copy the components of an RSA key
markrad 0:cdf462088d13 1619 */
markrad 0:cdf462088d13 1620 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
markrad 0:cdf462088d13 1621 {
markrad 0:cdf462088d13 1622 int ret;
markrad 0:cdf462088d13 1623
markrad 0:cdf462088d13 1624 dst->ver = src->ver;
markrad 0:cdf462088d13 1625 dst->len = src->len;
markrad 0:cdf462088d13 1626
markrad 0:cdf462088d13 1627 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
markrad 0:cdf462088d13 1628 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
markrad 0:cdf462088d13 1629
markrad 0:cdf462088d13 1630 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
markrad 0:cdf462088d13 1631 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
markrad 0:cdf462088d13 1632 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
markrad 0:cdf462088d13 1633 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
markrad 0:cdf462088d13 1634 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
markrad 0:cdf462088d13 1635 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
markrad 0:cdf462088d13 1636
markrad 0:cdf462088d13 1637 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
markrad 0:cdf462088d13 1638 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
markrad 0:cdf462088d13 1639 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
markrad 0:cdf462088d13 1640
markrad 0:cdf462088d13 1641 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
markrad 0:cdf462088d13 1642 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
markrad 0:cdf462088d13 1643
markrad 0:cdf462088d13 1644 dst->padding = src->padding;
markrad 0:cdf462088d13 1645 dst->hash_id = src->hash_id;
markrad 0:cdf462088d13 1646
markrad 0:cdf462088d13 1647 cleanup:
markrad 0:cdf462088d13 1648 if( ret != 0 )
markrad 0:cdf462088d13 1649 mbedtls_rsa_free( dst );
markrad 0:cdf462088d13 1650
markrad 0:cdf462088d13 1651 return( ret );
markrad 0:cdf462088d13 1652 }
markrad 0:cdf462088d13 1653
markrad 0:cdf462088d13 1654 /*
markrad 0:cdf462088d13 1655 * Free the components of an RSA key
markrad 0:cdf462088d13 1656 */
markrad 0:cdf462088d13 1657 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
markrad 0:cdf462088d13 1658 {
markrad 0:cdf462088d13 1659 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
markrad 0:cdf462088d13 1660 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
markrad 0:cdf462088d13 1661 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
markrad 0:cdf462088d13 1662 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
markrad 0:cdf462088d13 1663 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
markrad 0:cdf462088d13 1664
markrad 0:cdf462088d13 1665 #if defined(MBEDTLS_THREADING_C)
markrad 0:cdf462088d13 1666 mbedtls_mutex_free( &ctx->mutex );
markrad 0:cdf462088d13 1667 #endif
markrad 0:cdf462088d13 1668 }
markrad 0:cdf462088d13 1669
markrad 0:cdf462088d13 1670 #if defined(MBEDTLS_SELF_TEST)
markrad 0:cdf462088d13 1671
markrad 0:cdf462088d13 1672 #include "mbedtls/sha1.h"
markrad 0:cdf462088d13 1673
markrad 0:cdf462088d13 1674 /*
markrad 0:cdf462088d13 1675 * Example RSA-1024 keypair, for test purposes
markrad 0:cdf462088d13 1676 */
markrad 0:cdf462088d13 1677 #define KEY_LEN 128
markrad 0:cdf462088d13 1678
markrad 0:cdf462088d13 1679 #define RSA_N "9292758453063D803DD603D5E777D788" \
markrad 0:cdf462088d13 1680 "8ED1D5BF35786190FA2F23EBC0848AEA" \
markrad 0:cdf462088d13 1681 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
markrad 0:cdf462088d13 1682 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
markrad 0:cdf462088d13 1683 "93A89813FBF3C4F8066D2D800F7C38A8" \
markrad 0:cdf462088d13 1684 "1AE31942917403FF4946B0A83D3D3E05" \
markrad 0:cdf462088d13 1685 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
markrad 0:cdf462088d13 1686 "5E94BB77B07507233A0BC7BAC8F90F79"
markrad 0:cdf462088d13 1687
markrad 0:cdf462088d13 1688 #define RSA_E "10001"
markrad 0:cdf462088d13 1689
markrad 0:cdf462088d13 1690 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
markrad 0:cdf462088d13 1691 "66CA472BC44D253102F8B4A9D3BFA750" \
markrad 0:cdf462088d13 1692 "91386C0077937FE33FA3252D28855837" \
markrad 0:cdf462088d13 1693 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
markrad 0:cdf462088d13 1694 "DF79C5CE07EE72C7F123142198164234" \
markrad 0:cdf462088d13 1695 "CABB724CF78B8173B9F880FC86322407" \
markrad 0:cdf462088d13 1696 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
markrad 0:cdf462088d13 1697 "071513A1E85B5DFA031F21ECAE91A34D"
markrad 0:cdf462088d13 1698
markrad 0:cdf462088d13 1699 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
markrad 0:cdf462088d13 1700 "2C01CAD19EA484A87EA4377637E75500" \
markrad 0:cdf462088d13 1701 "FCB2005C5C7DD6EC4AC023CDA285D796" \
markrad 0:cdf462088d13 1702 "C3D9E75E1EFC42488BB4F1D13AC30A57"
markrad 0:cdf462088d13 1703
markrad 0:cdf462088d13 1704 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
markrad 0:cdf462088d13 1705 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
markrad 0:cdf462088d13 1706 "910E4168387E3C30AA1E00C339A79508" \
markrad 0:cdf462088d13 1707 "8452DD96A9A5EA5D9DCA68DA636032AF"
markrad 0:cdf462088d13 1708
markrad 0:cdf462088d13 1709 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
markrad 0:cdf462088d13 1710 "3C94D22288ACD763FD8E5600ED4A702D" \
markrad 0:cdf462088d13 1711 "F84198A5F06C2E72236AE490C93F07F8" \
markrad 0:cdf462088d13 1712 "3CC559CD27BC2D1CA488811730BB5725"
markrad 0:cdf462088d13 1713
markrad 0:cdf462088d13 1714 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
markrad 0:cdf462088d13 1715 "D8AAEA56749EA28623272E4F7D0592AF" \
markrad 0:cdf462088d13 1716 "7C1F1313CAC9471B5C523BFE592F517B" \
markrad 0:cdf462088d13 1717 "407A1BD76C164B93DA2D32A383E58357"
markrad 0:cdf462088d13 1718
markrad 0:cdf462088d13 1719 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
markrad 0:cdf462088d13 1720 "F38D18D2B2F0E2DD275AA977E2BF4411" \
markrad 0:cdf462088d13 1721 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
markrad 0:cdf462088d13 1722 "A74206CEC169D74BF5A8C50D6F48EA08"
markrad 0:cdf462088d13 1723
markrad 0:cdf462088d13 1724 #define PT_LEN 24
markrad 0:cdf462088d13 1725 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
markrad 0:cdf462088d13 1726 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
markrad 0:cdf462088d13 1727
markrad 0:cdf462088d13 1728 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 1729 static int myrand( void *rng_state, unsigned char *output, size_t len )
markrad 0:cdf462088d13 1730 {
markrad 0:cdf462088d13 1731 #if !defined(__OpenBSD__)
markrad 0:cdf462088d13 1732 size_t i;
markrad 0:cdf462088d13 1733
markrad 0:cdf462088d13 1734 if( rng_state != NULL )
markrad 0:cdf462088d13 1735 rng_state = NULL;
markrad 0:cdf462088d13 1736
markrad 0:cdf462088d13 1737 for( i = 0; i < len; ++i )
markrad 0:cdf462088d13 1738 output[i] = rand();
markrad 0:cdf462088d13 1739 #else
markrad 0:cdf462088d13 1740 if( rng_state != NULL )
markrad 0:cdf462088d13 1741 rng_state = NULL;
markrad 0:cdf462088d13 1742
markrad 0:cdf462088d13 1743 arc4random_buf( output, len );
markrad 0:cdf462088d13 1744 #endif /* !OpenBSD */
markrad 0:cdf462088d13 1745
markrad 0:cdf462088d13 1746 return( 0 );
markrad 0:cdf462088d13 1747 }
markrad 0:cdf462088d13 1748 #endif /* MBEDTLS_PKCS1_V15 */
markrad 0:cdf462088d13 1749
markrad 0:cdf462088d13 1750 /*
markrad 0:cdf462088d13 1751 * Checkup routine
markrad 0:cdf462088d13 1752 */
markrad 0:cdf462088d13 1753 int mbedtls_rsa_self_test( int verbose )
markrad 0:cdf462088d13 1754 {
markrad 0:cdf462088d13 1755 int ret = 0;
markrad 0:cdf462088d13 1756 #if defined(MBEDTLS_PKCS1_V15)
markrad 0:cdf462088d13 1757 size_t len;
markrad 0:cdf462088d13 1758 mbedtls_rsa_context rsa;
markrad 0:cdf462088d13 1759 unsigned char rsa_plaintext[PT_LEN];
markrad 0:cdf462088d13 1760 unsigned char rsa_decrypted[PT_LEN];
markrad 0:cdf462088d13 1761 unsigned char rsa_ciphertext[KEY_LEN];
markrad 0:cdf462088d13 1762 #if defined(MBEDTLS_SHA1_C)
markrad 0:cdf462088d13 1763 unsigned char sha1sum[20];
markrad 0:cdf462088d13 1764 #endif
markrad 0:cdf462088d13 1765
markrad 0:cdf462088d13 1766 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
markrad 0:cdf462088d13 1767
markrad 0:cdf462088d13 1768 rsa.len = KEY_LEN;
markrad 0:cdf462088d13 1769 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
markrad 0:cdf462088d13 1770 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
markrad 0:cdf462088d13 1771 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
markrad 0:cdf462088d13 1772 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
markrad 0:cdf462088d13 1773 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
markrad 0:cdf462088d13 1774 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
markrad 0:cdf462088d13 1775 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
markrad 0:cdf462088d13 1776 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
markrad 0:cdf462088d13 1777
markrad 0:cdf462088d13 1778 if( verbose != 0 )
markrad 0:cdf462088d13 1779 mbedtls_printf( " RSA key validation: " );
markrad 0:cdf462088d13 1780
markrad 0:cdf462088d13 1781 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
markrad 0:cdf462088d13 1782 mbedtls_rsa_check_privkey( &rsa ) != 0 )
markrad 0:cdf462088d13 1783 {
markrad 0:cdf462088d13 1784 if( verbose != 0 )
markrad 0:cdf462088d13 1785 mbedtls_printf( "failed\n" );
markrad 0:cdf462088d13 1786
markrad 0:cdf462088d13 1787 return( 1 );
markrad 0:cdf462088d13 1788 }
markrad 0:cdf462088d13 1789
markrad 0:cdf462088d13 1790 if( verbose != 0 )
markrad 0:cdf462088d13 1791 mbedtls_printf( "passed\n PKCS#1 encryption : " );
markrad 0:cdf462088d13 1792
markrad 0:cdf462088d13 1793 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
markrad 0:cdf462088d13 1794
markrad 0:cdf462088d13 1795 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
markrad 0:cdf462088d13 1796 rsa_plaintext, rsa_ciphertext ) != 0 )
markrad 0:cdf462088d13 1797 {
markrad 0:cdf462088d13 1798 if( verbose != 0 )
markrad 0:cdf462088d13 1799 mbedtls_printf( "failed\n" );
markrad 0:cdf462088d13 1800
markrad 0:cdf462088d13 1801 return( 1 );
markrad 0:cdf462088d13 1802 }
markrad 0:cdf462088d13 1803
markrad 0:cdf462088d13 1804 if( verbose != 0 )
markrad 0:cdf462088d13 1805 mbedtls_printf( "passed\n PKCS#1 decryption : " );
markrad 0:cdf462088d13 1806
markrad 0:cdf462088d13 1807 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
markrad 0:cdf462088d13 1808 rsa_ciphertext, rsa_decrypted,
markrad 0:cdf462088d13 1809 sizeof(rsa_decrypted) ) != 0 )
markrad 0:cdf462088d13 1810 {
markrad 0:cdf462088d13 1811 if( verbose != 0 )
markrad 0:cdf462088d13 1812 mbedtls_printf( "failed\n" );
markrad 0:cdf462088d13 1813
markrad 0:cdf462088d13 1814 return( 1 );
markrad 0:cdf462088d13 1815 }
markrad 0:cdf462088d13 1816
markrad 0:cdf462088d13 1817 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
markrad 0:cdf462088d13 1818 {
markrad 0:cdf462088d13 1819 if( verbose != 0 )
markrad 0:cdf462088d13 1820 mbedtls_printf( "failed\n" );
markrad 0:cdf462088d13 1821
markrad 0:cdf462088d13 1822 return( 1 );
markrad 0:cdf462088d13 1823 }
markrad 0:cdf462088d13 1824
markrad 0:cdf462088d13 1825 if( verbose != 0 )
markrad 0:cdf462088d13 1826 mbedtls_printf( "passed\n" );
markrad 0:cdf462088d13 1827
markrad 0:cdf462088d13 1828 #if defined(MBEDTLS_SHA1_C)
markrad 0:cdf462088d13 1829 if( verbose != 0 )
markrad 0:cdf462088d13 1830 mbedtls_printf( " PKCS#1 data sign : " );
markrad 0:cdf462088d13 1831
markrad 0:cdf462088d13 1832 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
markrad 0:cdf462088d13 1833
markrad 0:cdf462088d13 1834 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
markrad 0:cdf462088d13 1835 sha1sum, rsa_ciphertext ) != 0 )
markrad 0:cdf462088d13 1836 {
markrad 0:cdf462088d13 1837 if( verbose != 0 )
markrad 0:cdf462088d13 1838 mbedtls_printf( "failed\n" );
markrad 0:cdf462088d13 1839
markrad 0:cdf462088d13 1840 return( 1 );
markrad 0:cdf462088d13 1841 }
markrad 0:cdf462088d13 1842
markrad 0:cdf462088d13 1843 if( verbose != 0 )
markrad 0:cdf462088d13 1844 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
markrad 0:cdf462088d13 1845
markrad 0:cdf462088d13 1846 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
markrad 0:cdf462088d13 1847 sha1sum, rsa_ciphertext ) != 0 )
markrad 0:cdf462088d13 1848 {
markrad 0:cdf462088d13 1849 if( verbose != 0 )
markrad 0:cdf462088d13 1850 mbedtls_printf( "failed\n" );
markrad 0:cdf462088d13 1851
markrad 0:cdf462088d13 1852 return( 1 );
markrad 0:cdf462088d13 1853 }
markrad 0:cdf462088d13 1854
markrad 0:cdf462088d13 1855 if( verbose != 0 )
markrad 0:cdf462088d13 1856 mbedtls_printf( "passed\n" );
markrad 0:cdf462088d13 1857 #endif /* MBEDTLS_SHA1_C */
markrad 0:cdf462088d13 1858
markrad 0:cdf462088d13 1859 if( verbose != 0 )
markrad 0:cdf462088d13 1860 mbedtls_printf( "\n" );
markrad 0:cdf462088d13 1861
markrad 0:cdf462088d13 1862 cleanup:
markrad 0:cdf462088d13 1863 mbedtls_rsa_free( &rsa );
markrad 0:cdf462088d13 1864 #else /* MBEDTLS_PKCS1_V15 */
markrad 0:cdf462088d13 1865 ((void) verbose);
markrad 0:cdf462088d13 1866 #endif /* MBEDTLS_PKCS1_V15 */
markrad 0:cdf462088d13 1867 return( ret );
markrad 0:cdf462088d13 1868 }
markrad 0:cdf462088d13 1869
markrad 0:cdf462088d13 1870 #endif /* MBEDTLS_SELF_TEST */
markrad 0:cdf462088d13 1871
markrad 0:cdf462088d13 1872 #endif /* MBEDTLS_RSA_C */