Arcola
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Mark Radbourne
Embed:
(wiki syntax)
Show/hide line numbers
rsa.c
00001 /* 00002 * The RSA public-key cryptosystem 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The following sources were referenced in the design of this implementation 00023 * of the RSA algorithm: 00024 * 00025 * [1] A method for obtaining digital signatures and public-key cryptosystems 00026 * R Rivest, A Shamir, and L Adleman 00027 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 00028 * 00029 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 00030 * Menezes, van Oorschot and Vanstone 00031 * 00032 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks 00033 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and 00034 * Stefan Mangard 00035 * https://arxiv.org/abs/1702.08719v2 00036 * 00037 */ 00038 00039 #if !defined(MBEDTLS_CONFIG_FILE) 00040 #include "mbedtls/config.h" 00041 #else 00042 #include MBEDTLS_CONFIG_FILE 00043 #endif 00044 00045 #if defined(MBEDTLS_RSA_C) 00046 00047 #include "mbedtls/rsa.h" 00048 #include "mbedtls/oid.h" 00049 00050 #include <string.h> 00051 00052 #if defined(MBEDTLS_PKCS1_V21) 00053 #include "mbedtls/md.h" 00054 #endif 00055 00056 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) 00057 #include <stdlib.h> 00058 #endif 00059 00060 #if defined(MBEDTLS_PLATFORM_C) 00061 #include "mbedtls/platform.h" 00062 #else 00063 #include <stdio.h> 00064 #define mbedtls_printf printf 00065 #define mbedtls_calloc calloc 00066 #define mbedtls_free free 00067 #endif 00068 00069 /* Implementation that should never be optimized out by the compiler */ 00070 static void mbedtls_zeroize( void *v, size_t n ) { 00071 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 00072 } 00073 00074 /* 00075 * Initialize an RSA context 00076 */ 00077 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 00078 int padding, 00079 int hash_id ) 00080 { 00081 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 00082 00083 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 00084 00085 #if defined(MBEDTLS_THREADING_C) 00086 mbedtls_mutex_init( &ctx->mutex ); 00087 #endif 00088 } 00089 00090 /* 00091 * Set padding for an existing RSA context 00092 */ 00093 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id ) 00094 { 00095 ctx->padding = padding; 00096 ctx->hash_id = hash_id; 00097 } 00098 00099 #if defined(MBEDTLS_GENPRIME) 00100 00101 /* 00102 * Generate an RSA keypair 00103 */ 00104 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 00105 int (*f_rng)(void *, unsigned char *, size_t), 00106 void *p_rng, 00107 unsigned int nbits, int exponent ) 00108 { 00109 int ret; 00110 mbedtls_mpi P1, Q1, H, G; 00111 00112 if( f_rng == NULL || nbits < 128 || exponent < 3 ) 00113 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00114 00115 if( nbits % 2 ) 00116 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00117 00118 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00119 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G ); 00120 00121 /* 00122 * find primes P and Q with Q < P so that: 00123 * GCD( E, (P-1)*(Q-1) ) == 1 00124 */ 00125 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E , exponent ) ); 00126 00127 do 00128 { 00129 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P , nbits >> 1, 0, 00130 f_rng, p_rng ) ); 00131 00132 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , nbits >> 1, 0, 00133 f_rng, p_rng ) ); 00134 00135 if( mbedtls_mpi_cmp_mpi( &ctx->P , &ctx->Q ) == 0 ) 00136 continue; 00137 00138 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q ) ); 00139 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits ) 00140 continue; 00141 00142 if( mbedtls_mpi_cmp_mpi( &ctx->P , &ctx->Q ) < 0 ) 00143 mbedtls_mpi_swap( &ctx->P , &ctx->Q ); 00144 00145 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00146 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00147 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00148 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00149 } 00150 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ); 00151 00152 /* 00153 * D = E^-1 mod ((P-1)*(Q-1)) 00154 * DP = D mod (P - 1) 00155 * DQ = D mod (Q - 1) 00156 * QP = Q^-1 mod P 00157 */ 00158 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E , &H ) ); 00159 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP , &ctx->D , &P1 ) ); 00160 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ , &ctx->D , &Q1 ) ); 00161 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP , &ctx->Q , &ctx->P ) ); 00162 00163 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3; 00164 00165 cleanup: 00166 00167 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); 00168 00169 if( ret != 0 ) 00170 { 00171 mbedtls_rsa_free( ctx ); 00172 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret ); 00173 } 00174 00175 return( 0 ); 00176 } 00177 00178 #endif /* MBEDTLS_GENPRIME */ 00179 00180 /* 00181 * Check a public RSA key 00182 */ 00183 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 00184 { 00185 if( !ctx->N .p || !ctx->E .p ) 00186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00187 00188 if( ( ctx->N .p [0] & 1 ) == 0 || 00189 ( ctx->E .p [0] & 1 ) == 0 ) 00190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00191 00192 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 || 00193 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS ) 00194 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00195 00196 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 || 00197 mbedtls_mpi_cmp_mpi( &ctx->E , &ctx->N ) >= 0 ) 00198 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00199 00200 return( 0 ); 00201 } 00202 00203 /* 00204 * Check a private RSA key 00205 */ 00206 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 00207 { 00208 int ret; 00209 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP; 00210 00211 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 ) 00212 return( ret ); 00213 00214 if( !ctx->P .p || !ctx->Q .p || !ctx->D .p ) 00215 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00216 00217 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00218 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 ); 00219 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ ); 00220 mbedtls_mpi_init( &QP ); 00221 00222 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P , &ctx->Q ) ); 00223 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D , &ctx->E ) ); 00224 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00225 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00226 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00227 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00228 00229 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) ); 00230 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) ); 00231 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) ); 00232 00233 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D , &P1 ) ); 00234 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D , &Q1 ) ); 00235 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q , &ctx->P ) ); 00236 /* 00237 * Check for a valid PKCS1v2 private key 00238 */ 00239 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 || 00240 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 || 00241 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 || 00242 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 || 00243 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 || 00244 mbedtls_mpi_cmp_int( &I, 1 ) != 0 || 00245 mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 00246 { 00247 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 00248 } 00249 00250 cleanup: 00251 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); 00252 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 ); 00253 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ ); 00254 mbedtls_mpi_free( &QP ); 00255 00256 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ) 00257 return( ret ); 00258 00259 if( ret != 0 ) 00260 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret ); 00261 00262 return( 0 ); 00263 } 00264 00265 /* 00266 * Check if contexts holding a public and private key match 00267 */ 00268 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ) 00269 { 00270 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 00271 mbedtls_rsa_check_privkey( prv ) != 0 ) 00272 { 00273 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00274 } 00275 00276 if( mbedtls_mpi_cmp_mpi( &pub->N , &prv->N ) != 0 || 00277 mbedtls_mpi_cmp_mpi( &pub->E , &prv->E ) != 0 ) 00278 { 00279 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00280 } 00281 00282 return( 0 ); 00283 } 00284 00285 /* 00286 * Do an RSA public key operation 00287 */ 00288 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 00289 const unsigned char *input, 00290 unsigned char *output ) 00291 { 00292 int ret; 00293 size_t olen; 00294 mbedtls_mpi T; 00295 00296 mbedtls_mpi_init( &T ); 00297 00298 #if defined(MBEDTLS_THREADING_C) 00299 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00300 return( ret ); 00301 #endif 00302 00303 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00304 00305 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00306 { 00307 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00308 goto cleanup; 00309 } 00310 00311 olen = ctx->len ; 00312 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN ) ); 00313 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00314 00315 cleanup: 00316 #if defined(MBEDTLS_THREADING_C) 00317 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00318 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00319 #endif 00320 00321 mbedtls_mpi_free( &T ); 00322 00323 if( ret != 0 ) 00324 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret ); 00325 00326 return( 0 ); 00327 } 00328 00329 /* 00330 * Generate or update blinding values, see section 10 of: 00331 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 00332 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 00333 * Berlin Heidelberg, 1996. p. 104-113. 00334 */ 00335 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 00336 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00337 { 00338 int ret, count = 0; 00339 00340 if( ctx->Vf .p != NULL ) 00341 { 00342 /* We already have blinding values, just update them by squaring */ 00343 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi ) ); 00344 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N ) ); 00345 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf ) ); 00346 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N ) ); 00347 00348 goto cleanup; 00349 } 00350 00351 /* Unblinding value: Vf = random number, invertible mod N */ 00352 do { 00353 if( count++ > 10 ) 00354 return( MBEDTLS_ERR_RSA_RNG_FAILED ); 00355 00356 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf , ctx->len - 1, f_rng, p_rng ) ); 00357 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00358 } while( mbedtls_mpi_cmp_int( &ctx->Vi , 1 ) != 0 ); 00359 00360 /* Blinding value: Vi = Vf^(-e) mod N */ 00361 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00362 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN ) ); 00363 00364 00365 cleanup: 00366 return( ret ); 00367 } 00368 00369 /* 00370 * Exponent blinding supposed to prevent side-channel attacks using multiple 00371 * traces of measurements to recover the RSA key. The more collisions are there, 00372 * the more bits of the key can be recovered. See [3]. 00373 * 00374 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) 00375 * observations on avarage. 00376 * 00377 * For example with 28 byte blinding to achieve 2 collisions the adversary has 00378 * to make 2^112 observations on avarage. 00379 * 00380 * (With the currently (as of 2017 April) known best algorithms breaking 2048 00381 * bit RSA requires approximately as much time as trying out 2^112 random keys. 00382 * Thus in this sense with 28 byte blinding the security is not reduced by 00383 * side-channel attacks like the one in [3]) 00384 * 00385 * This countermeasure does not help if the key recovery is possible with a 00386 * single trace. 00387 */ 00388 #define RSA_EXPONENT_BLINDING 28 00389 00390 /* 00391 * Do an RSA private key operation 00392 */ 00393 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 00394 int (*f_rng)(void *, unsigned char *, size_t), 00395 void *p_rng, 00396 const unsigned char *input, 00397 unsigned char *output ) 00398 { 00399 int ret; 00400 size_t olen; 00401 mbedtls_mpi T, T1, T2; 00402 mbedtls_mpi P1, Q1, R; 00403 #if defined(MBEDTLS_RSA_NO_CRT) 00404 mbedtls_mpi D_blind; 00405 mbedtls_mpi *D = &ctx->D ; 00406 #else 00407 mbedtls_mpi DP_blind, DQ_blind; 00408 mbedtls_mpi *DP = &ctx->DP ; 00409 mbedtls_mpi *DQ = &ctx->DQ ; 00410 #endif 00411 00412 /* Make sure we have private key info, prevent possible misuse */ 00413 if( ctx->P .p == NULL || ctx->Q .p == NULL || ctx->D .p == NULL ) 00414 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00415 00416 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); 00417 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R ); 00418 00419 00420 if( f_rng != NULL ) 00421 { 00422 #if defined(MBEDTLS_RSA_NO_CRT) 00423 mbedtls_mpi_init( &D_blind ); 00424 #else 00425 mbedtls_mpi_init( &DP_blind ); 00426 mbedtls_mpi_init( &DQ_blind ); 00427 #endif 00428 } 00429 00430 00431 #if defined(MBEDTLS_THREADING_C) 00432 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00433 return( ret ); 00434 #endif 00435 00436 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00437 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00438 { 00439 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00440 goto cleanup; 00441 } 00442 00443 if( f_rng != NULL ) 00444 { 00445 /* 00446 * Blinding 00447 * T = T * Vi mod N 00448 */ 00449 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 00450 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 00451 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00452 00453 /* 00454 * Exponent blinding 00455 */ 00456 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00457 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00458 00459 #if defined(MBEDTLS_RSA_NO_CRT) 00460 /* 00461 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D 00462 */ 00463 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 00464 f_rng, p_rng ) ); 00465 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) ); 00466 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) ); 00467 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); 00468 00469 D = &D_blind; 00470 #else 00471 /* 00472 * DP_blind = ( P - 1 ) * R + DP 00473 */ 00474 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 00475 f_rng, p_rng ) ); 00476 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) ); 00477 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind, 00478 &ctx->DP ) ); 00479 00480 DP = &DP_blind; 00481 00482 /* 00483 * DQ_blind = ( Q - 1 ) * R + DQ 00484 */ 00485 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 00486 f_rng, p_rng ) ); 00487 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) ); 00488 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind, 00489 &ctx->DQ ) ); 00490 00491 DQ = &DQ_blind; 00492 #endif /* MBEDTLS_RSA_NO_CRT */ 00493 } 00494 00495 #if defined(MBEDTLS_RSA_NO_CRT) 00496 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N , &ctx->RN ) ); 00497 #else 00498 /* 00499 * Faster decryption using the CRT 00500 * 00501 * T1 = input ^ dP mod P 00502 * T2 = input ^ dQ mod Q 00503 */ 00504 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P , &ctx->RP ) ); 00505 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q , &ctx->RQ ) ); 00506 00507 /* 00508 * T = (T1 - T2) * (Q^-1 mod P) mod P 00509 */ 00510 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) ); 00511 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) ); 00512 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) ); 00513 00514 /* 00515 * T = T2 + T * Q 00516 */ 00517 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) ); 00518 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) ); 00519 #endif /* MBEDTLS_RSA_NO_CRT */ 00520 00521 if( f_rng != NULL ) 00522 { 00523 /* 00524 * Unblind 00525 * T = T * Vf mod N 00526 */ 00527 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 00528 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00529 } 00530 00531 olen = ctx->len ; 00532 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00533 00534 cleanup: 00535 #if defined(MBEDTLS_THREADING_C) 00536 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00537 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00538 #endif 00539 00540 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); 00541 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R ); 00542 00543 if( f_rng != NULL ) 00544 { 00545 #if defined(MBEDTLS_RSA_NO_CRT) 00546 mbedtls_mpi_free( &D_blind ); 00547 #else 00548 mbedtls_mpi_free( &DP_blind ); 00549 mbedtls_mpi_free( &DQ_blind ); 00550 #endif 00551 } 00552 00553 if( ret != 0 ) 00554 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); 00555 00556 return( 0 ); 00557 } 00558 00559 #if defined(MBEDTLS_PKCS1_V21) 00560 /** 00561 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 00562 * 00563 * \param dst buffer to mask 00564 * \param dlen length of destination buffer 00565 * \param src source of the mask generation 00566 * \param slen length of the source buffer 00567 * \param md_ctx message digest context to use 00568 */ 00569 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 00570 size_t slen, mbedtls_md_context_t *md_ctx ) 00571 { 00572 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 00573 unsigned char counter[4]; 00574 unsigned char *p; 00575 unsigned int hlen; 00576 size_t i, use_len; 00577 00578 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 00579 memset( counter, 0, 4 ); 00580 00581 hlen = mbedtls_md_get_size( md_ctx->md_info ); 00582 00583 /* Generate and apply dbMask */ 00584 p = dst; 00585 00586 while( dlen > 0 ) 00587 { 00588 use_len = hlen; 00589 if( dlen < hlen ) 00590 use_len = dlen; 00591 00592 mbedtls_md_starts( md_ctx ); 00593 mbedtls_md_update( md_ctx, src, slen ); 00594 mbedtls_md_update( md_ctx, counter, 4 ); 00595 mbedtls_md_finish( md_ctx, mask ); 00596 00597 for( i = 0; i < use_len; ++i ) 00598 *p++ ^= mask[i]; 00599 00600 counter[3]++; 00601 00602 dlen -= use_len; 00603 } 00604 00605 mbedtls_zeroize( mask, sizeof( mask ) ); 00606 } 00607 #endif /* MBEDTLS_PKCS1_V21 */ 00608 00609 #if defined(MBEDTLS_PKCS1_V21) 00610 /* 00611 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 00612 */ 00613 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 00614 int (*f_rng)(void *, unsigned char *, size_t), 00615 void *p_rng, 00616 int mode, 00617 const unsigned char *label, size_t label_len, 00618 size_t ilen, 00619 const unsigned char *input, 00620 unsigned char *output ) 00621 { 00622 size_t olen; 00623 int ret; 00624 unsigned char *p = output; 00625 unsigned int hlen; 00626 const mbedtls_md_info_t *md_info; 00627 mbedtls_md_context_t md_ctx; 00628 00629 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00630 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00631 00632 if( f_rng == NULL ) 00633 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00634 00635 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00636 if( md_info == NULL ) 00637 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00638 00639 olen = ctx->len ; 00640 hlen = mbedtls_md_get_size( md_info ); 00641 00642 /* first comparison checks for overflow */ 00643 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 00644 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00645 00646 memset( output, 0, olen ); 00647 00648 *p++ = 0; 00649 00650 /* Generate a random octet string seed */ 00651 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 00652 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00653 00654 p += hlen; 00655 00656 /* Construct DB */ 00657 mbedtls_md( md_info, label, label_len, p ); 00658 p += hlen; 00659 p += olen - 2 * hlen - 2 - ilen; 00660 *p++ = 1; 00661 memcpy( p, input, ilen ); 00662 00663 mbedtls_md_init( &md_ctx ); 00664 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00665 { 00666 mbedtls_md_free( &md_ctx ); 00667 return( ret ); 00668 } 00669 00670 /* maskedDB: Apply dbMask to DB */ 00671 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 00672 &md_ctx ); 00673 00674 /* maskedSeed: Apply seedMask to seed */ 00675 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 00676 &md_ctx ); 00677 00678 mbedtls_md_free( &md_ctx ); 00679 00680 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00681 ? mbedtls_rsa_public( ctx, output, output ) 00682 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00683 } 00684 #endif /* MBEDTLS_PKCS1_V21 */ 00685 00686 #if defined(MBEDTLS_PKCS1_V15) 00687 /* 00688 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 00689 */ 00690 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 00691 int (*f_rng)(void *, unsigned char *, size_t), 00692 void *p_rng, 00693 int mode, size_t ilen, 00694 const unsigned char *input, 00695 unsigned char *output ) 00696 { 00697 size_t nb_pad, olen; 00698 int ret; 00699 unsigned char *p = output; 00700 00701 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00702 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00703 00704 // We don't check p_rng because it won't be dereferenced here 00705 if( f_rng == NULL || input == NULL || output == NULL ) 00706 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00707 00708 olen = ctx->len ; 00709 00710 /* first comparison checks for overflow */ 00711 if( ilen + 11 < ilen || olen < ilen + 11 ) 00712 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00713 00714 nb_pad = olen - 3 - ilen; 00715 00716 *p++ = 0; 00717 if( mode == MBEDTLS_RSA_PUBLIC ) 00718 { 00719 *p++ = MBEDTLS_RSA_CRYPT; 00720 00721 while( nb_pad-- > 0 ) 00722 { 00723 int rng_dl = 100; 00724 00725 do { 00726 ret = f_rng( p_rng, p, 1 ); 00727 } while( *p == 0 && --rng_dl && ret == 0 ); 00728 00729 /* Check if RNG failed to generate data */ 00730 if( rng_dl == 0 || ret != 0 ) 00731 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00732 00733 p++; 00734 } 00735 } 00736 else 00737 { 00738 *p++ = MBEDTLS_RSA_SIGN; 00739 00740 while( nb_pad-- > 0 ) 00741 *p++ = 0xFF; 00742 } 00743 00744 *p++ = 0; 00745 memcpy( p, input, ilen ); 00746 00747 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00748 ? mbedtls_rsa_public( ctx, output, output ) 00749 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00750 } 00751 #endif /* MBEDTLS_PKCS1_V15 */ 00752 00753 /* 00754 * Add the message padding, then do an RSA operation 00755 */ 00756 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 00757 int (*f_rng)(void *, unsigned char *, size_t), 00758 void *p_rng, 00759 int mode, size_t ilen, 00760 const unsigned char *input, 00761 unsigned char *output ) 00762 { 00763 switch( ctx->padding ) 00764 { 00765 #if defined(MBEDTLS_PKCS1_V15) 00766 case MBEDTLS_RSA_PKCS_V15: 00767 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 00768 input, output ); 00769 #endif 00770 00771 #if defined(MBEDTLS_PKCS1_V21) 00772 case MBEDTLS_RSA_PKCS_V21: 00773 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00774 ilen, input, output ); 00775 #endif 00776 00777 default: 00778 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00779 } 00780 } 00781 00782 #if defined(MBEDTLS_PKCS1_V21) 00783 /* 00784 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 00785 */ 00786 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 00787 int (*f_rng)(void *, unsigned char *, size_t), 00788 void *p_rng, 00789 int mode, 00790 const unsigned char *label, size_t label_len, 00791 size_t *olen, 00792 const unsigned char *input, 00793 unsigned char *output, 00794 size_t output_max_len ) 00795 { 00796 int ret; 00797 size_t ilen, i, pad_len; 00798 unsigned char *p, bad, pad_done; 00799 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00800 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 00801 unsigned int hlen; 00802 const mbedtls_md_info_t *md_info; 00803 mbedtls_md_context_t md_ctx; 00804 00805 /* 00806 * Parameters sanity checks 00807 */ 00808 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00809 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00810 00811 ilen = ctx->len ; 00812 00813 if( ilen < 16 || ilen > sizeof( buf ) ) 00814 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00815 00816 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00817 if( md_info == NULL ) 00818 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00819 00820 hlen = mbedtls_md_get_size( md_info ); 00821 00822 // checking for integer underflow 00823 if( 2 * hlen + 2 > ilen ) 00824 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00825 00826 /* 00827 * RSA operation 00828 */ 00829 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00830 ? mbedtls_rsa_public( ctx, input, buf ) 00831 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00832 00833 if( ret != 0 ) 00834 goto cleanup; 00835 00836 /* 00837 * Unmask data and generate lHash 00838 */ 00839 mbedtls_md_init( &md_ctx ); 00840 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00841 { 00842 mbedtls_md_free( &md_ctx ); 00843 goto cleanup; 00844 } 00845 00846 00847 /* Generate lHash */ 00848 mbedtls_md( md_info, label, label_len, lhash ); 00849 00850 /* seed: Apply seedMask to maskedSeed */ 00851 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 00852 &md_ctx ); 00853 00854 /* DB: Apply dbMask to maskedDB */ 00855 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 00856 &md_ctx ); 00857 00858 mbedtls_md_free( &md_ctx ); 00859 00860 /* 00861 * Check contents, in "constant-time" 00862 */ 00863 p = buf; 00864 bad = 0; 00865 00866 bad |= *p++; /* First byte must be 0 */ 00867 00868 p += hlen; /* Skip seed */ 00869 00870 /* Check lHash */ 00871 for( i = 0; i < hlen; i++ ) 00872 bad |= lhash[i] ^ *p++; 00873 00874 /* Get zero-padding len, but always read till end of buffer 00875 * (minus one, for the 01 byte) */ 00876 pad_len = 0; 00877 pad_done = 0; 00878 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 00879 { 00880 pad_done |= p[i]; 00881 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00882 } 00883 00884 p += pad_len; 00885 bad |= *p++ ^ 0x01; 00886 00887 /* 00888 * The only information "leaked" is whether the padding was correct or not 00889 * (eg, no data is copied if it was not correct). This meets the 00890 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 00891 * the different error conditions. 00892 */ 00893 if( bad != 0 ) 00894 { 00895 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 00896 goto cleanup; 00897 } 00898 00899 if( ilen - ( p - buf ) > output_max_len ) 00900 { 00901 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 00902 goto cleanup; 00903 } 00904 00905 *olen = ilen - (p - buf); 00906 memcpy( output, p, *olen ); 00907 ret = 0; 00908 00909 cleanup: 00910 mbedtls_zeroize( buf, sizeof( buf ) ); 00911 mbedtls_zeroize( lhash, sizeof( lhash ) ); 00912 00913 return( ret ); 00914 } 00915 #endif /* MBEDTLS_PKCS1_V21 */ 00916 00917 #if defined(MBEDTLS_PKCS1_V15) 00918 /* 00919 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 00920 */ 00921 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 00922 int (*f_rng)(void *, unsigned char *, size_t), 00923 void *p_rng, 00924 int mode, size_t *olen, 00925 const unsigned char *input, 00926 unsigned char *output, 00927 size_t output_max_len) 00928 { 00929 int ret; 00930 size_t ilen, pad_count = 0, i; 00931 unsigned char *p, bad, pad_done = 0; 00932 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00933 00934 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00935 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00936 00937 ilen = ctx->len ; 00938 00939 if( ilen < 16 || ilen > sizeof( buf ) ) 00940 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00941 00942 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00943 ? mbedtls_rsa_public( ctx, input, buf ) 00944 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00945 00946 if( ret != 0 ) 00947 goto cleanup; 00948 00949 p = buf; 00950 bad = 0; 00951 00952 /* 00953 * Check and get padding len in "constant-time" 00954 */ 00955 bad |= *p++; /* First byte must be 0 */ 00956 00957 /* This test does not depend on secret data */ 00958 if( mode == MBEDTLS_RSA_PRIVATE ) 00959 { 00960 bad |= *p++ ^ MBEDTLS_RSA_CRYPT; 00961 00962 /* Get padding len, but always read till end of buffer 00963 * (minus one, for the 00 byte) */ 00964 for( i = 0; i < ilen - 3; i++ ) 00965 { 00966 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1; 00967 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00968 } 00969 00970 p += pad_count; 00971 bad |= *p++; /* Must be zero */ 00972 } 00973 else 00974 { 00975 bad |= *p++ ^ MBEDTLS_RSA_SIGN; 00976 00977 /* Get padding len, but always read till end of buffer 00978 * (minus one, for the 00 byte) */ 00979 for( i = 0; i < ilen - 3; i++ ) 00980 { 00981 pad_done |= ( p[i] != 0xFF ); 00982 pad_count += ( pad_done == 0 ); 00983 } 00984 00985 p += pad_count; 00986 bad |= *p++; /* Must be zero */ 00987 } 00988 00989 bad |= ( pad_count < 8 ); 00990 00991 if( bad ) 00992 { 00993 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 00994 goto cleanup; 00995 } 00996 00997 if( ilen - ( p - buf ) > output_max_len ) 00998 { 00999 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 01000 goto cleanup; 01001 } 01002 01003 *olen = ilen - (p - buf); 01004 memcpy( output, p, *olen ); 01005 ret = 0; 01006 01007 cleanup: 01008 mbedtls_zeroize( buf, sizeof( buf ) ); 01009 01010 return( ret ); 01011 } 01012 #endif /* MBEDTLS_PKCS1_V15 */ 01013 01014 /* 01015 * Do an RSA operation, then remove the message padding 01016 */ 01017 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 01018 int (*f_rng)(void *, unsigned char *, size_t), 01019 void *p_rng, 01020 int mode, size_t *olen, 01021 const unsigned char *input, 01022 unsigned char *output, 01023 size_t output_max_len) 01024 { 01025 switch( ctx->padding ) 01026 { 01027 #if defined(MBEDTLS_PKCS1_V15) 01028 case MBEDTLS_RSA_PKCS_V15: 01029 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 01030 input, output, output_max_len ); 01031 #endif 01032 01033 #if defined(MBEDTLS_PKCS1_V21) 01034 case MBEDTLS_RSA_PKCS_V21: 01035 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 01036 olen, input, output, 01037 output_max_len ); 01038 #endif 01039 01040 default: 01041 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01042 } 01043 } 01044 01045 #if defined(MBEDTLS_PKCS1_V21) 01046 /* 01047 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 01048 */ 01049 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 01050 int (*f_rng)(void *, unsigned char *, size_t), 01051 void *p_rng, 01052 int mode, 01053 mbedtls_md_type_t md_alg, 01054 unsigned int hashlen, 01055 const unsigned char *hash, 01056 unsigned char *sig ) 01057 { 01058 size_t olen; 01059 unsigned char *p = sig; 01060 unsigned char salt[MBEDTLS_MD_MAX_SIZE]; 01061 unsigned int slen, hlen, offset = 0; 01062 int ret; 01063 size_t msb; 01064 const mbedtls_md_info_t *md_info; 01065 mbedtls_md_context_t md_ctx; 01066 01067 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01068 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01069 01070 if( f_rng == NULL ) 01071 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01072 01073 olen = ctx->len ; 01074 01075 if( md_alg != MBEDTLS_MD_NONE ) 01076 { 01077 /* Gather length of hash to sign */ 01078 md_info = mbedtls_md_info_from_type( md_alg ); 01079 if( md_info == NULL ) 01080 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01081 01082 hashlen = mbedtls_md_get_size( md_info ); 01083 } 01084 01085 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 01086 if( md_info == NULL ) 01087 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01088 01089 hlen = mbedtls_md_get_size( md_info ); 01090 slen = hlen; 01091 01092 if( olen < hlen + slen + 2 ) 01093 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01094 01095 memset( sig, 0, olen ); 01096 01097 /* Generate salt of length slen */ 01098 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 01099 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 01100 01101 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 01102 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01103 p += olen - hlen * 2 - 2; 01104 *p++ = 0x01; 01105 memcpy( p, salt, slen ); 01106 p += slen; 01107 01108 mbedtls_md_init( &md_ctx ); 01109 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01110 { 01111 mbedtls_md_free( &md_ctx ); 01112 /* No need to zeroize salt: we didn't use it. */ 01113 return( ret ); 01114 } 01115 01116 /* Generate H = Hash( M' ) */ 01117 mbedtls_md_starts( &md_ctx ); 01118 mbedtls_md_update( &md_ctx, p, 8 ); 01119 mbedtls_md_update( &md_ctx, hash, hashlen ); 01120 mbedtls_md_update( &md_ctx, salt, slen ); 01121 mbedtls_md_finish( &md_ctx, p ); 01122 mbedtls_zeroize( salt, sizeof( salt ) ); 01123 01124 /* Compensate for boundary condition when applying mask */ 01125 if( msb % 8 == 0 ) 01126 offset = 1; 01127 01128 /* maskedDB: Apply dbMask to DB */ 01129 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); 01130 01131 mbedtls_md_free( &md_ctx ); 01132 01133 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01134 sig[0] &= 0xFF >> ( olen * 8 - msb ); 01135 01136 p += hlen; 01137 *p++ = 0xBC; 01138 01139 return( ( mode == MBEDTLS_RSA_PUBLIC ) 01140 ? mbedtls_rsa_public( ctx, sig, sig ) 01141 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 01142 } 01143 #endif /* MBEDTLS_PKCS1_V21 */ 01144 01145 #if defined(MBEDTLS_PKCS1_V15) 01146 /* 01147 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 01148 */ 01149 /* 01150 * Do an RSA operation to sign the message digest 01151 */ 01152 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 01153 int (*f_rng)(void *, unsigned char *, size_t), 01154 void *p_rng, 01155 int mode, 01156 mbedtls_md_type_t md_alg, 01157 unsigned int hashlen, 01158 const unsigned char *hash, 01159 unsigned char *sig ) 01160 { 01161 size_t nb_pad, olen, oid_size = 0; 01162 unsigned char *p = sig; 01163 const char *oid = NULL; 01164 unsigned char *sig_try = NULL, *verif = NULL; 01165 size_t i; 01166 unsigned char diff; 01167 volatile unsigned char diff_no_optimize; 01168 int ret; 01169 01170 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01171 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01172 01173 olen = ctx->len ; 01174 nb_pad = olen - 3; 01175 01176 if( md_alg != MBEDTLS_MD_NONE ) 01177 { 01178 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 01179 if( md_info == NULL ) 01180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01181 01182 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 01183 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01184 01185 nb_pad -= 10 + oid_size; 01186 01187 hashlen = mbedtls_md_get_size( md_info ); 01188 } 01189 01190 nb_pad -= hashlen; 01191 01192 if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) 01193 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01194 01195 *p++ = 0; 01196 *p++ = MBEDTLS_RSA_SIGN; 01197 memset( p, 0xFF, nb_pad ); 01198 p += nb_pad; 01199 *p++ = 0; 01200 01201 if( md_alg == MBEDTLS_MD_NONE ) 01202 { 01203 memcpy( p, hash, hashlen ); 01204 } 01205 else 01206 { 01207 /* 01208 * DigestInfo ::= SEQUENCE { 01209 * digestAlgorithm DigestAlgorithmIdentifier, 01210 * digest Digest } 01211 * 01212 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 01213 * 01214 * Digest ::= OCTET STRING 01215 */ 01216 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01217 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); 01218 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01219 *p++ = (unsigned char) ( 0x04 + oid_size ); 01220 *p++ = MBEDTLS_ASN1_OID; 01221 *p++ = oid_size & 0xFF; 01222 memcpy( p, oid, oid_size ); 01223 p += oid_size; 01224 *p++ = MBEDTLS_ASN1_NULL; 01225 *p++ = 0x00; 01226 *p++ = MBEDTLS_ASN1_OCTET_STRING; 01227 *p++ = hashlen; 01228 memcpy( p, hash, hashlen ); 01229 } 01230 01231 if( mode == MBEDTLS_RSA_PUBLIC ) 01232 return( mbedtls_rsa_public( ctx, sig, sig ) ); 01233 01234 /* 01235 * In order to prevent Lenstra's attack, make the signature in a 01236 * temporary buffer and check it before returning it. 01237 */ 01238 sig_try = mbedtls_calloc( 1, ctx->len ); 01239 if( sig_try == NULL ) 01240 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01241 01242 verif = mbedtls_calloc( 1, ctx->len ); 01243 if( verif == NULL ) 01244 { 01245 mbedtls_free( sig_try ); 01246 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01247 } 01248 01249 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 01250 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 01251 01252 /* Compare in constant time just in case */ 01253 for( diff = 0, i = 0; i < ctx->len ; i++ ) 01254 diff |= verif[i] ^ sig[i]; 01255 diff_no_optimize = diff; 01256 01257 if( diff_no_optimize != 0 ) 01258 { 01259 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 01260 goto cleanup; 01261 } 01262 01263 memcpy( sig, sig_try, ctx->len ); 01264 01265 cleanup: 01266 mbedtls_free( sig_try ); 01267 mbedtls_free( verif ); 01268 01269 return( ret ); 01270 } 01271 #endif /* MBEDTLS_PKCS1_V15 */ 01272 01273 /* 01274 * Do an RSA operation to sign the message digest 01275 */ 01276 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 01277 int (*f_rng)(void *, unsigned char *, size_t), 01278 void *p_rng, 01279 int mode, 01280 mbedtls_md_type_t md_alg, 01281 unsigned int hashlen, 01282 const unsigned char *hash, 01283 unsigned char *sig ) 01284 { 01285 switch( ctx->padding ) 01286 { 01287 #if defined(MBEDTLS_PKCS1_V15) 01288 case MBEDTLS_RSA_PKCS_V15: 01289 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 01290 hashlen, hash, sig ); 01291 #endif 01292 01293 #if defined(MBEDTLS_PKCS1_V21) 01294 case MBEDTLS_RSA_PKCS_V21: 01295 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 01296 hashlen, hash, sig ); 01297 #endif 01298 01299 default: 01300 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01301 } 01302 } 01303 01304 #if defined(MBEDTLS_PKCS1_V21) 01305 /* 01306 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01307 */ 01308 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 01309 int (*f_rng)(void *, unsigned char *, size_t), 01310 void *p_rng, 01311 int mode, 01312 mbedtls_md_type_t md_alg, 01313 unsigned int hashlen, 01314 const unsigned char *hash, 01315 mbedtls_md_type_t mgf1_hash_id, 01316 int expected_salt_len, 01317 const unsigned char *sig ) 01318 { 01319 int ret; 01320 size_t siglen; 01321 unsigned char *p; 01322 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 01323 unsigned char zeros[8]; 01324 unsigned int hlen; 01325 size_t slen, msb; 01326 const mbedtls_md_info_t *md_info; 01327 mbedtls_md_context_t md_ctx; 01328 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01329 01330 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01331 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01332 01333 siglen = ctx->len ; 01334 01335 if( siglen < 16 || siglen > sizeof( buf ) ) 01336 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01337 01338 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01339 ? mbedtls_rsa_public( ctx, sig, buf ) 01340 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01341 01342 if( ret != 0 ) 01343 return( ret ); 01344 01345 p = buf; 01346 01347 if( buf[siglen - 1] != 0xBC ) 01348 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01349 01350 if( md_alg != MBEDTLS_MD_NONE ) 01351 { 01352 /* Gather length of hash to sign */ 01353 md_info = mbedtls_md_info_from_type( md_alg ); 01354 if( md_info == NULL ) 01355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01356 01357 hashlen = mbedtls_md_get_size( md_info ); 01358 } 01359 01360 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 01361 if( md_info == NULL ) 01362 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01363 01364 hlen = mbedtls_md_get_size( md_info ); 01365 slen = siglen - hlen - 1; /* Currently length of salt + padding */ 01366 01367 memset( zeros, 0, 8 ); 01368 01369 /* 01370 * Note: EMSA-PSS verification is over the length of N - 1 bits 01371 */ 01372 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01373 01374 /* Compensate for boundary condition when applying mask */ 01375 if( msb % 8 == 0 ) 01376 { 01377 p++; 01378 siglen -= 1; 01379 } 01380 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 01381 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01382 01383 mbedtls_md_init( &md_ctx ); 01384 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01385 { 01386 mbedtls_md_free( &md_ctx ); 01387 return( ret ); 01388 } 01389 01390 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); 01391 01392 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 01393 01394 while( p < buf + siglen && *p == 0 ) 01395 p++; 01396 01397 if( p == buf + siglen || 01398 *p++ != 0x01 ) 01399 { 01400 mbedtls_md_free( &md_ctx ); 01401 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01402 } 01403 01404 /* Actual salt len */ 01405 slen -= p - buf; 01406 01407 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 01408 slen != (size_t) expected_salt_len ) 01409 { 01410 mbedtls_md_free( &md_ctx ); 01411 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01412 } 01413 01414 /* 01415 * Generate H = Hash( M' ) 01416 */ 01417 mbedtls_md_starts( &md_ctx ); 01418 mbedtls_md_update( &md_ctx, zeros, 8 ); 01419 mbedtls_md_update( &md_ctx, hash, hashlen ); 01420 mbedtls_md_update( &md_ctx, p, slen ); 01421 mbedtls_md_finish( &md_ctx, result ); 01422 01423 mbedtls_md_free( &md_ctx ); 01424 01425 if( memcmp( p + slen, result, hlen ) == 0 ) 01426 return( 0 ); 01427 else 01428 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01429 } 01430 01431 /* 01432 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01433 */ 01434 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 01435 int (*f_rng)(void *, unsigned char *, size_t), 01436 void *p_rng, 01437 int mode, 01438 mbedtls_md_type_t md_alg, 01439 unsigned int hashlen, 01440 const unsigned char *hash, 01441 const unsigned char *sig ) 01442 { 01443 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 01444 ? (mbedtls_md_type_t) ctx->hash_id 01445 : md_alg; 01446 01447 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 01448 md_alg, hashlen, hash, 01449 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 01450 sig ) ); 01451 01452 } 01453 #endif /* MBEDTLS_PKCS1_V21 */ 01454 01455 #if defined(MBEDTLS_PKCS1_V15) 01456 /* 01457 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 01458 */ 01459 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 01460 int (*f_rng)(void *, unsigned char *, size_t), 01461 void *p_rng, 01462 int mode, 01463 mbedtls_md_type_t md_alg, 01464 unsigned int hashlen, 01465 const unsigned char *hash, 01466 const unsigned char *sig ) 01467 { 01468 int ret; 01469 size_t len, siglen, asn1_len; 01470 unsigned char *p, *p0, *end; 01471 mbedtls_md_type_t msg_md_alg; 01472 const mbedtls_md_info_t *md_info; 01473 mbedtls_asn1_buf oid; 01474 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01475 01476 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01477 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01478 01479 siglen = ctx->len ; 01480 01481 if( siglen < 16 || siglen > sizeof( buf ) ) 01482 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01483 01484 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01485 ? mbedtls_rsa_public( ctx, sig, buf ) 01486 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01487 01488 if( ret != 0 ) 01489 return( ret ); 01490 01491 p = buf; 01492 01493 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN ) 01494 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01495 01496 while( *p != 0 ) 01497 { 01498 if( p >= buf + siglen - 1 || *p != 0xFF ) 01499 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01500 p++; 01501 } 01502 p++; /* skip 00 byte */ 01503 01504 /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */ 01505 if( p - buf < 11 ) 01506 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01507 01508 len = siglen - ( p - buf ); 01509 01510 if( len == hashlen && md_alg == MBEDTLS_MD_NONE ) 01511 { 01512 if( memcmp( p, hash, hashlen ) == 0 ) 01513 return( 0 ); 01514 else 01515 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01516 } 01517 01518 md_info = mbedtls_md_info_from_type( md_alg ); 01519 if( md_info == NULL ) 01520 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01521 hashlen = mbedtls_md_get_size( md_info ); 01522 01523 end = p + len; 01524 01525 /* 01526 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure. 01527 * Insist on 2-byte length tags, to protect against variants of 01528 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification. 01529 */ 01530 p0 = p; 01531 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01532 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01533 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01534 if( p != p0 + 2 || asn1_len + 2 != len ) 01535 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01536 01537 p0 = p; 01538 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01539 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01540 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01541 if( p != p0 + 2 || asn1_len + 6 + hashlen != len ) 01542 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01543 01544 p0 = p; 01545 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) 01546 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01547 if( p != p0 + 2 ) 01548 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01549 01550 oid.p = p; 01551 p += oid.len; 01552 01553 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 ) 01554 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01555 01556 if( md_alg != msg_md_alg ) 01557 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01558 01559 /* 01560 * assume the algorithm parameters must be NULL 01561 */ 01562 p0 = p; 01563 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) 01564 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01565 if( p != p0 + 2 ) 01566 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01567 01568 p0 = p; 01569 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 01570 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01571 if( p != p0 + 2 || asn1_len != hashlen ) 01572 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01573 01574 if( memcmp( p, hash, hashlen ) != 0 ) 01575 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01576 01577 p += hashlen; 01578 01579 if( p != end ) 01580 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01581 01582 return( 0 ); 01583 } 01584 #endif /* MBEDTLS_PKCS1_V15 */ 01585 01586 /* 01587 * Do an RSA operation and check the message digest 01588 */ 01589 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 01590 int (*f_rng)(void *, unsigned char *, size_t), 01591 void *p_rng, 01592 int mode, 01593 mbedtls_md_type_t md_alg, 01594 unsigned int hashlen, 01595 const unsigned char *hash, 01596 const unsigned char *sig ) 01597 { 01598 switch( ctx->padding ) 01599 { 01600 #if defined(MBEDTLS_PKCS1_V15) 01601 case MBEDTLS_RSA_PKCS_V15: 01602 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 01603 hashlen, hash, sig ); 01604 #endif 01605 01606 #if defined(MBEDTLS_PKCS1_V21) 01607 case MBEDTLS_RSA_PKCS_V21: 01608 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 01609 hashlen, hash, sig ); 01610 #endif 01611 01612 default: 01613 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01614 } 01615 } 01616 01617 /* 01618 * Copy the components of an RSA key 01619 */ 01620 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 01621 { 01622 int ret; 01623 01624 dst->ver = src->ver ; 01625 dst->len = src->len ; 01626 01627 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N , &src->N ) ); 01628 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E , &src->E ) ); 01629 01630 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D , &src->D ) ); 01631 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P , &src->P ) ); 01632 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q , &src->Q ) ); 01633 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP , &src->DP ) ); 01634 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ , &src->DQ ) ); 01635 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP , &src->QP ) ); 01636 01637 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN , &src->RN ) ); 01638 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP , &src->RP ) ); 01639 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ , &src->RQ ) ); 01640 01641 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi , &src->Vi ) ); 01642 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf , &src->Vf ) ); 01643 01644 dst->padding = src->padding ; 01645 dst->hash_id = src->hash_id ; 01646 01647 cleanup: 01648 if( ret != 0 ) 01649 mbedtls_rsa_free( dst ); 01650 01651 return( ret ); 01652 } 01653 01654 /* 01655 * Free the components of an RSA key 01656 */ 01657 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 01658 { 01659 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf ); 01660 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN ); 01661 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP ); 01662 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D ); 01663 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N ); 01664 01665 #if defined(MBEDTLS_THREADING_C) 01666 mbedtls_mutex_free( &ctx->mutex ); 01667 #endif 01668 } 01669 01670 #if defined(MBEDTLS_SELF_TEST) 01671 01672 #include "mbedtls/sha1.h" 01673 01674 /* 01675 * Example RSA-1024 keypair, for test purposes 01676 */ 01677 #define KEY_LEN 128 01678 01679 #define RSA_N "9292758453063D803DD603D5E777D788" \ 01680 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 01681 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 01682 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 01683 "93A89813FBF3C4F8066D2D800F7C38A8" \ 01684 "1AE31942917403FF4946B0A83D3D3E05" \ 01685 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 01686 "5E94BB77B07507233A0BC7BAC8F90F79" 01687 01688 #define RSA_E "10001" 01689 01690 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 01691 "66CA472BC44D253102F8B4A9D3BFA750" \ 01692 "91386C0077937FE33FA3252D28855837" \ 01693 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 01694 "DF79C5CE07EE72C7F123142198164234" \ 01695 "CABB724CF78B8173B9F880FC86322407" \ 01696 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 01697 "071513A1E85B5DFA031F21ECAE91A34D" 01698 01699 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 01700 "2C01CAD19EA484A87EA4377637E75500" \ 01701 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 01702 "C3D9E75E1EFC42488BB4F1D13AC30A57" 01703 01704 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 01705 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 01706 "910E4168387E3C30AA1E00C339A79508" \ 01707 "8452DD96A9A5EA5D9DCA68DA636032AF" 01708 01709 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \ 01710 "3C94D22288ACD763FD8E5600ED4A702D" \ 01711 "F84198A5F06C2E72236AE490C93F07F8" \ 01712 "3CC559CD27BC2D1CA488811730BB5725" 01713 01714 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \ 01715 "D8AAEA56749EA28623272E4F7D0592AF" \ 01716 "7C1F1313CAC9471B5C523BFE592F517B" \ 01717 "407A1BD76C164B93DA2D32A383E58357" 01718 01719 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \ 01720 "F38D18D2B2F0E2DD275AA977E2BF4411" \ 01721 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \ 01722 "A74206CEC169D74BF5A8C50D6F48EA08" 01723 01724 #define PT_LEN 24 01725 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 01726 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 01727 01728 #if defined(MBEDTLS_PKCS1_V15) 01729 static int myrand( void *rng_state, unsigned char *output, size_t len ) 01730 { 01731 #if !defined(__OpenBSD__) 01732 size_t i; 01733 01734 if( rng_state != NULL ) 01735 rng_state = NULL; 01736 01737 for( i = 0; i < len; ++i ) 01738 output[i] = rand(); 01739 #else 01740 if( rng_state != NULL ) 01741 rng_state = NULL; 01742 01743 arc4random_buf( output, len ); 01744 #endif /* !OpenBSD */ 01745 01746 return( 0 ); 01747 } 01748 #endif /* MBEDTLS_PKCS1_V15 */ 01749 01750 /* 01751 * Checkup routine 01752 */ 01753 int mbedtls_rsa_self_test( int verbose ) 01754 { 01755 int ret = 0; 01756 #if defined(MBEDTLS_PKCS1_V15) 01757 size_t len; 01758 mbedtls_rsa_context rsa; 01759 unsigned char rsa_plaintext[PT_LEN]; 01760 unsigned char rsa_decrypted[PT_LEN]; 01761 unsigned char rsa_ciphertext[KEY_LEN]; 01762 #if defined(MBEDTLS_SHA1_C) 01763 unsigned char sha1sum[20]; 01764 #endif 01765 01766 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 01767 01768 rsa.len = KEY_LEN; 01769 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) ); 01770 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) ); 01771 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) ); 01772 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) ); 01773 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) ); 01774 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP , 16, RSA_DP ) ); 01775 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ , 16, RSA_DQ ) ); 01776 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP , 16, RSA_QP ) ); 01777 01778 if( verbose != 0 ) 01779 mbedtls_printf( " RSA key validation: " ); 01780 01781 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 01782 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 01783 { 01784 if( verbose != 0 ) 01785 mbedtls_printf( "failed\n" ); 01786 01787 return( 1 ); 01788 } 01789 01790 if( verbose != 0 ) 01791 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 01792 01793 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 01794 01795 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN, 01796 rsa_plaintext, rsa_ciphertext ) != 0 ) 01797 { 01798 if( verbose != 0 ) 01799 mbedtls_printf( "failed\n" ); 01800 01801 return( 1 ); 01802 } 01803 01804 if( verbose != 0 ) 01805 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 01806 01807 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len, 01808 rsa_ciphertext, rsa_decrypted, 01809 sizeof(rsa_decrypted) ) != 0 ) 01810 { 01811 if( verbose != 0 ) 01812 mbedtls_printf( "failed\n" ); 01813 01814 return( 1 ); 01815 } 01816 01817 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 01818 { 01819 if( verbose != 0 ) 01820 mbedtls_printf( "failed\n" ); 01821 01822 return( 1 ); 01823 } 01824 01825 if( verbose != 0 ) 01826 mbedtls_printf( "passed\n" ); 01827 01828 #if defined(MBEDTLS_SHA1_C) 01829 if( verbose != 0 ) 01830 mbedtls_printf( " PKCS#1 data sign : " ); 01831 01832 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); 01833 01834 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 01835 sha1sum, rsa_ciphertext ) != 0 ) 01836 { 01837 if( verbose != 0 ) 01838 mbedtls_printf( "failed\n" ); 01839 01840 return( 1 ); 01841 } 01842 01843 if( verbose != 0 ) 01844 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 01845 01846 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 01847 sha1sum, rsa_ciphertext ) != 0 ) 01848 { 01849 if( verbose != 0 ) 01850 mbedtls_printf( "failed\n" ); 01851 01852 return( 1 ); 01853 } 01854 01855 if( verbose != 0 ) 01856 mbedtls_printf( "passed\n" ); 01857 #endif /* MBEDTLS_SHA1_C */ 01858 01859 if( verbose != 0 ) 01860 mbedtls_printf( "\n" ); 01861 01862 cleanup: 01863 mbedtls_rsa_free( &rsa ); 01864 #else /* MBEDTLS_PKCS1_V15 */ 01865 ((void) verbose); 01866 #endif /* MBEDTLS_PKCS1_V15 */ 01867 return( ret ); 01868 } 01869 01870 #endif /* MBEDTLS_SELF_TEST */ 01871 01872 #endif /* MBEDTLS_RSA_C */
Generated on Tue Jul 12 2022 17:25:42 by
1.7.2