The WDCInterface is is a drop-in replacement for an EthernetInterface class that allows the user to connect to the Internet with a Wistron NeWeb Corporation (WNC) M14A2A Series data module using the standard network Socket API's. This interface class is used in the AT&T Cellular IoT Starter Kit which is sold by Avnet (http://cloudconnectkits.org/product/att-cellular-iot-starter-kit).

Dependencies:   WncControllerK64F

Dependents:   WNCProximityMqtt Pubnub_ATT_IoT_SK_WNC_sync BluemixDemo BluemixQS ... more

See the WNCInterface README in the Wiki tab for detailed information on this library.

Committer:
JMF
Date:
Tue Nov 01 14:22:56 2016 +0000
Revision:
12:0071cb144c7a
Adding mbedtls files

Who changed what in which revision?

UserRevisionLine numberNew contents of line
JMF 12:0071cb144c7a 1 /*
JMF 12:0071cb144c7a 2 * The RSA public-key cryptosystem
JMF 12:0071cb144c7a 3 *
JMF 12:0071cb144c7a 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
JMF 12:0071cb144c7a 5 * SPDX-License-Identifier: Apache-2.0
JMF 12:0071cb144c7a 6 *
JMF 12:0071cb144c7a 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
JMF 12:0071cb144c7a 8 * not use this file except in compliance with the License.
JMF 12:0071cb144c7a 9 * You may obtain a copy of the License at
JMF 12:0071cb144c7a 10 *
JMF 12:0071cb144c7a 11 * http://www.apache.org/licenses/LICENSE-2.0
JMF 12:0071cb144c7a 12 *
JMF 12:0071cb144c7a 13 * Unless required by applicable law or agreed to in writing, software
JMF 12:0071cb144c7a 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
JMF 12:0071cb144c7a 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
JMF 12:0071cb144c7a 16 * See the License for the specific language governing permissions and
JMF 12:0071cb144c7a 17 * limitations under the License.
JMF 12:0071cb144c7a 18 *
JMF 12:0071cb144c7a 19 * This file is part of mbed TLS (https://tls.mbed.org)
JMF 12:0071cb144c7a 20 */
JMF 12:0071cb144c7a 21 /*
JMF 12:0071cb144c7a 22 * The following sources were referenced in the design of this implementation
JMF 12:0071cb144c7a 23 * of the RSA algorithm:
JMF 12:0071cb144c7a 24 *
JMF 12:0071cb144c7a 25 * [1] A method for obtaining digital signatures and public-key cryptosystems
JMF 12:0071cb144c7a 26 * R Rivest, A Shamir, and L Adleman
JMF 12:0071cb144c7a 27 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
JMF 12:0071cb144c7a 28 *
JMF 12:0071cb144c7a 29 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
JMF 12:0071cb144c7a 30 * Menezes, van Oorschot and Vanstone
JMF 12:0071cb144c7a 31 *
JMF 12:0071cb144c7a 32 */
JMF 12:0071cb144c7a 33
JMF 12:0071cb144c7a 34 #if !defined(MBEDTLS_CONFIG_FILE)
JMF 12:0071cb144c7a 35 #include "mbedtls/config.h"
JMF 12:0071cb144c7a 36 #else
JMF 12:0071cb144c7a 37 #include MBEDTLS_CONFIG_FILE
JMF 12:0071cb144c7a 38 #endif
JMF 12:0071cb144c7a 39
JMF 12:0071cb144c7a 40 #if defined(MBEDTLS_RSA_C)
JMF 12:0071cb144c7a 41
JMF 12:0071cb144c7a 42 #include "mbedtls/rsa.h"
JMF 12:0071cb144c7a 43 #include "mbedtls/oid.h"
JMF 12:0071cb144c7a 44
JMF 12:0071cb144c7a 45 #include <string.h>
JMF 12:0071cb144c7a 46
JMF 12:0071cb144c7a 47 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 48 #include "mbedtls/md.h"
JMF 12:0071cb144c7a 49 #endif
JMF 12:0071cb144c7a 50
JMF 12:0071cb144c7a 51 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
JMF 12:0071cb144c7a 52 #include <stdlib.h>
JMF 12:0071cb144c7a 53 #endif
JMF 12:0071cb144c7a 54
JMF 12:0071cb144c7a 55 #if defined(MBEDTLS_PLATFORM_C)
JMF 12:0071cb144c7a 56 #include "mbedtls/platform.h"
JMF 12:0071cb144c7a 57 #else
JMF 12:0071cb144c7a 58 #include <stdio.h>
JMF 12:0071cb144c7a 59 #define mbedtls_printf printf
JMF 12:0071cb144c7a 60 #define mbedtls_calloc calloc
JMF 12:0071cb144c7a 61 #define mbedtls_free free
JMF 12:0071cb144c7a 62 #endif
JMF 12:0071cb144c7a 63
JMF 12:0071cb144c7a 64 /*
JMF 12:0071cb144c7a 65 * Initialize an RSA context
JMF 12:0071cb144c7a 66 */
JMF 12:0071cb144c7a 67 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 68 int padding,
JMF 12:0071cb144c7a 69 int hash_id )
JMF 12:0071cb144c7a 70 {
JMF 12:0071cb144c7a 71 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
JMF 12:0071cb144c7a 72
JMF 12:0071cb144c7a 73 mbedtls_rsa_set_padding( ctx, padding, hash_id );
JMF 12:0071cb144c7a 74
JMF 12:0071cb144c7a 75 #if defined(MBEDTLS_THREADING_C)
JMF 12:0071cb144c7a 76 mbedtls_mutex_init( &ctx->mutex );
JMF 12:0071cb144c7a 77 #endif
JMF 12:0071cb144c7a 78 }
JMF 12:0071cb144c7a 79
JMF 12:0071cb144c7a 80 /*
JMF 12:0071cb144c7a 81 * Set padding for an existing RSA context
JMF 12:0071cb144c7a 82 */
JMF 12:0071cb144c7a 83 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
JMF 12:0071cb144c7a 84 {
JMF 12:0071cb144c7a 85 ctx->padding = padding;
JMF 12:0071cb144c7a 86 ctx->hash_id = hash_id;
JMF 12:0071cb144c7a 87 }
JMF 12:0071cb144c7a 88
JMF 12:0071cb144c7a 89 #if defined(MBEDTLS_GENPRIME)
JMF 12:0071cb144c7a 90
JMF 12:0071cb144c7a 91 /*
JMF 12:0071cb144c7a 92 * Generate an RSA keypair
JMF 12:0071cb144c7a 93 */
JMF 12:0071cb144c7a 94 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 95 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 96 void *p_rng,
JMF 12:0071cb144c7a 97 unsigned int nbits, int exponent )
JMF 12:0071cb144c7a 98 {
JMF 12:0071cb144c7a 99 int ret;
JMF 12:0071cb144c7a 100 mbedtls_mpi P1, Q1, H, G;
JMF 12:0071cb144c7a 101
JMF 12:0071cb144c7a 102 if( f_rng == NULL || nbits < 128 || exponent < 3 )
JMF 12:0071cb144c7a 103 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 104
JMF 12:0071cb144c7a 105 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
JMF 12:0071cb144c7a 106 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
JMF 12:0071cb144c7a 107
JMF 12:0071cb144c7a 108 /*
JMF 12:0071cb144c7a 109 * find primes P and Q with Q < P so that:
JMF 12:0071cb144c7a 110 * GCD( E, (P-1)*(Q-1) ) == 1
JMF 12:0071cb144c7a 111 */
JMF 12:0071cb144c7a 112 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
JMF 12:0071cb144c7a 113
JMF 12:0071cb144c7a 114 do
JMF 12:0071cb144c7a 115 {
JMF 12:0071cb144c7a 116 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
JMF 12:0071cb144c7a 117 f_rng, p_rng ) );
JMF 12:0071cb144c7a 118
JMF 12:0071cb144c7a 119 if( nbits % 2 )
JMF 12:0071cb144c7a 120 {
JMF 12:0071cb144c7a 121 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits >> 1 ) + 1, 0,
JMF 12:0071cb144c7a 122 f_rng, p_rng ) );
JMF 12:0071cb144c7a 123 }
JMF 12:0071cb144c7a 124 else
JMF 12:0071cb144c7a 125 {
JMF 12:0071cb144c7a 126 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
JMF 12:0071cb144c7a 127 f_rng, p_rng ) );
JMF 12:0071cb144c7a 128 }
JMF 12:0071cb144c7a 129
JMF 12:0071cb144c7a 130 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
JMF 12:0071cb144c7a 131 continue;
JMF 12:0071cb144c7a 132
JMF 12:0071cb144c7a 133 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
JMF 12:0071cb144c7a 134 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
JMF 12:0071cb144c7a 135 continue;
JMF 12:0071cb144c7a 136
JMF 12:0071cb144c7a 137 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
JMF 12:0071cb144c7a 138 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
JMF 12:0071cb144c7a 139 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
JMF 12:0071cb144c7a 140 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
JMF 12:0071cb144c7a 141 }
JMF 12:0071cb144c7a 142 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
JMF 12:0071cb144c7a 143
JMF 12:0071cb144c7a 144 /*
JMF 12:0071cb144c7a 145 * D = E^-1 mod ((P-1)*(Q-1))
JMF 12:0071cb144c7a 146 * DP = D mod (P - 1)
JMF 12:0071cb144c7a 147 * DQ = D mod (Q - 1)
JMF 12:0071cb144c7a 148 * QP = Q^-1 mod P
JMF 12:0071cb144c7a 149 */
JMF 12:0071cb144c7a 150 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
JMF 12:0071cb144c7a 151 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
JMF 12:0071cb144c7a 152 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
JMF 12:0071cb144c7a 153 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
JMF 12:0071cb144c7a 154
JMF 12:0071cb144c7a 155 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
JMF 12:0071cb144c7a 156
JMF 12:0071cb144c7a 157 cleanup:
JMF 12:0071cb144c7a 158
JMF 12:0071cb144c7a 159 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
JMF 12:0071cb144c7a 160
JMF 12:0071cb144c7a 161 if( ret != 0 )
JMF 12:0071cb144c7a 162 {
JMF 12:0071cb144c7a 163 mbedtls_rsa_free( ctx );
JMF 12:0071cb144c7a 164 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
JMF 12:0071cb144c7a 165 }
JMF 12:0071cb144c7a 166
JMF 12:0071cb144c7a 167 return( 0 );
JMF 12:0071cb144c7a 168 }
JMF 12:0071cb144c7a 169
JMF 12:0071cb144c7a 170 #endif /* MBEDTLS_GENPRIME */
JMF 12:0071cb144c7a 171
JMF 12:0071cb144c7a 172 /*
JMF 12:0071cb144c7a 173 * Check a public RSA key
JMF 12:0071cb144c7a 174 */
JMF 12:0071cb144c7a 175 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
JMF 12:0071cb144c7a 176 {
JMF 12:0071cb144c7a 177 if( !ctx->N.p || !ctx->E.p )
JMF 12:0071cb144c7a 178 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
JMF 12:0071cb144c7a 179
JMF 12:0071cb144c7a 180 if( ( ctx->N.p[0] & 1 ) == 0 ||
JMF 12:0071cb144c7a 181 ( ctx->E.p[0] & 1 ) == 0 )
JMF 12:0071cb144c7a 182 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
JMF 12:0071cb144c7a 183
JMF 12:0071cb144c7a 184 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
JMF 12:0071cb144c7a 185 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
JMF 12:0071cb144c7a 186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
JMF 12:0071cb144c7a 187
JMF 12:0071cb144c7a 188 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
JMF 12:0071cb144c7a 189 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
JMF 12:0071cb144c7a 190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
JMF 12:0071cb144c7a 191
JMF 12:0071cb144c7a 192 return( 0 );
JMF 12:0071cb144c7a 193 }
JMF 12:0071cb144c7a 194
JMF 12:0071cb144c7a 195 /*
JMF 12:0071cb144c7a 196 * Check a private RSA key
JMF 12:0071cb144c7a 197 */
JMF 12:0071cb144c7a 198 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
JMF 12:0071cb144c7a 199 {
JMF 12:0071cb144c7a 200 int ret;
JMF 12:0071cb144c7a 201 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
JMF 12:0071cb144c7a 202
JMF 12:0071cb144c7a 203 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
JMF 12:0071cb144c7a 204 return( ret );
JMF 12:0071cb144c7a 205
JMF 12:0071cb144c7a 206 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
JMF 12:0071cb144c7a 207 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
JMF 12:0071cb144c7a 208
JMF 12:0071cb144c7a 209 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
JMF 12:0071cb144c7a 210 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
JMF 12:0071cb144c7a 211 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
JMF 12:0071cb144c7a 212 mbedtls_mpi_init( &QP );
JMF 12:0071cb144c7a 213
JMF 12:0071cb144c7a 214 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
JMF 12:0071cb144c7a 215 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
JMF 12:0071cb144c7a 216 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
JMF 12:0071cb144c7a 217 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
JMF 12:0071cb144c7a 218 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
JMF 12:0071cb144c7a 219 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
JMF 12:0071cb144c7a 220
JMF 12:0071cb144c7a 221 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
JMF 12:0071cb144c7a 222 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
JMF 12:0071cb144c7a 223 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
JMF 12:0071cb144c7a 224
JMF 12:0071cb144c7a 225 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
JMF 12:0071cb144c7a 226 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
JMF 12:0071cb144c7a 227 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
JMF 12:0071cb144c7a 228 /*
JMF 12:0071cb144c7a 229 * Check for a valid PKCS1v2 private key
JMF 12:0071cb144c7a 230 */
JMF 12:0071cb144c7a 231 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
JMF 12:0071cb144c7a 232 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
JMF 12:0071cb144c7a 233 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
JMF 12:0071cb144c7a 234 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
JMF 12:0071cb144c7a 235 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||
JMF 12:0071cb144c7a 236 mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||
JMF 12:0071cb144c7a 237 mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
JMF 12:0071cb144c7a 238 {
JMF 12:0071cb144c7a 239 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
JMF 12:0071cb144c7a 240 }
JMF 12:0071cb144c7a 241
JMF 12:0071cb144c7a 242 cleanup:
JMF 12:0071cb144c7a 243 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
JMF 12:0071cb144c7a 244 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
JMF 12:0071cb144c7a 245 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
JMF 12:0071cb144c7a 246 mbedtls_mpi_free( &QP );
JMF 12:0071cb144c7a 247
JMF 12:0071cb144c7a 248 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
JMF 12:0071cb144c7a 249 return( ret );
JMF 12:0071cb144c7a 250
JMF 12:0071cb144c7a 251 if( ret != 0 )
JMF 12:0071cb144c7a 252 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
JMF 12:0071cb144c7a 253
JMF 12:0071cb144c7a 254 return( 0 );
JMF 12:0071cb144c7a 255 }
JMF 12:0071cb144c7a 256
JMF 12:0071cb144c7a 257 /*
JMF 12:0071cb144c7a 258 * Check if contexts holding a public and private key match
JMF 12:0071cb144c7a 259 */
JMF 12:0071cb144c7a 260 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )
JMF 12:0071cb144c7a 261 {
JMF 12:0071cb144c7a 262 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
JMF 12:0071cb144c7a 263 mbedtls_rsa_check_privkey( prv ) != 0 )
JMF 12:0071cb144c7a 264 {
JMF 12:0071cb144c7a 265 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
JMF 12:0071cb144c7a 266 }
JMF 12:0071cb144c7a 267
JMF 12:0071cb144c7a 268 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
JMF 12:0071cb144c7a 269 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
JMF 12:0071cb144c7a 270 {
JMF 12:0071cb144c7a 271 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
JMF 12:0071cb144c7a 272 }
JMF 12:0071cb144c7a 273
JMF 12:0071cb144c7a 274 return( 0 );
JMF 12:0071cb144c7a 275 }
JMF 12:0071cb144c7a 276
JMF 12:0071cb144c7a 277 /*
JMF 12:0071cb144c7a 278 * Do an RSA public key operation
JMF 12:0071cb144c7a 279 */
JMF 12:0071cb144c7a 280 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 281 const unsigned char *input,
JMF 12:0071cb144c7a 282 unsigned char *output )
JMF 12:0071cb144c7a 283 {
JMF 12:0071cb144c7a 284 int ret;
JMF 12:0071cb144c7a 285 size_t olen;
JMF 12:0071cb144c7a 286 mbedtls_mpi T;
JMF 12:0071cb144c7a 287
JMF 12:0071cb144c7a 288 mbedtls_mpi_init( &T );
JMF 12:0071cb144c7a 289 #if defined(MBEDTLS_THREADING_C)
JMF 12:0071cb144c7a 290 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
JMF 12:0071cb144c7a 291 return( ret );
JMF 12:0071cb144c7a 292 #endif
JMF 12:0071cb144c7a 293
JMF 12:0071cb144c7a 294 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
JMF 12:0071cb144c7a 295
JMF 12:0071cb144c7a 296 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
JMF 12:0071cb144c7a 297 {
JMF 12:0071cb144c7a 298 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
JMF 12:0071cb144c7a 299 goto cleanup;
JMF 12:0071cb144c7a 300 }
JMF 12:0071cb144c7a 301
JMF 12:0071cb144c7a 302 olen = ctx->len;
JMF 12:0071cb144c7a 303 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
JMF 12:0071cb144c7a 304 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
JMF 12:0071cb144c7a 305
JMF 12:0071cb144c7a 306 cleanup:
JMF 12:0071cb144c7a 307 #if defined(MBEDTLS_THREADING_C)
JMF 12:0071cb144c7a 308 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
JMF 12:0071cb144c7a 309 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
JMF 12:0071cb144c7a 310 #endif
JMF 12:0071cb144c7a 311
JMF 12:0071cb144c7a 312 mbedtls_mpi_free( &T );
JMF 12:0071cb144c7a 313
JMF 12:0071cb144c7a 314 if( ret != 0 )
JMF 12:0071cb144c7a 315 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
JMF 12:0071cb144c7a 316
JMF 12:0071cb144c7a 317 return( 0 );
JMF 12:0071cb144c7a 318 }
JMF 12:0071cb144c7a 319
JMF 12:0071cb144c7a 320 /*
JMF 12:0071cb144c7a 321 * Generate or update blinding values, see section 10 of:
JMF 12:0071cb144c7a 322 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
JMF 12:0071cb144c7a 323 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
JMF 12:0071cb144c7a 324 * Berlin Heidelberg, 1996. p. 104-113.
JMF 12:0071cb144c7a 325 */
JMF 12:0071cb144c7a 326 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 327 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
JMF 12:0071cb144c7a 328 {
JMF 12:0071cb144c7a 329 int ret, count = 0;
JMF 12:0071cb144c7a 330
JMF 12:0071cb144c7a 331 if( ctx->Vf.p != NULL )
JMF 12:0071cb144c7a 332 {
JMF 12:0071cb144c7a 333 /* We already have blinding values, just update them by squaring */
JMF 12:0071cb144c7a 334 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
JMF 12:0071cb144c7a 335 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
JMF 12:0071cb144c7a 336 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
JMF 12:0071cb144c7a 337 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
JMF 12:0071cb144c7a 338
JMF 12:0071cb144c7a 339 goto cleanup;
JMF 12:0071cb144c7a 340 }
JMF 12:0071cb144c7a 341
JMF 12:0071cb144c7a 342 /* Unblinding value: Vf = random number, invertible mod N */
JMF 12:0071cb144c7a 343 do {
JMF 12:0071cb144c7a 344 if( count++ > 10 )
JMF 12:0071cb144c7a 345 return( MBEDTLS_ERR_RSA_RNG_FAILED );
JMF 12:0071cb144c7a 346
JMF 12:0071cb144c7a 347 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
JMF 12:0071cb144c7a 348 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
JMF 12:0071cb144c7a 349 } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
JMF 12:0071cb144c7a 350
JMF 12:0071cb144c7a 351 /* Blinding value: Vi = Vf^(-e) mod N */
JMF 12:0071cb144c7a 352 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
JMF 12:0071cb144c7a 353 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
JMF 12:0071cb144c7a 354
JMF 12:0071cb144c7a 355
JMF 12:0071cb144c7a 356 cleanup:
JMF 12:0071cb144c7a 357 return( ret );
JMF 12:0071cb144c7a 358 }
JMF 12:0071cb144c7a 359
JMF 12:0071cb144c7a 360 /*
JMF 12:0071cb144c7a 361 * Do an RSA private key operation
JMF 12:0071cb144c7a 362 */
JMF 12:0071cb144c7a 363 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 364 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 365 void *p_rng,
JMF 12:0071cb144c7a 366 const unsigned char *input,
JMF 12:0071cb144c7a 367 unsigned char *output )
JMF 12:0071cb144c7a 368 {
JMF 12:0071cb144c7a 369 int ret;
JMF 12:0071cb144c7a 370 size_t olen;
JMF 12:0071cb144c7a 371 mbedtls_mpi T, T1, T2;
JMF 12:0071cb144c7a 372 /* Make sure we have private key info, prevent possible misuse */
JMF 12:0071cb144c7a 373 if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
JMF 12:0071cb144c7a 374 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 375 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
JMF 12:0071cb144c7a 376 #if defined(MBEDTLS_THREADING_C)
JMF 12:0071cb144c7a 377 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
JMF 12:0071cb144c7a 378 return( ret );
JMF 12:0071cb144c7a 379 #endif
JMF 12:0071cb144c7a 380 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
JMF 12:0071cb144c7a 381 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
JMF 12:0071cb144c7a 382 {
JMF 12:0071cb144c7a 383 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
JMF 12:0071cb144c7a 384 goto cleanup;
JMF 12:0071cb144c7a 385 }
JMF 12:0071cb144c7a 386 if( f_rng != NULL )
JMF 12:0071cb144c7a 387 {
JMF 12:0071cb144c7a 388 /*
JMF 12:0071cb144c7a 389 * Blinding
JMF 12:0071cb144c7a 390 * T = T * Vi mod N
JMF 12:0071cb144c7a 391 */
JMF 12:0071cb144c7a 392 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
JMF 12:0071cb144c7a 393
JMF 12:0071cb144c7a 394 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
JMF 12:0071cb144c7a 395 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
JMF 12:0071cb144c7a 396 }
JMF 12:0071cb144c7a 397 #if defined(MBEDTLS_RSA_NO_CRT)
JMF 12:0071cb144c7a 398 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
JMF 12:0071cb144c7a 399 #else
JMF 12:0071cb144c7a 400 /*
JMF 12:0071cb144c7a 401 * faster decryption using the CRT
JMF 12:0071cb144c7a 402 *
JMF 12:0071cb144c7a 403 * T1 = input ^ dP mod P
JMF 12:0071cb144c7a 404 * T2 = input ^ dQ mod Q
JMF 12:0071cb144c7a 405 */
JMF 12:0071cb144c7a 406 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
JMF 12:0071cb144c7a 407 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
JMF 12:0071cb144c7a 408 /*
JMF 12:0071cb144c7a 409 * T = (T1 - T2) * (Q^-1 mod P) mod P
JMF 12:0071cb144c7a 410 */
JMF 12:0071cb144c7a 411 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
JMF 12:0071cb144c7a 412 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
JMF 12:0071cb144c7a 413 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
JMF 12:0071cb144c7a 414
JMF 12:0071cb144c7a 415 /*
JMF 12:0071cb144c7a 416 * T = T2 + T * Q
JMF 12:0071cb144c7a 417 */
JMF 12:0071cb144c7a 418 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
JMF 12:0071cb144c7a 419 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
JMF 12:0071cb144c7a 420 #endif /* MBEDTLS_RSA_NO_CRT */
JMF 12:0071cb144c7a 421 if( f_rng != NULL )
JMF 12:0071cb144c7a 422 {
JMF 12:0071cb144c7a 423 /*
JMF 12:0071cb144c7a 424 * Unblind
JMF 12:0071cb144c7a 425 * T = T * Vf mod N
JMF 12:0071cb144c7a 426 */
JMF 12:0071cb144c7a 427 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
JMF 12:0071cb144c7a 428 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
JMF 12:0071cb144c7a 429 }
JMF 12:0071cb144c7a 430 olen = ctx->len;
JMF 12:0071cb144c7a 431 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
JMF 12:0071cb144c7a 432
JMF 12:0071cb144c7a 433 cleanup:
JMF 12:0071cb144c7a 434 #if defined(MBEDTLS_THREADING_C)
JMF 12:0071cb144c7a 435 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
JMF 12:0071cb144c7a 436 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
JMF 12:0071cb144c7a 437 #endif
JMF 12:0071cb144c7a 438 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
JMF 12:0071cb144c7a 439
JMF 12:0071cb144c7a 440 if( ret != 0 )
JMF 12:0071cb144c7a 441 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
JMF 12:0071cb144c7a 442
JMF 12:0071cb144c7a 443 return( 0 );
JMF 12:0071cb144c7a 444 }
JMF 12:0071cb144c7a 445
JMF 12:0071cb144c7a 446 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 447 /**
JMF 12:0071cb144c7a 448 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
JMF 12:0071cb144c7a 449 *
JMF 12:0071cb144c7a 450 * \param dst buffer to mask
JMF 12:0071cb144c7a 451 * \param dlen length of destination buffer
JMF 12:0071cb144c7a 452 * \param src source of the mask generation
JMF 12:0071cb144c7a 453 * \param slen length of the source buffer
JMF 12:0071cb144c7a 454 * \param md_ctx message digest context to use
JMF 12:0071cb144c7a 455 */
JMF 12:0071cb144c7a 456 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
JMF 12:0071cb144c7a 457 size_t slen, mbedtls_md_context_t *md_ctx )
JMF 12:0071cb144c7a 458 {
JMF 12:0071cb144c7a 459 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
JMF 12:0071cb144c7a 460 unsigned char counter[4];
JMF 12:0071cb144c7a 461 unsigned char *p;
JMF 12:0071cb144c7a 462 unsigned int hlen;
JMF 12:0071cb144c7a 463 size_t i, use_len;
JMF 12:0071cb144c7a 464
JMF 12:0071cb144c7a 465 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
JMF 12:0071cb144c7a 466 memset( counter, 0, 4 );
JMF 12:0071cb144c7a 467
JMF 12:0071cb144c7a 468 hlen = mbedtls_md_get_size( md_ctx->md_info );
JMF 12:0071cb144c7a 469
JMF 12:0071cb144c7a 470 /* Generate and apply dbMask */
JMF 12:0071cb144c7a 471 p = dst;
JMF 12:0071cb144c7a 472
JMF 12:0071cb144c7a 473 while( dlen > 0 )
JMF 12:0071cb144c7a 474 {
JMF 12:0071cb144c7a 475 use_len = hlen;
JMF 12:0071cb144c7a 476 if( dlen < hlen )
JMF 12:0071cb144c7a 477 use_len = dlen;
JMF 12:0071cb144c7a 478
JMF 12:0071cb144c7a 479 mbedtls_md_starts( md_ctx );
JMF 12:0071cb144c7a 480 mbedtls_md_update( md_ctx, src, slen );
JMF 12:0071cb144c7a 481 mbedtls_md_update( md_ctx, counter, 4 );
JMF 12:0071cb144c7a 482 mbedtls_md_finish( md_ctx, mask );
JMF 12:0071cb144c7a 483
JMF 12:0071cb144c7a 484 for( i = 0; i < use_len; ++i )
JMF 12:0071cb144c7a 485 *p++ ^= mask[i];
JMF 12:0071cb144c7a 486
JMF 12:0071cb144c7a 487 counter[3]++;
JMF 12:0071cb144c7a 488
JMF 12:0071cb144c7a 489 dlen -= use_len;
JMF 12:0071cb144c7a 490 }
JMF 12:0071cb144c7a 491 }
JMF 12:0071cb144c7a 492 #endif /* MBEDTLS_PKCS1_V21 */
JMF 12:0071cb144c7a 493
JMF 12:0071cb144c7a 494 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 495 /*
JMF 12:0071cb144c7a 496 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
JMF 12:0071cb144c7a 497 */
JMF 12:0071cb144c7a 498 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 499 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 500 void *p_rng,
JMF 12:0071cb144c7a 501 int mode,
JMF 12:0071cb144c7a 502 const unsigned char *label, size_t label_len,
JMF 12:0071cb144c7a 503 size_t ilen,
JMF 12:0071cb144c7a 504 const unsigned char *input,
JMF 12:0071cb144c7a 505 unsigned char *output )
JMF 12:0071cb144c7a 506 {
JMF 12:0071cb144c7a 507 size_t olen;
JMF 12:0071cb144c7a 508 int ret;
JMF 12:0071cb144c7a 509 unsigned char *p = output;
JMF 12:0071cb144c7a 510 unsigned int hlen;
JMF 12:0071cb144c7a 511 const mbedtls_md_info_t *md_info;
JMF 12:0071cb144c7a 512 mbedtls_md_context_t md_ctx;
JMF 12:0071cb144c7a 513
JMF 12:0071cb144c7a 514 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
JMF 12:0071cb144c7a 515 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 516
JMF 12:0071cb144c7a 517 if( f_rng == NULL )
JMF 12:0071cb144c7a 518 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 519
JMF 12:0071cb144c7a 520 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
JMF 12:0071cb144c7a 521 if( md_info == NULL )
JMF 12:0071cb144c7a 522 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 523
JMF 12:0071cb144c7a 524 olen = ctx->len;
JMF 12:0071cb144c7a 525 hlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 526
JMF 12:0071cb144c7a 527 /* first comparison checks for overflow */
JMF 12:0071cb144c7a 528 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
JMF 12:0071cb144c7a 529 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 530
JMF 12:0071cb144c7a 531 memset( output, 0, olen );
JMF 12:0071cb144c7a 532
JMF 12:0071cb144c7a 533 *p++ = 0;
JMF 12:0071cb144c7a 534
JMF 12:0071cb144c7a 535 /* Generate a random octet string seed */
JMF 12:0071cb144c7a 536 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
JMF 12:0071cb144c7a 537 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
JMF 12:0071cb144c7a 538
JMF 12:0071cb144c7a 539 p += hlen;
JMF 12:0071cb144c7a 540
JMF 12:0071cb144c7a 541 /* Construct DB */
JMF 12:0071cb144c7a 542 mbedtls_md( md_info, label, label_len, p );
JMF 12:0071cb144c7a 543 p += hlen;
JMF 12:0071cb144c7a 544 p += olen - 2 * hlen - 2 - ilen;
JMF 12:0071cb144c7a 545 *p++ = 1;
JMF 12:0071cb144c7a 546 memcpy( p, input, ilen );
JMF 12:0071cb144c7a 547
JMF 12:0071cb144c7a 548 mbedtls_md_init( &md_ctx );
JMF 12:0071cb144c7a 549 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
JMF 12:0071cb144c7a 550 {
JMF 12:0071cb144c7a 551 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 552 return( ret );
JMF 12:0071cb144c7a 553 }
JMF 12:0071cb144c7a 554
JMF 12:0071cb144c7a 555 /* maskedDB: Apply dbMask to DB */
JMF 12:0071cb144c7a 556 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
JMF 12:0071cb144c7a 557 &md_ctx );
JMF 12:0071cb144c7a 558
JMF 12:0071cb144c7a 559 /* maskedSeed: Apply seedMask to seed */
JMF 12:0071cb144c7a 560 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
JMF 12:0071cb144c7a 561 &md_ctx );
JMF 12:0071cb144c7a 562
JMF 12:0071cb144c7a 563 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 564
JMF 12:0071cb144c7a 565 return( ( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 566 ? mbedtls_rsa_public( ctx, output, output )
JMF 12:0071cb144c7a 567 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
JMF 12:0071cb144c7a 568 }
JMF 12:0071cb144c7a 569 #endif /* MBEDTLS_PKCS1_V21 */
JMF 12:0071cb144c7a 570
JMF 12:0071cb144c7a 571 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 572 /*
JMF 12:0071cb144c7a 573 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
JMF 12:0071cb144c7a 574 */
JMF 12:0071cb144c7a 575 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 576 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 577 void *p_rng,
JMF 12:0071cb144c7a 578 int mode, size_t ilen,
JMF 12:0071cb144c7a 579 const unsigned char *input,
JMF 12:0071cb144c7a 580 unsigned char *output )
JMF 12:0071cb144c7a 581 {
JMF 12:0071cb144c7a 582 size_t nb_pad, olen;
JMF 12:0071cb144c7a 583 int ret;
JMF 12:0071cb144c7a 584 unsigned char *p = output;
JMF 12:0071cb144c7a 585
JMF 12:0071cb144c7a 586 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
JMF 12:0071cb144c7a 587 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 588
JMF 12:0071cb144c7a 589 // We don't check p_rng because it won't be dereferenced here
JMF 12:0071cb144c7a 590 if( f_rng == NULL || input == NULL || output == NULL )
JMF 12:0071cb144c7a 591 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 592
JMF 12:0071cb144c7a 593 olen = ctx->len;
JMF 12:0071cb144c7a 594
JMF 12:0071cb144c7a 595 /* first comparison checks for overflow */
JMF 12:0071cb144c7a 596 if( ilen + 11 < ilen || olen < ilen + 11 )
JMF 12:0071cb144c7a 597 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 598
JMF 12:0071cb144c7a 599 nb_pad = olen - 3 - ilen;
JMF 12:0071cb144c7a 600
JMF 12:0071cb144c7a 601 *p++ = 0;
JMF 12:0071cb144c7a 602 if( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 603 {
JMF 12:0071cb144c7a 604 *p++ = MBEDTLS_RSA_CRYPT;
JMF 12:0071cb144c7a 605
JMF 12:0071cb144c7a 606 while( nb_pad-- > 0 )
JMF 12:0071cb144c7a 607 {
JMF 12:0071cb144c7a 608 int rng_dl = 100;
JMF 12:0071cb144c7a 609
JMF 12:0071cb144c7a 610 do {
JMF 12:0071cb144c7a 611 ret = f_rng( p_rng, p, 1 );
JMF 12:0071cb144c7a 612 } while( *p == 0 && --rng_dl && ret == 0 );
JMF 12:0071cb144c7a 613
JMF 12:0071cb144c7a 614 /* Check if RNG failed to generate data */
JMF 12:0071cb144c7a 615 if( rng_dl == 0 || ret != 0 )
JMF 12:0071cb144c7a 616 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
JMF 12:0071cb144c7a 617
JMF 12:0071cb144c7a 618 p++;
JMF 12:0071cb144c7a 619 }
JMF 12:0071cb144c7a 620 }
JMF 12:0071cb144c7a 621 else
JMF 12:0071cb144c7a 622 {
JMF 12:0071cb144c7a 623 *p++ = MBEDTLS_RSA_SIGN;
JMF 12:0071cb144c7a 624
JMF 12:0071cb144c7a 625 while( nb_pad-- > 0 )
JMF 12:0071cb144c7a 626 *p++ = 0xFF;
JMF 12:0071cb144c7a 627 }
JMF 12:0071cb144c7a 628
JMF 12:0071cb144c7a 629 *p++ = 0;
JMF 12:0071cb144c7a 630 memcpy( p, input, ilen );
JMF 12:0071cb144c7a 631
JMF 12:0071cb144c7a 632 return( ( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 633 ? mbedtls_rsa_public( ctx, output, output )
JMF 12:0071cb144c7a 634 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
JMF 12:0071cb144c7a 635 }
JMF 12:0071cb144c7a 636 #endif /* MBEDTLS_PKCS1_V15 */
JMF 12:0071cb144c7a 637
JMF 12:0071cb144c7a 638 /*
JMF 12:0071cb144c7a 639 * Add the message padding, then do an RSA operation
JMF 12:0071cb144c7a 640 */
JMF 12:0071cb144c7a 641 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 642 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 643 void *p_rng,
JMF 12:0071cb144c7a 644 int mode, size_t ilen,
JMF 12:0071cb144c7a 645 const unsigned char *input,
JMF 12:0071cb144c7a 646 unsigned char *output )
JMF 12:0071cb144c7a 647 {
JMF 12:0071cb144c7a 648 switch( ctx->padding )
JMF 12:0071cb144c7a 649 {
JMF 12:0071cb144c7a 650 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 651 case MBEDTLS_RSA_PKCS_V15:
JMF 12:0071cb144c7a 652 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
JMF 12:0071cb144c7a 653 input, output );
JMF 12:0071cb144c7a 654 #endif
JMF 12:0071cb144c7a 655
JMF 12:0071cb144c7a 656 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 657 case MBEDTLS_RSA_PKCS_V21:
JMF 12:0071cb144c7a 658 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
JMF 12:0071cb144c7a 659 ilen, input, output );
JMF 12:0071cb144c7a 660 #endif
JMF 12:0071cb144c7a 661
JMF 12:0071cb144c7a 662 default:
JMF 12:0071cb144c7a 663 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 664 }
JMF 12:0071cb144c7a 665 }
JMF 12:0071cb144c7a 666
JMF 12:0071cb144c7a 667 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 668 /*
JMF 12:0071cb144c7a 669 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
JMF 12:0071cb144c7a 670 */
JMF 12:0071cb144c7a 671 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 672 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 673 void *p_rng,
JMF 12:0071cb144c7a 674 int mode,
JMF 12:0071cb144c7a 675 const unsigned char *label, size_t label_len,
JMF 12:0071cb144c7a 676 size_t *olen,
JMF 12:0071cb144c7a 677 const unsigned char *input,
JMF 12:0071cb144c7a 678 unsigned char *output,
JMF 12:0071cb144c7a 679 size_t output_max_len )
JMF 12:0071cb144c7a 680 {
JMF 12:0071cb144c7a 681 int ret;
JMF 12:0071cb144c7a 682 size_t ilen, i, pad_len;
JMF 12:0071cb144c7a 683 unsigned char *p, bad, pad_done;
JMF 12:0071cb144c7a 684 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
JMF 12:0071cb144c7a 685 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
JMF 12:0071cb144c7a 686 unsigned int hlen;
JMF 12:0071cb144c7a 687 const mbedtls_md_info_t *md_info;
JMF 12:0071cb144c7a 688 mbedtls_md_context_t md_ctx;
JMF 12:0071cb144c7a 689
JMF 12:0071cb144c7a 690 /*
JMF 12:0071cb144c7a 691 * Parameters sanity checks
JMF 12:0071cb144c7a 692 */
JMF 12:0071cb144c7a 693 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
JMF 12:0071cb144c7a 694 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 695
JMF 12:0071cb144c7a 696 ilen = ctx->len;
JMF 12:0071cb144c7a 697
JMF 12:0071cb144c7a 698 if( ilen < 16 || ilen > sizeof( buf ) )
JMF 12:0071cb144c7a 699 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 700
JMF 12:0071cb144c7a 701 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
JMF 12:0071cb144c7a 702 if( md_info == NULL )
JMF 12:0071cb144c7a 703 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 704
JMF 12:0071cb144c7a 705 hlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 706
JMF 12:0071cb144c7a 707 // checking for integer underflow
JMF 12:0071cb144c7a 708 if( 2 * hlen + 2 > ilen )
JMF 12:0071cb144c7a 709 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 710
JMF 12:0071cb144c7a 711 /*
JMF 12:0071cb144c7a 712 * RSA operation
JMF 12:0071cb144c7a 713 */
JMF 12:0071cb144c7a 714 ret = ( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 715 ? mbedtls_rsa_public( ctx, input, buf )
JMF 12:0071cb144c7a 716 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
JMF 12:0071cb144c7a 717
JMF 12:0071cb144c7a 718 if( ret != 0 )
JMF 12:0071cb144c7a 719 return( ret );
JMF 12:0071cb144c7a 720
JMF 12:0071cb144c7a 721 /*
JMF 12:0071cb144c7a 722 * Unmask data and generate lHash
JMF 12:0071cb144c7a 723 */
JMF 12:0071cb144c7a 724 mbedtls_md_init( &md_ctx );
JMF 12:0071cb144c7a 725 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
JMF 12:0071cb144c7a 726 {
JMF 12:0071cb144c7a 727 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 728 return( ret );
JMF 12:0071cb144c7a 729 }
JMF 12:0071cb144c7a 730
JMF 12:0071cb144c7a 731
JMF 12:0071cb144c7a 732 /* Generate lHash */
JMF 12:0071cb144c7a 733 mbedtls_md( md_info, label, label_len, lhash );
JMF 12:0071cb144c7a 734
JMF 12:0071cb144c7a 735 /* seed: Apply seedMask to maskedSeed */
JMF 12:0071cb144c7a 736 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
JMF 12:0071cb144c7a 737 &md_ctx );
JMF 12:0071cb144c7a 738
JMF 12:0071cb144c7a 739 /* DB: Apply dbMask to maskedDB */
JMF 12:0071cb144c7a 740 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
JMF 12:0071cb144c7a 741 &md_ctx );
JMF 12:0071cb144c7a 742
JMF 12:0071cb144c7a 743 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 744
JMF 12:0071cb144c7a 745 /*
JMF 12:0071cb144c7a 746 * Check contents, in "constant-time"
JMF 12:0071cb144c7a 747 */
JMF 12:0071cb144c7a 748 p = buf;
JMF 12:0071cb144c7a 749 bad = 0;
JMF 12:0071cb144c7a 750
JMF 12:0071cb144c7a 751 bad |= *p++; /* First byte must be 0 */
JMF 12:0071cb144c7a 752
JMF 12:0071cb144c7a 753 p += hlen; /* Skip seed */
JMF 12:0071cb144c7a 754
JMF 12:0071cb144c7a 755 /* Check lHash */
JMF 12:0071cb144c7a 756 for( i = 0; i < hlen; i++ )
JMF 12:0071cb144c7a 757 bad |= lhash[i] ^ *p++;
JMF 12:0071cb144c7a 758
JMF 12:0071cb144c7a 759 /* Get zero-padding len, but always read till end of buffer
JMF 12:0071cb144c7a 760 * (minus one, for the 01 byte) */
JMF 12:0071cb144c7a 761 pad_len = 0;
JMF 12:0071cb144c7a 762 pad_done = 0;
JMF 12:0071cb144c7a 763 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
JMF 12:0071cb144c7a 764 {
JMF 12:0071cb144c7a 765 pad_done |= p[i];
JMF 12:0071cb144c7a 766 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
JMF 12:0071cb144c7a 767 }
JMF 12:0071cb144c7a 768
JMF 12:0071cb144c7a 769 p += pad_len;
JMF 12:0071cb144c7a 770 bad |= *p++ ^ 0x01;
JMF 12:0071cb144c7a 771
JMF 12:0071cb144c7a 772 /*
JMF 12:0071cb144c7a 773 * The only information "leaked" is whether the padding was correct or not
JMF 12:0071cb144c7a 774 * (eg, no data is copied if it was not correct). This meets the
JMF 12:0071cb144c7a 775 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
JMF 12:0071cb144c7a 776 * the different error conditions.
JMF 12:0071cb144c7a 777 */
JMF 12:0071cb144c7a 778 if( bad != 0 )
JMF 12:0071cb144c7a 779 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 780
JMF 12:0071cb144c7a 781 if( ilen - ( p - buf ) > output_max_len )
JMF 12:0071cb144c7a 782 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
JMF 12:0071cb144c7a 783
JMF 12:0071cb144c7a 784 *olen = ilen - (p - buf);
JMF 12:0071cb144c7a 785 memcpy( output, p, *olen );
JMF 12:0071cb144c7a 786
JMF 12:0071cb144c7a 787 return( 0 );
JMF 12:0071cb144c7a 788 }
JMF 12:0071cb144c7a 789 #endif /* MBEDTLS_PKCS1_V21 */
JMF 12:0071cb144c7a 790
JMF 12:0071cb144c7a 791 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 792 /*
JMF 12:0071cb144c7a 793 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
JMF 12:0071cb144c7a 794 */
JMF 12:0071cb144c7a 795 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 796 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 797 void *p_rng,
JMF 12:0071cb144c7a 798 int mode, size_t *olen,
JMF 12:0071cb144c7a 799 const unsigned char *input,
JMF 12:0071cb144c7a 800 unsigned char *output,
JMF 12:0071cb144c7a 801 size_t output_max_len)
JMF 12:0071cb144c7a 802 {
JMF 12:0071cb144c7a 803 int ret;
JMF 12:0071cb144c7a 804 size_t ilen, pad_count = 0, i;
JMF 12:0071cb144c7a 805 unsigned char *p, bad, pad_done = 0;
JMF 12:0071cb144c7a 806 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
JMF 12:0071cb144c7a 807 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
JMF 12:0071cb144c7a 808 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 809 ilen = ctx->len;
JMF 12:0071cb144c7a 810
JMF 12:0071cb144c7a 811 if( ilen < 16 || ilen > sizeof( buf ) )
JMF 12:0071cb144c7a 812 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 813 ret = ( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 814 ? mbedtls_rsa_public( ctx, input, buf )
JMF 12:0071cb144c7a 815 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
JMF 12:0071cb144c7a 816 if( ret != 0 )
JMF 12:0071cb144c7a 817 return( ret );
JMF 12:0071cb144c7a 818 p = buf;
JMF 12:0071cb144c7a 819 bad = 0;
JMF 12:0071cb144c7a 820
JMF 12:0071cb144c7a 821 /*
JMF 12:0071cb144c7a 822 * Check and get padding len in "constant-time"
JMF 12:0071cb144c7a 823 */
JMF 12:0071cb144c7a 824 bad |= *p++; /* First byte must be 0 */
JMF 12:0071cb144c7a 825 /* This test does not depend on secret data */
JMF 12:0071cb144c7a 826 if( mode == MBEDTLS_RSA_PRIVATE )
JMF 12:0071cb144c7a 827 {
JMF 12:0071cb144c7a 828 bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
JMF 12:0071cb144c7a 829
JMF 12:0071cb144c7a 830 /* Get padding len, but always read till end of buffer
JMF 12:0071cb144c7a 831 * (minus one, for the 00 byte) */
JMF 12:0071cb144c7a 832 for( i = 0; i < ilen - 3; i++ )
JMF 12:0071cb144c7a 833 {
JMF 12:0071cb144c7a 834 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
JMF 12:0071cb144c7a 835 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
JMF 12:0071cb144c7a 836 }
JMF 12:0071cb144c7a 837
JMF 12:0071cb144c7a 838 p += pad_count;
JMF 12:0071cb144c7a 839 bad |= *p++; /* Must be zero */
JMF 12:0071cb144c7a 840 }
JMF 12:0071cb144c7a 841 else
JMF 12:0071cb144c7a 842 {
JMF 12:0071cb144c7a 843 bad |= *p++ ^ MBEDTLS_RSA_SIGN;
JMF 12:0071cb144c7a 844
JMF 12:0071cb144c7a 845 /* Get padding len, but always read till end of buffer
JMF 12:0071cb144c7a 846 * (minus one, for the 00 byte) */
JMF 12:0071cb144c7a 847 for( i = 0; i < ilen - 3; i++ )
JMF 12:0071cb144c7a 848 {
JMF 12:0071cb144c7a 849 pad_done |= ( p[i] != 0xFF );
JMF 12:0071cb144c7a 850 pad_count += ( pad_done == 0 );
JMF 12:0071cb144c7a 851 }
JMF 12:0071cb144c7a 852
JMF 12:0071cb144c7a 853 p += pad_count;
JMF 12:0071cb144c7a 854 bad |= *p++; /* Must be zero */
JMF 12:0071cb144c7a 855 }
JMF 12:0071cb144c7a 856
JMF 12:0071cb144c7a 857 bad |= ( pad_count < 8 );
JMF 12:0071cb144c7a 858 if( bad )
JMF 12:0071cb144c7a 859 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 860 if( ilen - ( p - buf ) > output_max_len )
JMF 12:0071cb144c7a 861 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
JMF 12:0071cb144c7a 862 *olen = ilen - (p - buf);
JMF 12:0071cb144c7a 863 memcpy( output, p, *olen );
JMF 12:0071cb144c7a 864
JMF 12:0071cb144c7a 865 return( 0 );
JMF 12:0071cb144c7a 866 }
JMF 12:0071cb144c7a 867 #endif /* MBEDTLS_PKCS1_V15 */
JMF 12:0071cb144c7a 868
JMF 12:0071cb144c7a 869 /*
JMF 12:0071cb144c7a 870 * Do an RSA operation, then remove the message padding
JMF 12:0071cb144c7a 871 */
JMF 12:0071cb144c7a 872 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 873 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 874 void *p_rng,
JMF 12:0071cb144c7a 875 int mode, size_t *olen,
JMF 12:0071cb144c7a 876 const unsigned char *input,
JMF 12:0071cb144c7a 877 unsigned char *output,
JMF 12:0071cb144c7a 878 size_t output_max_len)
JMF 12:0071cb144c7a 879 {
JMF 12:0071cb144c7a 880 switch( ctx->padding )
JMF 12:0071cb144c7a 881 {
JMF 12:0071cb144c7a 882 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 883 case MBEDTLS_RSA_PKCS_V15:
JMF 12:0071cb144c7a 884 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
JMF 12:0071cb144c7a 885 input, output, output_max_len );
JMF 12:0071cb144c7a 886 #endif
JMF 12:0071cb144c7a 887
JMF 12:0071cb144c7a 888 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 889 case MBEDTLS_RSA_PKCS_V21:
JMF 12:0071cb144c7a 890 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
JMF 12:0071cb144c7a 891 olen, input, output,
JMF 12:0071cb144c7a 892 output_max_len );
JMF 12:0071cb144c7a 893 #endif
JMF 12:0071cb144c7a 894
JMF 12:0071cb144c7a 895 default:
JMF 12:0071cb144c7a 896 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 897 }
JMF 12:0071cb144c7a 898 }
JMF 12:0071cb144c7a 899
JMF 12:0071cb144c7a 900 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 901 /*
JMF 12:0071cb144c7a 902 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
JMF 12:0071cb144c7a 903 */
JMF 12:0071cb144c7a 904 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 905 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 906 void *p_rng,
JMF 12:0071cb144c7a 907 int mode,
JMF 12:0071cb144c7a 908 mbedtls_md_type_t md_alg,
JMF 12:0071cb144c7a 909 unsigned int hashlen,
JMF 12:0071cb144c7a 910 const unsigned char *hash,
JMF 12:0071cb144c7a 911 unsigned char *sig )
JMF 12:0071cb144c7a 912 {
JMF 12:0071cb144c7a 913 size_t olen;
JMF 12:0071cb144c7a 914 unsigned char *p = sig;
JMF 12:0071cb144c7a 915 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
JMF 12:0071cb144c7a 916 unsigned int slen, hlen, offset = 0;
JMF 12:0071cb144c7a 917 int ret;
JMF 12:0071cb144c7a 918 size_t msb;
JMF 12:0071cb144c7a 919 const mbedtls_md_info_t *md_info;
JMF 12:0071cb144c7a 920 mbedtls_md_context_t md_ctx;
JMF 12:0071cb144c7a 921
JMF 12:0071cb144c7a 922 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
JMF 12:0071cb144c7a 923 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 924
JMF 12:0071cb144c7a 925 if( f_rng == NULL )
JMF 12:0071cb144c7a 926 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 927
JMF 12:0071cb144c7a 928 olen = ctx->len;
JMF 12:0071cb144c7a 929
JMF 12:0071cb144c7a 930 if( md_alg != MBEDTLS_MD_NONE )
JMF 12:0071cb144c7a 931 {
JMF 12:0071cb144c7a 932 /* Gather length of hash to sign */
JMF 12:0071cb144c7a 933 md_info = mbedtls_md_info_from_type( md_alg );
JMF 12:0071cb144c7a 934 if( md_info == NULL )
JMF 12:0071cb144c7a 935 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 936
JMF 12:0071cb144c7a 937 hashlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 938 }
JMF 12:0071cb144c7a 939
JMF 12:0071cb144c7a 940 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
JMF 12:0071cb144c7a 941 if( md_info == NULL )
JMF 12:0071cb144c7a 942 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 943
JMF 12:0071cb144c7a 944 hlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 945 slen = hlen;
JMF 12:0071cb144c7a 946
JMF 12:0071cb144c7a 947 if( olen < hlen + slen + 2 )
JMF 12:0071cb144c7a 948 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 949
JMF 12:0071cb144c7a 950 memset( sig, 0, olen );
JMF 12:0071cb144c7a 951
JMF 12:0071cb144c7a 952 /* Generate salt of length slen */
JMF 12:0071cb144c7a 953 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
JMF 12:0071cb144c7a 954 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
JMF 12:0071cb144c7a 955
JMF 12:0071cb144c7a 956 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
JMF 12:0071cb144c7a 957 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
JMF 12:0071cb144c7a 958 p += olen - hlen * 2 - 2;
JMF 12:0071cb144c7a 959 *p++ = 0x01;
JMF 12:0071cb144c7a 960 memcpy( p, salt, slen );
JMF 12:0071cb144c7a 961 p += slen;
JMF 12:0071cb144c7a 962
JMF 12:0071cb144c7a 963 mbedtls_md_init( &md_ctx );
JMF 12:0071cb144c7a 964 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
JMF 12:0071cb144c7a 965 {
JMF 12:0071cb144c7a 966 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 967 return( ret );
JMF 12:0071cb144c7a 968 }
JMF 12:0071cb144c7a 969
JMF 12:0071cb144c7a 970 /* Generate H = Hash( M' ) */
JMF 12:0071cb144c7a 971 mbedtls_md_starts( &md_ctx );
JMF 12:0071cb144c7a 972 mbedtls_md_update( &md_ctx, p, 8 );
JMF 12:0071cb144c7a 973 mbedtls_md_update( &md_ctx, hash, hashlen );
JMF 12:0071cb144c7a 974 mbedtls_md_update( &md_ctx, salt, slen );
JMF 12:0071cb144c7a 975 mbedtls_md_finish( &md_ctx, p );
JMF 12:0071cb144c7a 976
JMF 12:0071cb144c7a 977 /* Compensate for boundary condition when applying mask */
JMF 12:0071cb144c7a 978 if( msb % 8 == 0 )
JMF 12:0071cb144c7a 979 offset = 1;
JMF 12:0071cb144c7a 980
JMF 12:0071cb144c7a 981 /* maskedDB: Apply dbMask to DB */
JMF 12:0071cb144c7a 982 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
JMF 12:0071cb144c7a 983
JMF 12:0071cb144c7a 984 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 985
JMF 12:0071cb144c7a 986 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
JMF 12:0071cb144c7a 987 sig[0] &= 0xFF >> ( olen * 8 - msb );
JMF 12:0071cb144c7a 988
JMF 12:0071cb144c7a 989 p += hlen;
JMF 12:0071cb144c7a 990 *p++ = 0xBC;
JMF 12:0071cb144c7a 991
JMF 12:0071cb144c7a 992 return( ( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 993 ? mbedtls_rsa_public( ctx, sig, sig )
JMF 12:0071cb144c7a 994 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
JMF 12:0071cb144c7a 995 }
JMF 12:0071cb144c7a 996 #endif /* MBEDTLS_PKCS1_V21 */
JMF 12:0071cb144c7a 997
JMF 12:0071cb144c7a 998 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 999 /*
JMF 12:0071cb144c7a 1000 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
JMF 12:0071cb144c7a 1001 */
JMF 12:0071cb144c7a 1002 /*
JMF 12:0071cb144c7a 1003 * Do an RSA operation to sign the message digest
JMF 12:0071cb144c7a 1004 */
JMF 12:0071cb144c7a 1005 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 1006 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 1007 void *p_rng,
JMF 12:0071cb144c7a 1008 int mode,
JMF 12:0071cb144c7a 1009 mbedtls_md_type_t md_alg,
JMF 12:0071cb144c7a 1010 unsigned int hashlen,
JMF 12:0071cb144c7a 1011 const unsigned char *hash,
JMF 12:0071cb144c7a 1012 unsigned char *sig )
JMF 12:0071cb144c7a 1013 {
JMF 12:0071cb144c7a 1014 size_t nb_pad, olen, oid_size = 0;
JMF 12:0071cb144c7a 1015 unsigned char *p = sig;
JMF 12:0071cb144c7a 1016 const char *oid = NULL;
JMF 12:0071cb144c7a 1017 unsigned char *sig_try = NULL, *verif = NULL;
JMF 12:0071cb144c7a 1018 size_t i;
JMF 12:0071cb144c7a 1019 unsigned char diff;
JMF 12:0071cb144c7a 1020 volatile unsigned char diff_no_optimize;
JMF 12:0071cb144c7a 1021 int ret;
JMF 12:0071cb144c7a 1022
JMF 12:0071cb144c7a 1023 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
JMF 12:0071cb144c7a 1024 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1025
JMF 12:0071cb144c7a 1026 olen = ctx->len;
JMF 12:0071cb144c7a 1027 nb_pad = olen - 3;
JMF 12:0071cb144c7a 1028
JMF 12:0071cb144c7a 1029 if( md_alg != MBEDTLS_MD_NONE )
JMF 12:0071cb144c7a 1030 {
JMF 12:0071cb144c7a 1031 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
JMF 12:0071cb144c7a 1032 if( md_info == NULL )
JMF 12:0071cb144c7a 1033 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1034
JMF 12:0071cb144c7a 1035 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
JMF 12:0071cb144c7a 1036 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1037
JMF 12:0071cb144c7a 1038 nb_pad -= 10 + oid_size;
JMF 12:0071cb144c7a 1039
JMF 12:0071cb144c7a 1040 hashlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 1041 }
JMF 12:0071cb144c7a 1042
JMF 12:0071cb144c7a 1043 nb_pad -= hashlen;
JMF 12:0071cb144c7a 1044
JMF 12:0071cb144c7a 1045 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
JMF 12:0071cb144c7a 1046 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1047
JMF 12:0071cb144c7a 1048 *p++ = 0;
JMF 12:0071cb144c7a 1049 *p++ = MBEDTLS_RSA_SIGN;
JMF 12:0071cb144c7a 1050 memset( p, 0xFF, nb_pad );
JMF 12:0071cb144c7a 1051 p += nb_pad;
JMF 12:0071cb144c7a 1052 *p++ = 0;
JMF 12:0071cb144c7a 1053
JMF 12:0071cb144c7a 1054 if( md_alg == MBEDTLS_MD_NONE )
JMF 12:0071cb144c7a 1055 {
JMF 12:0071cb144c7a 1056 memcpy( p, hash, hashlen );
JMF 12:0071cb144c7a 1057 }
JMF 12:0071cb144c7a 1058 else
JMF 12:0071cb144c7a 1059 {
JMF 12:0071cb144c7a 1060 /*
JMF 12:0071cb144c7a 1061 * DigestInfo ::= SEQUENCE {
JMF 12:0071cb144c7a 1062 * digestAlgorithm DigestAlgorithmIdentifier,
JMF 12:0071cb144c7a 1063 * digest Digest }
JMF 12:0071cb144c7a 1064 *
JMF 12:0071cb144c7a 1065 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
JMF 12:0071cb144c7a 1066 *
JMF 12:0071cb144c7a 1067 * Digest ::= OCTET STRING
JMF 12:0071cb144c7a 1068 */
JMF 12:0071cb144c7a 1069 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
JMF 12:0071cb144c7a 1070 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
JMF 12:0071cb144c7a 1071 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
JMF 12:0071cb144c7a 1072 *p++ = (unsigned char) ( 0x04 + oid_size );
JMF 12:0071cb144c7a 1073 *p++ = MBEDTLS_ASN1_OID;
JMF 12:0071cb144c7a 1074 *p++ = oid_size & 0xFF;
JMF 12:0071cb144c7a 1075 memcpy( p, oid, oid_size );
JMF 12:0071cb144c7a 1076 p += oid_size;
JMF 12:0071cb144c7a 1077 *p++ = MBEDTLS_ASN1_NULL;
JMF 12:0071cb144c7a 1078 *p++ = 0x00;
JMF 12:0071cb144c7a 1079 *p++ = MBEDTLS_ASN1_OCTET_STRING;
JMF 12:0071cb144c7a 1080 *p++ = hashlen;
JMF 12:0071cb144c7a 1081 memcpy( p, hash, hashlen );
JMF 12:0071cb144c7a 1082 }
JMF 12:0071cb144c7a 1083
JMF 12:0071cb144c7a 1084 if( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 1085 return( mbedtls_rsa_public( ctx, sig, sig ) );
JMF 12:0071cb144c7a 1086
JMF 12:0071cb144c7a 1087 /*
JMF 12:0071cb144c7a 1088 * In order to prevent Lenstra's attack, make the signature in a
JMF 12:0071cb144c7a 1089 * temporary buffer and check it before returning it.
JMF 12:0071cb144c7a 1090 */
JMF 12:0071cb144c7a 1091 sig_try = mbedtls_calloc( 1, ctx->len );
JMF 12:0071cb144c7a 1092 if( sig_try == NULL )
JMF 12:0071cb144c7a 1093 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
JMF 12:0071cb144c7a 1094
JMF 12:0071cb144c7a 1095 verif = mbedtls_calloc( 1, ctx->len );
JMF 12:0071cb144c7a 1096 if( verif == NULL )
JMF 12:0071cb144c7a 1097 {
JMF 12:0071cb144c7a 1098 mbedtls_free( sig_try );
JMF 12:0071cb144c7a 1099 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
JMF 12:0071cb144c7a 1100 }
JMF 12:0071cb144c7a 1101
JMF 12:0071cb144c7a 1102 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
JMF 12:0071cb144c7a 1103 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
JMF 12:0071cb144c7a 1104
JMF 12:0071cb144c7a 1105 /* Compare in constant time just in case */
JMF 12:0071cb144c7a 1106 for( diff = 0, i = 0; i < ctx->len; i++ )
JMF 12:0071cb144c7a 1107 diff |= verif[i] ^ sig[i];
JMF 12:0071cb144c7a 1108 diff_no_optimize = diff;
JMF 12:0071cb144c7a 1109
JMF 12:0071cb144c7a 1110 if( diff_no_optimize != 0 )
JMF 12:0071cb144c7a 1111 {
JMF 12:0071cb144c7a 1112 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
JMF 12:0071cb144c7a 1113 goto cleanup;
JMF 12:0071cb144c7a 1114 }
JMF 12:0071cb144c7a 1115
JMF 12:0071cb144c7a 1116 memcpy( sig, sig_try, ctx->len );
JMF 12:0071cb144c7a 1117
JMF 12:0071cb144c7a 1118 cleanup:
JMF 12:0071cb144c7a 1119 mbedtls_free( sig_try );
JMF 12:0071cb144c7a 1120 mbedtls_free( verif );
JMF 12:0071cb144c7a 1121
JMF 12:0071cb144c7a 1122 return( ret );
JMF 12:0071cb144c7a 1123 }
JMF 12:0071cb144c7a 1124 #endif /* MBEDTLS_PKCS1_V15 */
JMF 12:0071cb144c7a 1125
JMF 12:0071cb144c7a 1126 /*
JMF 12:0071cb144c7a 1127 * Do an RSA operation to sign the message digest
JMF 12:0071cb144c7a 1128 */
JMF 12:0071cb144c7a 1129 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 1130 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 1131 void *p_rng,
JMF 12:0071cb144c7a 1132 int mode,
JMF 12:0071cb144c7a 1133 mbedtls_md_type_t md_alg,
JMF 12:0071cb144c7a 1134 unsigned int hashlen,
JMF 12:0071cb144c7a 1135 const unsigned char *hash,
JMF 12:0071cb144c7a 1136 unsigned char *sig )
JMF 12:0071cb144c7a 1137 {
JMF 12:0071cb144c7a 1138 switch( ctx->padding )
JMF 12:0071cb144c7a 1139 {
JMF 12:0071cb144c7a 1140 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 1141 case MBEDTLS_RSA_PKCS_V15:
JMF 12:0071cb144c7a 1142 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
JMF 12:0071cb144c7a 1143 hashlen, hash, sig );
JMF 12:0071cb144c7a 1144 #endif
JMF 12:0071cb144c7a 1145
JMF 12:0071cb144c7a 1146 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 1147 case MBEDTLS_RSA_PKCS_V21:
JMF 12:0071cb144c7a 1148 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
JMF 12:0071cb144c7a 1149 hashlen, hash, sig );
JMF 12:0071cb144c7a 1150 #endif
JMF 12:0071cb144c7a 1151
JMF 12:0071cb144c7a 1152 default:
JMF 12:0071cb144c7a 1153 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 1154 }
JMF 12:0071cb144c7a 1155 }
JMF 12:0071cb144c7a 1156
JMF 12:0071cb144c7a 1157 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 1158 /*
JMF 12:0071cb144c7a 1159 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
JMF 12:0071cb144c7a 1160 */
JMF 12:0071cb144c7a 1161 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 1162 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 1163 void *p_rng,
JMF 12:0071cb144c7a 1164 int mode,
JMF 12:0071cb144c7a 1165 mbedtls_md_type_t md_alg,
JMF 12:0071cb144c7a 1166 unsigned int hashlen,
JMF 12:0071cb144c7a 1167 const unsigned char *hash,
JMF 12:0071cb144c7a 1168 mbedtls_md_type_t mgf1_hash_id,
JMF 12:0071cb144c7a 1169 int expected_salt_len,
JMF 12:0071cb144c7a 1170 const unsigned char *sig )
JMF 12:0071cb144c7a 1171 {
JMF 12:0071cb144c7a 1172 int ret;
JMF 12:0071cb144c7a 1173 size_t siglen;
JMF 12:0071cb144c7a 1174 unsigned char *p;
JMF 12:0071cb144c7a 1175 unsigned char result[MBEDTLS_MD_MAX_SIZE];
JMF 12:0071cb144c7a 1176 unsigned char zeros[8];
JMF 12:0071cb144c7a 1177 unsigned int hlen;
JMF 12:0071cb144c7a 1178 size_t slen, msb;
JMF 12:0071cb144c7a 1179 const mbedtls_md_info_t *md_info;
JMF 12:0071cb144c7a 1180 mbedtls_md_context_t md_ctx;
JMF 12:0071cb144c7a 1181 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
JMF 12:0071cb144c7a 1182
JMF 12:0071cb144c7a 1183 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
JMF 12:0071cb144c7a 1184 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1185
JMF 12:0071cb144c7a 1186 siglen = ctx->len;
JMF 12:0071cb144c7a 1187
JMF 12:0071cb144c7a 1188 if( siglen < 16 || siglen > sizeof( buf ) )
JMF 12:0071cb144c7a 1189 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1190
JMF 12:0071cb144c7a 1191 ret = ( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 1192 ? mbedtls_rsa_public( ctx, sig, buf )
JMF 12:0071cb144c7a 1193 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
JMF 12:0071cb144c7a 1194
JMF 12:0071cb144c7a 1195 if( ret != 0 )
JMF 12:0071cb144c7a 1196 return( ret );
JMF 12:0071cb144c7a 1197
JMF 12:0071cb144c7a 1198 p = buf;
JMF 12:0071cb144c7a 1199
JMF 12:0071cb144c7a 1200 if( buf[siglen - 1] != 0xBC )
JMF 12:0071cb144c7a 1201 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 1202
JMF 12:0071cb144c7a 1203 if( md_alg != MBEDTLS_MD_NONE )
JMF 12:0071cb144c7a 1204 {
JMF 12:0071cb144c7a 1205 /* Gather length of hash to sign */
JMF 12:0071cb144c7a 1206 md_info = mbedtls_md_info_from_type( md_alg );
JMF 12:0071cb144c7a 1207 if( md_info == NULL )
JMF 12:0071cb144c7a 1208 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1209
JMF 12:0071cb144c7a 1210 hashlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 1211 }
JMF 12:0071cb144c7a 1212
JMF 12:0071cb144c7a 1213 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
JMF 12:0071cb144c7a 1214 if( md_info == NULL )
JMF 12:0071cb144c7a 1215 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1216
JMF 12:0071cb144c7a 1217 hlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 1218 slen = siglen - hlen - 1; /* Currently length of salt + padding */
JMF 12:0071cb144c7a 1219
JMF 12:0071cb144c7a 1220 memset( zeros, 0, 8 );
JMF 12:0071cb144c7a 1221
JMF 12:0071cb144c7a 1222 /*
JMF 12:0071cb144c7a 1223 * Note: EMSA-PSS verification is over the length of N - 1 bits
JMF 12:0071cb144c7a 1224 */
JMF 12:0071cb144c7a 1225 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
JMF 12:0071cb144c7a 1226
JMF 12:0071cb144c7a 1227 /* Compensate for boundary condition when applying mask */
JMF 12:0071cb144c7a 1228 if( msb % 8 == 0 )
JMF 12:0071cb144c7a 1229 {
JMF 12:0071cb144c7a 1230 p++;
JMF 12:0071cb144c7a 1231 siglen -= 1;
JMF 12:0071cb144c7a 1232 }
JMF 12:0071cb144c7a 1233 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
JMF 12:0071cb144c7a 1234 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1235
JMF 12:0071cb144c7a 1236 mbedtls_md_init( &md_ctx );
JMF 12:0071cb144c7a 1237 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
JMF 12:0071cb144c7a 1238 {
JMF 12:0071cb144c7a 1239 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 1240 return( ret );
JMF 12:0071cb144c7a 1241 }
JMF 12:0071cb144c7a 1242
JMF 12:0071cb144c7a 1243 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
JMF 12:0071cb144c7a 1244
JMF 12:0071cb144c7a 1245 buf[0] &= 0xFF >> ( siglen * 8 - msb );
JMF 12:0071cb144c7a 1246
JMF 12:0071cb144c7a 1247 while( p < buf + siglen && *p == 0 )
JMF 12:0071cb144c7a 1248 p++;
JMF 12:0071cb144c7a 1249
JMF 12:0071cb144c7a 1250 if( p == buf + siglen ||
JMF 12:0071cb144c7a 1251 *p++ != 0x01 )
JMF 12:0071cb144c7a 1252 {
JMF 12:0071cb144c7a 1253 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 1254 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 1255 }
JMF 12:0071cb144c7a 1256
JMF 12:0071cb144c7a 1257 /* Actual salt len */
JMF 12:0071cb144c7a 1258 slen -= p - buf;
JMF 12:0071cb144c7a 1259
JMF 12:0071cb144c7a 1260 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
JMF 12:0071cb144c7a 1261 slen != (size_t) expected_salt_len )
JMF 12:0071cb144c7a 1262 {
JMF 12:0071cb144c7a 1263 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 1264 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 1265 }
JMF 12:0071cb144c7a 1266
JMF 12:0071cb144c7a 1267 /*
JMF 12:0071cb144c7a 1268 * Generate H = Hash( M' )
JMF 12:0071cb144c7a 1269 */
JMF 12:0071cb144c7a 1270 mbedtls_md_starts( &md_ctx );
JMF 12:0071cb144c7a 1271 mbedtls_md_update( &md_ctx, zeros, 8 );
JMF 12:0071cb144c7a 1272 mbedtls_md_update( &md_ctx, hash, hashlen );
JMF 12:0071cb144c7a 1273 mbedtls_md_update( &md_ctx, p, slen );
JMF 12:0071cb144c7a 1274 mbedtls_md_finish( &md_ctx, result );
JMF 12:0071cb144c7a 1275
JMF 12:0071cb144c7a 1276 mbedtls_md_free( &md_ctx );
JMF 12:0071cb144c7a 1277
JMF 12:0071cb144c7a 1278 if( memcmp( p + slen, result, hlen ) == 0 )
JMF 12:0071cb144c7a 1279 return( 0 );
JMF 12:0071cb144c7a 1280 else
JMF 12:0071cb144c7a 1281 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1282 }
JMF 12:0071cb144c7a 1283
JMF 12:0071cb144c7a 1284 /*
JMF 12:0071cb144c7a 1285 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
JMF 12:0071cb144c7a 1286 */
JMF 12:0071cb144c7a 1287 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 1288 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 1289 void *p_rng,
JMF 12:0071cb144c7a 1290 int mode,
JMF 12:0071cb144c7a 1291 mbedtls_md_type_t md_alg,
JMF 12:0071cb144c7a 1292 unsigned int hashlen,
JMF 12:0071cb144c7a 1293 const unsigned char *hash,
JMF 12:0071cb144c7a 1294 const unsigned char *sig )
JMF 12:0071cb144c7a 1295 {
JMF 12:0071cb144c7a 1296 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
JMF 12:0071cb144c7a 1297 ? (mbedtls_md_type_t) ctx->hash_id
JMF 12:0071cb144c7a 1298 : md_alg;
JMF 12:0071cb144c7a 1299
JMF 12:0071cb144c7a 1300 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
JMF 12:0071cb144c7a 1301 md_alg, hashlen, hash,
JMF 12:0071cb144c7a 1302 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
JMF 12:0071cb144c7a 1303 sig ) );
JMF 12:0071cb144c7a 1304
JMF 12:0071cb144c7a 1305 }
JMF 12:0071cb144c7a 1306 #endif /* MBEDTLS_PKCS1_V21 */
JMF 12:0071cb144c7a 1307
JMF 12:0071cb144c7a 1308 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 1309 /*
JMF 12:0071cb144c7a 1310 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
JMF 12:0071cb144c7a 1311 */
JMF 12:0071cb144c7a 1312 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 1313 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 1314 void *p_rng,
JMF 12:0071cb144c7a 1315 int mode,
JMF 12:0071cb144c7a 1316 mbedtls_md_type_t md_alg,
JMF 12:0071cb144c7a 1317 unsigned int hashlen,
JMF 12:0071cb144c7a 1318 const unsigned char *hash,
JMF 12:0071cb144c7a 1319 const unsigned char *sig )
JMF 12:0071cb144c7a 1320 {
JMF 12:0071cb144c7a 1321 int ret;
JMF 12:0071cb144c7a 1322 size_t len, siglen, asn1_len;
JMF 12:0071cb144c7a 1323 unsigned char *p, *end;
JMF 12:0071cb144c7a 1324 mbedtls_md_type_t msg_md_alg;
JMF 12:0071cb144c7a 1325 const mbedtls_md_info_t *md_info;
JMF 12:0071cb144c7a 1326 mbedtls_asn1_buf oid;
JMF 12:0071cb144c7a 1327 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
JMF 12:0071cb144c7a 1328
JMF 12:0071cb144c7a 1329 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
JMF 12:0071cb144c7a 1330 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1331
JMF 12:0071cb144c7a 1332 siglen = ctx->len;
JMF 12:0071cb144c7a 1333
JMF 12:0071cb144c7a 1334 if( siglen < 16 || siglen > sizeof( buf ) )
JMF 12:0071cb144c7a 1335 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1336
JMF 12:0071cb144c7a 1337 ret = ( mode == MBEDTLS_RSA_PUBLIC )
JMF 12:0071cb144c7a 1338 ? mbedtls_rsa_public( ctx, sig, buf )
JMF 12:0071cb144c7a 1339 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
JMF 12:0071cb144c7a 1340
JMF 12:0071cb144c7a 1341 if( ret != 0 )
JMF 12:0071cb144c7a 1342 return( ret );
JMF 12:0071cb144c7a 1343
JMF 12:0071cb144c7a 1344 p = buf;
JMF 12:0071cb144c7a 1345
JMF 12:0071cb144c7a 1346 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )
JMF 12:0071cb144c7a 1347 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 1348
JMF 12:0071cb144c7a 1349 while( *p != 0 )
JMF 12:0071cb144c7a 1350 {
JMF 12:0071cb144c7a 1351 if( p >= buf + siglen - 1 || *p != 0xFF )
JMF 12:0071cb144c7a 1352 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 1353 p++;
JMF 12:0071cb144c7a 1354 }
JMF 12:0071cb144c7a 1355 p++;
JMF 12:0071cb144c7a 1356
JMF 12:0071cb144c7a 1357 len = siglen - ( p - buf );
JMF 12:0071cb144c7a 1358
JMF 12:0071cb144c7a 1359 if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
JMF 12:0071cb144c7a 1360 {
JMF 12:0071cb144c7a 1361 if( memcmp( p, hash, hashlen ) == 0 )
JMF 12:0071cb144c7a 1362 return( 0 );
JMF 12:0071cb144c7a 1363 else
JMF 12:0071cb144c7a 1364 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1365 }
JMF 12:0071cb144c7a 1366
JMF 12:0071cb144c7a 1367 md_info = mbedtls_md_info_from_type( md_alg );
JMF 12:0071cb144c7a 1368 if( md_info == NULL )
JMF 12:0071cb144c7a 1369 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
JMF 12:0071cb144c7a 1370 hashlen = mbedtls_md_get_size( md_info );
JMF 12:0071cb144c7a 1371
JMF 12:0071cb144c7a 1372 end = p + len;
JMF 12:0071cb144c7a 1373
JMF 12:0071cb144c7a 1374 /*
JMF 12:0071cb144c7a 1375 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
JMF 12:0071cb144c7a 1376 */
JMF 12:0071cb144c7a 1377 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
JMF 12:0071cb144c7a 1378 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
JMF 12:0071cb144c7a 1379 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1380
JMF 12:0071cb144c7a 1381 if( asn1_len + 2 != len )
JMF 12:0071cb144c7a 1382 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1383
JMF 12:0071cb144c7a 1384 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
JMF 12:0071cb144c7a 1385 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
JMF 12:0071cb144c7a 1386 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1387
JMF 12:0071cb144c7a 1388 if( asn1_len + 6 + hashlen != len )
JMF 12:0071cb144c7a 1389 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1390
JMF 12:0071cb144c7a 1391 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
JMF 12:0071cb144c7a 1392 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1393
JMF 12:0071cb144c7a 1394 oid.p = p;
JMF 12:0071cb144c7a 1395 p += oid.len;
JMF 12:0071cb144c7a 1396
JMF 12:0071cb144c7a 1397 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
JMF 12:0071cb144c7a 1398 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1399
JMF 12:0071cb144c7a 1400 if( md_alg != msg_md_alg )
JMF 12:0071cb144c7a 1401 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1402
JMF 12:0071cb144c7a 1403 /*
JMF 12:0071cb144c7a 1404 * assume the algorithm parameters must be NULL
JMF 12:0071cb144c7a 1405 */
JMF 12:0071cb144c7a 1406 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
JMF 12:0071cb144c7a 1407 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1408
JMF 12:0071cb144c7a 1409 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
JMF 12:0071cb144c7a 1410 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1411
JMF 12:0071cb144c7a 1412 if( asn1_len != hashlen )
JMF 12:0071cb144c7a 1413 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1414
JMF 12:0071cb144c7a 1415 if( memcmp( p, hash, hashlen ) != 0 )
JMF 12:0071cb144c7a 1416 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1417
JMF 12:0071cb144c7a 1418 p += hashlen;
JMF 12:0071cb144c7a 1419
JMF 12:0071cb144c7a 1420 if( p != end )
JMF 12:0071cb144c7a 1421 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
JMF 12:0071cb144c7a 1422
JMF 12:0071cb144c7a 1423 return( 0 );
JMF 12:0071cb144c7a 1424 }
JMF 12:0071cb144c7a 1425 #endif /* MBEDTLS_PKCS1_V15 */
JMF 12:0071cb144c7a 1426
JMF 12:0071cb144c7a 1427 /*
JMF 12:0071cb144c7a 1428 * Do an RSA operation and check the message digest
JMF 12:0071cb144c7a 1429 */
JMF 12:0071cb144c7a 1430 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
JMF 12:0071cb144c7a 1431 int (*f_rng)(void *, unsigned char *, size_t),
JMF 12:0071cb144c7a 1432 void *p_rng,
JMF 12:0071cb144c7a 1433 int mode,
JMF 12:0071cb144c7a 1434 mbedtls_md_type_t md_alg,
JMF 12:0071cb144c7a 1435 unsigned int hashlen,
JMF 12:0071cb144c7a 1436 const unsigned char *hash,
JMF 12:0071cb144c7a 1437 const unsigned char *sig )
JMF 12:0071cb144c7a 1438 {
JMF 12:0071cb144c7a 1439 switch( ctx->padding )
JMF 12:0071cb144c7a 1440 {
JMF 12:0071cb144c7a 1441 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 1442 case MBEDTLS_RSA_PKCS_V15:
JMF 12:0071cb144c7a 1443 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
JMF 12:0071cb144c7a 1444 hashlen, hash, sig );
JMF 12:0071cb144c7a 1445 #endif
JMF 12:0071cb144c7a 1446
JMF 12:0071cb144c7a 1447 #if defined(MBEDTLS_PKCS1_V21)
JMF 12:0071cb144c7a 1448 case MBEDTLS_RSA_PKCS_V21:
JMF 12:0071cb144c7a 1449 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
JMF 12:0071cb144c7a 1450 hashlen, hash, sig );
JMF 12:0071cb144c7a 1451 #endif
JMF 12:0071cb144c7a 1452
JMF 12:0071cb144c7a 1453 default:
JMF 12:0071cb144c7a 1454 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
JMF 12:0071cb144c7a 1455 }
JMF 12:0071cb144c7a 1456 }
JMF 12:0071cb144c7a 1457
JMF 12:0071cb144c7a 1458 /*
JMF 12:0071cb144c7a 1459 * Copy the components of an RSA key
JMF 12:0071cb144c7a 1460 */
JMF 12:0071cb144c7a 1461 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
JMF 12:0071cb144c7a 1462 {
JMF 12:0071cb144c7a 1463 int ret;
JMF 12:0071cb144c7a 1464
JMF 12:0071cb144c7a 1465 dst->ver = src->ver;
JMF 12:0071cb144c7a 1466 dst->len = src->len;
JMF 12:0071cb144c7a 1467
JMF 12:0071cb144c7a 1468 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
JMF 12:0071cb144c7a 1469 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
JMF 12:0071cb144c7a 1470
JMF 12:0071cb144c7a 1471 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
JMF 12:0071cb144c7a 1472 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
JMF 12:0071cb144c7a 1473 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
JMF 12:0071cb144c7a 1474 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
JMF 12:0071cb144c7a 1475 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
JMF 12:0071cb144c7a 1476 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
JMF 12:0071cb144c7a 1477
JMF 12:0071cb144c7a 1478 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
JMF 12:0071cb144c7a 1479 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
JMF 12:0071cb144c7a 1480 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
JMF 12:0071cb144c7a 1481
JMF 12:0071cb144c7a 1482 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
JMF 12:0071cb144c7a 1483 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
JMF 12:0071cb144c7a 1484
JMF 12:0071cb144c7a 1485 dst->padding = src->padding;
JMF 12:0071cb144c7a 1486 dst->hash_id = src->hash_id;
JMF 12:0071cb144c7a 1487
JMF 12:0071cb144c7a 1488 cleanup:
JMF 12:0071cb144c7a 1489 if( ret != 0 )
JMF 12:0071cb144c7a 1490 mbedtls_rsa_free( dst );
JMF 12:0071cb144c7a 1491
JMF 12:0071cb144c7a 1492 return( ret );
JMF 12:0071cb144c7a 1493 }
JMF 12:0071cb144c7a 1494
JMF 12:0071cb144c7a 1495 /*
JMF 12:0071cb144c7a 1496 * Free the components of an RSA key
JMF 12:0071cb144c7a 1497 */
JMF 12:0071cb144c7a 1498 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
JMF 12:0071cb144c7a 1499 {
JMF 12:0071cb144c7a 1500 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
JMF 12:0071cb144c7a 1501 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
JMF 12:0071cb144c7a 1502 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
JMF 12:0071cb144c7a 1503 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
JMF 12:0071cb144c7a 1504 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
JMF 12:0071cb144c7a 1505
JMF 12:0071cb144c7a 1506 #if defined(MBEDTLS_THREADING_C)
JMF 12:0071cb144c7a 1507 mbedtls_mutex_free( &ctx->mutex );
JMF 12:0071cb144c7a 1508 #endif
JMF 12:0071cb144c7a 1509 }
JMF 12:0071cb144c7a 1510
JMF 12:0071cb144c7a 1511 #if defined(MBEDTLS_SELF_TEST)
JMF 12:0071cb144c7a 1512
JMF 12:0071cb144c7a 1513 #include "mbedtls/sha1.h"
JMF 12:0071cb144c7a 1514
JMF 12:0071cb144c7a 1515 /*
JMF 12:0071cb144c7a 1516 * Example RSA-1024 keypair, for test purposes
JMF 12:0071cb144c7a 1517 */
JMF 12:0071cb144c7a 1518 #define KEY_LEN 128
JMF 12:0071cb144c7a 1519
JMF 12:0071cb144c7a 1520 #define RSA_N "9292758453063D803DD603D5E777D788" \
JMF 12:0071cb144c7a 1521 "8ED1D5BF35786190FA2F23EBC0848AEA" \
JMF 12:0071cb144c7a 1522 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
JMF 12:0071cb144c7a 1523 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
JMF 12:0071cb144c7a 1524 "93A89813FBF3C4F8066D2D800F7C38A8" \
JMF 12:0071cb144c7a 1525 "1AE31942917403FF4946B0A83D3D3E05" \
JMF 12:0071cb144c7a 1526 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
JMF 12:0071cb144c7a 1527 "5E94BB77B07507233A0BC7BAC8F90F79"
JMF 12:0071cb144c7a 1528
JMF 12:0071cb144c7a 1529 #define RSA_E "10001"
JMF 12:0071cb144c7a 1530
JMF 12:0071cb144c7a 1531 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
JMF 12:0071cb144c7a 1532 "66CA472BC44D253102F8B4A9D3BFA750" \
JMF 12:0071cb144c7a 1533 "91386C0077937FE33FA3252D28855837" \
JMF 12:0071cb144c7a 1534 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
JMF 12:0071cb144c7a 1535 "DF79C5CE07EE72C7F123142198164234" \
JMF 12:0071cb144c7a 1536 "CABB724CF78B8173B9F880FC86322407" \
JMF 12:0071cb144c7a 1537 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
JMF 12:0071cb144c7a 1538 "071513A1E85B5DFA031F21ECAE91A34D"
JMF 12:0071cb144c7a 1539
JMF 12:0071cb144c7a 1540 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
JMF 12:0071cb144c7a 1541 "2C01CAD19EA484A87EA4377637E75500" \
JMF 12:0071cb144c7a 1542 "FCB2005C5C7DD6EC4AC023CDA285D796" \
JMF 12:0071cb144c7a 1543 "C3D9E75E1EFC42488BB4F1D13AC30A57"
JMF 12:0071cb144c7a 1544
JMF 12:0071cb144c7a 1545 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
JMF 12:0071cb144c7a 1546 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
JMF 12:0071cb144c7a 1547 "910E4168387E3C30AA1E00C339A79508" \
JMF 12:0071cb144c7a 1548 "8452DD96A9A5EA5D9DCA68DA636032AF"
JMF 12:0071cb144c7a 1549
JMF 12:0071cb144c7a 1550 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
JMF 12:0071cb144c7a 1551 "3C94D22288ACD763FD8E5600ED4A702D" \
JMF 12:0071cb144c7a 1552 "F84198A5F06C2E72236AE490C93F07F8" \
JMF 12:0071cb144c7a 1553 "3CC559CD27BC2D1CA488811730BB5725"
JMF 12:0071cb144c7a 1554
JMF 12:0071cb144c7a 1555 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
JMF 12:0071cb144c7a 1556 "D8AAEA56749EA28623272E4F7D0592AF" \
JMF 12:0071cb144c7a 1557 "7C1F1313CAC9471B5C523BFE592F517B" \
JMF 12:0071cb144c7a 1558 "407A1BD76C164B93DA2D32A383E58357"
JMF 12:0071cb144c7a 1559
JMF 12:0071cb144c7a 1560 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
JMF 12:0071cb144c7a 1561 "F38D18D2B2F0E2DD275AA977E2BF4411" \
JMF 12:0071cb144c7a 1562 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
JMF 12:0071cb144c7a 1563 "A74206CEC169D74BF5A8C50D6F48EA08"
JMF 12:0071cb144c7a 1564
JMF 12:0071cb144c7a 1565 #define PT_LEN 24
JMF 12:0071cb144c7a 1566 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
JMF 12:0071cb144c7a 1567 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
JMF 12:0071cb144c7a 1568
JMF 12:0071cb144c7a 1569 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 1570 static int myrand( void *rng_state, unsigned char *output, size_t len )
JMF 12:0071cb144c7a 1571 {
JMF 12:0071cb144c7a 1572 #if !defined(__OpenBSD__)
JMF 12:0071cb144c7a 1573 size_t i;
JMF 12:0071cb144c7a 1574
JMF 12:0071cb144c7a 1575 if( rng_state != NULL )
JMF 12:0071cb144c7a 1576 rng_state = NULL;
JMF 12:0071cb144c7a 1577
JMF 12:0071cb144c7a 1578 for( i = 0; i < len; ++i )
JMF 12:0071cb144c7a 1579 output[i] = rand();
JMF 12:0071cb144c7a 1580 #else
JMF 12:0071cb144c7a 1581 if( rng_state != NULL )
JMF 12:0071cb144c7a 1582 rng_state = NULL;
JMF 12:0071cb144c7a 1583
JMF 12:0071cb144c7a 1584 arc4random_buf( output, len );
JMF 12:0071cb144c7a 1585 #endif /* !OpenBSD */
JMF 12:0071cb144c7a 1586
JMF 12:0071cb144c7a 1587 return( 0 );
JMF 12:0071cb144c7a 1588 }
JMF 12:0071cb144c7a 1589 #endif /* MBEDTLS_PKCS1_V15 */
JMF 12:0071cb144c7a 1590
JMF 12:0071cb144c7a 1591 /*
JMF 12:0071cb144c7a 1592 * Checkup routine
JMF 12:0071cb144c7a 1593 */
JMF 12:0071cb144c7a 1594 int mbedtls_rsa_self_test( int verbose )
JMF 12:0071cb144c7a 1595 {
JMF 12:0071cb144c7a 1596 int ret = 0;
JMF 12:0071cb144c7a 1597 #if defined(MBEDTLS_PKCS1_V15)
JMF 12:0071cb144c7a 1598 size_t len;
JMF 12:0071cb144c7a 1599 mbedtls_rsa_context rsa;
JMF 12:0071cb144c7a 1600 unsigned char rsa_plaintext[PT_LEN];
JMF 12:0071cb144c7a 1601 unsigned char rsa_decrypted[PT_LEN];
JMF 12:0071cb144c7a 1602 unsigned char rsa_ciphertext[KEY_LEN];
JMF 12:0071cb144c7a 1603 #if defined(MBEDTLS_SHA1_C)
JMF 12:0071cb144c7a 1604 unsigned char sha1sum[20];
JMF 12:0071cb144c7a 1605 #endif
JMF 12:0071cb144c7a 1606
JMF 12:0071cb144c7a 1607 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
JMF 12:0071cb144c7a 1608
JMF 12:0071cb144c7a 1609 rsa.len = KEY_LEN;
JMF 12:0071cb144c7a 1610 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
JMF 12:0071cb144c7a 1611 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
JMF 12:0071cb144c7a 1612 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
JMF 12:0071cb144c7a 1613 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
JMF 12:0071cb144c7a 1614 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
JMF 12:0071cb144c7a 1615 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
JMF 12:0071cb144c7a 1616 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
JMF 12:0071cb144c7a 1617 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
JMF 12:0071cb144c7a 1618
JMF 12:0071cb144c7a 1619 if( verbose != 0 )
JMF 12:0071cb144c7a 1620 mbedtls_printf( " RSA key validation: " );
JMF 12:0071cb144c7a 1621
JMF 12:0071cb144c7a 1622 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
JMF 12:0071cb144c7a 1623 mbedtls_rsa_check_privkey( &rsa ) != 0 )
JMF 12:0071cb144c7a 1624 {
JMF 12:0071cb144c7a 1625 if( verbose != 0 )
JMF 12:0071cb144c7a 1626 mbedtls_printf( "failed\n" );
JMF 12:0071cb144c7a 1627
JMF 12:0071cb144c7a 1628 return( 1 );
JMF 12:0071cb144c7a 1629 }
JMF 12:0071cb144c7a 1630
JMF 12:0071cb144c7a 1631 if( verbose != 0 )
JMF 12:0071cb144c7a 1632 mbedtls_printf( "passed\n PKCS#1 encryption : " );
JMF 12:0071cb144c7a 1633
JMF 12:0071cb144c7a 1634 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
JMF 12:0071cb144c7a 1635
JMF 12:0071cb144c7a 1636 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
JMF 12:0071cb144c7a 1637 rsa_plaintext, rsa_ciphertext ) != 0 )
JMF 12:0071cb144c7a 1638 {
JMF 12:0071cb144c7a 1639 if( verbose != 0 )
JMF 12:0071cb144c7a 1640 mbedtls_printf( "failed\n" );
JMF 12:0071cb144c7a 1641
JMF 12:0071cb144c7a 1642 return( 1 );
JMF 12:0071cb144c7a 1643 }
JMF 12:0071cb144c7a 1644
JMF 12:0071cb144c7a 1645 if( verbose != 0 )
JMF 12:0071cb144c7a 1646 mbedtls_printf( "passed\n PKCS#1 decryption : " );
JMF 12:0071cb144c7a 1647
JMF 12:0071cb144c7a 1648 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
JMF 12:0071cb144c7a 1649 rsa_ciphertext, rsa_decrypted,
JMF 12:0071cb144c7a 1650 sizeof(rsa_decrypted) ) != 0 )
JMF 12:0071cb144c7a 1651 {
JMF 12:0071cb144c7a 1652 if( verbose != 0 )
JMF 12:0071cb144c7a 1653 mbedtls_printf( "failed\n" );
JMF 12:0071cb144c7a 1654
JMF 12:0071cb144c7a 1655 return( 1 );
JMF 12:0071cb144c7a 1656 }
JMF 12:0071cb144c7a 1657
JMF 12:0071cb144c7a 1658 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
JMF 12:0071cb144c7a 1659 {
JMF 12:0071cb144c7a 1660 if( verbose != 0 )
JMF 12:0071cb144c7a 1661 mbedtls_printf( "failed\n" );
JMF 12:0071cb144c7a 1662
JMF 12:0071cb144c7a 1663 return( 1 );
JMF 12:0071cb144c7a 1664 }
JMF 12:0071cb144c7a 1665
JMF 12:0071cb144c7a 1666 if( verbose != 0 )
JMF 12:0071cb144c7a 1667 mbedtls_printf( "passed\n" );
JMF 12:0071cb144c7a 1668
JMF 12:0071cb144c7a 1669 #if defined(MBEDTLS_SHA1_C)
JMF 12:0071cb144c7a 1670 if( verbose != 0 )
JMF 12:0071cb144c7a 1671 mbedtls_printf( " PKCS#1 data sign : " );
JMF 12:0071cb144c7a 1672
JMF 12:0071cb144c7a 1673 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
JMF 12:0071cb144c7a 1674
JMF 12:0071cb144c7a 1675 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
JMF 12:0071cb144c7a 1676 sha1sum, rsa_ciphertext ) != 0 )
JMF 12:0071cb144c7a 1677 {
JMF 12:0071cb144c7a 1678 if( verbose != 0 )
JMF 12:0071cb144c7a 1679 mbedtls_printf( "failed\n" );
JMF 12:0071cb144c7a 1680
JMF 12:0071cb144c7a 1681 return( 1 );
JMF 12:0071cb144c7a 1682 }
JMF 12:0071cb144c7a 1683
JMF 12:0071cb144c7a 1684 if( verbose != 0 )
JMF 12:0071cb144c7a 1685 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
JMF 12:0071cb144c7a 1686
JMF 12:0071cb144c7a 1687 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
JMF 12:0071cb144c7a 1688 sha1sum, rsa_ciphertext ) != 0 )
JMF 12:0071cb144c7a 1689 {
JMF 12:0071cb144c7a 1690 if( verbose != 0 )
JMF 12:0071cb144c7a 1691 mbedtls_printf( "failed\n" );
JMF 12:0071cb144c7a 1692
JMF 12:0071cb144c7a 1693 return( 1 );
JMF 12:0071cb144c7a 1694 }
JMF 12:0071cb144c7a 1695
JMF 12:0071cb144c7a 1696 if( verbose != 0 )
JMF 12:0071cb144c7a 1697 mbedtls_printf( "passed\n" );
JMF 12:0071cb144c7a 1698 #endif /* MBEDTLS_SHA1_C */
JMF 12:0071cb144c7a 1699
JMF 12:0071cb144c7a 1700 if( verbose != 0 )
JMF 12:0071cb144c7a 1701 mbedtls_printf( "\n" );
JMF 12:0071cb144c7a 1702
JMF 12:0071cb144c7a 1703 cleanup:
JMF 12:0071cb144c7a 1704 mbedtls_rsa_free( &rsa );
JMF 12:0071cb144c7a 1705 #else /* MBEDTLS_PKCS1_V15 */
JMF 12:0071cb144c7a 1706 ((void) verbose);
JMF 12:0071cb144c7a 1707 #endif /* MBEDTLS_PKCS1_V15 */
JMF 12:0071cb144c7a 1708 return( ret );
JMF 12:0071cb144c7a 1709 }
JMF 12:0071cb144c7a 1710
JMF 12:0071cb144c7a 1711 #endif /* MBEDTLS_SELF_TEST */
JMF 12:0071cb144c7a 1712
JMF 12:0071cb144c7a 1713 #endif /* MBEDTLS_RSA_C */