ON Semiconductor
/
mbed-os
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: mbed-TFT-example-NCS36510 mbed-Accelerometer-example-NCS36510 mbed-Accelerometer-example-NCS36510
Embed:
(wiki syntax)
Show/hide line numbers
rsa.c
00001 /* 00002 * The RSA public-key cryptosystem 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The following sources were referenced in the design of this implementation 00023 * of the RSA algorithm: 00024 * 00025 * [1] A method for obtaining digital signatures and public-key cryptosystems 00026 * R Rivest, A Shamir, and L Adleman 00027 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 00028 * 00029 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 00030 * Menezes, van Oorschot and Vanstone 00031 * 00032 */ 00033 00034 #if !defined(MBEDTLS_CONFIG_FILE) 00035 #include "mbedtls/config.h" 00036 #else 00037 #include MBEDTLS_CONFIG_FILE 00038 #endif 00039 00040 #if defined(MBEDTLS_RSA_C) 00041 00042 #include "mbedtls/rsa.h" 00043 #include "mbedtls/oid.h" 00044 00045 #include <string.h> 00046 00047 #if defined(MBEDTLS_PKCS1_V21) 00048 #include "mbedtls/md.h" 00049 #endif 00050 00051 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) 00052 #include <stdlib.h> 00053 #endif 00054 00055 #if defined(MBEDTLS_PLATFORM_C) 00056 #include "mbedtls/platform.h" 00057 #else 00058 #include <stdio.h> 00059 #define mbedtls_printf printf 00060 #define mbedtls_calloc calloc 00061 #define mbedtls_free free 00062 #endif 00063 00064 /* 00065 * Initialize an RSA context 00066 */ 00067 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 00068 int padding, 00069 int hash_id ) 00070 { 00071 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 00072 00073 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 00074 00075 #if defined(MBEDTLS_THREADING_C) 00076 mbedtls_mutex_init( &ctx->mutex ); 00077 #endif 00078 } 00079 00080 /* 00081 * Set padding for an existing RSA context 00082 */ 00083 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id ) 00084 { 00085 ctx->padding = padding; 00086 ctx->hash_id = hash_id; 00087 } 00088 00089 #if defined(MBEDTLS_GENPRIME) 00090 00091 /* 00092 * Generate an RSA keypair 00093 */ 00094 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 00095 int (*f_rng)(void *, unsigned char *, size_t), 00096 void *p_rng, 00097 unsigned int nbits, int exponent ) 00098 { 00099 int ret; 00100 mbedtls_mpi P1, Q1, H, G; 00101 00102 if( f_rng == NULL || nbits < 128 || exponent < 3 ) 00103 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00104 00105 if( nbits % 2 ) 00106 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00107 00108 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00109 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G ); 00110 00111 /* 00112 * find primes P and Q with Q < P so that: 00113 * GCD( E, (P-1)*(Q-1) ) == 1 00114 */ 00115 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E , exponent ) ); 00116 00117 do 00118 { 00119 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P , nbits >> 1, 0, 00120 f_rng, p_rng ) ); 00121 00122 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , nbits >> 1, 0, 00123 f_rng, p_rng ) ); 00124 00125 if( mbedtls_mpi_cmp_mpi( &ctx->P , &ctx->Q ) == 0 ) 00126 continue; 00127 00128 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q ) ); 00129 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits ) 00130 continue; 00131 00132 if( mbedtls_mpi_cmp_mpi( &ctx->P , &ctx->Q ) < 0 ) 00133 mbedtls_mpi_swap( &ctx->P , &ctx->Q ); 00134 00135 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00136 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00137 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00138 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00139 } 00140 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ); 00141 00142 /* 00143 * D = E^-1 mod ((P-1)*(Q-1)) 00144 * DP = D mod (P - 1) 00145 * DQ = D mod (Q - 1) 00146 * QP = Q^-1 mod P 00147 */ 00148 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E , &H ) ); 00149 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP , &ctx->D , &P1 ) ); 00150 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ , &ctx->D , &Q1 ) ); 00151 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP , &ctx->Q , &ctx->P ) ); 00152 00153 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3; 00154 00155 cleanup: 00156 00157 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); 00158 00159 if( ret != 0 ) 00160 { 00161 mbedtls_rsa_free( ctx ); 00162 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret ); 00163 } 00164 00165 return( 0 ); 00166 } 00167 00168 #endif /* MBEDTLS_GENPRIME */ 00169 00170 /* 00171 * Check a public RSA key 00172 */ 00173 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 00174 { 00175 if( !ctx->N .p || !ctx->E .p ) 00176 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00177 00178 if( ( ctx->N .p [0] & 1 ) == 0 || 00179 ( ctx->E .p [0] & 1 ) == 0 ) 00180 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00181 00182 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 || 00183 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS ) 00184 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00185 00186 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 || 00187 mbedtls_mpi_cmp_mpi( &ctx->E , &ctx->N ) >= 0 ) 00188 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00189 00190 return( 0 ); 00191 } 00192 00193 /* 00194 * Check a private RSA key 00195 */ 00196 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 00197 { 00198 int ret; 00199 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP; 00200 00201 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 ) 00202 return( ret ); 00203 00204 if( !ctx->P .p || !ctx->Q .p || !ctx->D .p ) 00205 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00206 00207 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00208 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 ); 00209 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ ); 00210 mbedtls_mpi_init( &QP ); 00211 00212 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P , &ctx->Q ) ); 00213 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D , &ctx->E ) ); 00214 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00215 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00216 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00217 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00218 00219 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) ); 00220 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) ); 00221 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) ); 00222 00223 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D , &P1 ) ); 00224 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D , &Q1 ) ); 00225 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q , &ctx->P ) ); 00226 /* 00227 * Check for a valid PKCS1v2 private key 00228 */ 00229 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 || 00230 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 || 00231 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 || 00232 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 || 00233 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 || 00234 mbedtls_mpi_cmp_int( &I, 1 ) != 0 || 00235 mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 00236 { 00237 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 00238 } 00239 00240 cleanup: 00241 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); 00242 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 ); 00243 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ ); 00244 mbedtls_mpi_free( &QP ); 00245 00246 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ) 00247 return( ret ); 00248 00249 if( ret != 0 ) 00250 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret ); 00251 00252 return( 0 ); 00253 } 00254 00255 /* 00256 * Check if contexts holding a public and private key match 00257 */ 00258 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ) 00259 { 00260 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 00261 mbedtls_rsa_check_privkey( prv ) != 0 ) 00262 { 00263 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00264 } 00265 00266 if( mbedtls_mpi_cmp_mpi( &pub->N , &prv->N ) != 0 || 00267 mbedtls_mpi_cmp_mpi( &pub->E , &prv->E ) != 0 ) 00268 { 00269 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00270 } 00271 00272 return( 0 ); 00273 } 00274 00275 /* 00276 * Do an RSA public key operation 00277 */ 00278 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 00279 const unsigned char *input, 00280 unsigned char *output ) 00281 { 00282 int ret; 00283 size_t olen; 00284 mbedtls_mpi T; 00285 00286 mbedtls_mpi_init( &T ); 00287 00288 #if defined(MBEDTLS_THREADING_C) 00289 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00290 return( ret ); 00291 #endif 00292 00293 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00294 00295 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00296 { 00297 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00298 goto cleanup; 00299 } 00300 00301 olen = ctx->len ; 00302 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN ) ); 00303 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00304 00305 cleanup: 00306 #if defined(MBEDTLS_THREADING_C) 00307 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00308 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00309 #endif 00310 00311 mbedtls_mpi_free( &T ); 00312 00313 if( ret != 0 ) 00314 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret ); 00315 00316 return( 0 ); 00317 } 00318 00319 /* 00320 * Generate or update blinding values, see section 10 of: 00321 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 00322 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 00323 * Berlin Heidelberg, 1996. p. 104-113. 00324 */ 00325 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 00326 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00327 { 00328 int ret, count = 0; 00329 00330 if( ctx->Vf .p != NULL ) 00331 { 00332 /* We already have blinding values, just update them by squaring */ 00333 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi ) ); 00334 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N ) ); 00335 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf ) ); 00336 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N ) ); 00337 00338 goto cleanup; 00339 } 00340 00341 /* Unblinding value: Vf = random number, invertible mod N */ 00342 do { 00343 if( count++ > 10 ) 00344 return( MBEDTLS_ERR_RSA_RNG_FAILED ); 00345 00346 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf , ctx->len - 1, f_rng, p_rng ) ); 00347 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00348 } while( mbedtls_mpi_cmp_int( &ctx->Vi , 1 ) != 0 ); 00349 00350 /* Blinding value: Vi = Vf^(-e) mod N */ 00351 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00352 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN ) ); 00353 00354 00355 cleanup: 00356 return( ret ); 00357 } 00358 00359 /* 00360 * Do an RSA private key operation 00361 */ 00362 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 00363 int (*f_rng)(void *, unsigned char *, size_t), 00364 void *p_rng, 00365 const unsigned char *input, 00366 unsigned char *output ) 00367 { 00368 int ret; 00369 size_t olen; 00370 mbedtls_mpi T, T1, T2; 00371 00372 /* Make sure we have private key info, prevent possible misuse */ 00373 if( ctx->P .p == NULL || ctx->Q .p == NULL || ctx->D .p == NULL ) 00374 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00375 00376 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); 00377 00378 #if defined(MBEDTLS_THREADING_C) 00379 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00380 return( ret ); 00381 #endif 00382 00383 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00384 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00385 { 00386 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00387 goto cleanup; 00388 } 00389 00390 if( f_rng != NULL ) 00391 { 00392 /* 00393 * Blinding 00394 * T = T * Vi mod N 00395 */ 00396 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 00397 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 00398 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00399 } 00400 00401 #if defined(MBEDTLS_RSA_NO_CRT) 00402 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D , &ctx->N , &ctx->RN ) ); 00403 #else 00404 /* 00405 * faster decryption using the CRT 00406 * 00407 * T1 = input ^ dP mod P 00408 * T2 = input ^ dQ mod Q 00409 */ 00410 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP , &ctx->P , &ctx->RP ) ); 00411 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ , &ctx->Q , &ctx->RQ ) ); 00412 00413 /* 00414 * T = (T1 - T2) * (Q^-1 mod P) mod P 00415 */ 00416 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) ); 00417 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) ); 00418 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) ); 00419 00420 /* 00421 * T = T2 + T * Q 00422 */ 00423 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) ); 00424 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) ); 00425 #endif /* MBEDTLS_RSA_NO_CRT */ 00426 00427 if( f_rng != NULL ) 00428 { 00429 /* 00430 * Unblind 00431 * T = T * Vf mod N 00432 */ 00433 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 00434 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00435 } 00436 00437 olen = ctx->len ; 00438 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00439 00440 cleanup: 00441 #if defined(MBEDTLS_THREADING_C) 00442 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00443 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00444 #endif 00445 00446 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); 00447 00448 if( ret != 0 ) 00449 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); 00450 00451 return( 0 ); 00452 } 00453 00454 #if defined(MBEDTLS_PKCS1_V21) 00455 /** 00456 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 00457 * 00458 * \param dst buffer to mask 00459 * \param dlen length of destination buffer 00460 * \param src source of the mask generation 00461 * \param slen length of the source buffer 00462 * \param md_ctx message digest context to use 00463 */ 00464 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 00465 size_t slen, mbedtls_md_context_t *md_ctx ) 00466 { 00467 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 00468 unsigned char counter[4]; 00469 unsigned char *p; 00470 unsigned int hlen; 00471 size_t i, use_len; 00472 00473 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 00474 memset( counter, 0, 4 ); 00475 00476 hlen = mbedtls_md_get_size( md_ctx->md_info ); 00477 00478 /* Generate and apply dbMask */ 00479 p = dst; 00480 00481 while( dlen > 0 ) 00482 { 00483 use_len = hlen; 00484 if( dlen < hlen ) 00485 use_len = dlen; 00486 00487 mbedtls_md_starts( md_ctx ); 00488 mbedtls_md_update( md_ctx, src, slen ); 00489 mbedtls_md_update( md_ctx, counter, 4 ); 00490 mbedtls_md_finish( md_ctx, mask ); 00491 00492 for( i = 0; i < use_len; ++i ) 00493 *p++ ^= mask[i]; 00494 00495 counter[3]++; 00496 00497 dlen -= use_len; 00498 } 00499 } 00500 #endif /* MBEDTLS_PKCS1_V21 */ 00501 00502 #if defined(MBEDTLS_PKCS1_V21) 00503 /* 00504 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 00505 */ 00506 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 00507 int (*f_rng)(void *, unsigned char *, size_t), 00508 void *p_rng, 00509 int mode, 00510 const unsigned char *label, size_t label_len, 00511 size_t ilen, 00512 const unsigned char *input, 00513 unsigned char *output ) 00514 { 00515 size_t olen; 00516 int ret; 00517 unsigned char *p = output; 00518 unsigned int hlen; 00519 const mbedtls_md_info_t *md_info; 00520 mbedtls_md_context_t md_ctx; 00521 00522 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00523 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00524 00525 if( f_rng == NULL ) 00526 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00527 00528 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00529 if( md_info == NULL ) 00530 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00531 00532 olen = ctx->len ; 00533 hlen = mbedtls_md_get_size( md_info ); 00534 00535 /* first comparison checks for overflow */ 00536 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 00537 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00538 00539 memset( output, 0, olen ); 00540 00541 *p++ = 0; 00542 00543 /* Generate a random octet string seed */ 00544 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 00545 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00546 00547 p += hlen; 00548 00549 /* Construct DB */ 00550 mbedtls_md( md_info, label, label_len, p ); 00551 p += hlen; 00552 p += olen - 2 * hlen - 2 - ilen; 00553 *p++ = 1; 00554 memcpy( p, input, ilen ); 00555 00556 mbedtls_md_init( &md_ctx ); 00557 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00558 { 00559 mbedtls_md_free( &md_ctx ); 00560 return( ret ); 00561 } 00562 00563 /* maskedDB: Apply dbMask to DB */ 00564 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 00565 &md_ctx ); 00566 00567 /* maskedSeed: Apply seedMask to seed */ 00568 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 00569 &md_ctx ); 00570 00571 mbedtls_md_free( &md_ctx ); 00572 00573 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00574 ? mbedtls_rsa_public( ctx, output, output ) 00575 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00576 } 00577 #endif /* MBEDTLS_PKCS1_V21 */ 00578 00579 #if defined(MBEDTLS_PKCS1_V15) 00580 /* 00581 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 00582 */ 00583 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 00584 int (*f_rng)(void *, unsigned char *, size_t), 00585 void *p_rng, 00586 int mode, size_t ilen, 00587 const unsigned char *input, 00588 unsigned char *output ) 00589 { 00590 size_t nb_pad, olen; 00591 int ret; 00592 unsigned char *p = output; 00593 00594 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00595 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00596 00597 // We don't check p_rng because it won't be dereferenced here 00598 if( f_rng == NULL || input == NULL || output == NULL ) 00599 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00600 00601 olen = ctx->len ; 00602 00603 /* first comparison checks for overflow */ 00604 if( ilen + 11 < ilen || olen < ilen + 11 ) 00605 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00606 00607 nb_pad = olen - 3 - ilen; 00608 00609 *p++ = 0; 00610 if( mode == MBEDTLS_RSA_PUBLIC ) 00611 { 00612 *p++ = MBEDTLS_RSA_CRYPT; 00613 00614 while( nb_pad-- > 0 ) 00615 { 00616 int rng_dl = 100; 00617 00618 do { 00619 ret = f_rng( p_rng, p, 1 ); 00620 } while( *p == 0 && --rng_dl && ret == 0 ); 00621 00622 /* Check if RNG failed to generate data */ 00623 if( rng_dl == 0 || ret != 0 ) 00624 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00625 00626 p++; 00627 } 00628 } 00629 else 00630 { 00631 *p++ = MBEDTLS_RSA_SIGN; 00632 00633 while( nb_pad-- > 0 ) 00634 *p++ = 0xFF; 00635 } 00636 00637 *p++ = 0; 00638 memcpy( p, input, ilen ); 00639 00640 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00641 ? mbedtls_rsa_public( ctx, output, output ) 00642 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00643 } 00644 #endif /* MBEDTLS_PKCS1_V15 */ 00645 00646 /* 00647 * Add the message padding, then do an RSA operation 00648 */ 00649 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 00650 int (*f_rng)(void *, unsigned char *, size_t), 00651 void *p_rng, 00652 int mode, size_t ilen, 00653 const unsigned char *input, 00654 unsigned char *output ) 00655 { 00656 switch( ctx->padding ) 00657 { 00658 #if defined(MBEDTLS_PKCS1_V15) 00659 case MBEDTLS_RSA_PKCS_V15: 00660 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 00661 input, output ); 00662 #endif 00663 00664 #if defined(MBEDTLS_PKCS1_V21) 00665 case MBEDTLS_RSA_PKCS_V21: 00666 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00667 ilen, input, output ); 00668 #endif 00669 00670 default: 00671 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00672 } 00673 } 00674 00675 #if defined(MBEDTLS_PKCS1_V21) 00676 /* 00677 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 00678 */ 00679 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 00680 int (*f_rng)(void *, unsigned char *, size_t), 00681 void *p_rng, 00682 int mode, 00683 const unsigned char *label, size_t label_len, 00684 size_t *olen, 00685 const unsigned char *input, 00686 unsigned char *output, 00687 size_t output_max_len ) 00688 { 00689 int ret; 00690 size_t ilen, i, pad_len; 00691 unsigned char *p, bad, pad_done; 00692 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00693 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 00694 unsigned int hlen; 00695 const mbedtls_md_info_t *md_info; 00696 mbedtls_md_context_t md_ctx; 00697 00698 /* 00699 * Parameters sanity checks 00700 */ 00701 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00702 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00703 00704 ilen = ctx->len ; 00705 00706 if( ilen < 16 || ilen > sizeof( buf ) ) 00707 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00708 00709 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00710 if( md_info == NULL ) 00711 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00712 00713 hlen = mbedtls_md_get_size( md_info ); 00714 00715 // checking for integer underflow 00716 if( 2 * hlen + 2 > ilen ) 00717 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00718 00719 /* 00720 * RSA operation 00721 */ 00722 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00723 ? mbedtls_rsa_public( ctx, input, buf ) 00724 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00725 00726 if( ret != 0 ) 00727 return( ret ); 00728 00729 /* 00730 * Unmask data and generate lHash 00731 */ 00732 mbedtls_md_init( &md_ctx ); 00733 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00734 { 00735 mbedtls_md_free( &md_ctx ); 00736 return( ret ); 00737 } 00738 00739 00740 /* Generate lHash */ 00741 mbedtls_md( md_info, label, label_len, lhash ); 00742 00743 /* seed: Apply seedMask to maskedSeed */ 00744 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 00745 &md_ctx ); 00746 00747 /* DB: Apply dbMask to maskedDB */ 00748 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 00749 &md_ctx ); 00750 00751 mbedtls_md_free( &md_ctx ); 00752 00753 /* 00754 * Check contents, in "constant-time" 00755 */ 00756 p = buf; 00757 bad = 0; 00758 00759 bad |= *p++; /* First byte must be 0 */ 00760 00761 p += hlen; /* Skip seed */ 00762 00763 /* Check lHash */ 00764 for( i = 0; i < hlen; i++ ) 00765 bad |= lhash[i] ^ *p++; 00766 00767 /* Get zero-padding len, but always read till end of buffer 00768 * (minus one, for the 01 byte) */ 00769 pad_len = 0; 00770 pad_done = 0; 00771 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 00772 { 00773 pad_done |= p[i]; 00774 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00775 } 00776 00777 p += pad_len; 00778 bad |= *p++ ^ 0x01; 00779 00780 /* 00781 * The only information "leaked" is whether the padding was correct or not 00782 * (eg, no data is copied if it was not correct). This meets the 00783 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 00784 * the different error conditions. 00785 */ 00786 if( bad != 0 ) 00787 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00788 00789 if( ilen - ( p - buf ) > output_max_len ) 00790 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00791 00792 *olen = ilen - (p - buf); 00793 memcpy( output, p, *olen ); 00794 00795 return( 0 ); 00796 } 00797 #endif /* MBEDTLS_PKCS1_V21 */ 00798 00799 #if defined(MBEDTLS_PKCS1_V15) 00800 /* 00801 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 00802 */ 00803 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 00804 int (*f_rng)(void *, unsigned char *, size_t), 00805 void *p_rng, 00806 int mode, size_t *olen, 00807 const unsigned char *input, 00808 unsigned char *output, 00809 size_t output_max_len) 00810 { 00811 int ret; 00812 size_t ilen, pad_count = 0, i; 00813 unsigned char *p, bad, pad_done = 0; 00814 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00815 00816 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00817 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00818 00819 ilen = ctx->len ; 00820 00821 if( ilen < 16 || ilen > sizeof( buf ) ) 00822 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00823 00824 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00825 ? mbedtls_rsa_public( ctx, input, buf ) 00826 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00827 00828 if( ret != 0 ) 00829 return( ret ); 00830 00831 p = buf; 00832 bad = 0; 00833 00834 /* 00835 * Check and get padding len in "constant-time" 00836 */ 00837 bad |= *p++; /* First byte must be 0 */ 00838 00839 /* This test does not depend on secret data */ 00840 if( mode == MBEDTLS_RSA_PRIVATE ) 00841 { 00842 bad |= *p++ ^ MBEDTLS_RSA_CRYPT; 00843 00844 /* Get padding len, but always read till end of buffer 00845 * (minus one, for the 00 byte) */ 00846 for( i = 0; i < ilen - 3; i++ ) 00847 { 00848 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1; 00849 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00850 } 00851 00852 p += pad_count; 00853 bad |= *p++; /* Must be zero */ 00854 } 00855 else 00856 { 00857 bad |= *p++ ^ MBEDTLS_RSA_SIGN; 00858 00859 /* Get padding len, but always read till end of buffer 00860 * (minus one, for the 00 byte) */ 00861 for( i = 0; i < ilen - 3; i++ ) 00862 { 00863 pad_done |= ( p[i] != 0xFF ); 00864 pad_count += ( pad_done == 0 ); 00865 } 00866 00867 p += pad_count; 00868 bad |= *p++; /* Must be zero */ 00869 } 00870 00871 bad |= ( pad_count < 8 ); 00872 00873 if( bad ) 00874 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00875 00876 if( ilen - ( p - buf ) > output_max_len ) 00877 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00878 00879 *olen = ilen - (p - buf); 00880 memcpy( output, p, *olen ); 00881 00882 return( 0 ); 00883 } 00884 #endif /* MBEDTLS_PKCS1_V15 */ 00885 00886 /* 00887 * Do an RSA operation, then remove the message padding 00888 */ 00889 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 00890 int (*f_rng)(void *, unsigned char *, size_t), 00891 void *p_rng, 00892 int mode, size_t *olen, 00893 const unsigned char *input, 00894 unsigned char *output, 00895 size_t output_max_len) 00896 { 00897 switch( ctx->padding ) 00898 { 00899 #if defined(MBEDTLS_PKCS1_V15) 00900 case MBEDTLS_RSA_PKCS_V15: 00901 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 00902 input, output, output_max_len ); 00903 #endif 00904 00905 #if defined(MBEDTLS_PKCS1_V21) 00906 case MBEDTLS_RSA_PKCS_V21: 00907 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00908 olen, input, output, 00909 output_max_len ); 00910 #endif 00911 00912 default: 00913 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00914 } 00915 } 00916 00917 #if defined(MBEDTLS_PKCS1_V21) 00918 /* 00919 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 00920 */ 00921 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 00922 int (*f_rng)(void *, unsigned char *, size_t), 00923 void *p_rng, 00924 int mode, 00925 mbedtls_md_type_t md_alg, 00926 unsigned int hashlen, 00927 const unsigned char *hash, 00928 unsigned char *sig ) 00929 { 00930 size_t olen; 00931 unsigned char *p = sig; 00932 unsigned char salt[MBEDTLS_MD_MAX_SIZE]; 00933 unsigned int slen, hlen, offset = 0; 00934 int ret; 00935 size_t msb; 00936 const mbedtls_md_info_t *md_info; 00937 mbedtls_md_context_t md_ctx; 00938 00939 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00940 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00941 00942 if( f_rng == NULL ) 00943 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00944 00945 olen = ctx->len ; 00946 00947 if( md_alg != MBEDTLS_MD_NONE ) 00948 { 00949 /* Gather length of hash to sign */ 00950 md_info = mbedtls_md_info_from_type( md_alg ); 00951 if( md_info == NULL ) 00952 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00953 00954 hashlen = mbedtls_md_get_size( md_info ); 00955 } 00956 00957 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00958 if( md_info == NULL ) 00959 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00960 00961 hlen = mbedtls_md_get_size( md_info ); 00962 slen = hlen; 00963 00964 if( olen < hlen + slen + 2 ) 00965 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00966 00967 memset( sig, 0, olen ); 00968 00969 /* Generate salt of length slen */ 00970 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 00971 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00972 00973 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 00974 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 00975 p += olen - hlen * 2 - 2; 00976 *p++ = 0x01; 00977 memcpy( p, salt, slen ); 00978 p += slen; 00979 00980 mbedtls_md_init( &md_ctx ); 00981 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00982 { 00983 mbedtls_md_free( &md_ctx ); 00984 return( ret ); 00985 } 00986 00987 /* Generate H = Hash( M' ) */ 00988 mbedtls_md_starts( &md_ctx ); 00989 mbedtls_md_update( &md_ctx, p, 8 ); 00990 mbedtls_md_update( &md_ctx, hash, hashlen ); 00991 mbedtls_md_update( &md_ctx, salt, slen ); 00992 mbedtls_md_finish( &md_ctx, p ); 00993 00994 /* Compensate for boundary condition when applying mask */ 00995 if( msb % 8 == 0 ) 00996 offset = 1; 00997 00998 /* maskedDB: Apply dbMask to DB */ 00999 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); 01000 01001 mbedtls_md_free( &md_ctx ); 01002 01003 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01004 sig[0] &= 0xFF >> ( olen * 8 - msb ); 01005 01006 p += hlen; 01007 *p++ = 0xBC; 01008 01009 return( ( mode == MBEDTLS_RSA_PUBLIC ) 01010 ? mbedtls_rsa_public( ctx, sig, sig ) 01011 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 01012 } 01013 #endif /* MBEDTLS_PKCS1_V21 */ 01014 01015 #if defined(MBEDTLS_PKCS1_V15) 01016 /* 01017 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 01018 */ 01019 /* 01020 * Do an RSA operation to sign the message digest 01021 */ 01022 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 01023 int (*f_rng)(void *, unsigned char *, size_t), 01024 void *p_rng, 01025 int mode, 01026 mbedtls_md_type_t md_alg, 01027 unsigned int hashlen, 01028 const unsigned char *hash, 01029 unsigned char *sig ) 01030 { 01031 size_t nb_pad, olen, oid_size = 0; 01032 unsigned char *p = sig; 01033 const char *oid = NULL; 01034 unsigned char *sig_try = NULL, *verif = NULL; 01035 size_t i; 01036 unsigned char diff; 01037 volatile unsigned char diff_no_optimize; 01038 int ret; 01039 01040 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01041 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01042 01043 olen = ctx->len ; 01044 nb_pad = olen - 3; 01045 01046 if( md_alg != MBEDTLS_MD_NONE ) 01047 { 01048 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 01049 if( md_info == NULL ) 01050 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01051 01052 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 01053 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01054 01055 nb_pad -= 10 + oid_size; 01056 01057 hashlen = mbedtls_md_get_size( md_info ); 01058 } 01059 01060 nb_pad -= hashlen; 01061 01062 if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) 01063 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01064 01065 *p++ = 0; 01066 *p++ = MBEDTLS_RSA_SIGN; 01067 memset( p, 0xFF, nb_pad ); 01068 p += nb_pad; 01069 *p++ = 0; 01070 01071 if( md_alg == MBEDTLS_MD_NONE ) 01072 { 01073 memcpy( p, hash, hashlen ); 01074 } 01075 else 01076 { 01077 /* 01078 * DigestInfo ::= SEQUENCE { 01079 * digestAlgorithm DigestAlgorithmIdentifier, 01080 * digest Digest } 01081 * 01082 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 01083 * 01084 * Digest ::= OCTET STRING 01085 */ 01086 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01087 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); 01088 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01089 *p++ = (unsigned char) ( 0x04 + oid_size ); 01090 *p++ = MBEDTLS_ASN1_OID; 01091 *p++ = oid_size & 0xFF; 01092 memcpy( p, oid, oid_size ); 01093 p += oid_size; 01094 *p++ = MBEDTLS_ASN1_NULL; 01095 *p++ = 0x00; 01096 *p++ = MBEDTLS_ASN1_OCTET_STRING; 01097 *p++ = hashlen; 01098 memcpy( p, hash, hashlen ); 01099 } 01100 01101 if( mode == MBEDTLS_RSA_PUBLIC ) 01102 return( mbedtls_rsa_public( ctx, sig, sig ) ); 01103 01104 /* 01105 * In order to prevent Lenstra's attack, make the signature in a 01106 * temporary buffer and check it before returning it. 01107 */ 01108 sig_try = mbedtls_calloc( 1, ctx->len ); 01109 if( sig_try == NULL ) 01110 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01111 01112 verif = mbedtls_calloc( 1, ctx->len ); 01113 if( verif == NULL ) 01114 { 01115 mbedtls_free( sig_try ); 01116 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01117 } 01118 01119 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 01120 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 01121 01122 /* Compare in constant time just in case */ 01123 for( diff = 0, i = 0; i < ctx->len ; i++ ) 01124 diff |= verif[i] ^ sig[i]; 01125 diff_no_optimize = diff; 01126 01127 if( diff_no_optimize != 0 ) 01128 { 01129 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 01130 goto cleanup; 01131 } 01132 01133 memcpy( sig, sig_try, ctx->len ); 01134 01135 cleanup: 01136 mbedtls_free( sig_try ); 01137 mbedtls_free( verif ); 01138 01139 return( ret ); 01140 } 01141 #endif /* MBEDTLS_PKCS1_V15 */ 01142 01143 /* 01144 * Do an RSA operation to sign the message digest 01145 */ 01146 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 01147 int (*f_rng)(void *, unsigned char *, size_t), 01148 void *p_rng, 01149 int mode, 01150 mbedtls_md_type_t md_alg, 01151 unsigned int hashlen, 01152 const unsigned char *hash, 01153 unsigned char *sig ) 01154 { 01155 switch( ctx->padding ) 01156 { 01157 #if defined(MBEDTLS_PKCS1_V15) 01158 case MBEDTLS_RSA_PKCS_V15: 01159 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 01160 hashlen, hash, sig ); 01161 #endif 01162 01163 #if defined(MBEDTLS_PKCS1_V21) 01164 case MBEDTLS_RSA_PKCS_V21: 01165 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 01166 hashlen, hash, sig ); 01167 #endif 01168 01169 default: 01170 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01171 } 01172 } 01173 01174 #if defined(MBEDTLS_PKCS1_V21) 01175 /* 01176 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01177 */ 01178 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 01179 int (*f_rng)(void *, unsigned char *, size_t), 01180 void *p_rng, 01181 int mode, 01182 mbedtls_md_type_t md_alg, 01183 unsigned int hashlen, 01184 const unsigned char *hash, 01185 mbedtls_md_type_t mgf1_hash_id, 01186 int expected_salt_len, 01187 const unsigned char *sig ) 01188 { 01189 int ret; 01190 size_t siglen; 01191 unsigned char *p; 01192 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 01193 unsigned char zeros[8]; 01194 unsigned int hlen; 01195 size_t slen, msb; 01196 const mbedtls_md_info_t *md_info; 01197 mbedtls_md_context_t md_ctx; 01198 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01199 01200 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01201 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01202 01203 siglen = ctx->len ; 01204 01205 if( siglen < 16 || siglen > sizeof( buf ) ) 01206 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01207 01208 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01209 ? mbedtls_rsa_public( ctx, sig, buf ) 01210 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01211 01212 if( ret != 0 ) 01213 return( ret ); 01214 01215 p = buf; 01216 01217 if( buf[siglen - 1] != 0xBC ) 01218 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01219 01220 if( md_alg != MBEDTLS_MD_NONE ) 01221 { 01222 /* Gather length of hash to sign */ 01223 md_info = mbedtls_md_info_from_type( md_alg ); 01224 if( md_info == NULL ) 01225 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01226 01227 hashlen = mbedtls_md_get_size( md_info ); 01228 } 01229 01230 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 01231 if( md_info == NULL ) 01232 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01233 01234 hlen = mbedtls_md_get_size( md_info ); 01235 slen = siglen - hlen - 1; /* Currently length of salt + padding */ 01236 01237 memset( zeros, 0, 8 ); 01238 01239 /* 01240 * Note: EMSA-PSS verification is over the length of N - 1 bits 01241 */ 01242 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01243 01244 /* Compensate for boundary condition when applying mask */ 01245 if( msb % 8 == 0 ) 01246 { 01247 p++; 01248 siglen -= 1; 01249 } 01250 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 01251 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01252 01253 mbedtls_md_init( &md_ctx ); 01254 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01255 { 01256 mbedtls_md_free( &md_ctx ); 01257 return( ret ); 01258 } 01259 01260 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); 01261 01262 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 01263 01264 while( p < buf + siglen && *p == 0 ) 01265 p++; 01266 01267 if( p == buf + siglen || 01268 *p++ != 0x01 ) 01269 { 01270 mbedtls_md_free( &md_ctx ); 01271 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01272 } 01273 01274 /* Actual salt len */ 01275 slen -= p - buf; 01276 01277 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 01278 slen != (size_t) expected_salt_len ) 01279 { 01280 mbedtls_md_free( &md_ctx ); 01281 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01282 } 01283 01284 /* 01285 * Generate H = Hash( M' ) 01286 */ 01287 mbedtls_md_starts( &md_ctx ); 01288 mbedtls_md_update( &md_ctx, zeros, 8 ); 01289 mbedtls_md_update( &md_ctx, hash, hashlen ); 01290 mbedtls_md_update( &md_ctx, p, slen ); 01291 mbedtls_md_finish( &md_ctx, result ); 01292 01293 mbedtls_md_free( &md_ctx ); 01294 01295 if( memcmp( p + slen, result, hlen ) == 0 ) 01296 return( 0 ); 01297 else 01298 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01299 } 01300 01301 /* 01302 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01303 */ 01304 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 01305 int (*f_rng)(void *, unsigned char *, size_t), 01306 void *p_rng, 01307 int mode, 01308 mbedtls_md_type_t md_alg, 01309 unsigned int hashlen, 01310 const unsigned char *hash, 01311 const unsigned char *sig ) 01312 { 01313 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 01314 ? (mbedtls_md_type_t) ctx->hash_id 01315 : md_alg; 01316 01317 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 01318 md_alg, hashlen, hash, 01319 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 01320 sig ) ); 01321 01322 } 01323 #endif /* MBEDTLS_PKCS1_V21 */ 01324 01325 #if defined(MBEDTLS_PKCS1_V15) 01326 /* 01327 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 01328 */ 01329 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 01330 int (*f_rng)(void *, unsigned char *, size_t), 01331 void *p_rng, 01332 int mode, 01333 mbedtls_md_type_t md_alg, 01334 unsigned int hashlen, 01335 const unsigned char *hash, 01336 const unsigned char *sig ) 01337 { 01338 int ret; 01339 size_t len, siglen, asn1_len; 01340 unsigned char *p, *end; 01341 mbedtls_md_type_t msg_md_alg; 01342 const mbedtls_md_info_t *md_info; 01343 mbedtls_asn1_buf oid; 01344 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01345 01346 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01347 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01348 01349 siglen = ctx->len ; 01350 01351 if( siglen < 16 || siglen > sizeof( buf ) ) 01352 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01353 01354 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01355 ? mbedtls_rsa_public( ctx, sig, buf ) 01356 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01357 01358 if( ret != 0 ) 01359 return( ret ); 01360 01361 p = buf; 01362 01363 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN ) 01364 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01365 01366 while( *p != 0 ) 01367 { 01368 if( p >= buf + siglen - 1 || *p != 0xFF ) 01369 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01370 p++; 01371 } 01372 p++; 01373 01374 len = siglen - ( p - buf ); 01375 01376 if( len == hashlen && md_alg == MBEDTLS_MD_NONE ) 01377 { 01378 if( memcmp( p, hash, hashlen ) == 0 ) 01379 return( 0 ); 01380 else 01381 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01382 } 01383 01384 md_info = mbedtls_md_info_from_type( md_alg ); 01385 if( md_info == NULL ) 01386 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01387 hashlen = mbedtls_md_get_size( md_info ); 01388 01389 end = p + len; 01390 01391 /* 01392 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure 01393 */ 01394 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01395 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01396 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01397 01398 if( asn1_len + 2 != len ) 01399 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01400 01401 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01402 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01403 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01404 01405 if( asn1_len + 6 + hashlen != len ) 01406 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01407 01408 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) 01409 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01410 01411 oid.p = p; 01412 p += oid.len; 01413 01414 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 ) 01415 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01416 01417 if( md_alg != msg_md_alg ) 01418 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01419 01420 /* 01421 * assume the algorithm parameters must be NULL 01422 */ 01423 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) 01424 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01425 01426 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 01427 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01428 01429 if( asn1_len != hashlen ) 01430 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01431 01432 if( memcmp( p, hash, hashlen ) != 0 ) 01433 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01434 01435 p += hashlen; 01436 01437 if( p != end ) 01438 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01439 01440 return( 0 ); 01441 } 01442 #endif /* MBEDTLS_PKCS1_V15 */ 01443 01444 /* 01445 * Do an RSA operation and check the message digest 01446 */ 01447 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 01448 int (*f_rng)(void *, unsigned char *, size_t), 01449 void *p_rng, 01450 int mode, 01451 mbedtls_md_type_t md_alg, 01452 unsigned int hashlen, 01453 const unsigned char *hash, 01454 const unsigned char *sig ) 01455 { 01456 switch( ctx->padding ) 01457 { 01458 #if defined(MBEDTLS_PKCS1_V15) 01459 case MBEDTLS_RSA_PKCS_V15: 01460 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 01461 hashlen, hash, sig ); 01462 #endif 01463 01464 #if defined(MBEDTLS_PKCS1_V21) 01465 case MBEDTLS_RSA_PKCS_V21: 01466 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 01467 hashlen, hash, sig ); 01468 #endif 01469 01470 default: 01471 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01472 } 01473 } 01474 01475 /* 01476 * Copy the components of an RSA key 01477 */ 01478 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 01479 { 01480 int ret; 01481 01482 dst->ver = src->ver ; 01483 dst->len = src->len ; 01484 01485 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N , &src->N ) ); 01486 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E , &src->E ) ); 01487 01488 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D , &src->D ) ); 01489 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P , &src->P ) ); 01490 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q , &src->Q ) ); 01491 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP , &src->DP ) ); 01492 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ , &src->DQ ) ); 01493 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP , &src->QP ) ); 01494 01495 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN , &src->RN ) ); 01496 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP , &src->RP ) ); 01497 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ , &src->RQ ) ); 01498 01499 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi , &src->Vi ) ); 01500 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf , &src->Vf ) ); 01501 01502 dst->padding = src->padding ; 01503 dst->hash_id = src->hash_id ; 01504 01505 cleanup: 01506 if( ret != 0 ) 01507 mbedtls_rsa_free( dst ); 01508 01509 return( ret ); 01510 } 01511 01512 /* 01513 * Free the components of an RSA key 01514 */ 01515 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 01516 { 01517 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf ); 01518 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN ); 01519 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP ); 01520 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D ); 01521 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N ); 01522 01523 #if defined(MBEDTLS_THREADING_C) 01524 mbedtls_mutex_free( &ctx->mutex ); 01525 #endif 01526 } 01527 01528 #if defined(MBEDTLS_SELF_TEST) 01529 01530 #include "mbedtls/sha1.h" 01531 01532 /* 01533 * Example RSA-1024 keypair, for test purposes 01534 */ 01535 #define KEY_LEN 128 01536 01537 #define RSA_N "9292758453063D803DD603D5E777D788" \ 01538 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 01539 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 01540 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 01541 "93A89813FBF3C4F8066D2D800F7C38A8" \ 01542 "1AE31942917403FF4946B0A83D3D3E05" \ 01543 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 01544 "5E94BB77B07507233A0BC7BAC8F90F79" 01545 01546 #define RSA_E "10001" 01547 01548 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 01549 "66CA472BC44D253102F8B4A9D3BFA750" \ 01550 "91386C0077937FE33FA3252D28855837" \ 01551 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 01552 "DF79C5CE07EE72C7F123142198164234" \ 01553 "CABB724CF78B8173B9F880FC86322407" \ 01554 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 01555 "071513A1E85B5DFA031F21ECAE91A34D" 01556 01557 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 01558 "2C01CAD19EA484A87EA4377637E75500" \ 01559 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 01560 "C3D9E75E1EFC42488BB4F1D13AC30A57" 01561 01562 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 01563 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 01564 "910E4168387E3C30AA1E00C339A79508" \ 01565 "8452DD96A9A5EA5D9DCA68DA636032AF" 01566 01567 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \ 01568 "3C94D22288ACD763FD8E5600ED4A702D" \ 01569 "F84198A5F06C2E72236AE490C93F07F8" \ 01570 "3CC559CD27BC2D1CA488811730BB5725" 01571 01572 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \ 01573 "D8AAEA56749EA28623272E4F7D0592AF" \ 01574 "7C1F1313CAC9471B5C523BFE592F517B" \ 01575 "407A1BD76C164B93DA2D32A383E58357" 01576 01577 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \ 01578 "F38D18D2B2F0E2DD275AA977E2BF4411" \ 01579 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \ 01580 "A74206CEC169D74BF5A8C50D6F48EA08" 01581 01582 #define PT_LEN 24 01583 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 01584 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 01585 01586 #if defined(MBEDTLS_PKCS1_V15) 01587 static int myrand( void *rng_state, unsigned char *output, size_t len ) 01588 { 01589 #if !defined(__OpenBSD__) 01590 size_t i; 01591 01592 if( rng_state != NULL ) 01593 rng_state = NULL; 01594 01595 for( i = 0; i < len; ++i ) 01596 output[i] = rand(); 01597 #else 01598 if( rng_state != NULL ) 01599 rng_state = NULL; 01600 01601 arc4random_buf( output, len ); 01602 #endif /* !OpenBSD */ 01603 01604 return( 0 ); 01605 } 01606 #endif /* MBEDTLS_PKCS1_V15 */ 01607 01608 /* 01609 * Checkup routine 01610 */ 01611 int mbedtls_rsa_self_test( int verbose ) 01612 { 01613 int ret = 0; 01614 #if defined(MBEDTLS_PKCS1_V15) 01615 size_t len; 01616 mbedtls_rsa_context rsa; 01617 unsigned char rsa_plaintext[PT_LEN]; 01618 unsigned char rsa_decrypted[PT_LEN]; 01619 unsigned char rsa_ciphertext[KEY_LEN]; 01620 #if defined(MBEDTLS_SHA1_C) 01621 unsigned char sha1sum[20]; 01622 #endif 01623 01624 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 01625 01626 rsa.len = KEY_LEN; 01627 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) ); 01628 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) ); 01629 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) ); 01630 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) ); 01631 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) ); 01632 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP , 16, RSA_DP ) ); 01633 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ , 16, RSA_DQ ) ); 01634 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP , 16, RSA_QP ) ); 01635 01636 if( verbose != 0 ) 01637 mbedtls_printf( " RSA key validation: " ); 01638 01639 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 01640 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 01641 { 01642 if( verbose != 0 ) 01643 mbedtls_printf( "failed\n" ); 01644 01645 return( 1 ); 01646 } 01647 01648 if( verbose != 0 ) 01649 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 01650 01651 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 01652 01653 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN, 01654 rsa_plaintext, rsa_ciphertext ) != 0 ) 01655 { 01656 if( verbose != 0 ) 01657 mbedtls_printf( "failed\n" ); 01658 01659 return( 1 ); 01660 } 01661 01662 if( verbose != 0 ) 01663 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 01664 01665 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len, 01666 rsa_ciphertext, rsa_decrypted, 01667 sizeof(rsa_decrypted) ) != 0 ) 01668 { 01669 if( verbose != 0 ) 01670 mbedtls_printf( "failed\n" ); 01671 01672 return( 1 ); 01673 } 01674 01675 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 01676 { 01677 if( verbose != 0 ) 01678 mbedtls_printf( "failed\n" ); 01679 01680 return( 1 ); 01681 } 01682 01683 if( verbose != 0 ) 01684 mbedtls_printf( "passed\n" ); 01685 01686 #if defined(MBEDTLS_SHA1_C) 01687 if( verbose != 0 ) 01688 mbedtls_printf( " PKCS#1 data sign : " ); 01689 01690 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); 01691 01692 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 01693 sha1sum, rsa_ciphertext ) != 0 ) 01694 { 01695 if( verbose != 0 ) 01696 mbedtls_printf( "failed\n" ); 01697 01698 return( 1 ); 01699 } 01700 01701 if( verbose != 0 ) 01702 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 01703 01704 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 01705 sha1sum, rsa_ciphertext ) != 0 ) 01706 { 01707 if( verbose != 0 ) 01708 mbedtls_printf( "failed\n" ); 01709 01710 return( 1 ); 01711 } 01712 01713 if( verbose != 0 ) 01714 mbedtls_printf( "passed\n" ); 01715 #endif /* MBEDTLS_SHA1_C */ 01716 01717 if( verbose != 0 ) 01718 mbedtls_printf( "\n" ); 01719 01720 cleanup: 01721 mbedtls_rsa_free( &rsa ); 01722 #else /* MBEDTLS_PKCS1_V15 */ 01723 ((void) verbose); 01724 #endif /* MBEDTLS_PKCS1_V15 */ 01725 return( ret ); 01726 } 01727 01728 #endif /* MBEDTLS_SELF_TEST */ 01729 01730 #endif /* MBEDTLS_RSA_C */
Generated on Tue Jul 12 2022 11:02:50 by
1.7.2