Chuck Swiger
/
WNCInterface2
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: WncControllerK64F
Fork of
WNCInterface
by 
Avnet
Embed:
(wiki syntax)
Show/hide line numbers
rsa.c
00001 /* 00002 * The RSA public-key cryptosystem 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The following sources were referenced in the design of this implementation 00023 * of the RSA algorithm: 00024 * 00025 * [1] A method for obtaining digital signatures and public-key cryptosystems 00026 * R Rivest, A Shamir, and L Adleman 00027 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 00028 * 00029 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 00030 * Menezes, van Oorschot and Vanstone 00031 * 00032 */ 00033 00034 #if !defined(MBEDTLS_CONFIG_FILE) 00035 #include "mbedtls/config.h" 00036 #else 00037 #include MBEDTLS_CONFIG_FILE 00038 #endif 00039 00040 #if defined(MBEDTLS_RSA_C) 00041 00042 #include "mbedtls/rsa.h" 00043 #include "mbedtls/oid.h" 00044 00045 #include <string.h> 00046 00047 #if defined(MBEDTLS_PKCS1_V21) 00048 #include "mbedtls/md.h" 00049 #endif 00050 00051 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) 00052 #include <stdlib.h> 00053 #endif 00054 00055 #if defined(MBEDTLS_PLATFORM_C) 00056 #include "mbedtls/platform.h" 00057 #else 00058 #include <stdio.h> 00059 #define mbedtls_printf printf 00060 #define mbedtls_calloc calloc 00061 #define mbedtls_free free 00062 #endif 00063 00064 /* 00065 * Initialize an RSA context 00066 */ 00067 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 00068 int padding, 00069 int hash_id ) 00070 { 00071 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 00072 00073 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 00074 00075 #if defined(MBEDTLS_THREADING_C) 00076 mbedtls_mutex_init( &ctx->mutex ); 00077 #endif 00078 } 00079 00080 /* 00081 * Set padding for an existing RSA context 00082 */ 00083 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id ) 00084 { 00085 ctx->padding = padding; 00086 ctx->hash_id = hash_id; 00087 } 00088 00089 #if defined(MBEDTLS_GENPRIME) 00090 00091 /* 00092 * Generate an RSA keypair 00093 */ 00094 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 00095 int (*f_rng)(void *, unsigned char *, size_t), 00096 void *p_rng, 00097 unsigned int nbits, int exponent ) 00098 { 00099 int ret; 00100 mbedtls_mpi P1, Q1, H, G; 00101 00102 if( f_rng == NULL || nbits < 128 || exponent < 3 ) 00103 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00104 00105 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00106 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G ); 00107 00108 /* 00109 * find primes P and Q with Q < P so that: 00110 * GCD( E, (P-1)*(Q-1) ) == 1 00111 */ 00112 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E , exponent ) ); 00113 00114 do 00115 { 00116 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P , nbits >> 1, 0, 00117 f_rng, p_rng ) ); 00118 00119 if( nbits % 2 ) 00120 { 00121 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , ( nbits >> 1 ) + 1, 0, 00122 f_rng, p_rng ) ); 00123 } 00124 else 00125 { 00126 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , nbits >> 1, 0, 00127 f_rng, p_rng ) ); 00128 } 00129 00130 if( mbedtls_mpi_cmp_mpi( &ctx->P , &ctx->Q ) == 0 ) 00131 continue; 00132 00133 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q ) ); 00134 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits ) 00135 continue; 00136 00137 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00138 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00139 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00140 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00141 } 00142 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ); 00143 00144 /* 00145 * D = E^-1 mod ((P-1)*(Q-1)) 00146 * DP = D mod (P - 1) 00147 * DQ = D mod (Q - 1) 00148 * QP = Q^-1 mod P 00149 */ 00150 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E , &H ) ); 00151 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP , &ctx->D , &P1 ) ); 00152 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ , &ctx->D , &Q1 ) ); 00153 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP , &ctx->Q , &ctx->P ) ); 00154 00155 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3; 00156 00157 cleanup: 00158 00159 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); 00160 00161 if( ret != 0 ) 00162 { 00163 mbedtls_rsa_free( ctx ); 00164 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret ); 00165 } 00166 00167 return( 0 ); 00168 } 00169 00170 #endif /* MBEDTLS_GENPRIME */ 00171 00172 /* 00173 * Check a public RSA key 00174 */ 00175 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 00176 { 00177 if( !ctx->N .p || !ctx->E .p ) 00178 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00179 00180 if( ( ctx->N .p [0] & 1 ) == 0 || 00181 ( ctx->E .p [0] & 1 ) == 0 ) 00182 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00183 00184 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 || 00185 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS ) 00186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00187 00188 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 || 00189 mbedtls_mpi_cmp_mpi( &ctx->E , &ctx->N ) >= 0 ) 00190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00191 00192 return( 0 ); 00193 } 00194 00195 /* 00196 * Check a private RSA key 00197 */ 00198 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 00199 { 00200 int ret; 00201 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP; 00202 00203 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 ) 00204 return( ret ); 00205 00206 if( !ctx->P .p || !ctx->Q .p || !ctx->D .p ) 00207 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00208 00209 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00210 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 ); 00211 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ ); 00212 mbedtls_mpi_init( &QP ); 00213 00214 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P , &ctx->Q ) ); 00215 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D , &ctx->E ) ); 00216 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00217 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00218 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00219 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00220 00221 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) ); 00222 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) ); 00223 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) ); 00224 00225 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D , &P1 ) ); 00226 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D , &Q1 ) ); 00227 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q , &ctx->P ) ); 00228 /* 00229 * Check for a valid PKCS1v2 private key 00230 */ 00231 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 || 00232 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 || 00233 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 || 00234 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 || 00235 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 || 00236 mbedtls_mpi_cmp_int( &I, 1 ) != 0 || 00237 mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 00238 { 00239 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 00240 } 00241 00242 cleanup: 00243 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); 00244 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 ); 00245 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ ); 00246 mbedtls_mpi_free( &QP ); 00247 00248 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ) 00249 return( ret ); 00250 00251 if( ret != 0 ) 00252 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret ); 00253 00254 return( 0 ); 00255 } 00256 00257 /* 00258 * Check if contexts holding a public and private key match 00259 */ 00260 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ) 00261 { 00262 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 00263 mbedtls_rsa_check_privkey( prv ) != 0 ) 00264 { 00265 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00266 } 00267 00268 if( mbedtls_mpi_cmp_mpi( &pub->N , &prv->N ) != 0 || 00269 mbedtls_mpi_cmp_mpi( &pub->E , &prv->E ) != 0 ) 00270 { 00271 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00272 } 00273 00274 return( 0 ); 00275 } 00276 00277 /* 00278 * Do an RSA public key operation 00279 */ 00280 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 00281 const unsigned char *input, 00282 unsigned char *output ) 00283 { 00284 int ret; 00285 size_t olen; 00286 mbedtls_mpi T; 00287 00288 mbedtls_mpi_init( &T ); 00289 #if defined(MBEDTLS_THREADING_C) 00290 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00291 return( ret ); 00292 #endif 00293 00294 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00295 00296 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00297 { 00298 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00299 goto cleanup; 00300 } 00301 00302 olen = ctx->len ; 00303 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN ) ); 00304 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00305 00306 cleanup: 00307 #if defined(MBEDTLS_THREADING_C) 00308 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00309 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00310 #endif 00311 00312 mbedtls_mpi_free( &T ); 00313 00314 if( ret != 0 ) 00315 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret ); 00316 00317 return( 0 ); 00318 } 00319 00320 /* 00321 * Generate or update blinding values, see section 10 of: 00322 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 00323 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 00324 * Berlin Heidelberg, 1996. p. 104-113. 00325 */ 00326 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 00327 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00328 { 00329 int ret, count = 0; 00330 00331 if( ctx->Vf .p != NULL ) 00332 { 00333 /* We already have blinding values, just update them by squaring */ 00334 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi ) ); 00335 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N ) ); 00336 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf ) ); 00337 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N ) ); 00338 00339 goto cleanup; 00340 } 00341 00342 /* Unblinding value: Vf = random number, invertible mod N */ 00343 do { 00344 if( count++ > 10 ) 00345 return( MBEDTLS_ERR_RSA_RNG_FAILED ); 00346 00347 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf , ctx->len - 1, f_rng, p_rng ) ); 00348 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00349 } while( mbedtls_mpi_cmp_int( &ctx->Vi , 1 ) != 0 ); 00350 00351 /* Blinding value: Vi = Vf^(-e) mod N */ 00352 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00353 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN ) ); 00354 00355 00356 cleanup: 00357 return( ret ); 00358 } 00359 00360 /* 00361 * Do an RSA private key operation 00362 */ 00363 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 00364 int (*f_rng)(void *, unsigned char *, size_t), 00365 void *p_rng, 00366 const unsigned char *input, 00367 unsigned char *output ) 00368 { 00369 int ret; 00370 size_t olen; 00371 mbedtls_mpi T, T1, T2; 00372 /* Make sure we have private key info, prevent possible misuse */ 00373 if( ctx->P .p == NULL || ctx->Q .p == NULL || ctx->D .p == NULL ) 00374 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00375 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); 00376 #if defined(MBEDTLS_THREADING_C) 00377 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00378 return( ret ); 00379 #endif 00380 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00381 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00382 { 00383 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00384 goto cleanup; 00385 } 00386 if( f_rng != NULL ) 00387 { 00388 /* 00389 * Blinding 00390 * T = T * Vi mod N 00391 */ 00392 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 00393 00394 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 00395 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00396 } 00397 #if defined(MBEDTLS_RSA_NO_CRT) 00398 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D , &ctx->N , &ctx->RN ) ); 00399 #else 00400 /* 00401 * faster decryption using the CRT 00402 * 00403 * T1 = input ^ dP mod P 00404 * T2 = input ^ dQ mod Q 00405 */ 00406 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP , &ctx->P , &ctx->RP ) ); 00407 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ , &ctx->Q , &ctx->RQ ) ); 00408 /* 00409 * T = (T1 - T2) * (Q^-1 mod P) mod P 00410 */ 00411 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) ); 00412 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) ); 00413 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) ); 00414 00415 /* 00416 * T = T2 + T * Q 00417 */ 00418 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) ); 00419 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) ); 00420 #endif /* MBEDTLS_RSA_NO_CRT */ 00421 if( f_rng != NULL ) 00422 { 00423 /* 00424 * Unblind 00425 * T = T * Vf mod N 00426 */ 00427 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 00428 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00429 } 00430 olen = ctx->len ; 00431 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00432 00433 cleanup: 00434 #if defined(MBEDTLS_THREADING_C) 00435 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00436 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00437 #endif 00438 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); 00439 00440 if( ret != 0 ) 00441 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); 00442 00443 return( 0 ); 00444 } 00445 00446 #if defined(MBEDTLS_PKCS1_V21) 00447 /** 00448 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 00449 * 00450 * \param dst buffer to mask 00451 * \param dlen length of destination buffer 00452 * \param src source of the mask generation 00453 * \param slen length of the source buffer 00454 * \param md_ctx message digest context to use 00455 */ 00456 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 00457 size_t slen, mbedtls_md_context_t *md_ctx ) 00458 { 00459 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 00460 unsigned char counter[4]; 00461 unsigned char *p; 00462 unsigned int hlen; 00463 size_t i, use_len; 00464 00465 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 00466 memset( counter, 0, 4 ); 00467 00468 hlen = mbedtls_md_get_size( md_ctx->md_info ); 00469 00470 /* Generate and apply dbMask */ 00471 p = dst; 00472 00473 while( dlen > 0 ) 00474 { 00475 use_len = hlen; 00476 if( dlen < hlen ) 00477 use_len = dlen; 00478 00479 mbedtls_md_starts( md_ctx ); 00480 mbedtls_md_update( md_ctx, src, slen ); 00481 mbedtls_md_update( md_ctx, counter, 4 ); 00482 mbedtls_md_finish( md_ctx, mask ); 00483 00484 for( i = 0; i < use_len; ++i ) 00485 *p++ ^= mask[i]; 00486 00487 counter[3]++; 00488 00489 dlen -= use_len; 00490 } 00491 } 00492 #endif /* MBEDTLS_PKCS1_V21 */ 00493 00494 #if defined(MBEDTLS_PKCS1_V21) 00495 /* 00496 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 00497 */ 00498 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 00499 int (*f_rng)(void *, unsigned char *, size_t), 00500 void *p_rng, 00501 int mode, 00502 const unsigned char *label, size_t label_len, 00503 size_t ilen, 00504 const unsigned char *input, 00505 unsigned char *output ) 00506 { 00507 size_t olen; 00508 int ret; 00509 unsigned char *p = output; 00510 unsigned int hlen; 00511 const mbedtls_md_info_t *md_info; 00512 mbedtls_md_context_t md_ctx; 00513 00514 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00515 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00516 00517 if( f_rng == NULL ) 00518 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00519 00520 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00521 if( md_info == NULL ) 00522 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00523 00524 olen = ctx->len ; 00525 hlen = mbedtls_md_get_size( md_info ); 00526 00527 /* first comparison checks for overflow */ 00528 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 00529 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00530 00531 memset( output, 0, olen ); 00532 00533 *p++ = 0; 00534 00535 /* Generate a random octet string seed */ 00536 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 00537 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00538 00539 p += hlen; 00540 00541 /* Construct DB */ 00542 mbedtls_md( md_info, label, label_len, p ); 00543 p += hlen; 00544 p += olen - 2 * hlen - 2 - ilen; 00545 *p++ = 1; 00546 memcpy( p, input, ilen ); 00547 00548 mbedtls_md_init( &md_ctx ); 00549 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00550 { 00551 mbedtls_md_free( &md_ctx ); 00552 return( ret ); 00553 } 00554 00555 /* maskedDB: Apply dbMask to DB */ 00556 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 00557 &md_ctx ); 00558 00559 /* maskedSeed: Apply seedMask to seed */ 00560 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 00561 &md_ctx ); 00562 00563 mbedtls_md_free( &md_ctx ); 00564 00565 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00566 ? mbedtls_rsa_public( ctx, output, output ) 00567 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00568 } 00569 #endif /* MBEDTLS_PKCS1_V21 */ 00570 00571 #if defined(MBEDTLS_PKCS1_V15) 00572 /* 00573 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 00574 */ 00575 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 00576 int (*f_rng)(void *, unsigned char *, size_t), 00577 void *p_rng, 00578 int mode, size_t ilen, 00579 const unsigned char *input, 00580 unsigned char *output ) 00581 { 00582 size_t nb_pad, olen; 00583 int ret; 00584 unsigned char *p = output; 00585 00586 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00587 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00588 00589 // We don't check p_rng because it won't be dereferenced here 00590 if( f_rng == NULL || input == NULL || output == NULL ) 00591 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00592 00593 olen = ctx->len ; 00594 00595 /* first comparison checks for overflow */ 00596 if( ilen + 11 < ilen || olen < ilen + 11 ) 00597 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00598 00599 nb_pad = olen - 3 - ilen; 00600 00601 *p++ = 0; 00602 if( mode == MBEDTLS_RSA_PUBLIC ) 00603 { 00604 *p++ = MBEDTLS_RSA_CRYPT; 00605 00606 while( nb_pad-- > 0 ) 00607 { 00608 int rng_dl = 100; 00609 00610 do { 00611 ret = f_rng( p_rng, p, 1 ); 00612 } while( *p == 0 && --rng_dl && ret == 0 ); 00613 00614 /* Check if RNG failed to generate data */ 00615 if( rng_dl == 0 || ret != 0 ) 00616 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00617 00618 p++; 00619 } 00620 } 00621 else 00622 { 00623 *p++ = MBEDTLS_RSA_SIGN; 00624 00625 while( nb_pad-- > 0 ) 00626 *p++ = 0xFF; 00627 } 00628 00629 *p++ = 0; 00630 memcpy( p, input, ilen ); 00631 00632 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00633 ? mbedtls_rsa_public( ctx, output, output ) 00634 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00635 } 00636 #endif /* MBEDTLS_PKCS1_V15 */ 00637 00638 /* 00639 * Add the message padding, then do an RSA operation 00640 */ 00641 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 00642 int (*f_rng)(void *, unsigned char *, size_t), 00643 void *p_rng, 00644 int mode, size_t ilen, 00645 const unsigned char *input, 00646 unsigned char *output ) 00647 { 00648 switch( ctx->padding ) 00649 { 00650 #if defined(MBEDTLS_PKCS1_V15) 00651 case MBEDTLS_RSA_PKCS_V15: 00652 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 00653 input, output ); 00654 #endif 00655 00656 #if defined(MBEDTLS_PKCS1_V21) 00657 case MBEDTLS_RSA_PKCS_V21: 00658 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00659 ilen, input, output ); 00660 #endif 00661 00662 default: 00663 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00664 } 00665 } 00666 00667 #if defined(MBEDTLS_PKCS1_V21) 00668 /* 00669 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 00670 */ 00671 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 00672 int (*f_rng)(void *, unsigned char *, size_t), 00673 void *p_rng, 00674 int mode, 00675 const unsigned char *label, size_t label_len, 00676 size_t *olen, 00677 const unsigned char *input, 00678 unsigned char *output, 00679 size_t output_max_len ) 00680 { 00681 int ret; 00682 size_t ilen, i, pad_len; 00683 unsigned char *p, bad, pad_done; 00684 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00685 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 00686 unsigned int hlen; 00687 const mbedtls_md_info_t *md_info; 00688 mbedtls_md_context_t md_ctx; 00689 00690 /* 00691 * Parameters sanity checks 00692 */ 00693 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00694 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00695 00696 ilen = ctx->len ; 00697 00698 if( ilen < 16 || ilen > sizeof( buf ) ) 00699 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00700 00701 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00702 if( md_info == NULL ) 00703 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00704 00705 hlen = mbedtls_md_get_size( md_info ); 00706 00707 // checking for integer underflow 00708 if( 2 * hlen + 2 > ilen ) 00709 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00710 00711 /* 00712 * RSA operation 00713 */ 00714 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00715 ? mbedtls_rsa_public( ctx, input, buf ) 00716 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00717 00718 if( ret != 0 ) 00719 return( ret ); 00720 00721 /* 00722 * Unmask data and generate lHash 00723 */ 00724 mbedtls_md_init( &md_ctx ); 00725 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00726 { 00727 mbedtls_md_free( &md_ctx ); 00728 return( ret ); 00729 } 00730 00731 00732 /* Generate lHash */ 00733 mbedtls_md( md_info, label, label_len, lhash ); 00734 00735 /* seed: Apply seedMask to maskedSeed */ 00736 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 00737 &md_ctx ); 00738 00739 /* DB: Apply dbMask to maskedDB */ 00740 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 00741 &md_ctx ); 00742 00743 mbedtls_md_free( &md_ctx ); 00744 00745 /* 00746 * Check contents, in "constant-time" 00747 */ 00748 p = buf; 00749 bad = 0; 00750 00751 bad |= *p++; /* First byte must be 0 */ 00752 00753 p += hlen; /* Skip seed */ 00754 00755 /* Check lHash */ 00756 for( i = 0; i < hlen; i++ ) 00757 bad |= lhash[i] ^ *p++; 00758 00759 /* Get zero-padding len, but always read till end of buffer 00760 * (minus one, for the 01 byte) */ 00761 pad_len = 0; 00762 pad_done = 0; 00763 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 00764 { 00765 pad_done |= p[i]; 00766 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00767 } 00768 00769 p += pad_len; 00770 bad |= *p++ ^ 0x01; 00771 00772 /* 00773 * The only information "leaked" is whether the padding was correct or not 00774 * (eg, no data is copied if it was not correct). This meets the 00775 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 00776 * the different error conditions. 00777 */ 00778 if( bad != 0 ) 00779 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00780 00781 if( ilen - ( p - buf ) > output_max_len ) 00782 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00783 00784 *olen = ilen - (p - buf); 00785 memcpy( output, p, *olen ); 00786 00787 return( 0 ); 00788 } 00789 #endif /* MBEDTLS_PKCS1_V21 */ 00790 00791 #if defined(MBEDTLS_PKCS1_V15) 00792 /* 00793 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 00794 */ 00795 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 00796 int (*f_rng)(void *, unsigned char *, size_t), 00797 void *p_rng, 00798 int mode, size_t *olen, 00799 const unsigned char *input, 00800 unsigned char *output, 00801 size_t output_max_len) 00802 { 00803 int ret; 00804 size_t ilen, pad_count = 0, i; 00805 unsigned char *p, bad, pad_done = 0; 00806 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00807 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00808 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00809 ilen = ctx->len ; 00810 00811 if( ilen < 16 || ilen > sizeof( buf ) ) 00812 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00813 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00814 ? mbedtls_rsa_public( ctx, input, buf ) 00815 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00816 if( ret != 0 ) 00817 return( ret ); 00818 p = buf; 00819 bad = 0; 00820 00821 /* 00822 * Check and get padding len in "constant-time" 00823 */ 00824 bad |= *p++; /* First byte must be 0 */ 00825 /* This test does not depend on secret data */ 00826 if( mode == MBEDTLS_RSA_PRIVATE ) 00827 { 00828 bad |= *p++ ^ MBEDTLS_RSA_CRYPT; 00829 00830 /* Get padding len, but always read till end of buffer 00831 * (minus one, for the 00 byte) */ 00832 for( i = 0; i < ilen - 3; i++ ) 00833 { 00834 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1; 00835 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00836 } 00837 00838 p += pad_count; 00839 bad |= *p++; /* Must be zero */ 00840 } 00841 else 00842 { 00843 bad |= *p++ ^ MBEDTLS_RSA_SIGN; 00844 00845 /* Get padding len, but always read till end of buffer 00846 * (minus one, for the 00 byte) */ 00847 for( i = 0; i < ilen - 3; i++ ) 00848 { 00849 pad_done |= ( p[i] != 0xFF ); 00850 pad_count += ( pad_done == 0 ); 00851 } 00852 00853 p += pad_count; 00854 bad |= *p++; /* Must be zero */ 00855 } 00856 00857 bad |= ( pad_count < 8 ); 00858 if( bad ) 00859 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00860 if( ilen - ( p - buf ) > output_max_len ) 00861 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00862 *olen = ilen - (p - buf); 00863 memcpy( output, p, *olen ); 00864 00865 return( 0 ); 00866 } 00867 #endif /* MBEDTLS_PKCS1_V15 */ 00868 00869 /* 00870 * Do an RSA operation, then remove the message padding 00871 */ 00872 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 00873 int (*f_rng)(void *, unsigned char *, size_t), 00874 void *p_rng, 00875 int mode, size_t *olen, 00876 const unsigned char *input, 00877 unsigned char *output, 00878 size_t output_max_len) 00879 { 00880 switch( ctx->padding ) 00881 { 00882 #if defined(MBEDTLS_PKCS1_V15) 00883 case MBEDTLS_RSA_PKCS_V15: 00884 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 00885 input, output, output_max_len ); 00886 #endif 00887 00888 #if defined(MBEDTLS_PKCS1_V21) 00889 case MBEDTLS_RSA_PKCS_V21: 00890 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00891 olen, input, output, 00892 output_max_len ); 00893 #endif 00894 00895 default: 00896 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00897 } 00898 } 00899 00900 #if defined(MBEDTLS_PKCS1_V21) 00901 /* 00902 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 00903 */ 00904 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 00905 int (*f_rng)(void *, unsigned char *, size_t), 00906 void *p_rng, 00907 int mode, 00908 mbedtls_md_type_t md_alg, 00909 unsigned int hashlen, 00910 const unsigned char *hash, 00911 unsigned char *sig ) 00912 { 00913 size_t olen; 00914 unsigned char *p = sig; 00915 unsigned char salt[MBEDTLS_MD_MAX_SIZE]; 00916 unsigned int slen, hlen, offset = 0; 00917 int ret; 00918 size_t msb; 00919 const mbedtls_md_info_t *md_info; 00920 mbedtls_md_context_t md_ctx; 00921 00922 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00923 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00924 00925 if( f_rng == NULL ) 00926 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00927 00928 olen = ctx->len ; 00929 00930 if( md_alg != MBEDTLS_MD_NONE ) 00931 { 00932 /* Gather length of hash to sign */ 00933 md_info = mbedtls_md_info_from_type( md_alg ); 00934 if( md_info == NULL ) 00935 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00936 00937 hashlen = mbedtls_md_get_size( md_info ); 00938 } 00939 00940 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00941 if( md_info == NULL ) 00942 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00943 00944 hlen = mbedtls_md_get_size( md_info ); 00945 slen = hlen; 00946 00947 if( olen < hlen + slen + 2 ) 00948 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00949 00950 memset( sig, 0, olen ); 00951 00952 /* Generate salt of length slen */ 00953 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 00954 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00955 00956 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 00957 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 00958 p += olen - hlen * 2 - 2; 00959 *p++ = 0x01; 00960 memcpy( p, salt, slen ); 00961 p += slen; 00962 00963 mbedtls_md_init( &md_ctx ); 00964 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00965 { 00966 mbedtls_md_free( &md_ctx ); 00967 return( ret ); 00968 } 00969 00970 /* Generate H = Hash( M' ) */ 00971 mbedtls_md_starts( &md_ctx ); 00972 mbedtls_md_update( &md_ctx, p, 8 ); 00973 mbedtls_md_update( &md_ctx, hash, hashlen ); 00974 mbedtls_md_update( &md_ctx, salt, slen ); 00975 mbedtls_md_finish( &md_ctx, p ); 00976 00977 /* Compensate for boundary condition when applying mask */ 00978 if( msb % 8 == 0 ) 00979 offset = 1; 00980 00981 /* maskedDB: Apply dbMask to DB */ 00982 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); 00983 00984 mbedtls_md_free( &md_ctx ); 00985 00986 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 00987 sig[0] &= 0xFF >> ( olen * 8 - msb ); 00988 00989 p += hlen; 00990 *p++ = 0xBC; 00991 00992 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00993 ? mbedtls_rsa_public( ctx, sig, sig ) 00994 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 00995 } 00996 #endif /* MBEDTLS_PKCS1_V21 */ 00997 00998 #if defined(MBEDTLS_PKCS1_V15) 00999 /* 01000 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 01001 */ 01002 /* 01003 * Do an RSA operation to sign the message digest 01004 */ 01005 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 01006 int (*f_rng)(void *, unsigned char *, size_t), 01007 void *p_rng, 01008 int mode, 01009 mbedtls_md_type_t md_alg, 01010 unsigned int hashlen, 01011 const unsigned char *hash, 01012 unsigned char *sig ) 01013 { 01014 size_t nb_pad, olen, oid_size = 0; 01015 unsigned char *p = sig; 01016 const char *oid = NULL; 01017 unsigned char *sig_try = NULL, *verif = NULL; 01018 size_t i; 01019 unsigned char diff; 01020 volatile unsigned char diff_no_optimize; 01021 int ret; 01022 01023 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01024 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01025 01026 olen = ctx->len ; 01027 nb_pad = olen - 3; 01028 01029 if( md_alg != MBEDTLS_MD_NONE ) 01030 { 01031 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 01032 if( md_info == NULL ) 01033 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01034 01035 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 01036 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01037 01038 nb_pad -= 10 + oid_size; 01039 01040 hashlen = mbedtls_md_get_size( md_info ); 01041 } 01042 01043 nb_pad -= hashlen; 01044 01045 if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) 01046 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01047 01048 *p++ = 0; 01049 *p++ = MBEDTLS_RSA_SIGN; 01050 memset( p, 0xFF, nb_pad ); 01051 p += nb_pad; 01052 *p++ = 0; 01053 01054 if( md_alg == MBEDTLS_MD_NONE ) 01055 { 01056 memcpy( p, hash, hashlen ); 01057 } 01058 else 01059 { 01060 /* 01061 * DigestInfo ::= SEQUENCE { 01062 * digestAlgorithm DigestAlgorithmIdentifier, 01063 * digest Digest } 01064 * 01065 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 01066 * 01067 * Digest ::= OCTET STRING 01068 */ 01069 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01070 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); 01071 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01072 *p++ = (unsigned char) ( 0x04 + oid_size ); 01073 *p++ = MBEDTLS_ASN1_OID; 01074 *p++ = oid_size & 0xFF; 01075 memcpy( p, oid, oid_size ); 01076 p += oid_size; 01077 *p++ = MBEDTLS_ASN1_NULL; 01078 *p++ = 0x00; 01079 *p++ = MBEDTLS_ASN1_OCTET_STRING; 01080 *p++ = hashlen; 01081 memcpy( p, hash, hashlen ); 01082 } 01083 01084 if( mode == MBEDTLS_RSA_PUBLIC ) 01085 return( mbedtls_rsa_public( ctx, sig, sig ) ); 01086 01087 /* 01088 * In order to prevent Lenstra's attack, make the signature in a 01089 * temporary buffer and check it before returning it. 01090 */ 01091 sig_try = mbedtls_calloc( 1, ctx->len ); 01092 if( sig_try == NULL ) 01093 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01094 01095 verif = mbedtls_calloc( 1, ctx->len ); 01096 if( verif == NULL ) 01097 { 01098 mbedtls_free( sig_try ); 01099 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01100 } 01101 01102 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 01103 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 01104 01105 /* Compare in constant time just in case */ 01106 for( diff = 0, i = 0; i < ctx->len ; i++ ) 01107 diff |= verif[i] ^ sig[i]; 01108 diff_no_optimize = diff; 01109 01110 if( diff_no_optimize != 0 ) 01111 { 01112 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 01113 goto cleanup; 01114 } 01115 01116 memcpy( sig, sig_try, ctx->len ); 01117 01118 cleanup: 01119 mbedtls_free( sig_try ); 01120 mbedtls_free( verif ); 01121 01122 return( ret ); 01123 } 01124 #endif /* MBEDTLS_PKCS1_V15 */ 01125 01126 /* 01127 * Do an RSA operation to sign the message digest 01128 */ 01129 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 01130 int (*f_rng)(void *, unsigned char *, size_t), 01131 void *p_rng, 01132 int mode, 01133 mbedtls_md_type_t md_alg, 01134 unsigned int hashlen, 01135 const unsigned char *hash, 01136 unsigned char *sig ) 01137 { 01138 switch( ctx->padding ) 01139 { 01140 #if defined(MBEDTLS_PKCS1_V15) 01141 case MBEDTLS_RSA_PKCS_V15: 01142 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 01143 hashlen, hash, sig ); 01144 #endif 01145 01146 #if defined(MBEDTLS_PKCS1_V21) 01147 case MBEDTLS_RSA_PKCS_V21: 01148 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 01149 hashlen, hash, sig ); 01150 #endif 01151 01152 default: 01153 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01154 } 01155 } 01156 01157 #if defined(MBEDTLS_PKCS1_V21) 01158 /* 01159 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01160 */ 01161 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 01162 int (*f_rng)(void *, unsigned char *, size_t), 01163 void *p_rng, 01164 int mode, 01165 mbedtls_md_type_t md_alg, 01166 unsigned int hashlen, 01167 const unsigned char *hash, 01168 mbedtls_md_type_t mgf1_hash_id, 01169 int expected_salt_len, 01170 const unsigned char *sig ) 01171 { 01172 int ret; 01173 size_t siglen; 01174 unsigned char *p; 01175 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 01176 unsigned char zeros[8]; 01177 unsigned int hlen; 01178 size_t slen, msb; 01179 const mbedtls_md_info_t *md_info; 01180 mbedtls_md_context_t md_ctx; 01181 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01182 01183 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01184 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01185 01186 siglen = ctx->len ; 01187 01188 if( siglen < 16 || siglen > sizeof( buf ) ) 01189 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01190 01191 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01192 ? mbedtls_rsa_public( ctx, sig, buf ) 01193 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01194 01195 if( ret != 0 ) 01196 return( ret ); 01197 01198 p = buf; 01199 01200 if( buf[siglen - 1] != 0xBC ) 01201 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01202 01203 if( md_alg != MBEDTLS_MD_NONE ) 01204 { 01205 /* Gather length of hash to sign */ 01206 md_info = mbedtls_md_info_from_type( md_alg ); 01207 if( md_info == NULL ) 01208 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01209 01210 hashlen = mbedtls_md_get_size( md_info ); 01211 } 01212 01213 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 01214 if( md_info == NULL ) 01215 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01216 01217 hlen = mbedtls_md_get_size( md_info ); 01218 slen = siglen - hlen - 1; /* Currently length of salt + padding */ 01219 01220 memset( zeros, 0, 8 ); 01221 01222 /* 01223 * Note: EMSA-PSS verification is over the length of N - 1 bits 01224 */ 01225 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01226 01227 /* Compensate for boundary condition when applying mask */ 01228 if( msb % 8 == 0 ) 01229 { 01230 p++; 01231 siglen -= 1; 01232 } 01233 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 01234 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01235 01236 mbedtls_md_init( &md_ctx ); 01237 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01238 { 01239 mbedtls_md_free( &md_ctx ); 01240 return( ret ); 01241 } 01242 01243 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); 01244 01245 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 01246 01247 while( p < buf + siglen && *p == 0 ) 01248 p++; 01249 01250 if( p == buf + siglen || 01251 *p++ != 0x01 ) 01252 { 01253 mbedtls_md_free( &md_ctx ); 01254 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01255 } 01256 01257 /* Actual salt len */ 01258 slen -= p - buf; 01259 01260 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 01261 slen != (size_t) expected_salt_len ) 01262 { 01263 mbedtls_md_free( &md_ctx ); 01264 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01265 } 01266 01267 /* 01268 * Generate H = Hash( M' ) 01269 */ 01270 mbedtls_md_starts( &md_ctx ); 01271 mbedtls_md_update( &md_ctx, zeros, 8 ); 01272 mbedtls_md_update( &md_ctx, hash, hashlen ); 01273 mbedtls_md_update( &md_ctx, p, slen ); 01274 mbedtls_md_finish( &md_ctx, result ); 01275 01276 mbedtls_md_free( &md_ctx ); 01277 01278 if( memcmp( p + slen, result, hlen ) == 0 ) 01279 return( 0 ); 01280 else 01281 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01282 } 01283 01284 /* 01285 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01286 */ 01287 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 01288 int (*f_rng)(void *, unsigned char *, size_t), 01289 void *p_rng, 01290 int mode, 01291 mbedtls_md_type_t md_alg, 01292 unsigned int hashlen, 01293 const unsigned char *hash, 01294 const unsigned char *sig ) 01295 { 01296 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 01297 ? (mbedtls_md_type_t) ctx->hash_id 01298 : md_alg; 01299 01300 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 01301 md_alg, hashlen, hash, 01302 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 01303 sig ) ); 01304 01305 } 01306 #endif /* MBEDTLS_PKCS1_V21 */ 01307 01308 #if defined(MBEDTLS_PKCS1_V15) 01309 /* 01310 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 01311 */ 01312 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 01313 int (*f_rng)(void *, unsigned char *, size_t), 01314 void *p_rng, 01315 int mode, 01316 mbedtls_md_type_t md_alg, 01317 unsigned int hashlen, 01318 const unsigned char *hash, 01319 const unsigned char *sig ) 01320 { 01321 int ret; 01322 size_t len, siglen, asn1_len; 01323 unsigned char *p, *end; 01324 mbedtls_md_type_t msg_md_alg; 01325 const mbedtls_md_info_t *md_info; 01326 mbedtls_asn1_buf oid; 01327 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01328 01329 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01330 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01331 01332 siglen = ctx->len ; 01333 01334 if( siglen < 16 || siglen > sizeof( buf ) ) 01335 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01336 01337 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01338 ? mbedtls_rsa_public( ctx, sig, buf ) 01339 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01340 01341 if( ret != 0 ) 01342 return( ret ); 01343 01344 p = buf; 01345 01346 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN ) 01347 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01348 01349 while( *p != 0 ) 01350 { 01351 if( p >= buf + siglen - 1 || *p != 0xFF ) 01352 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01353 p++; 01354 } 01355 p++; 01356 01357 len = siglen - ( p - buf ); 01358 01359 if( len == hashlen && md_alg == MBEDTLS_MD_NONE ) 01360 { 01361 if( memcmp( p, hash, hashlen ) == 0 ) 01362 return( 0 ); 01363 else 01364 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01365 } 01366 01367 md_info = mbedtls_md_info_from_type( md_alg ); 01368 if( md_info == NULL ) 01369 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01370 hashlen = mbedtls_md_get_size( md_info ); 01371 01372 end = p + len; 01373 01374 /* 01375 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure 01376 */ 01377 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01378 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01379 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01380 01381 if( asn1_len + 2 != len ) 01382 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01383 01384 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01385 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01386 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01387 01388 if( asn1_len + 6 + hashlen != len ) 01389 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01390 01391 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) 01392 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01393 01394 oid.p = p; 01395 p += oid.len; 01396 01397 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 ) 01398 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01399 01400 if( md_alg != msg_md_alg ) 01401 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01402 01403 /* 01404 * assume the algorithm parameters must be NULL 01405 */ 01406 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) 01407 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01408 01409 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 01410 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01411 01412 if( asn1_len != hashlen ) 01413 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01414 01415 if( memcmp( p, hash, hashlen ) != 0 ) 01416 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01417 01418 p += hashlen; 01419 01420 if( p != end ) 01421 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01422 01423 return( 0 ); 01424 } 01425 #endif /* MBEDTLS_PKCS1_V15 */ 01426 01427 /* 01428 * Do an RSA operation and check the message digest 01429 */ 01430 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 01431 int (*f_rng)(void *, unsigned char *, size_t), 01432 void *p_rng, 01433 int mode, 01434 mbedtls_md_type_t md_alg, 01435 unsigned int hashlen, 01436 const unsigned char *hash, 01437 const unsigned char *sig ) 01438 { 01439 switch( ctx->padding ) 01440 { 01441 #if defined(MBEDTLS_PKCS1_V15) 01442 case MBEDTLS_RSA_PKCS_V15: 01443 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 01444 hashlen, hash, sig ); 01445 #endif 01446 01447 #if defined(MBEDTLS_PKCS1_V21) 01448 case MBEDTLS_RSA_PKCS_V21: 01449 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 01450 hashlen, hash, sig ); 01451 #endif 01452 01453 default: 01454 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01455 } 01456 } 01457 01458 /* 01459 * Copy the components of an RSA key 01460 */ 01461 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 01462 { 01463 int ret; 01464 01465 dst->ver = src->ver ; 01466 dst->len = src->len ; 01467 01468 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N , &src->N ) ); 01469 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E , &src->E ) ); 01470 01471 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D , &src->D ) ); 01472 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P , &src->P ) ); 01473 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q , &src->Q ) ); 01474 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP , &src->DP ) ); 01475 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ , &src->DQ ) ); 01476 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP , &src->QP ) ); 01477 01478 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN , &src->RN ) ); 01479 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP , &src->RP ) ); 01480 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ , &src->RQ ) ); 01481 01482 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi , &src->Vi ) ); 01483 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf , &src->Vf ) ); 01484 01485 dst->padding = src->padding ; 01486 dst->hash_id = src->hash_id ; 01487 01488 cleanup: 01489 if( ret != 0 ) 01490 mbedtls_rsa_free( dst ); 01491 01492 return( ret ); 01493 } 01494 01495 /* 01496 * Free the components of an RSA key 01497 */ 01498 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 01499 { 01500 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf ); 01501 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN ); 01502 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP ); 01503 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D ); 01504 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N ); 01505 01506 #if defined(MBEDTLS_THREADING_C) 01507 mbedtls_mutex_free( &ctx->mutex ); 01508 #endif 01509 } 01510 01511 #if defined(MBEDTLS_SELF_TEST) 01512 01513 #include "mbedtls/sha1.h" 01514 01515 /* 01516 * Example RSA-1024 keypair, for test purposes 01517 */ 01518 #define KEY_LEN 128 01519 01520 #define RSA_N "9292758453063D803DD603D5E777D788" \ 01521 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 01522 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 01523 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 01524 "93A89813FBF3C4F8066D2D800F7C38A8" \ 01525 "1AE31942917403FF4946B0A83D3D3E05" \ 01526 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 01527 "5E94BB77B07507233A0BC7BAC8F90F79" 01528 01529 #define RSA_E "10001" 01530 01531 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 01532 "66CA472BC44D253102F8B4A9D3BFA750" \ 01533 "91386C0077937FE33FA3252D28855837" \ 01534 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 01535 "DF79C5CE07EE72C7F123142198164234" \ 01536 "CABB724CF78B8173B9F880FC86322407" \ 01537 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 01538 "071513A1E85B5DFA031F21ECAE91A34D" 01539 01540 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 01541 "2C01CAD19EA484A87EA4377637E75500" \ 01542 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 01543 "C3D9E75E1EFC42488BB4F1D13AC30A57" 01544 01545 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 01546 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 01547 "910E4168387E3C30AA1E00C339A79508" \ 01548 "8452DD96A9A5EA5D9DCA68DA636032AF" 01549 01550 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \ 01551 "3C94D22288ACD763FD8E5600ED4A702D" \ 01552 "F84198A5F06C2E72236AE490C93F07F8" \ 01553 "3CC559CD27BC2D1CA488811730BB5725" 01554 01555 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \ 01556 "D8AAEA56749EA28623272E4F7D0592AF" \ 01557 "7C1F1313CAC9471B5C523BFE592F517B" \ 01558 "407A1BD76C164B93DA2D32A383E58357" 01559 01560 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \ 01561 "F38D18D2B2F0E2DD275AA977E2BF4411" \ 01562 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \ 01563 "A74206CEC169D74BF5A8C50D6F48EA08" 01564 01565 #define PT_LEN 24 01566 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 01567 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 01568 01569 #if defined(MBEDTLS_PKCS1_V15) 01570 static int myrand( void *rng_state, unsigned char *output, size_t len ) 01571 { 01572 #if !defined(__OpenBSD__) 01573 size_t i; 01574 01575 if( rng_state != NULL ) 01576 rng_state = NULL; 01577 01578 for( i = 0; i < len; ++i ) 01579 output[i] = rand(); 01580 #else 01581 if( rng_state != NULL ) 01582 rng_state = NULL; 01583 01584 arc4random_buf( output, len ); 01585 #endif /* !OpenBSD */ 01586 01587 return( 0 ); 01588 } 01589 #endif /* MBEDTLS_PKCS1_V15 */ 01590 01591 /* 01592 * Checkup routine 01593 */ 01594 int mbedtls_rsa_self_test( int verbose ) 01595 { 01596 int ret = 0; 01597 #if defined(MBEDTLS_PKCS1_V15) 01598 size_t len; 01599 mbedtls_rsa_context rsa; 01600 unsigned char rsa_plaintext[PT_LEN]; 01601 unsigned char rsa_decrypted[PT_LEN]; 01602 unsigned char rsa_ciphertext[KEY_LEN]; 01603 #if defined(MBEDTLS_SHA1_C) 01604 unsigned char sha1sum[20]; 01605 #endif 01606 01607 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 01608 01609 rsa.len = KEY_LEN; 01610 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) ); 01611 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) ); 01612 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) ); 01613 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) ); 01614 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) ); 01615 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP , 16, RSA_DP ) ); 01616 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ , 16, RSA_DQ ) ); 01617 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP , 16, RSA_QP ) ); 01618 01619 if( verbose != 0 ) 01620 mbedtls_printf( " RSA key validation: " ); 01621 01622 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 01623 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 01624 { 01625 if( verbose != 0 ) 01626 mbedtls_printf( "failed\n" ); 01627 01628 return( 1 ); 01629 } 01630 01631 if( verbose != 0 ) 01632 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 01633 01634 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 01635 01636 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN, 01637 rsa_plaintext, rsa_ciphertext ) != 0 ) 01638 { 01639 if( verbose != 0 ) 01640 mbedtls_printf( "failed\n" ); 01641 01642 return( 1 ); 01643 } 01644 01645 if( verbose != 0 ) 01646 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 01647 01648 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len, 01649 rsa_ciphertext, rsa_decrypted, 01650 sizeof(rsa_decrypted) ) != 0 ) 01651 { 01652 if( verbose != 0 ) 01653 mbedtls_printf( "failed\n" ); 01654 01655 return( 1 ); 01656 } 01657 01658 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 01659 { 01660 if( verbose != 0 ) 01661 mbedtls_printf( "failed\n" ); 01662 01663 return( 1 ); 01664 } 01665 01666 if( verbose != 0 ) 01667 mbedtls_printf( "passed\n" ); 01668 01669 #if defined(MBEDTLS_SHA1_C) 01670 if( verbose != 0 ) 01671 mbedtls_printf( " PKCS#1 data sign : " ); 01672 01673 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); 01674 01675 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 01676 sha1sum, rsa_ciphertext ) != 0 ) 01677 { 01678 if( verbose != 0 ) 01679 mbedtls_printf( "failed\n" ); 01680 01681 return( 1 ); 01682 } 01683 01684 if( verbose != 0 ) 01685 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 01686 01687 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 01688 sha1sum, rsa_ciphertext ) != 0 ) 01689 { 01690 if( verbose != 0 ) 01691 mbedtls_printf( "failed\n" ); 01692 01693 return( 1 ); 01694 } 01695 01696 if( verbose != 0 ) 01697 mbedtls_printf( "passed\n" ); 01698 #endif /* MBEDTLS_SHA1_C */ 01699 01700 if( verbose != 0 ) 01701 mbedtls_printf( "\n" ); 01702 01703 cleanup: 01704 mbedtls_rsa_free( &rsa ); 01705 #else /* MBEDTLS_PKCS1_V15 */ 01706 ((void) verbose); 01707 #endif /* MBEDTLS_PKCS1_V15 */ 01708 return( ret ); 01709 } 01710 01711 #endif /* MBEDTLS_SELF_TEST */ 01712 01713 #endif /* MBEDTLS_RSA_C */
Generated on Tue Jul 12 2022 18:50:29 by
1.7.2