Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: MAX44000 PWM_Tone_Library nexpaq_mdk
Fork of LED_Demo by
rsa.c
00001 /* 00002 * The RSA public-key cryptosystem 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The following sources were referenced in the design of this implementation 00023 * of the RSA algorithm: 00024 * 00025 * [1] A method for obtaining digital signatures and public-key cryptosystems 00026 * R Rivest, A Shamir, and L Adleman 00027 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 00028 * 00029 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 00030 * Menezes, van Oorschot and Vanstone 00031 * 00032 */ 00033 00034 #if !defined(MBEDTLS_CONFIG_FILE) 00035 #include "mbedtls/config.h" 00036 #else 00037 #include MBEDTLS_CONFIG_FILE 00038 #endif 00039 00040 #if defined(MBEDTLS_RSA_C) 00041 00042 #include "mbedtls/rsa.h" 00043 #include "mbedtls/oid.h" 00044 00045 #include <string.h> 00046 00047 #if defined(MBEDTLS_PKCS1_V21) 00048 #include "mbedtls/md.h" 00049 #endif 00050 00051 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) 00052 #include <stdlib.h> 00053 #endif 00054 00055 #if defined(MBEDTLS_PLATFORM_C) 00056 #include "mbedtls/platform.h" 00057 #else 00058 #include <stdio.h> 00059 #define mbedtls_printf printf 00060 #define mbedtls_calloc calloc 00061 #define mbedtls_free free 00062 #endif 00063 00064 /* 00065 * Initialize an RSA context 00066 */ 00067 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 00068 int padding, 00069 int hash_id ) 00070 { 00071 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 00072 00073 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 00074 00075 #if defined(MBEDTLS_THREADING_C) 00076 mbedtls_mutex_init( &ctx->mutex ); 00077 #endif 00078 } 00079 00080 /* 00081 * Set padding for an existing RSA context 00082 */ 00083 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id ) 00084 { 00085 ctx->padding = padding; 00086 ctx->hash_id = hash_id; 00087 } 00088 00089 #if defined(MBEDTLS_GENPRIME) 00090 00091 /* 00092 * Generate an RSA keypair 00093 */ 00094 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 00095 int (*f_rng)(void *, unsigned char *, size_t), 00096 void *p_rng, 00097 unsigned int nbits, int exponent ) 00098 { 00099 int ret; 00100 mbedtls_mpi P1, Q1, H, G; 00101 00102 if( f_rng == NULL || nbits < 128 || exponent < 3 ) 00103 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00104 00105 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00106 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G ); 00107 00108 /* 00109 * find primes P and Q with Q < P so that: 00110 * GCD( E, (P-1)*(Q-1) ) == 1 00111 */ 00112 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E , exponent ) ); 00113 00114 do 00115 { 00116 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P , nbits >> 1, 0, 00117 f_rng, p_rng ) ); 00118 00119 if( nbits % 2 ) 00120 { 00121 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , ( nbits >> 1 ) + 1, 0, 00122 f_rng, p_rng ) ); 00123 } 00124 else 00125 { 00126 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , nbits >> 1, 0, 00127 f_rng, p_rng ) ); 00128 } 00129 00130 if( mbedtls_mpi_cmp_mpi( &ctx->P , &ctx->Q ) == 0 ) 00131 continue; 00132 00133 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q ) ); 00134 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits ) 00135 continue; 00136 00137 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00138 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00139 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00140 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00141 } 00142 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ); 00143 00144 /* 00145 * D = E^-1 mod ((P-1)*(Q-1)) 00146 * DP = D mod (P - 1) 00147 * DQ = D mod (Q - 1) 00148 * QP = Q^-1 mod P 00149 */ 00150 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E , &H ) ); 00151 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP , &ctx->D , &P1 ) ); 00152 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ , &ctx->D , &Q1 ) ); 00153 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP , &ctx->Q , &ctx->P ) ); 00154 00155 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3; 00156 00157 cleanup: 00158 00159 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); 00160 00161 if( ret != 0 ) 00162 { 00163 mbedtls_rsa_free( ctx ); 00164 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret ); 00165 } 00166 00167 return( 0 ); 00168 } 00169 00170 #endif /* MBEDTLS_GENPRIME */ 00171 00172 /* 00173 * Check a public RSA key 00174 */ 00175 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 00176 { 00177 if( !ctx->N .p || !ctx->E .p ) 00178 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00179 00180 if( ( ctx->N .p [0] & 1 ) == 0 || 00181 ( ctx->E .p [0] & 1 ) == 0 ) 00182 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00183 00184 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 || 00185 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS ) 00186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00187 00188 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 || 00189 mbedtls_mpi_cmp_mpi( &ctx->E , &ctx->N ) >= 0 ) 00190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00191 00192 return( 0 ); 00193 } 00194 00195 /* 00196 * Check a private RSA key 00197 */ 00198 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 00199 { 00200 int ret; 00201 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP; 00202 00203 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 ) 00204 return( ret ); 00205 00206 if( !ctx->P .p || !ctx->Q .p || !ctx->D .p ) 00207 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00208 00209 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 00210 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 ); 00211 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ ); 00212 mbedtls_mpi_init( &QP ); 00213 00214 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P , &ctx->Q ) ); 00215 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D , &ctx->E ) ); 00216 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00217 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00218 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) ); 00219 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00220 00221 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) ); 00222 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) ); 00223 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) ); 00224 00225 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D , &P1 ) ); 00226 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D , &Q1 ) ); 00227 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q , &ctx->P ) ); 00228 /* 00229 * Check for a valid PKCS1v2 private key 00230 */ 00231 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 || 00232 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 || 00233 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 || 00234 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 || 00235 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 || 00236 mbedtls_mpi_cmp_int( &I, 1 ) != 0 || 00237 mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 00238 { 00239 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED; 00240 } 00241 00242 cleanup: 00243 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); 00244 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 ); 00245 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ ); 00246 mbedtls_mpi_free( &QP ); 00247 00248 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ) 00249 return( ret ); 00250 00251 if( ret != 0 ) 00252 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret ); 00253 00254 return( 0 ); 00255 } 00256 00257 /* 00258 * Check if contexts holding a public and private key match 00259 */ 00260 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ) 00261 { 00262 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 00263 mbedtls_rsa_check_privkey( prv ) != 0 ) 00264 { 00265 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00266 } 00267 00268 if( mbedtls_mpi_cmp_mpi( &pub->N , &prv->N ) != 0 || 00269 mbedtls_mpi_cmp_mpi( &pub->E , &prv->E ) != 0 ) 00270 { 00271 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00272 } 00273 00274 return( 0 ); 00275 } 00276 00277 /* 00278 * Do an RSA public key operation 00279 */ 00280 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 00281 const unsigned char *input, 00282 unsigned char *output ) 00283 { 00284 int ret; 00285 size_t olen; 00286 mbedtls_mpi T; 00287 00288 mbedtls_mpi_init( &T ); 00289 00290 #if defined(MBEDTLS_THREADING_C) 00291 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00292 return( ret ); 00293 #endif 00294 00295 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00296 00297 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00298 { 00299 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00300 goto cleanup; 00301 } 00302 00303 olen = ctx->len ; 00304 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN ) ); 00305 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00306 00307 cleanup: 00308 #if defined(MBEDTLS_THREADING_C) 00309 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00310 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00311 #endif 00312 00313 mbedtls_mpi_free( &T ); 00314 00315 if( ret != 0 ) 00316 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret ); 00317 00318 return( 0 ); 00319 } 00320 00321 /* 00322 * Generate or update blinding values, see section 10 of: 00323 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 00324 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 00325 * Berlin Heidelberg, 1996. p. 104-113. 00326 */ 00327 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 00328 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00329 { 00330 int ret, count = 0; 00331 00332 if( ctx->Vf .p != NULL ) 00333 { 00334 /* We already have blinding values, just update them by squaring */ 00335 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi ) ); 00336 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N ) ); 00337 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf ) ); 00338 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N ) ); 00339 00340 goto cleanup; 00341 } 00342 00343 /* Unblinding value: Vf = random number, invertible mod N */ 00344 do { 00345 if( count++ > 10 ) 00346 return( MBEDTLS_ERR_RSA_RNG_FAILED ); 00347 00348 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf , ctx->len - 1, f_rng, p_rng ) ); 00349 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00350 } while( mbedtls_mpi_cmp_int( &ctx->Vi , 1 ) != 0 ); 00351 00352 /* Blinding value: Vi = Vf^(-e) mod N */ 00353 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00354 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN ) ); 00355 00356 00357 cleanup: 00358 return( ret ); 00359 } 00360 00361 /* 00362 * Do an RSA private key operation 00363 */ 00364 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 00365 int (*f_rng)(void *, unsigned char *, size_t), 00366 void *p_rng, 00367 const unsigned char *input, 00368 unsigned char *output ) 00369 { 00370 int ret; 00371 size_t olen; 00372 mbedtls_mpi T, T1, T2; 00373 00374 /* Make sure we have private key info, prevent possible misuse */ 00375 if( ctx->P .p == NULL || ctx->Q .p == NULL || ctx->D .p == NULL ) 00376 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00377 00378 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); 00379 00380 #if defined(MBEDTLS_THREADING_C) 00381 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00382 return( ret ); 00383 #endif 00384 00385 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00386 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00387 { 00388 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00389 goto cleanup; 00390 } 00391 00392 if( f_rng != NULL ) 00393 { 00394 /* 00395 * Blinding 00396 * T = T * Vi mod N 00397 */ 00398 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 00399 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 00400 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00401 } 00402 00403 #if defined(MBEDTLS_RSA_NO_CRT) 00404 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D , &ctx->N , &ctx->RN ) ); 00405 #else 00406 /* 00407 * faster decryption using the CRT 00408 * 00409 * T1 = input ^ dP mod P 00410 * T2 = input ^ dQ mod Q 00411 */ 00412 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP , &ctx->P , &ctx->RP ) ); 00413 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ , &ctx->Q , &ctx->RQ ) ); 00414 00415 /* 00416 * T = (T1 - T2) * (Q^-1 mod P) mod P 00417 */ 00418 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) ); 00419 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) ); 00420 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) ); 00421 00422 /* 00423 * T = T2 + T * Q 00424 */ 00425 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) ); 00426 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) ); 00427 #endif /* MBEDTLS_RSA_NO_CRT */ 00428 00429 if( f_rng != NULL ) 00430 { 00431 /* 00432 * Unblind 00433 * T = T * Vf mod N 00434 */ 00435 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 00436 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00437 } 00438 00439 olen = ctx->len ; 00440 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00441 00442 cleanup: 00443 #if defined(MBEDTLS_THREADING_C) 00444 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00445 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00446 #endif 00447 00448 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); 00449 00450 if( ret != 0 ) 00451 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); 00452 00453 return( 0 ); 00454 } 00455 00456 #if defined(MBEDTLS_PKCS1_V21) 00457 /** 00458 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 00459 * 00460 * \param dst buffer to mask 00461 * \param dlen length of destination buffer 00462 * \param src source of the mask generation 00463 * \param slen length of the source buffer 00464 * \param md_ctx message digest context to use 00465 */ 00466 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 00467 size_t slen, mbedtls_md_context_t *md_ctx ) 00468 { 00469 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 00470 unsigned char counter[4]; 00471 unsigned char *p; 00472 unsigned int hlen; 00473 size_t i, use_len; 00474 00475 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 00476 memset( counter, 0, 4 ); 00477 00478 hlen = mbedtls_md_get_size( md_ctx->md_info ); 00479 00480 /* Generate and apply dbMask */ 00481 p = dst; 00482 00483 while( dlen > 0 ) 00484 { 00485 use_len = hlen; 00486 if( dlen < hlen ) 00487 use_len = dlen; 00488 00489 mbedtls_md_starts( md_ctx ); 00490 mbedtls_md_update( md_ctx, src, slen ); 00491 mbedtls_md_update( md_ctx, counter, 4 ); 00492 mbedtls_md_finish( md_ctx, mask ); 00493 00494 for( i = 0; i < use_len; ++i ) 00495 *p++ ^= mask[i]; 00496 00497 counter[3]++; 00498 00499 dlen -= use_len; 00500 } 00501 } 00502 #endif /* MBEDTLS_PKCS1_V21 */ 00503 00504 #if defined(MBEDTLS_PKCS1_V21) 00505 /* 00506 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 00507 */ 00508 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 00509 int (*f_rng)(void *, unsigned char *, size_t), 00510 void *p_rng, 00511 int mode, 00512 const unsigned char *label, size_t label_len, 00513 size_t ilen, 00514 const unsigned char *input, 00515 unsigned char *output ) 00516 { 00517 size_t olen; 00518 int ret; 00519 unsigned char *p = output; 00520 unsigned int hlen; 00521 const mbedtls_md_info_t *md_info; 00522 mbedtls_md_context_t md_ctx; 00523 00524 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00525 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00526 00527 if( f_rng == NULL ) 00528 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00529 00530 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00531 if( md_info == NULL ) 00532 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00533 00534 olen = ctx->len ; 00535 hlen = mbedtls_md_get_size( md_info ); 00536 00537 /* first comparison checks for overflow */ 00538 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 00539 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00540 00541 memset( output, 0, olen ); 00542 00543 *p++ = 0; 00544 00545 /* Generate a random octet string seed */ 00546 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 00547 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00548 00549 p += hlen; 00550 00551 /* Construct DB */ 00552 mbedtls_md( md_info, label, label_len, p ); 00553 p += hlen; 00554 p += olen - 2 * hlen - 2 - ilen; 00555 *p++ = 1; 00556 memcpy( p, input, ilen ); 00557 00558 mbedtls_md_init( &md_ctx ); 00559 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00560 { 00561 mbedtls_md_free( &md_ctx ); 00562 return( ret ); 00563 } 00564 00565 /* maskedDB: Apply dbMask to DB */ 00566 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 00567 &md_ctx ); 00568 00569 /* maskedSeed: Apply seedMask to seed */ 00570 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 00571 &md_ctx ); 00572 00573 mbedtls_md_free( &md_ctx ); 00574 00575 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00576 ? mbedtls_rsa_public( ctx, output, output ) 00577 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00578 } 00579 #endif /* MBEDTLS_PKCS1_V21 */ 00580 00581 #if defined(MBEDTLS_PKCS1_V15) 00582 /* 00583 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 00584 */ 00585 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 00586 int (*f_rng)(void *, unsigned char *, size_t), 00587 void *p_rng, 00588 int mode, size_t ilen, 00589 const unsigned char *input, 00590 unsigned char *output ) 00591 { 00592 size_t nb_pad, olen; 00593 int ret; 00594 unsigned char *p = output; 00595 00596 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00597 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00598 00599 // We don't check p_rng because it won't be dereferenced here 00600 if( f_rng == NULL || input == NULL || output == NULL ) 00601 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00602 00603 olen = ctx->len ; 00604 00605 /* first comparison checks for overflow */ 00606 if( ilen + 11 < ilen || olen < ilen + 11 ) 00607 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00608 00609 nb_pad = olen - 3 - ilen; 00610 00611 *p++ = 0; 00612 if( mode == MBEDTLS_RSA_PUBLIC ) 00613 { 00614 *p++ = MBEDTLS_RSA_CRYPT; 00615 00616 while( nb_pad-- > 0 ) 00617 { 00618 int rng_dl = 100; 00619 00620 do { 00621 ret = f_rng( p_rng, p, 1 ); 00622 } while( *p == 0 && --rng_dl && ret == 0 ); 00623 00624 /* Check if RNG failed to generate data */ 00625 if( rng_dl == 0 || ret != 0 ) 00626 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00627 00628 p++; 00629 } 00630 } 00631 else 00632 { 00633 *p++ = MBEDTLS_RSA_SIGN; 00634 00635 while( nb_pad-- > 0 ) 00636 *p++ = 0xFF; 00637 } 00638 00639 *p++ = 0; 00640 memcpy( p, input, ilen ); 00641 00642 return( ( mode == MBEDTLS_RSA_PUBLIC ) 00643 ? mbedtls_rsa_public( ctx, output, output ) 00644 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 00645 } 00646 #endif /* MBEDTLS_PKCS1_V15 */ 00647 00648 /* 00649 * Add the message padding, then do an RSA operation 00650 */ 00651 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 00652 int (*f_rng)(void *, unsigned char *, size_t), 00653 void *p_rng, 00654 int mode, size_t ilen, 00655 const unsigned char *input, 00656 unsigned char *output ) 00657 { 00658 switch( ctx->padding ) 00659 { 00660 #if defined(MBEDTLS_PKCS1_V15) 00661 case MBEDTLS_RSA_PKCS_V15: 00662 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 00663 input, output ); 00664 #endif 00665 00666 #if defined(MBEDTLS_PKCS1_V21) 00667 case MBEDTLS_RSA_PKCS_V21: 00668 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00669 ilen, input, output ); 00670 #endif 00671 00672 default: 00673 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00674 } 00675 } 00676 00677 #if defined(MBEDTLS_PKCS1_V21) 00678 /* 00679 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 00680 */ 00681 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 00682 int (*f_rng)(void *, unsigned char *, size_t), 00683 void *p_rng, 00684 int mode, 00685 const unsigned char *label, size_t label_len, 00686 size_t *olen, 00687 const unsigned char *input, 00688 unsigned char *output, 00689 size_t output_max_len ) 00690 { 00691 int ret; 00692 size_t ilen, i, pad_len; 00693 unsigned char *p, bad, pad_done; 00694 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00695 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 00696 unsigned int hlen; 00697 const mbedtls_md_info_t *md_info; 00698 mbedtls_md_context_t md_ctx; 00699 00700 /* 00701 * Parameters sanity checks 00702 */ 00703 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00704 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00705 00706 ilen = ctx->len ; 00707 00708 if( ilen < 16 || ilen > sizeof( buf ) ) 00709 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00710 00711 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00712 if( md_info == NULL ) 00713 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00714 00715 hlen = mbedtls_md_get_size( md_info ); 00716 00717 // checking for integer underflow 00718 if( 2 * hlen + 2 > ilen ) 00719 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00720 00721 /* 00722 * RSA operation 00723 */ 00724 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00725 ? mbedtls_rsa_public( ctx, input, buf ) 00726 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00727 00728 if( ret != 0 ) 00729 return( ret ); 00730 00731 /* 00732 * Unmask data and generate lHash 00733 */ 00734 mbedtls_md_init( &md_ctx ); 00735 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00736 { 00737 mbedtls_md_free( &md_ctx ); 00738 return( ret ); 00739 } 00740 00741 00742 /* Generate lHash */ 00743 mbedtls_md( md_info, label, label_len, lhash ); 00744 00745 /* seed: Apply seedMask to maskedSeed */ 00746 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 00747 &md_ctx ); 00748 00749 /* DB: Apply dbMask to maskedDB */ 00750 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 00751 &md_ctx ); 00752 00753 mbedtls_md_free( &md_ctx ); 00754 00755 /* 00756 * Check contents, in "constant-time" 00757 */ 00758 p = buf; 00759 bad = 0; 00760 00761 bad |= *p++; /* First byte must be 0 */ 00762 00763 p += hlen; /* Skip seed */ 00764 00765 /* Check lHash */ 00766 for( i = 0; i < hlen; i++ ) 00767 bad |= lhash[i] ^ *p++; 00768 00769 /* Get zero-padding len, but always read till end of buffer 00770 * (minus one, for the 01 byte) */ 00771 pad_len = 0; 00772 pad_done = 0; 00773 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 00774 { 00775 pad_done |= p[i]; 00776 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00777 } 00778 00779 p += pad_len; 00780 bad |= *p++ ^ 0x01; 00781 00782 /* 00783 * The only information "leaked" is whether the padding was correct or not 00784 * (eg, no data is copied if it was not correct). This meets the 00785 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 00786 * the different error conditions. 00787 */ 00788 if( bad != 0 ) 00789 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00790 00791 if( ilen - ( p - buf ) > output_max_len ) 00792 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00793 00794 *olen = ilen - (p - buf); 00795 memcpy( output, p, *olen ); 00796 00797 return( 0 ); 00798 } 00799 #endif /* MBEDTLS_PKCS1_V21 */ 00800 00801 #if defined(MBEDTLS_PKCS1_V15) 00802 /* 00803 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 00804 */ 00805 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 00806 int (*f_rng)(void *, unsigned char *, size_t), 00807 void *p_rng, 00808 int mode, size_t *olen, 00809 const unsigned char *input, 00810 unsigned char *output, 00811 size_t output_max_len) 00812 { 00813 int ret; 00814 size_t ilen, pad_count = 0, i; 00815 unsigned char *p, bad, pad_done = 0; 00816 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 00817 00818 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 00819 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00820 00821 ilen = ctx->len ; 00822 00823 if( ilen < 16 || ilen > sizeof( buf ) ) 00824 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00825 00826 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 00827 ? mbedtls_rsa_public( ctx, input, buf ) 00828 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 00829 00830 if( ret != 0 ) 00831 return( ret ); 00832 00833 p = buf; 00834 bad = 0; 00835 00836 /* 00837 * Check and get padding len in "constant-time" 00838 */ 00839 bad |= *p++; /* First byte must be 0 */ 00840 00841 /* This test does not depend on secret data */ 00842 if( mode == MBEDTLS_RSA_PRIVATE ) 00843 { 00844 bad |= *p++ ^ MBEDTLS_RSA_CRYPT; 00845 00846 /* Get padding len, but always read till end of buffer 00847 * (minus one, for the 00 byte) */ 00848 for( i = 0; i < ilen - 3; i++ ) 00849 { 00850 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1; 00851 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 00852 } 00853 00854 p += pad_count; 00855 bad |= *p++; /* Must be zero */ 00856 } 00857 else 00858 { 00859 bad |= *p++ ^ MBEDTLS_RSA_SIGN; 00860 00861 /* Get padding len, but always read till end of buffer 00862 * (minus one, for the 00 byte) */ 00863 for( i = 0; i < ilen - 3; i++ ) 00864 { 00865 pad_done |= ( p[i] != 0xFF ); 00866 pad_count += ( pad_done == 0 ); 00867 } 00868 00869 p += pad_count; 00870 bad |= *p++; /* Must be zero */ 00871 } 00872 00873 bad |= ( pad_count < 8 ); 00874 00875 if( bad ) 00876 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00877 00878 if( ilen - ( p - buf ) > output_max_len ) 00879 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 00880 00881 *olen = ilen - (p - buf); 00882 memcpy( output, p, *olen ); 00883 00884 return( 0 ); 00885 } 00886 #endif /* MBEDTLS_PKCS1_V15 */ 00887 00888 /* 00889 * Do an RSA operation, then remove the message padding 00890 */ 00891 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 00892 int (*f_rng)(void *, unsigned char *, size_t), 00893 void *p_rng, 00894 int mode, size_t *olen, 00895 const unsigned char *input, 00896 unsigned char *output, 00897 size_t output_max_len) 00898 { 00899 switch( ctx->padding ) 00900 { 00901 #if defined(MBEDTLS_PKCS1_V15) 00902 case MBEDTLS_RSA_PKCS_V15: 00903 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 00904 input, output, output_max_len ); 00905 #endif 00906 00907 #if defined(MBEDTLS_PKCS1_V21) 00908 case MBEDTLS_RSA_PKCS_V21: 00909 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 00910 olen, input, output, 00911 output_max_len ); 00912 #endif 00913 00914 default: 00915 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 00916 } 00917 } 00918 00919 #if defined(MBEDTLS_PKCS1_V21) 00920 /* 00921 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 00922 */ 00923 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 00924 int (*f_rng)(void *, unsigned char *, size_t), 00925 void *p_rng, 00926 int mode, 00927 mbedtls_md_type_t md_alg, 00928 unsigned int hashlen, 00929 const unsigned char *hash, 00930 unsigned char *sig ) 00931 { 00932 size_t olen; 00933 unsigned char *p = sig; 00934 unsigned char salt[MBEDTLS_MD_MAX_SIZE]; 00935 unsigned int slen, hlen, offset = 0; 00936 int ret; 00937 size_t msb; 00938 const mbedtls_md_info_t *md_info; 00939 mbedtls_md_context_t md_ctx; 00940 00941 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 00942 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00943 00944 if( f_rng == NULL ) 00945 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00946 00947 olen = ctx->len ; 00948 00949 if( md_alg != MBEDTLS_MD_NONE ) 00950 { 00951 /* Gather length of hash to sign */ 00952 md_info = mbedtls_md_info_from_type( md_alg ); 00953 if( md_info == NULL ) 00954 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00955 00956 hashlen = mbedtls_md_get_size( md_info ); 00957 } 00958 00959 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 00960 if( md_info == NULL ) 00961 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00962 00963 hlen = mbedtls_md_get_size( md_info ); 00964 slen = hlen; 00965 00966 if( olen < hlen + slen + 2 ) 00967 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00968 00969 memset( sig, 0, olen ); 00970 00971 /* Generate salt of length slen */ 00972 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 00973 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 00974 00975 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 00976 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 00977 p += olen - hlen * 2 - 2; 00978 *p++ = 0x01; 00979 memcpy( p, salt, slen ); 00980 p += slen; 00981 00982 mbedtls_md_init( &md_ctx ); 00983 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 00984 { 00985 mbedtls_md_free( &md_ctx ); 00986 return( ret ); 00987 } 00988 00989 /* Generate H = Hash( M' ) */ 00990 mbedtls_md_starts( &md_ctx ); 00991 mbedtls_md_update( &md_ctx, p, 8 ); 00992 mbedtls_md_update( &md_ctx, hash, hashlen ); 00993 mbedtls_md_update( &md_ctx, salt, slen ); 00994 mbedtls_md_finish( &md_ctx, p ); 00995 00996 /* Compensate for boundary condition when applying mask */ 00997 if( msb % 8 == 0 ) 00998 offset = 1; 00999 01000 /* maskedDB: Apply dbMask to DB */ 01001 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); 01002 01003 mbedtls_md_free( &md_ctx ); 01004 01005 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01006 sig[0] &= 0xFF >> ( olen * 8 - msb ); 01007 01008 p += hlen; 01009 *p++ = 0xBC; 01010 01011 return( ( mode == MBEDTLS_RSA_PUBLIC ) 01012 ? mbedtls_rsa_public( ctx, sig, sig ) 01013 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 01014 } 01015 #endif /* MBEDTLS_PKCS1_V21 */ 01016 01017 #if defined(MBEDTLS_PKCS1_V15) 01018 /* 01019 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 01020 */ 01021 /* 01022 * Do an RSA operation to sign the message digest 01023 */ 01024 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 01025 int (*f_rng)(void *, unsigned char *, size_t), 01026 void *p_rng, 01027 int mode, 01028 mbedtls_md_type_t md_alg, 01029 unsigned int hashlen, 01030 const unsigned char *hash, 01031 unsigned char *sig ) 01032 { 01033 size_t nb_pad, olen, oid_size = 0; 01034 unsigned char *p = sig; 01035 const char *oid = NULL; 01036 unsigned char *sig_try = NULL, *verif = NULL; 01037 size_t i; 01038 unsigned char diff; 01039 volatile unsigned char diff_no_optimize; 01040 int ret; 01041 01042 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01043 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01044 01045 olen = ctx->len ; 01046 nb_pad = olen - 3; 01047 01048 if( md_alg != MBEDTLS_MD_NONE ) 01049 { 01050 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 01051 if( md_info == NULL ) 01052 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01053 01054 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 01055 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01056 01057 nb_pad -= 10 + oid_size; 01058 01059 hashlen = mbedtls_md_get_size( md_info ); 01060 } 01061 01062 nb_pad -= hashlen; 01063 01064 if( ( nb_pad < 8 ) || ( nb_pad > olen ) ) 01065 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01066 01067 *p++ = 0; 01068 *p++ = MBEDTLS_RSA_SIGN; 01069 memset( p, 0xFF, nb_pad ); 01070 p += nb_pad; 01071 *p++ = 0; 01072 01073 if( md_alg == MBEDTLS_MD_NONE ) 01074 { 01075 memcpy( p, hash, hashlen ); 01076 } 01077 else 01078 { 01079 /* 01080 * DigestInfo ::= SEQUENCE { 01081 * digestAlgorithm DigestAlgorithmIdentifier, 01082 * digest Digest } 01083 * 01084 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 01085 * 01086 * Digest ::= OCTET STRING 01087 */ 01088 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01089 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); 01090 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01091 *p++ = (unsigned char) ( 0x04 + oid_size ); 01092 *p++ = MBEDTLS_ASN1_OID; 01093 *p++ = oid_size & 0xFF; 01094 memcpy( p, oid, oid_size ); 01095 p += oid_size; 01096 *p++ = MBEDTLS_ASN1_NULL; 01097 *p++ = 0x00; 01098 *p++ = MBEDTLS_ASN1_OCTET_STRING; 01099 *p++ = hashlen; 01100 memcpy( p, hash, hashlen ); 01101 } 01102 01103 if( mode == MBEDTLS_RSA_PUBLIC ) 01104 return( mbedtls_rsa_public( ctx, sig, sig ) ); 01105 01106 /* 01107 * In order to prevent Lenstra's attack, make the signature in a 01108 * temporary buffer and check it before returning it. 01109 */ 01110 sig_try = mbedtls_calloc( 1, ctx->len ); 01111 if( sig_try == NULL ) 01112 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01113 01114 verif = mbedtls_calloc( 1, ctx->len ); 01115 if( verif == NULL ) 01116 { 01117 mbedtls_free( sig_try ); 01118 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 01119 } 01120 01121 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 01122 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 01123 01124 /* Compare in constant time just in case */ 01125 for( diff = 0, i = 0; i < ctx->len ; i++ ) 01126 diff |= verif[i] ^ sig[i]; 01127 diff_no_optimize = diff; 01128 01129 if( diff_no_optimize != 0 ) 01130 { 01131 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 01132 goto cleanup; 01133 } 01134 01135 memcpy( sig, sig_try, ctx->len ); 01136 01137 cleanup: 01138 mbedtls_free( sig_try ); 01139 mbedtls_free( verif ); 01140 01141 return( ret ); 01142 } 01143 #endif /* MBEDTLS_PKCS1_V15 */ 01144 01145 /* 01146 * Do an RSA operation to sign the message digest 01147 */ 01148 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 01149 int (*f_rng)(void *, unsigned char *, size_t), 01150 void *p_rng, 01151 int mode, 01152 mbedtls_md_type_t md_alg, 01153 unsigned int hashlen, 01154 const unsigned char *hash, 01155 unsigned char *sig ) 01156 { 01157 switch( ctx->padding ) 01158 { 01159 #if defined(MBEDTLS_PKCS1_V15) 01160 case MBEDTLS_RSA_PKCS_V15: 01161 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 01162 hashlen, hash, sig ); 01163 #endif 01164 01165 #if defined(MBEDTLS_PKCS1_V21) 01166 case MBEDTLS_RSA_PKCS_V21: 01167 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 01168 hashlen, hash, sig ); 01169 #endif 01170 01171 default: 01172 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01173 } 01174 } 01175 01176 #if defined(MBEDTLS_PKCS1_V21) 01177 /* 01178 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01179 */ 01180 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 01181 int (*f_rng)(void *, unsigned char *, size_t), 01182 void *p_rng, 01183 int mode, 01184 mbedtls_md_type_t md_alg, 01185 unsigned int hashlen, 01186 const unsigned char *hash, 01187 mbedtls_md_type_t mgf1_hash_id, 01188 int expected_salt_len, 01189 const unsigned char *sig ) 01190 { 01191 int ret; 01192 size_t siglen; 01193 unsigned char *p; 01194 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 01195 unsigned char zeros[8]; 01196 unsigned int hlen; 01197 size_t slen, msb; 01198 const mbedtls_md_info_t *md_info; 01199 mbedtls_md_context_t md_ctx; 01200 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01201 01202 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01203 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01204 01205 siglen = ctx->len ; 01206 01207 if( siglen < 16 || siglen > sizeof( buf ) ) 01208 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01209 01210 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01211 ? mbedtls_rsa_public( ctx, sig, buf ) 01212 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01213 01214 if( ret != 0 ) 01215 return( ret ); 01216 01217 p = buf; 01218 01219 if( buf[siglen - 1] != 0xBC ) 01220 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01221 01222 if( md_alg != MBEDTLS_MD_NONE ) 01223 { 01224 /* Gather length of hash to sign */ 01225 md_info = mbedtls_md_info_from_type( md_alg ); 01226 if( md_info == NULL ) 01227 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01228 01229 hashlen = mbedtls_md_get_size( md_info ); 01230 } 01231 01232 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 01233 if( md_info == NULL ) 01234 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01235 01236 hlen = mbedtls_md_get_size( md_info ); 01237 slen = siglen - hlen - 1; /* Currently length of salt + padding */ 01238 01239 memset( zeros, 0, 8 ); 01240 01241 /* 01242 * Note: EMSA-PSS verification is over the length of N - 1 bits 01243 */ 01244 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01245 01246 /* Compensate for boundary condition when applying mask */ 01247 if( msb % 8 == 0 ) 01248 { 01249 p++; 01250 siglen -= 1; 01251 } 01252 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 01253 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01254 01255 mbedtls_md_init( &md_ctx ); 01256 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01257 { 01258 mbedtls_md_free( &md_ctx ); 01259 return( ret ); 01260 } 01261 01262 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); 01263 01264 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 01265 01266 while( p < buf + siglen && *p == 0 ) 01267 p++; 01268 01269 if( p == buf + siglen || 01270 *p++ != 0x01 ) 01271 { 01272 mbedtls_md_free( &md_ctx ); 01273 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01274 } 01275 01276 /* Actual salt len */ 01277 slen -= p - buf; 01278 01279 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 01280 slen != (size_t) expected_salt_len ) 01281 { 01282 mbedtls_md_free( &md_ctx ); 01283 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01284 } 01285 01286 /* 01287 * Generate H = Hash( M' ) 01288 */ 01289 mbedtls_md_starts( &md_ctx ); 01290 mbedtls_md_update( &md_ctx, zeros, 8 ); 01291 mbedtls_md_update( &md_ctx, hash, hashlen ); 01292 mbedtls_md_update( &md_ctx, p, slen ); 01293 mbedtls_md_finish( &md_ctx, result ); 01294 01295 mbedtls_md_free( &md_ctx ); 01296 01297 if( memcmp( p + slen, result, hlen ) == 0 ) 01298 return( 0 ); 01299 else 01300 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01301 } 01302 01303 /* 01304 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 01305 */ 01306 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 01307 int (*f_rng)(void *, unsigned char *, size_t), 01308 void *p_rng, 01309 int mode, 01310 mbedtls_md_type_t md_alg, 01311 unsigned int hashlen, 01312 const unsigned char *hash, 01313 const unsigned char *sig ) 01314 { 01315 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 01316 ? (mbedtls_md_type_t) ctx->hash_id 01317 : md_alg; 01318 01319 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 01320 md_alg, hashlen, hash, 01321 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 01322 sig ) ); 01323 01324 } 01325 #endif /* MBEDTLS_PKCS1_V21 */ 01326 01327 #if defined(MBEDTLS_PKCS1_V15) 01328 /* 01329 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 01330 */ 01331 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 01332 int (*f_rng)(void *, unsigned char *, size_t), 01333 void *p_rng, 01334 int mode, 01335 mbedtls_md_type_t md_alg, 01336 unsigned int hashlen, 01337 const unsigned char *hash, 01338 const unsigned char *sig ) 01339 { 01340 int ret; 01341 size_t len, siglen, asn1_len; 01342 unsigned char *p, *end; 01343 mbedtls_md_type_t msg_md_alg; 01344 const mbedtls_md_info_t *md_info; 01345 mbedtls_asn1_buf oid; 01346 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01347 01348 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01349 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01350 01351 siglen = ctx->len ; 01352 01353 if( siglen < 16 || siglen > sizeof( buf ) ) 01354 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01355 01356 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01357 ? mbedtls_rsa_public( ctx, sig, buf ) 01358 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 01359 01360 if( ret != 0 ) 01361 return( ret ); 01362 01363 p = buf; 01364 01365 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN ) 01366 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01367 01368 while( *p != 0 ) 01369 { 01370 if( p >= buf + siglen - 1 || *p != 0xFF ) 01371 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01372 p++; 01373 } 01374 p++; 01375 01376 len = siglen - ( p - buf ); 01377 01378 if( len == hashlen && md_alg == MBEDTLS_MD_NONE ) 01379 { 01380 if( memcmp( p, hash, hashlen ) == 0 ) 01381 return( 0 ); 01382 else 01383 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01384 } 01385 01386 md_info = mbedtls_md_info_from_type( md_alg ); 01387 if( md_info == NULL ) 01388 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01389 hashlen = mbedtls_md_get_size( md_info ); 01390 01391 end = p + len; 01392 01393 /* 01394 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure 01395 */ 01396 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01397 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01398 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01399 01400 if( asn1_len + 2 != len ) 01401 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01402 01403 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, 01404 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 01405 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01406 01407 if( asn1_len + 6 + hashlen != len ) 01408 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01409 01410 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) 01411 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01412 01413 oid.p = p; 01414 p += oid.len; 01415 01416 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 ) 01417 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01418 01419 if( md_alg != msg_md_alg ) 01420 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01421 01422 /* 01423 * assume the algorithm parameters must be NULL 01424 */ 01425 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 ) 01426 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01427 01428 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 01429 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01430 01431 if( asn1_len != hashlen ) 01432 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01433 01434 if( memcmp( p, hash, hashlen ) != 0 ) 01435 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01436 01437 p += hashlen; 01438 01439 if( p != end ) 01440 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 01441 01442 return( 0 ); 01443 } 01444 #endif /* MBEDTLS_PKCS1_V15 */ 01445 01446 /* 01447 * Do an RSA operation and check the message digest 01448 */ 01449 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 01450 int (*f_rng)(void *, unsigned char *, size_t), 01451 void *p_rng, 01452 int mode, 01453 mbedtls_md_type_t md_alg, 01454 unsigned int hashlen, 01455 const unsigned char *hash, 01456 const unsigned char *sig ) 01457 { 01458 switch( ctx->padding ) 01459 { 01460 #if defined(MBEDTLS_PKCS1_V15) 01461 case MBEDTLS_RSA_PKCS_V15: 01462 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 01463 hashlen, hash, sig ); 01464 #endif 01465 01466 #if defined(MBEDTLS_PKCS1_V21) 01467 case MBEDTLS_RSA_PKCS_V21: 01468 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 01469 hashlen, hash, sig ); 01470 #endif 01471 01472 default: 01473 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01474 } 01475 } 01476 01477 /* 01478 * Copy the components of an RSA key 01479 */ 01480 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 01481 { 01482 int ret; 01483 01484 dst->ver = src->ver ; 01485 dst->len = src->len ; 01486 01487 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N , &src->N ) ); 01488 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E , &src->E ) ); 01489 01490 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D , &src->D ) ); 01491 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P , &src->P ) ); 01492 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q , &src->Q ) ); 01493 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP , &src->DP ) ); 01494 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ , &src->DQ ) ); 01495 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP , &src->QP ) ); 01496 01497 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN , &src->RN ) ); 01498 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP , &src->RP ) ); 01499 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ , &src->RQ ) ); 01500 01501 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi , &src->Vi ) ); 01502 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf , &src->Vf ) ); 01503 01504 dst->padding = src->padding ; 01505 dst->hash_id = src->hash_id ; 01506 01507 cleanup: 01508 if( ret != 0 ) 01509 mbedtls_rsa_free( dst ); 01510 01511 return( ret ); 01512 } 01513 01514 /* 01515 * Free the components of an RSA key 01516 */ 01517 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 01518 { 01519 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf ); 01520 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN ); 01521 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP ); 01522 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D ); 01523 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N ); 01524 01525 #if defined(MBEDTLS_THREADING_C) 01526 mbedtls_mutex_free( &ctx->mutex ); 01527 #endif 01528 } 01529 01530 #if defined(MBEDTLS_SELF_TEST) 01531 01532 #include "mbedtls/sha1.h" 01533 01534 /* 01535 * Example RSA-1024 keypair, for test purposes 01536 */ 01537 #define KEY_LEN 128 01538 01539 #define RSA_N "9292758453063D803DD603D5E777D788" \ 01540 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 01541 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 01542 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 01543 "93A89813FBF3C4F8066D2D800F7C38A8" \ 01544 "1AE31942917403FF4946B0A83D3D3E05" \ 01545 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 01546 "5E94BB77B07507233A0BC7BAC8F90F79" 01547 01548 #define RSA_E "10001" 01549 01550 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 01551 "66CA472BC44D253102F8B4A9D3BFA750" \ 01552 "91386C0077937FE33FA3252D28855837" \ 01553 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 01554 "DF79C5CE07EE72C7F123142198164234" \ 01555 "CABB724CF78B8173B9F880FC86322407" \ 01556 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 01557 "071513A1E85B5DFA031F21ECAE91A34D" 01558 01559 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 01560 "2C01CAD19EA484A87EA4377637E75500" \ 01561 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 01562 "C3D9E75E1EFC42488BB4F1D13AC30A57" 01563 01564 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 01565 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 01566 "910E4168387E3C30AA1E00C339A79508" \ 01567 "8452DD96A9A5EA5D9DCA68DA636032AF" 01568 01569 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \ 01570 "3C94D22288ACD763FD8E5600ED4A702D" \ 01571 "F84198A5F06C2E72236AE490C93F07F8" \ 01572 "3CC559CD27BC2D1CA488811730BB5725" 01573 01574 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \ 01575 "D8AAEA56749EA28623272E4F7D0592AF" \ 01576 "7C1F1313CAC9471B5C523BFE592F517B" \ 01577 "407A1BD76C164B93DA2D32A383E58357" 01578 01579 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \ 01580 "F38D18D2B2F0E2DD275AA977E2BF4411" \ 01581 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \ 01582 "A74206CEC169D74BF5A8C50D6F48EA08" 01583 01584 #define PT_LEN 24 01585 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 01586 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 01587 01588 #if defined(MBEDTLS_PKCS1_V15) 01589 static int myrand( void *rng_state, unsigned char *output, size_t len ) 01590 { 01591 #if !defined(__OpenBSD__) 01592 size_t i; 01593 01594 if( rng_state != NULL ) 01595 rng_state = NULL; 01596 01597 for( i = 0; i < len; ++i ) 01598 output[i] = rand(); 01599 #else 01600 if( rng_state != NULL ) 01601 rng_state = NULL; 01602 01603 arc4random_buf( output, len ); 01604 #endif /* !OpenBSD */ 01605 01606 return( 0 ); 01607 } 01608 #endif /* MBEDTLS_PKCS1_V15 */ 01609 01610 /* 01611 * Checkup routine 01612 */ 01613 int mbedtls_rsa_self_test( int verbose ) 01614 { 01615 int ret = 0; 01616 #if defined(MBEDTLS_PKCS1_V15) 01617 size_t len; 01618 mbedtls_rsa_context rsa; 01619 unsigned char rsa_plaintext[PT_LEN]; 01620 unsigned char rsa_decrypted[PT_LEN]; 01621 unsigned char rsa_ciphertext[KEY_LEN]; 01622 #if defined(MBEDTLS_SHA1_C) 01623 unsigned char sha1sum[20]; 01624 #endif 01625 01626 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 01627 01628 rsa.len = KEY_LEN; 01629 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) ); 01630 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) ); 01631 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) ); 01632 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) ); 01633 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) ); 01634 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP , 16, RSA_DP ) ); 01635 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ , 16, RSA_DQ ) ); 01636 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP , 16, RSA_QP ) ); 01637 01638 if( verbose != 0 ) 01639 mbedtls_printf( " RSA key validation: " ); 01640 01641 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 01642 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 01643 { 01644 if( verbose != 0 ) 01645 mbedtls_printf( "failed\n" ); 01646 01647 return( 1 ); 01648 } 01649 01650 if( verbose != 0 ) 01651 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 01652 01653 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 01654 01655 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN, 01656 rsa_plaintext, rsa_ciphertext ) != 0 ) 01657 { 01658 if( verbose != 0 ) 01659 mbedtls_printf( "failed\n" ); 01660 01661 return( 1 ); 01662 } 01663 01664 if( verbose != 0 ) 01665 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 01666 01667 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len, 01668 rsa_ciphertext, rsa_decrypted, 01669 sizeof(rsa_decrypted) ) != 0 ) 01670 { 01671 if( verbose != 0 ) 01672 mbedtls_printf( "failed\n" ); 01673 01674 return( 1 ); 01675 } 01676 01677 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 01678 { 01679 if( verbose != 0 ) 01680 mbedtls_printf( "failed\n" ); 01681 01682 return( 1 ); 01683 } 01684 01685 if( verbose != 0 ) 01686 mbedtls_printf( "passed\n" ); 01687 01688 #if defined(MBEDTLS_SHA1_C) 01689 if( verbose != 0 ) 01690 mbedtls_printf( " PKCS#1 data sign : " ); 01691 01692 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); 01693 01694 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 01695 sha1sum, rsa_ciphertext ) != 0 ) 01696 { 01697 if( verbose != 0 ) 01698 mbedtls_printf( "failed\n" ); 01699 01700 return( 1 ); 01701 } 01702 01703 if( verbose != 0 ) 01704 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 01705 01706 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 01707 sha1sum, rsa_ciphertext ) != 0 ) 01708 { 01709 if( verbose != 0 ) 01710 mbedtls_printf( "failed\n" ); 01711 01712 return( 1 ); 01713 } 01714 01715 if( verbose != 0 ) 01716 mbedtls_printf( "passed\n" ); 01717 #endif /* MBEDTLS_SHA1_C */ 01718 01719 if( verbose != 0 ) 01720 mbedtls_printf( "\n" ); 01721 01722 cleanup: 01723 mbedtls_rsa_free( &rsa ); 01724 #else /* MBEDTLS_PKCS1_V15 */ 01725 ((void) verbose); 01726 #endif /* MBEDTLS_PKCS1_V15 */ 01727 return( ret ); 01728 } 01729 01730 #endif /* MBEDTLS_SELF_TEST */ 01731 01732 #endif /* MBEDTLS_RSA_C */
Generated on Tue Jul 12 2022 12:28:48 by
