joey shelton / LED_Demo

Dependencies:   MAX44000 PWM_Tone_Library nexpaq_mdk

Fork of LED_Demo by Maxim nexpaq

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers rsa.c Source File

rsa.c

00001 /*
00002  *  The RSA public-key cryptosystem
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 /*
00022  *  The following sources were referenced in the design of this implementation
00023  *  of the RSA algorithm:
00024  *
00025  *  [1] A method for obtaining digital signatures and public-key cryptosystems
00026  *      R Rivest, A Shamir, and L Adleman
00027  *      http://people.csail.mit.edu/rivest/pubs.html#RSA78
00028  *
00029  *  [2] Handbook of Applied Cryptography - 1997, Chapter 8
00030  *      Menezes, van Oorschot and Vanstone
00031  *
00032  */
00033 
00034 #if !defined(MBEDTLS_CONFIG_FILE)
00035 #include "mbedtls/config.h"
00036 #else
00037 #include MBEDTLS_CONFIG_FILE
00038 #endif
00039 
00040 #if defined(MBEDTLS_RSA_C)
00041 
00042 #include "mbedtls/rsa.h"
00043 #include "mbedtls/oid.h"
00044 
00045 #include <string.h>
00046 
00047 #if defined(MBEDTLS_PKCS1_V21)
00048 #include "mbedtls/md.h"
00049 #endif
00050 
00051 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
00052 #include <stdlib.h>
00053 #endif
00054 
00055 #if defined(MBEDTLS_PLATFORM_C)
00056 #include "mbedtls/platform.h"
00057 #else
00058 #include <stdio.h>
00059 #define mbedtls_printf printf
00060 #define mbedtls_calloc calloc
00061 #define mbedtls_free   free
00062 #endif
00063 
00064 /*
00065  * Initialize an RSA context
00066  */
00067 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
00068                int padding,
00069                int hash_id )
00070 {
00071     memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
00072 
00073     mbedtls_rsa_set_padding( ctx, padding, hash_id );
00074 
00075 #if defined(MBEDTLS_THREADING_C)
00076     mbedtls_mutex_init( &ctx->mutex  );
00077 #endif
00078 }
00079 
00080 /*
00081  * Set padding for an existing RSA context
00082  */
00083 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
00084 {
00085     ctx->padding  = padding;
00086     ctx->hash_id  = hash_id;
00087 }
00088 
00089 #if defined(MBEDTLS_GENPRIME)
00090 
00091 /*
00092  * Generate an RSA keypair
00093  */
00094 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
00095                  int (*f_rng)(void *, unsigned char *, size_t),
00096                  void *p_rng,
00097                  unsigned int nbits, int exponent )
00098 {
00099     int ret;
00100     mbedtls_mpi P1, Q1, H, G;
00101 
00102     if( f_rng == NULL || nbits < 128 || exponent < 3 )
00103         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00104 
00105     mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); 
00106     mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
00107 
00108     /*
00109      * find primes P and Q with Q < P so that:
00110      * GCD( E, (P-1)*(Q-1) ) == 1
00111      */
00112     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E , exponent ) );
00113 
00114     do
00115     {
00116         MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P , nbits >> 1, 0,
00117                                 f_rng, p_rng ) );
00118 
00119         if( nbits % 2 )
00120         {
00121             MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , ( nbits >> 1 ) + 1, 0,
00122                                 f_rng, p_rng ) );
00123         }
00124         else
00125         {
00126             MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , nbits >> 1, 0,
00127                                 f_rng, p_rng ) );
00128         }
00129 
00130         if( mbedtls_mpi_cmp_mpi( &ctx->P , &ctx->Q  ) == 0 )
00131             continue;
00132 
00133         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q  ) );
00134         if( mbedtls_mpi_bitlen( &ctx->N  ) != nbits )
00135             continue;
00136 
00137         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) );
00138         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) );
00139         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
00140         MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H  ) );
00141     }
00142     while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
00143 
00144     /*
00145      * D  = E^-1 mod ((P-1)*(Q-1))
00146      * DP = D mod (P - 1)
00147      * DQ = D mod (Q - 1)
00148      * QP = Q^-1 mod P
00149      */
00150     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D  , &ctx->E , &H  ) );
00151     MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP , &ctx->D , &P1 ) );
00152     MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ , &ctx->D , &Q1 ) );
00153     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP , &ctx->Q , &ctx->P  ) );
00154 
00155     ctx->len  = ( mbedtls_mpi_bitlen( &ctx->N  ) + 7 ) >> 3;
00156 
00157 cleanup:
00158 
00159     mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
00160 
00161     if( ret != 0 )
00162     {
00163         mbedtls_rsa_free( ctx );
00164         return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
00165     }
00166 
00167     return( 0 );
00168 }
00169 
00170 #endif /* MBEDTLS_GENPRIME */
00171 
00172 /*
00173  * Check a public RSA key
00174  */
00175 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
00176 {
00177     if( !ctx->N .p  || !ctx->E .p  )
00178         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00179 
00180     if( ( ctx->N .p [0] & 1 ) == 0 ||
00181         ( ctx->E .p [0] & 1 ) == 0 )
00182         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00183 
00184     if( mbedtls_mpi_bitlen( &ctx->N  ) < 128 ||
00185         mbedtls_mpi_bitlen( &ctx->N  ) > MBEDTLS_MPI_MAX_BITS )
00186         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00187 
00188     if( mbedtls_mpi_bitlen( &ctx->E  ) < 2 ||
00189         mbedtls_mpi_cmp_mpi( &ctx->E , &ctx->N  ) >= 0 )
00190         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00191 
00192     return( 0 );
00193 }
00194 
00195 /*
00196  * Check a private RSA key
00197  */
00198 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
00199 {
00200     int ret;
00201     mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
00202 
00203     if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
00204         return( ret );
00205 
00206     if( !ctx->P .p  || !ctx->Q .p  || !ctx->D .p  )
00207         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00208 
00209     mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
00210     mbedtls_mpi_init( &H  ); mbedtls_mpi_init( &I  ); mbedtls_mpi_init( &G  ); mbedtls_mpi_init( &G2 );
00211     mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
00212     mbedtls_mpi_init( &QP );
00213 
00214     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P , &ctx->Q  ) );
00215     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D , &ctx->E  ) );
00216     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) );
00217     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) );
00218     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
00219     MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H  ) );
00220 
00221     MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
00222     MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
00223     MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1  ) );
00224 
00225     MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D , &P1 ) );
00226     MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D , &Q1 ) );
00227     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q , &ctx->P  ) );
00228     /*
00229      * Check for a valid PKCS1v2 private key
00230      */
00231     if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N  ) != 0 ||
00232         mbedtls_mpi_cmp_mpi( &DP, &ctx->DP  ) != 0 ||
00233         mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ  ) != 0 ||
00234         mbedtls_mpi_cmp_mpi( &QP, &ctx->QP  ) != 0 ||
00235         mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||
00236         mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||
00237         mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
00238     {
00239         ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
00240     }
00241 
00242 cleanup:
00243     mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
00244     mbedtls_mpi_free( &H  ); mbedtls_mpi_free( &I  ); mbedtls_mpi_free( &G  ); mbedtls_mpi_free( &G2 );
00245     mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
00246     mbedtls_mpi_free( &QP );
00247 
00248     if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
00249         return( ret );
00250 
00251     if( ret != 0 )
00252         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
00253 
00254     return( 0 );
00255 }
00256 
00257 /*
00258  * Check if contexts holding a public and private key match
00259  */
00260 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )
00261 {
00262     if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
00263         mbedtls_rsa_check_privkey( prv ) != 0 )
00264     {
00265         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00266     }
00267 
00268     if( mbedtls_mpi_cmp_mpi( &pub->N , &prv->N  ) != 0 ||
00269         mbedtls_mpi_cmp_mpi( &pub->E , &prv->E  ) != 0 )
00270     {
00271         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00272     }
00273 
00274     return( 0 );
00275 }
00276 
00277 /*
00278  * Do an RSA public key operation
00279  */
00280 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
00281                 const unsigned char *input,
00282                 unsigned char *output )
00283 {
00284     int ret;
00285     size_t olen;
00286     mbedtls_mpi T;
00287 
00288     mbedtls_mpi_init( &T );
00289 
00290 #if defined(MBEDTLS_THREADING_C)
00291     if( ( ret = mbedtls_mutex_lock( &ctx->mutex  ) ) != 0 )
00292         return( ret );
00293 #endif
00294 
00295     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len  ) );
00296 
00297     if( mbedtls_mpi_cmp_mpi( &T, &ctx->N  ) >= 0 )
00298     {
00299         ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
00300         goto cleanup;
00301     }
00302 
00303     olen = ctx->len ;
00304     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN  ) );
00305     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
00306 
00307 cleanup:
00308 #if defined(MBEDTLS_THREADING_C)
00309     if( mbedtls_mutex_unlock( &ctx->mutex  ) != 0 )
00310         return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
00311 #endif
00312 
00313     mbedtls_mpi_free( &T );
00314 
00315     if( ret != 0 )
00316         return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
00317 
00318     return( 0 );
00319 }
00320 
00321 /*
00322  * Generate or update blinding values, see section 10 of:
00323  *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
00324  *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
00325  *  Berlin Heidelberg, 1996. p. 104-113.
00326  */
00327 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
00328                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
00329 {
00330     int ret, count = 0;
00331 
00332     if( ctx->Vf .p  != NULL )
00333     {
00334         /* We already have blinding values, just update them by squaring */
00335         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi  ) );
00336         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N  ) );
00337         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf  ) );
00338         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N  ) );
00339 
00340         goto cleanup;
00341     }
00342 
00343     /* Unblinding value: Vf = random number, invertible mod N */
00344     do {
00345         if( count++ > 10 )
00346             return( MBEDTLS_ERR_RSA_RNG_FAILED );
00347 
00348         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf , ctx->len  - 1, f_rng, p_rng ) );
00349         MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N  ) );
00350     } while( mbedtls_mpi_cmp_int( &ctx->Vi , 1 ) != 0 );
00351 
00352     /* Blinding value: Vi =  Vf^(-e) mod N */
00353     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N  ) );
00354     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN  ) );
00355 
00356 
00357 cleanup:
00358     return( ret );
00359 }
00360 
00361 /*
00362  * Do an RSA private key operation
00363  */
00364 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
00365                  int (*f_rng)(void *, unsigned char *, size_t),
00366                  void *p_rng,
00367                  const unsigned char *input,
00368                  unsigned char *output )
00369 {
00370     int ret;
00371     size_t olen;
00372     mbedtls_mpi T, T1, T2;
00373 
00374     /* Make sure we have private key info, prevent possible misuse */
00375     if( ctx->P .p  == NULL || ctx->Q .p  == NULL || ctx->D .p  == NULL )
00376         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00377 
00378     mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
00379 
00380 #if defined(MBEDTLS_THREADING_C)
00381     if( ( ret = mbedtls_mutex_lock( &ctx->mutex  ) ) != 0 )
00382         return( ret );
00383 #endif
00384 
00385     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len  ) );
00386     if( mbedtls_mpi_cmp_mpi( &T, &ctx->N  ) >= 0 )
00387     {
00388         ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
00389         goto cleanup;
00390     }
00391 
00392     if( f_rng != NULL )
00393     {
00394         /*
00395          * Blinding
00396          * T = T * Vi mod N
00397          */
00398         MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
00399         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi  ) );
00400         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N  ) );
00401     }
00402 
00403 #if defined(MBEDTLS_RSA_NO_CRT)
00404     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D , &ctx->N , &ctx->RN  ) );
00405 #else
00406     /*
00407      * faster decryption using the CRT
00408      *
00409      * T1 = input ^ dP mod P
00410      * T2 = input ^ dQ mod Q
00411      */
00412     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP , &ctx->P , &ctx->RP  ) );
00413     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ , &ctx->Q , &ctx->RQ  ) );
00414 
00415     /*
00416      * T = (T1 - T2) * (Q^-1 mod P) mod P
00417      */
00418     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
00419     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP  ) );
00420     MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P  ) );
00421 
00422     /*
00423      * T = T2 + T * Q
00424      */
00425     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q  ) );
00426     MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
00427 #endif /* MBEDTLS_RSA_NO_CRT */
00428 
00429     if( f_rng != NULL )
00430     {
00431         /*
00432          * Unblind
00433          * T = T * Vf mod N
00434          */
00435         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf  ) );
00436         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N  ) );
00437     }
00438 
00439     olen = ctx->len ;
00440     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
00441 
00442 cleanup:
00443 #if defined(MBEDTLS_THREADING_C)
00444     if( mbedtls_mutex_unlock( &ctx->mutex  ) != 0 )
00445         return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
00446 #endif
00447 
00448     mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
00449 
00450     if( ret != 0 )
00451         return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
00452 
00453     return( 0 );
00454 }
00455 
00456 #if defined(MBEDTLS_PKCS1_V21)
00457 /**
00458  * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
00459  *
00460  * \param dst       buffer to mask
00461  * \param dlen      length of destination buffer
00462  * \param src       source of the mask generation
00463  * \param slen      length of the source buffer
00464  * \param md_ctx    message digest context to use
00465  */
00466 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
00467                       size_t slen, mbedtls_md_context_t *md_ctx )
00468 {
00469     unsigned char mask[MBEDTLS_MD_MAX_SIZE];
00470     unsigned char counter[4];
00471     unsigned char *p;
00472     unsigned int hlen;
00473     size_t i, use_len;
00474 
00475     memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
00476     memset( counter, 0, 4 );
00477 
00478     hlen = mbedtls_md_get_size( md_ctx->md_info );
00479 
00480     /* Generate and apply dbMask */
00481     p = dst;
00482 
00483     while( dlen > 0 )
00484     {
00485         use_len = hlen;
00486         if( dlen < hlen )
00487             use_len = dlen;
00488 
00489         mbedtls_md_starts( md_ctx );
00490         mbedtls_md_update( md_ctx, src, slen );
00491         mbedtls_md_update( md_ctx, counter, 4 );
00492         mbedtls_md_finish( md_ctx, mask );
00493 
00494         for( i = 0; i < use_len; ++i )
00495             *p++ ^= mask[i];
00496 
00497         counter[3]++;
00498 
00499         dlen -= use_len;
00500     }
00501 }
00502 #endif /* MBEDTLS_PKCS1_V21 */
00503 
00504 #if defined(MBEDTLS_PKCS1_V21)
00505 /*
00506  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
00507  */
00508 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
00509                             int (*f_rng)(void *, unsigned char *, size_t),
00510                             void *p_rng,
00511                             int mode,
00512                             const unsigned char *label, size_t label_len,
00513                             size_t ilen,
00514                             const unsigned char *input,
00515                             unsigned char *output )
00516 {
00517     size_t olen;
00518     int ret;
00519     unsigned char *p = output;
00520     unsigned int hlen;
00521     const mbedtls_md_info_t *md_info;
00522     mbedtls_md_context_t md_ctx;
00523 
00524     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
00525         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00526 
00527     if( f_rng == NULL )
00528         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00529 
00530     md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id  );
00531     if( md_info == NULL )
00532         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00533 
00534     olen = ctx->len ;
00535     hlen = mbedtls_md_get_size( md_info );
00536 
00537     /* first comparison checks for overflow */
00538     if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
00539         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00540 
00541     memset( output, 0, olen );
00542 
00543     *p++ = 0;
00544 
00545     /* Generate a random octet string seed */
00546     if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
00547         return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
00548 
00549     p += hlen;
00550 
00551     /* Construct DB */
00552     mbedtls_md( md_info, label, label_len, p );
00553     p += hlen;
00554     p += olen - 2 * hlen - 2 - ilen;
00555     *p++ = 1;
00556     memcpy( p, input, ilen );
00557 
00558     mbedtls_md_init( &md_ctx );
00559     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
00560     {
00561         mbedtls_md_free( &md_ctx );
00562         return( ret );
00563     }
00564 
00565     /* maskedDB: Apply dbMask to DB */
00566     mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
00567                &md_ctx );
00568 
00569     /* maskedSeed: Apply seedMask to seed */
00570     mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
00571                &md_ctx );
00572 
00573     mbedtls_md_free( &md_ctx );
00574 
00575     return( ( mode == MBEDTLS_RSA_PUBLIC )
00576             ? mbedtls_rsa_public(  ctx, output, output )
00577             : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
00578 }
00579 #endif /* MBEDTLS_PKCS1_V21 */
00580 
00581 #if defined(MBEDTLS_PKCS1_V15)
00582 /*
00583  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
00584  */
00585 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
00586                                  int (*f_rng)(void *, unsigned char *, size_t),
00587                                  void *p_rng,
00588                                  int mode, size_t ilen,
00589                                  const unsigned char *input,
00590                                  unsigned char *output )
00591 {
00592     size_t nb_pad, olen;
00593     int ret;
00594     unsigned char *p = output;
00595 
00596     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
00597         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00598 
00599     // We don't check p_rng because it won't be dereferenced here
00600     if( f_rng == NULL || input == NULL || output == NULL )
00601         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00602 
00603     olen = ctx->len ;
00604 
00605     /* first comparison checks for overflow */
00606     if( ilen + 11 < ilen || olen < ilen + 11 )
00607         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00608 
00609     nb_pad = olen - 3 - ilen;
00610 
00611     *p++ = 0;
00612     if( mode == MBEDTLS_RSA_PUBLIC )
00613     {
00614         *p++ = MBEDTLS_RSA_CRYPT;
00615 
00616         while( nb_pad-- > 0 )
00617         {
00618             int rng_dl = 100;
00619 
00620             do {
00621                 ret = f_rng( p_rng, p, 1 );
00622             } while( *p == 0 && --rng_dl && ret == 0 );
00623 
00624             /* Check if RNG failed to generate data */
00625             if( rng_dl == 0 || ret != 0 )
00626                 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
00627 
00628             p++;
00629         }
00630     }
00631     else
00632     {
00633         *p++ = MBEDTLS_RSA_SIGN;
00634 
00635         while( nb_pad-- > 0 )
00636             *p++ = 0xFF;
00637     }
00638 
00639     *p++ = 0;
00640     memcpy( p, input, ilen );
00641 
00642     return( ( mode == MBEDTLS_RSA_PUBLIC )
00643             ? mbedtls_rsa_public(  ctx, output, output )
00644             : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
00645 }
00646 #endif /* MBEDTLS_PKCS1_V15 */
00647 
00648 /*
00649  * Add the message padding, then do an RSA operation
00650  */
00651 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
00652                        int (*f_rng)(void *, unsigned char *, size_t),
00653                        void *p_rng,
00654                        int mode, size_t ilen,
00655                        const unsigned char *input,
00656                        unsigned char *output )
00657 {
00658     switch( ctx->padding  )
00659     {
00660 #if defined(MBEDTLS_PKCS1_V15)
00661         case MBEDTLS_RSA_PKCS_V15:
00662             return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
00663                                                 input, output );
00664 #endif
00665 
00666 #if defined(MBEDTLS_PKCS1_V21)
00667         case MBEDTLS_RSA_PKCS_V21:
00668             return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
00669                                            ilen, input, output );
00670 #endif
00671 
00672         default:
00673             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
00674     }
00675 }
00676 
00677 #if defined(MBEDTLS_PKCS1_V21)
00678 /*
00679  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
00680  */
00681 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
00682                             int (*f_rng)(void *, unsigned char *, size_t),
00683                             void *p_rng,
00684                             int mode,
00685                             const unsigned char *label, size_t label_len,
00686                             size_t *olen,
00687                             const unsigned char *input,
00688                             unsigned char *output,
00689                             size_t output_max_len )
00690 {
00691     int ret;
00692     size_t ilen, i, pad_len;
00693     unsigned char *p, bad, pad_done;
00694     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
00695     unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
00696     unsigned int hlen;
00697     const mbedtls_md_info_t *md_info;
00698     mbedtls_md_context_t md_ctx;
00699 
00700     /*
00701      * Parameters sanity checks
00702      */
00703     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
00704         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00705 
00706     ilen = ctx->len ;
00707 
00708     if( ilen < 16 || ilen > sizeof( buf ) )
00709         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00710 
00711     md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id  );
00712     if( md_info == NULL )
00713         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00714 
00715     hlen = mbedtls_md_get_size( md_info );
00716 
00717     // checking for integer underflow
00718     if( 2 * hlen + 2 > ilen )
00719         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00720 
00721     /*
00722      * RSA operation
00723      */
00724     ret = ( mode == MBEDTLS_RSA_PUBLIC )
00725           ? mbedtls_rsa_public(  ctx, input, buf )
00726           : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
00727 
00728     if( ret != 0 )
00729         return( ret );
00730 
00731     /*
00732      * Unmask data and generate lHash
00733      */
00734     mbedtls_md_init( &md_ctx );
00735     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
00736     {
00737         mbedtls_md_free( &md_ctx );
00738         return( ret );
00739     }
00740 
00741 
00742     /* Generate lHash */
00743     mbedtls_md( md_info, label, label_len, lhash );
00744 
00745     /* seed: Apply seedMask to maskedSeed */
00746     mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
00747                &md_ctx );
00748 
00749     /* DB: Apply dbMask to maskedDB */
00750     mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
00751                &md_ctx );
00752 
00753     mbedtls_md_free( &md_ctx );
00754 
00755     /*
00756      * Check contents, in "constant-time"
00757      */
00758     p = buf;
00759     bad = 0;
00760 
00761     bad |= *p++; /* First byte must be 0 */
00762 
00763     p += hlen; /* Skip seed */
00764 
00765     /* Check lHash */
00766     for( i = 0; i < hlen; i++ )
00767         bad |= lhash[i] ^ *p++;
00768 
00769     /* Get zero-padding len, but always read till end of buffer
00770      * (minus one, for the 01 byte) */
00771     pad_len = 0;
00772     pad_done = 0;
00773     for( i = 0; i < ilen - 2 * hlen - 2; i++ )
00774     {
00775         pad_done |= p[i];
00776         pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
00777     }
00778 
00779     p += pad_len;
00780     bad |= *p++ ^ 0x01;
00781 
00782     /*
00783      * The only information "leaked" is whether the padding was correct or not
00784      * (eg, no data is copied if it was not correct). This meets the
00785      * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
00786      * the different error conditions.
00787      */
00788     if( bad != 0 )
00789         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
00790 
00791     if( ilen - ( p - buf ) > output_max_len )
00792         return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
00793 
00794     *olen = ilen - (p - buf);
00795     memcpy( output, p, *olen );
00796 
00797     return( 0 );
00798 }
00799 #endif /* MBEDTLS_PKCS1_V21 */
00800 
00801 #if defined(MBEDTLS_PKCS1_V15)
00802 /*
00803  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
00804  */
00805 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
00806                                  int (*f_rng)(void *, unsigned char *, size_t),
00807                                  void *p_rng,
00808                                  int mode, size_t *olen,
00809                                  const unsigned char *input,
00810                                  unsigned char *output,
00811                                  size_t output_max_len)
00812 {
00813     int ret;
00814     size_t ilen, pad_count = 0, i;
00815     unsigned char *p, bad, pad_done = 0;
00816     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
00817 
00818     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
00819         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00820 
00821     ilen = ctx->len ;
00822 
00823     if( ilen < 16 || ilen > sizeof( buf ) )
00824         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00825 
00826     ret = ( mode == MBEDTLS_RSA_PUBLIC )
00827           ? mbedtls_rsa_public(  ctx, input, buf )
00828           : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
00829 
00830     if( ret != 0 )
00831         return( ret );
00832 
00833     p = buf;
00834     bad = 0;
00835 
00836     /*
00837      * Check and get padding len in "constant-time"
00838      */
00839     bad |= *p++; /* First byte must be 0 */
00840 
00841     /* This test does not depend on secret data */
00842     if( mode == MBEDTLS_RSA_PRIVATE )
00843     {
00844         bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
00845 
00846         /* Get padding len, but always read till end of buffer
00847          * (minus one, for the 00 byte) */
00848         for( i = 0; i < ilen - 3; i++ )
00849         {
00850             pad_done  |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
00851             pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
00852         }
00853 
00854         p += pad_count;
00855         bad |= *p++; /* Must be zero */
00856     }
00857     else
00858     {
00859         bad |= *p++ ^ MBEDTLS_RSA_SIGN;
00860 
00861         /* Get padding len, but always read till end of buffer
00862          * (minus one, for the 00 byte) */
00863         for( i = 0; i < ilen - 3; i++ )
00864         {
00865             pad_done |= ( p[i] != 0xFF );
00866             pad_count += ( pad_done == 0 );
00867         }
00868 
00869         p += pad_count;
00870         bad |= *p++; /* Must be zero */
00871     }
00872 
00873     bad |= ( pad_count < 8 );
00874 
00875     if( bad )
00876         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
00877 
00878     if( ilen - ( p - buf ) > output_max_len )
00879         return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
00880 
00881     *olen = ilen - (p - buf);
00882     memcpy( output, p, *olen );
00883 
00884     return( 0 );
00885 }
00886 #endif /* MBEDTLS_PKCS1_V15 */
00887 
00888 /*
00889  * Do an RSA operation, then remove the message padding
00890  */
00891 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
00892                        int (*f_rng)(void *, unsigned char *, size_t),
00893                        void *p_rng,
00894                        int mode, size_t *olen,
00895                        const unsigned char *input,
00896                        unsigned char *output,
00897                        size_t output_max_len)
00898 {
00899     switch( ctx->padding  )
00900     {
00901 #if defined(MBEDTLS_PKCS1_V15)
00902         case MBEDTLS_RSA_PKCS_V15:
00903             return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
00904                                                 input, output, output_max_len );
00905 #endif
00906 
00907 #if defined(MBEDTLS_PKCS1_V21)
00908         case MBEDTLS_RSA_PKCS_V21:
00909             return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
00910                                            olen, input, output,
00911                                            output_max_len );
00912 #endif
00913 
00914         default:
00915             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
00916     }
00917 }
00918 
00919 #if defined(MBEDTLS_PKCS1_V21)
00920 /*
00921  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
00922  */
00923 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
00924                          int (*f_rng)(void *, unsigned char *, size_t),
00925                          void *p_rng,
00926                          int mode,
00927                          mbedtls_md_type_t md_alg,
00928                          unsigned int hashlen,
00929                          const unsigned char *hash,
00930                          unsigned char *sig )
00931 {
00932     size_t olen;
00933     unsigned char *p = sig;
00934     unsigned char salt[MBEDTLS_MD_MAX_SIZE];
00935     unsigned int slen, hlen, offset = 0;
00936     int ret;
00937     size_t msb;
00938     const mbedtls_md_info_t *md_info;
00939     mbedtls_md_context_t md_ctx;
00940 
00941     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
00942         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00943 
00944     if( f_rng == NULL )
00945         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00946 
00947     olen = ctx->len ;
00948 
00949     if( md_alg != MBEDTLS_MD_NONE )
00950     {
00951         /* Gather length of hash to sign */
00952         md_info = mbedtls_md_info_from_type( md_alg );
00953         if( md_info == NULL )
00954             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00955 
00956         hashlen = mbedtls_md_get_size( md_info );
00957     }
00958 
00959     md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id  );
00960     if( md_info == NULL )
00961         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00962 
00963     hlen = mbedtls_md_get_size( md_info );
00964     slen = hlen;
00965 
00966     if( olen < hlen + slen + 2 )
00967         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00968 
00969     memset( sig, 0, olen );
00970 
00971     /* Generate salt of length slen */
00972     if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
00973         return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
00974 
00975     /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
00976     msb = mbedtls_mpi_bitlen( &ctx->N  ) - 1;
00977     p += olen - hlen * 2 - 2;
00978     *p++ = 0x01;
00979     memcpy( p, salt, slen );
00980     p += slen;
00981 
00982     mbedtls_md_init( &md_ctx );
00983     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
00984     {
00985         mbedtls_md_free( &md_ctx );
00986         return( ret );
00987     }
00988 
00989     /* Generate H = Hash( M' ) */
00990     mbedtls_md_starts( &md_ctx );
00991     mbedtls_md_update( &md_ctx, p, 8 );
00992     mbedtls_md_update( &md_ctx, hash, hashlen );
00993     mbedtls_md_update( &md_ctx, salt, slen );
00994     mbedtls_md_finish( &md_ctx, p );
00995 
00996     /* Compensate for boundary condition when applying mask */
00997     if( msb % 8 == 0 )
00998         offset = 1;
00999 
01000     /* maskedDB: Apply dbMask to DB */
01001     mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
01002 
01003     mbedtls_md_free( &md_ctx );
01004 
01005     msb = mbedtls_mpi_bitlen( &ctx->N  ) - 1;
01006     sig[0] &= 0xFF >> ( olen * 8 - msb );
01007 
01008     p += hlen;
01009     *p++ = 0xBC;
01010 
01011     return( ( mode == MBEDTLS_RSA_PUBLIC )
01012             ? mbedtls_rsa_public(  ctx, sig, sig )
01013             : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
01014 }
01015 #endif /* MBEDTLS_PKCS1_V21 */
01016 
01017 #if defined(MBEDTLS_PKCS1_V15)
01018 /*
01019  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
01020  */
01021 /*
01022  * Do an RSA operation to sign the message digest
01023  */
01024 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
01025                                int (*f_rng)(void *, unsigned char *, size_t),
01026                                void *p_rng,
01027                                int mode,
01028                                mbedtls_md_type_t md_alg,
01029                                unsigned int hashlen,
01030                                const unsigned char *hash,
01031                                unsigned char *sig )
01032 {
01033     size_t nb_pad, olen, oid_size = 0;
01034     unsigned char *p = sig;
01035     const char *oid = NULL;
01036     unsigned char *sig_try = NULL, *verif = NULL;
01037     size_t i;
01038     unsigned char diff;
01039     volatile unsigned char diff_no_optimize;
01040     int ret;
01041 
01042     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
01043         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01044 
01045     olen = ctx->len ;
01046     nb_pad = olen - 3;
01047 
01048     if( md_alg != MBEDTLS_MD_NONE )
01049     {
01050         const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
01051         if( md_info == NULL )
01052             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01053 
01054         if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
01055             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01056 
01057         nb_pad -= 10 + oid_size;
01058 
01059         hashlen = mbedtls_md_get_size( md_info );
01060     }
01061 
01062     nb_pad -= hashlen;
01063 
01064     if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
01065         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01066 
01067     *p++ = 0;
01068     *p++ = MBEDTLS_RSA_SIGN;
01069     memset( p, 0xFF, nb_pad );
01070     p += nb_pad;
01071     *p++ = 0;
01072 
01073     if( md_alg == MBEDTLS_MD_NONE )
01074     {
01075         memcpy( p, hash, hashlen );
01076     }
01077     else
01078     {
01079         /*
01080          * DigestInfo ::= SEQUENCE {
01081          *   digestAlgorithm DigestAlgorithmIdentifier,
01082          *   digest Digest }
01083          *
01084          * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
01085          *
01086          * Digest ::= OCTET STRING
01087          */
01088         *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
01089         *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
01090         *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
01091         *p++ = (unsigned char) ( 0x04 + oid_size );
01092         *p++ = MBEDTLS_ASN1_OID;
01093         *p++ = oid_size & 0xFF;
01094         memcpy( p, oid, oid_size );
01095         p += oid_size;
01096         *p++ = MBEDTLS_ASN1_NULL;
01097         *p++ = 0x00;
01098         *p++ = MBEDTLS_ASN1_OCTET_STRING;
01099         *p++ = hashlen;
01100         memcpy( p, hash, hashlen );
01101     }
01102 
01103     if( mode == MBEDTLS_RSA_PUBLIC )
01104         return( mbedtls_rsa_public(  ctx, sig, sig ) );
01105 
01106     /*
01107      * In order to prevent Lenstra's attack, make the signature in a
01108      * temporary buffer and check it before returning it.
01109      */
01110     sig_try = mbedtls_calloc( 1, ctx->len  );
01111     if( sig_try == NULL )
01112         return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
01113 
01114     verif   = mbedtls_calloc( 1, ctx->len  );
01115     if( verif == NULL )
01116     {
01117         mbedtls_free( sig_try );
01118         return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
01119     }
01120 
01121     MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
01122     MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
01123 
01124     /* Compare in constant time just in case */
01125     for( diff = 0, i = 0; i < ctx->len ; i++ )
01126         diff |= verif[i] ^ sig[i];
01127     diff_no_optimize = diff;
01128 
01129     if( diff_no_optimize != 0 )
01130     {
01131         ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
01132         goto cleanup;
01133     }
01134 
01135     memcpy( sig, sig_try, ctx->len  );
01136 
01137 cleanup:
01138     mbedtls_free( sig_try );
01139     mbedtls_free( verif );
01140 
01141     return( ret );
01142 }
01143 #endif /* MBEDTLS_PKCS1_V15 */
01144 
01145 /*
01146  * Do an RSA operation to sign the message digest
01147  */
01148 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
01149                     int (*f_rng)(void *, unsigned char *, size_t),
01150                     void *p_rng,
01151                     int mode,
01152                     mbedtls_md_type_t md_alg,
01153                     unsigned int hashlen,
01154                     const unsigned char *hash,
01155                     unsigned char *sig )
01156 {
01157     switch( ctx->padding  )
01158     {
01159 #if defined(MBEDTLS_PKCS1_V15)
01160         case MBEDTLS_RSA_PKCS_V15:
01161             return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
01162                                               hashlen, hash, sig );
01163 #endif
01164 
01165 #if defined(MBEDTLS_PKCS1_V21)
01166         case MBEDTLS_RSA_PKCS_V21:
01167             return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
01168                                         hashlen, hash, sig );
01169 #endif
01170 
01171         default:
01172             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01173     }
01174 }
01175 
01176 #if defined(MBEDTLS_PKCS1_V21)
01177 /*
01178  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
01179  */
01180 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
01181                                int (*f_rng)(void *, unsigned char *, size_t),
01182                                void *p_rng,
01183                                int mode,
01184                                mbedtls_md_type_t md_alg,
01185                                unsigned int hashlen,
01186                                const unsigned char *hash,
01187                                mbedtls_md_type_t mgf1_hash_id,
01188                                int expected_salt_len,
01189                                const unsigned char *sig )
01190 {
01191     int ret;
01192     size_t siglen;
01193     unsigned char *p;
01194     unsigned char result[MBEDTLS_MD_MAX_SIZE];
01195     unsigned char zeros[8];
01196     unsigned int hlen;
01197     size_t slen, msb;
01198     const mbedtls_md_info_t *md_info;
01199     mbedtls_md_context_t md_ctx;
01200     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
01201 
01202     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
01203         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01204 
01205     siglen = ctx->len ;
01206 
01207     if( siglen < 16 || siglen > sizeof( buf ) )
01208         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01209 
01210     ret = ( mode == MBEDTLS_RSA_PUBLIC )
01211           ? mbedtls_rsa_public(  ctx, sig, buf )
01212           : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
01213 
01214     if( ret != 0 )
01215         return( ret );
01216 
01217     p = buf;
01218 
01219     if( buf[siglen - 1] != 0xBC )
01220         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01221 
01222     if( md_alg != MBEDTLS_MD_NONE )
01223     {
01224         /* Gather length of hash to sign */
01225         md_info = mbedtls_md_info_from_type( md_alg );
01226         if( md_info == NULL )
01227             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01228 
01229         hashlen = mbedtls_md_get_size( md_info );
01230     }
01231 
01232     md_info = mbedtls_md_info_from_type( mgf1_hash_id );
01233     if( md_info == NULL )
01234         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01235 
01236     hlen = mbedtls_md_get_size( md_info );
01237     slen = siglen - hlen - 1; /* Currently length of salt + padding */
01238 
01239     memset( zeros, 0, 8 );
01240 
01241     /*
01242      * Note: EMSA-PSS verification is over the length of N - 1 bits
01243      */
01244     msb = mbedtls_mpi_bitlen( &ctx->N  ) - 1;
01245 
01246     /* Compensate for boundary condition when applying mask */
01247     if( msb % 8 == 0 )
01248     {
01249         p++;
01250         siglen -= 1;
01251     }
01252     if( buf[0] >> ( 8 - siglen * 8 + msb ) )
01253         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01254 
01255     mbedtls_md_init( &md_ctx );
01256     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
01257     {
01258         mbedtls_md_free( &md_ctx );
01259         return( ret );
01260     }
01261 
01262     mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
01263 
01264     buf[0] &= 0xFF >> ( siglen * 8 - msb );
01265 
01266     while( p < buf + siglen && *p == 0 )
01267         p++;
01268 
01269     if( p == buf + siglen ||
01270         *p++ != 0x01 )
01271     {
01272         mbedtls_md_free( &md_ctx );
01273         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01274     }
01275 
01276     /* Actual salt len */
01277     slen -= p - buf;
01278 
01279     if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
01280         slen != (size_t) expected_salt_len )
01281     {
01282         mbedtls_md_free( &md_ctx );
01283         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01284     }
01285 
01286     /*
01287      * Generate H = Hash( M' )
01288      */
01289     mbedtls_md_starts( &md_ctx );
01290     mbedtls_md_update( &md_ctx, zeros, 8 );
01291     mbedtls_md_update( &md_ctx, hash, hashlen );
01292     mbedtls_md_update( &md_ctx, p, slen );
01293     mbedtls_md_finish( &md_ctx, result );
01294 
01295     mbedtls_md_free( &md_ctx );
01296 
01297     if( memcmp( p + slen, result, hlen ) == 0 )
01298         return( 0 );
01299     else
01300         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01301 }
01302 
01303 /*
01304  * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
01305  */
01306 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
01307                            int (*f_rng)(void *, unsigned char *, size_t),
01308                            void *p_rng,
01309                            int mode,
01310                            mbedtls_md_type_t md_alg,
01311                            unsigned int hashlen,
01312                            const unsigned char *hash,
01313                            const unsigned char *sig )
01314 {
01315     mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id  != MBEDTLS_MD_NONE )
01316                              ? (mbedtls_md_type_t) ctx->hash_id 
01317                              : md_alg;
01318 
01319     return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
01320                                        md_alg, hashlen, hash,
01321                                        mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
01322                                        sig ) );
01323 
01324 }
01325 #endif /* MBEDTLS_PKCS1_V21 */
01326 
01327 #if defined(MBEDTLS_PKCS1_V15)
01328 /*
01329  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
01330  */
01331 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
01332                                  int (*f_rng)(void *, unsigned char *, size_t),
01333                                  void *p_rng,
01334                                  int mode,
01335                                  mbedtls_md_type_t md_alg,
01336                                  unsigned int hashlen,
01337                                  const unsigned char *hash,
01338                                  const unsigned char *sig )
01339 {
01340     int ret;
01341     size_t len, siglen, asn1_len;
01342     unsigned char *p, *end;
01343     mbedtls_md_type_t msg_md_alg;
01344     const mbedtls_md_info_t *md_info;
01345     mbedtls_asn1_buf oid;
01346     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
01347 
01348     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
01349         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01350 
01351     siglen = ctx->len ;
01352 
01353     if( siglen < 16 || siglen > sizeof( buf ) )
01354         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01355 
01356     ret = ( mode == MBEDTLS_RSA_PUBLIC )
01357           ? mbedtls_rsa_public(  ctx, sig, buf )
01358           : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
01359 
01360     if( ret != 0 )
01361         return( ret );
01362 
01363     p = buf;
01364 
01365     if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )
01366         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01367 
01368     while( *p != 0 )
01369     {
01370         if( p >= buf + siglen - 1 || *p != 0xFF )
01371             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01372         p++;
01373     }
01374     p++;
01375 
01376     len = siglen - ( p - buf );
01377 
01378     if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
01379     {
01380         if( memcmp( p, hash, hashlen ) == 0 )
01381             return( 0 );
01382         else
01383             return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01384     }
01385 
01386     md_info = mbedtls_md_info_from_type( md_alg );
01387     if( md_info == NULL )
01388         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01389     hashlen = mbedtls_md_get_size( md_info );
01390 
01391     end = p + len;
01392 
01393     /*
01394      * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
01395      */
01396     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
01397             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
01398         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01399 
01400     if( asn1_len + 2 != len )
01401         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01402 
01403     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
01404             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
01405         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01406 
01407     if( asn1_len + 6 + hashlen != len )
01408         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01409 
01410     if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
01411         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01412 
01413     oid.p = p;
01414     p += oid.len;
01415 
01416     if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
01417         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01418 
01419     if( md_alg != msg_md_alg )
01420         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01421 
01422     /*
01423      * assume the algorithm parameters must be NULL
01424      */
01425     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
01426         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01427 
01428     if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
01429         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01430 
01431     if( asn1_len != hashlen )
01432         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01433 
01434     if( memcmp( p, hash, hashlen ) != 0 )
01435         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01436 
01437     p += hashlen;
01438 
01439     if( p != end )
01440         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
01441 
01442     return( 0 );
01443 }
01444 #endif /* MBEDTLS_PKCS1_V15 */
01445 
01446 /*
01447  * Do an RSA operation and check the message digest
01448  */
01449 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
01450                       int (*f_rng)(void *, unsigned char *, size_t),
01451                       void *p_rng,
01452                       int mode,
01453                       mbedtls_md_type_t md_alg,
01454                       unsigned int hashlen,
01455                       const unsigned char *hash,
01456                       const unsigned char *sig )
01457 {
01458     switch( ctx->padding  )
01459     {
01460 #if defined(MBEDTLS_PKCS1_V15)
01461         case MBEDTLS_RSA_PKCS_V15:
01462             return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
01463                                                 hashlen, hash, sig );
01464 #endif
01465 
01466 #if defined(MBEDTLS_PKCS1_V21)
01467         case MBEDTLS_RSA_PKCS_V21:
01468             return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
01469                                           hashlen, hash, sig );
01470 #endif
01471 
01472         default:
01473             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01474     }
01475 }
01476 
01477 /*
01478  * Copy the components of an RSA key
01479  */
01480 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
01481 {
01482     int ret;
01483 
01484     dst->ver  = src->ver ;
01485     dst->len  = src->len ;
01486 
01487     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N , &src->N  ) );
01488     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E , &src->E  ) );
01489 
01490     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D , &src->D  ) );
01491     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P , &src->P  ) );
01492     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q , &src->Q  ) );
01493     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP , &src->DP  ) );
01494     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ , &src->DQ  ) );
01495     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP , &src->QP  ) );
01496 
01497     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN , &src->RN  ) );
01498     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP , &src->RP  ) );
01499     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ , &src->RQ  ) );
01500 
01501     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi , &src->Vi  ) );
01502     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf , &src->Vf  ) );
01503 
01504     dst->padding  = src->padding ;
01505     dst->hash_id  = src->hash_id ;
01506 
01507 cleanup:
01508     if( ret != 0 )
01509         mbedtls_rsa_free( dst );
01510 
01511     return( ret );
01512 }
01513 
01514 /*
01515  * Free the components of an RSA key
01516  */
01517 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
01518 {
01519     mbedtls_mpi_free( &ctx->Vi  ); mbedtls_mpi_free( &ctx->Vf  );
01520     mbedtls_mpi_free( &ctx->RQ  ); mbedtls_mpi_free( &ctx->RP  ); mbedtls_mpi_free( &ctx->RN  );
01521     mbedtls_mpi_free( &ctx->QP  ); mbedtls_mpi_free( &ctx->DQ  ); mbedtls_mpi_free( &ctx->DP  );
01522     mbedtls_mpi_free( &ctx->Q   ); mbedtls_mpi_free( &ctx->P   ); mbedtls_mpi_free( &ctx->D  );
01523     mbedtls_mpi_free( &ctx->E   ); mbedtls_mpi_free( &ctx->N   );
01524 
01525 #if defined(MBEDTLS_THREADING_C)
01526     mbedtls_mutex_free( &ctx->mutex  );
01527 #endif
01528 }
01529 
01530 #if defined(MBEDTLS_SELF_TEST)
01531 
01532 #include "mbedtls/sha1.h"
01533 
01534 /*
01535  * Example RSA-1024 keypair, for test purposes
01536  */
01537 #define KEY_LEN 128
01538 
01539 #define RSA_N   "9292758453063D803DD603D5E777D788" \
01540                 "8ED1D5BF35786190FA2F23EBC0848AEA" \
01541                 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
01542                 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
01543                 "93A89813FBF3C4F8066D2D800F7C38A8" \
01544                 "1AE31942917403FF4946B0A83D3D3E05" \
01545                 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
01546                 "5E94BB77B07507233A0BC7BAC8F90F79"
01547 
01548 #define RSA_E   "10001"
01549 
01550 #define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
01551                 "66CA472BC44D253102F8B4A9D3BFA750" \
01552                 "91386C0077937FE33FA3252D28855837" \
01553                 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
01554                 "DF79C5CE07EE72C7F123142198164234" \
01555                 "CABB724CF78B8173B9F880FC86322407" \
01556                 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
01557                 "071513A1E85B5DFA031F21ECAE91A34D"
01558 
01559 #define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
01560                 "2C01CAD19EA484A87EA4377637E75500" \
01561                 "FCB2005C5C7DD6EC4AC023CDA285D796" \
01562                 "C3D9E75E1EFC42488BB4F1D13AC30A57"
01563 
01564 #define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
01565                 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
01566                 "910E4168387E3C30AA1E00C339A79508" \
01567                 "8452DD96A9A5EA5D9DCA68DA636032AF"
01568 
01569 #define RSA_DP  "C1ACF567564274FB07A0BBAD5D26E298" \
01570                 "3C94D22288ACD763FD8E5600ED4A702D" \
01571                 "F84198A5F06C2E72236AE490C93F07F8" \
01572                 "3CC559CD27BC2D1CA488811730BB5725"
01573 
01574 #define RSA_DQ  "4959CBF6F8FEF750AEE6977C155579C7" \
01575                 "D8AAEA56749EA28623272E4F7D0592AF" \
01576                 "7C1F1313CAC9471B5C523BFE592F517B" \
01577                 "407A1BD76C164B93DA2D32A383E58357"
01578 
01579 #define RSA_QP  "9AE7FBC99546432DF71896FC239EADAE" \
01580                 "F38D18D2B2F0E2DD275AA977E2BF4411" \
01581                 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
01582                 "A74206CEC169D74BF5A8C50D6F48EA08"
01583 
01584 #define PT_LEN  24
01585 #define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
01586                 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
01587 
01588 #if defined(MBEDTLS_PKCS1_V15)
01589 static int myrand( void *rng_state, unsigned char *output, size_t len )
01590 {
01591 #if !defined(__OpenBSD__)
01592     size_t i;
01593 
01594     if( rng_state != NULL )
01595         rng_state  = NULL;
01596 
01597     for( i = 0; i < len; ++i )
01598         output[i] = rand();
01599 #else
01600     if( rng_state != NULL )
01601         rng_state = NULL;
01602 
01603     arc4random_buf( output, len );
01604 #endif /* !OpenBSD */
01605 
01606     return( 0 );
01607 }
01608 #endif /* MBEDTLS_PKCS1_V15 */
01609 
01610 /*
01611  * Checkup routine
01612  */
01613 int mbedtls_rsa_self_test( int verbose )
01614 {
01615     int ret = 0;
01616 #if defined(MBEDTLS_PKCS1_V15)
01617     size_t len;
01618     mbedtls_rsa_context rsa;
01619     unsigned char rsa_plaintext[PT_LEN];
01620     unsigned char rsa_decrypted[PT_LEN];
01621     unsigned char rsa_ciphertext[KEY_LEN];
01622 #if defined(MBEDTLS_SHA1_C)
01623     unsigned char sha1sum[20];
01624 #endif
01625 
01626     mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
01627 
01628     rsa.len  = KEY_LEN;
01629     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N  , 16, RSA_N  ) );
01630     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E  , 16, RSA_E  ) );
01631     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D  , 16, RSA_D  ) );
01632     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P  , 16, RSA_P  ) );
01633     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q  , 16, RSA_Q  ) );
01634     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP , 16, RSA_DP ) );
01635     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ , 16, RSA_DQ ) );
01636     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP , 16, RSA_QP ) );
01637 
01638     if( verbose != 0 )
01639         mbedtls_printf( "  RSA key validation: " );
01640 
01641     if( mbedtls_rsa_check_pubkey(  &rsa ) != 0 ||
01642         mbedtls_rsa_check_privkey( &rsa ) != 0 )
01643     {
01644         if( verbose != 0 )
01645             mbedtls_printf( "failed\n" );
01646 
01647         return( 1 );
01648     }
01649 
01650     if( verbose != 0 )
01651         mbedtls_printf( "passed\n  PKCS#1 encryption : " );
01652 
01653     memcpy( rsa_plaintext, RSA_PT, PT_LEN );
01654 
01655     if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
01656                            rsa_plaintext, rsa_ciphertext ) != 0 )
01657     {
01658         if( verbose != 0 )
01659             mbedtls_printf( "failed\n" );
01660 
01661         return( 1 );
01662     }
01663 
01664     if( verbose != 0 )
01665         mbedtls_printf( "passed\n  PKCS#1 decryption : " );
01666 
01667     if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
01668                            rsa_ciphertext, rsa_decrypted,
01669                            sizeof(rsa_decrypted) ) != 0 )
01670     {
01671         if( verbose != 0 )
01672             mbedtls_printf( "failed\n" );
01673 
01674         return( 1 );
01675     }
01676 
01677     if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
01678     {
01679         if( verbose != 0 )
01680             mbedtls_printf( "failed\n" );
01681 
01682         return( 1 );
01683     }
01684 
01685     if( verbose != 0 )
01686         mbedtls_printf( "passed\n" );
01687 
01688 #if defined(MBEDTLS_SHA1_C)
01689     if( verbose != 0 )
01690         mbedtls_printf( "  PKCS#1 data sign  : " );
01691 
01692     mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
01693 
01694     if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
01695                         sha1sum, rsa_ciphertext ) != 0 )
01696     {
01697         if( verbose != 0 )
01698             mbedtls_printf( "failed\n" );
01699 
01700         return( 1 );
01701     }
01702 
01703     if( verbose != 0 )
01704         mbedtls_printf( "passed\n  PKCS#1 sig. verify: " );
01705 
01706     if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
01707                           sha1sum, rsa_ciphertext ) != 0 )
01708     {
01709         if( verbose != 0 )
01710             mbedtls_printf( "failed\n" );
01711 
01712         return( 1 );
01713     }
01714 
01715     if( verbose != 0 )
01716         mbedtls_printf( "passed\n" );
01717 #endif /* MBEDTLS_SHA1_C */
01718 
01719     if( verbose != 0 )
01720         mbedtls_printf( "\n" );
01721 
01722 cleanup:
01723     mbedtls_rsa_free( &rsa );
01724 #else /* MBEDTLS_PKCS1_V15 */
01725     ((void) verbose);
01726 #endif /* MBEDTLS_PKCS1_V15 */
01727     return( ret );
01728 }
01729 
01730 #endif /* MBEDTLS_SELF_TEST */
01731 
01732 #endif /* MBEDTLS_RSA_C */