Kenji Arai / mbed-os_TYBLE16

Dependents:   TYBLE16_simple_data_logger TYBLE16_MP3_Air

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers rsa.c Source File

rsa.c

00001 /*
00002  *  The RSA public-key cryptosystem
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 
00022 /*
00023  *  The following sources were referenced in the design of this implementation
00024  *  of the RSA algorithm:
00025  *
00026  *  [1] A method for obtaining digital signatures and public-key cryptosystems
00027  *      R Rivest, A Shamir, and L Adleman
00028  *      http://people.csail.mit.edu/rivest/pubs.html#RSA78
00029  *
00030  *  [2] Handbook of Applied Cryptography - 1997, Chapter 8
00031  *      Menezes, van Oorschot and Vanstone
00032  *
00033  *  [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
00034  *      Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
00035  *      Stefan Mangard
00036  *      https://arxiv.org/abs/1702.08719v2
00037  *
00038  */
00039 
00040 #if !defined(MBEDTLS_CONFIG_FILE)
00041 #include "mbedtls/config.h"
00042 #else
00043 #include MBEDTLS_CONFIG_FILE
00044 #endif
00045 
00046 #if defined(MBEDTLS_RSA_C)
00047 
00048 #include "mbedtls/rsa.h"
00049 #include "mbedtls/rsa_internal.h"
00050 #include "mbedtls/oid.h"
00051 #include "mbedtls/platform_util.h"
00052 
00053 #include <string.h>
00054 
00055 #if defined(MBEDTLS_PKCS1_V21)
00056 #include "mbedtls/md.h"
00057 #endif
00058 
00059 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
00060 #include <stdlib.h>
00061 #endif
00062 
00063 #if defined(MBEDTLS_PLATFORM_C)
00064 #include "mbedtls/platform.h"
00065 #else
00066 #include <stdio.h>
00067 #define mbedtls_printf printf
00068 #define mbedtls_calloc calloc
00069 #define mbedtls_free   free
00070 #endif
00071 
00072 #if !defined(MBEDTLS_RSA_ALT)
00073 
00074 /* Parameter validation macros */
00075 #define RSA_VALIDATE_RET( cond )                                       \
00076     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
00077 #define RSA_VALIDATE( cond )                                           \
00078     MBEDTLS_INTERNAL_VALIDATE( cond )
00079 
00080 #if defined(MBEDTLS_PKCS1_V15)
00081 /* constant-time buffer comparison */
00082 static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
00083 {
00084     size_t i;
00085     const unsigned char *A = (const unsigned char *) a;
00086     const unsigned char *B = (const unsigned char *) b;
00087     unsigned char diff = 0;
00088 
00089     for( i = 0; i < n; i++ )
00090         diff |= A[i] ^ B[i];
00091 
00092     return( diff );
00093 }
00094 #endif /* MBEDTLS_PKCS1_V15 */
00095 
00096 int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
00097                         const mbedtls_mpi *N,
00098                         const mbedtls_mpi *P, const mbedtls_mpi *Q,
00099                         const mbedtls_mpi *D, const mbedtls_mpi *E )
00100 {
00101     int ret;
00102     RSA_VALIDATE_RET( ctx != NULL );
00103 
00104     if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N , N ) ) != 0 ) ||
00105         ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P , P ) ) != 0 ) ||
00106         ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q , Q ) ) != 0 ) ||
00107         ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D , D ) ) != 0 ) ||
00108         ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E , E ) ) != 0 ) )
00109     {
00110         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00111     }
00112 
00113     if( N != NULL )
00114         ctx->len  = mbedtls_mpi_size( &ctx->N  );
00115 
00116     return( 0 );
00117 }
00118 
00119 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
00120                             unsigned char const *N, size_t N_len,
00121                             unsigned char const *P, size_t P_len,
00122                             unsigned char const *Q, size_t Q_len,
00123                             unsigned char const *D, size_t D_len,
00124                             unsigned char const *E, size_t E_len )
00125 {
00126     int ret = 0;
00127     RSA_VALIDATE_RET( ctx != NULL );
00128 
00129     if( N != NULL )
00130     {
00131         MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N , N, N_len ) );
00132         ctx->len  = mbedtls_mpi_size( &ctx->N  );
00133     }
00134 
00135     if( P != NULL )
00136         MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P , P, P_len ) );
00137 
00138     if( Q != NULL )
00139         MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q , Q, Q_len ) );
00140 
00141     if( D != NULL )
00142         MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D , D, D_len ) );
00143 
00144     if( E != NULL )
00145         MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E , E, E_len ) );
00146 
00147 cleanup:
00148 
00149     if( ret != 0 )
00150         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00151 
00152     return( 0 );
00153 }
00154 
00155 /*
00156  * Checks whether the context fields are set in such a way
00157  * that the RSA primitives will be able to execute without error.
00158  * It does *not* make guarantees for consistency of the parameters.
00159  */
00160 static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
00161                               int blinding_needed )
00162 {
00163 #if !defined(MBEDTLS_RSA_NO_CRT)
00164     /* blinding_needed is only used for NO_CRT to decide whether
00165      * P,Q need to be present or not. */
00166     ((void) blinding_needed);
00167 #endif
00168 
00169     if( ctx->len  != mbedtls_mpi_size( &ctx->N  ) ||
00170         ctx->len  > MBEDTLS_MPI_MAX_SIZE )
00171     {
00172         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00173     }
00174 
00175     /*
00176      * 1. Modular exponentiation needs positive, odd moduli.
00177      */
00178 
00179     /* Modular exponentiation wrt. N is always used for
00180      * RSA public key operations. */
00181     if( mbedtls_mpi_cmp_int( &ctx->N , 0 ) <= 0 ||
00182         mbedtls_mpi_get_bit( &ctx->N , 0 ) == 0  )
00183     {
00184         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00185     }
00186 
00187 #if !defined(MBEDTLS_RSA_NO_CRT)
00188     /* Modular exponentiation for P and Q is only
00189      * used for private key operations and if CRT
00190      * is used. */
00191     if( is_priv &&
00192         ( mbedtls_mpi_cmp_int( &ctx->P , 0 ) <= 0 ||
00193           mbedtls_mpi_get_bit( &ctx->P , 0 ) == 0 ||
00194           mbedtls_mpi_cmp_int( &ctx->Q , 0 ) <= 0 ||
00195           mbedtls_mpi_get_bit( &ctx->Q , 0 ) == 0  ) )
00196     {
00197         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00198     }
00199 #endif /* !MBEDTLS_RSA_NO_CRT */
00200 
00201     /*
00202      * 2. Exponents must be positive
00203      */
00204 
00205     /* Always need E for public key operations */
00206     if( mbedtls_mpi_cmp_int( &ctx->E , 0 ) <= 0 )
00207         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00208 
00209 #if defined(MBEDTLS_RSA_NO_CRT)
00210     /* For private key operations, use D or DP & DQ
00211      * as (unblinded) exponents. */
00212     if( is_priv && mbedtls_mpi_cmp_int( &ctx->D , 0 ) <= 0 )
00213         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00214 #else
00215     if( is_priv &&
00216         ( mbedtls_mpi_cmp_int( &ctx->DP , 0 ) <= 0 ||
00217           mbedtls_mpi_cmp_int( &ctx->DQ , 0 ) <= 0  ) )
00218     {
00219         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00220     }
00221 #endif /* MBEDTLS_RSA_NO_CRT */
00222 
00223     /* Blinding shouldn't make exponents negative either,
00224      * so check that P, Q >= 1 if that hasn't yet been
00225      * done as part of 1. */
00226 #if defined(MBEDTLS_RSA_NO_CRT)
00227     if( is_priv && blinding_needed &&
00228         ( mbedtls_mpi_cmp_int( &ctx->P , 0 ) <= 0 ||
00229           mbedtls_mpi_cmp_int( &ctx->Q , 0 ) <= 0 ) )
00230     {
00231         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00232     }
00233 #endif
00234 
00235     /* It wouldn't lead to an error if it wasn't satisfied,
00236      * but check for QP >= 1 nonetheless. */
00237 #if !defined(MBEDTLS_RSA_NO_CRT)
00238     if( is_priv &&
00239         mbedtls_mpi_cmp_int( &ctx->QP , 0 ) <= 0 )
00240     {
00241         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00242     }
00243 #endif
00244 
00245     return( 0 );
00246 }
00247 
00248 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
00249 {
00250     int ret = 0;
00251     int have_N, have_P, have_Q, have_D, have_E;
00252     int n_missing, pq_missing, d_missing, is_pub, is_priv;
00253 
00254     RSA_VALIDATE_RET( ctx != NULL );
00255 
00256     have_N = ( mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 );
00257     have_P = ( mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 );
00258     have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 );
00259     have_D = ( mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 );
00260     have_E = ( mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0 );
00261 
00262     /*
00263      * Check whether provided parameters are enough
00264      * to deduce all others. The following incomplete
00265      * parameter sets for private keys are supported:
00266      *
00267      * (1) P, Q missing.
00268      * (2) D and potentially N missing.
00269      *
00270      */
00271 
00272     n_missing  =              have_P &&  have_Q &&  have_D && have_E;
00273     pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
00274     d_missing  =              have_P &&  have_Q && !have_D && have_E;
00275     is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
00276 
00277     /* These three alternatives are mutually exclusive */
00278     is_priv = n_missing || pq_missing || d_missing;
00279 
00280     if( !is_priv && !is_pub )
00281         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00282 
00283     /*
00284      * Step 1: Deduce N if P, Q are provided.
00285      */
00286 
00287     if( !have_N && have_P && have_Q )
00288     {
00289         if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P ,
00290                                          &ctx->Q  ) ) != 0 )
00291         {
00292             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00293         }
00294 
00295         ctx->len  = mbedtls_mpi_size( &ctx->N  );
00296     }
00297 
00298     /*
00299      * Step 2: Deduce and verify all remaining core parameters.
00300      */
00301 
00302     if( pq_missing )
00303     {
00304         ret = mbedtls_rsa_deduce_primes( &ctx->N , &ctx->E , &ctx->D ,
00305                                          &ctx->P , &ctx->Q  );
00306         if( ret != 0 )
00307             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00308 
00309     }
00310     else if( d_missing )
00311     {
00312         if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P ,
00313                                                          &ctx->Q ,
00314                                                          &ctx->E ,
00315                                                          &ctx->D  ) ) != 0 )
00316         {
00317             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00318         }
00319     }
00320 
00321     /*
00322      * Step 3: Deduce all additional parameters specific
00323      *         to our current RSA implementation.
00324      */
00325 
00326 #if !defined(MBEDTLS_RSA_NO_CRT)
00327     if( is_priv )
00328     {
00329         ret = mbedtls_rsa_deduce_crt( &ctx->P ,  &ctx->Q ,  &ctx->D ,
00330                                       &ctx->DP , &ctx->DQ , &ctx->QP  );
00331         if( ret != 0 )
00332             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00333     }
00334 #endif /* MBEDTLS_RSA_NO_CRT */
00335 
00336     /*
00337      * Step 3: Basic sanity checks
00338      */
00339 
00340     return( rsa_check_context( ctx, is_priv, 1 ) );
00341 }
00342 
00343 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
00344                             unsigned char *N, size_t N_len,
00345                             unsigned char *P, size_t P_len,
00346                             unsigned char *Q, size_t Q_len,
00347                             unsigned char *D, size_t D_len,
00348                             unsigned char *E, size_t E_len )
00349 {
00350     int ret = 0;
00351     int is_priv;
00352     RSA_VALIDATE_RET( ctx != NULL );
00353 
00354     /* Check if key is private or public */
00355     is_priv =
00356         mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 &&
00357         mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 &&
00358         mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 &&
00359         mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 &&
00360         mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0;
00361 
00362     if( !is_priv )
00363     {
00364         /* If we're trying to export private parameters for a public key,
00365          * something must be wrong. */
00366         if( P != NULL || Q != NULL || D != NULL )
00367             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00368 
00369     }
00370 
00371     if( N != NULL )
00372         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N , N, N_len ) );
00373 
00374     if( P != NULL )
00375         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P , P, P_len ) );
00376 
00377     if( Q != NULL )
00378         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q , Q, Q_len ) );
00379 
00380     if( D != NULL )
00381         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D , D, D_len ) );
00382 
00383     if( E != NULL )
00384         MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E , E, E_len ) );
00385 
00386 cleanup:
00387 
00388     return( ret );
00389 }
00390 
00391 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
00392                         mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
00393                         mbedtls_mpi *D, mbedtls_mpi *E )
00394 {
00395     int ret;
00396     int is_priv;
00397     RSA_VALIDATE_RET( ctx != NULL );
00398 
00399     /* Check if key is private or public */
00400     is_priv =
00401         mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 &&
00402         mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 &&
00403         mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 &&
00404         mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 &&
00405         mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0;
00406 
00407     if( !is_priv )
00408     {
00409         /* If we're trying to export private parameters for a public key,
00410          * something must be wrong. */
00411         if( P != NULL || Q != NULL || D != NULL )
00412             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00413 
00414     }
00415 
00416     /* Export all requested core parameters. */
00417 
00418     if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N  ) ) != 0 ) ||
00419         ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P  ) ) != 0 ) ||
00420         ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q  ) ) != 0 ) ||
00421         ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D  ) ) != 0 ) ||
00422         ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E  ) ) != 0 ) )
00423     {
00424         return( ret );
00425     }
00426 
00427     return( 0 );
00428 }
00429 
00430 /*
00431  * Export CRT parameters
00432  * This must also be implemented if CRT is not used, for being able to
00433  * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
00434  * can be used in this case.
00435  */
00436 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
00437                             mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
00438 {
00439     int ret;
00440     int is_priv;
00441     RSA_VALIDATE_RET( ctx != NULL );
00442 
00443     /* Check if key is private or public */
00444     is_priv =
00445         mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 &&
00446         mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 &&
00447         mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 &&
00448         mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 &&
00449         mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0;
00450 
00451     if( !is_priv )
00452         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00453 
00454 #if !defined(MBEDTLS_RSA_NO_CRT)
00455     /* Export all requested blinding parameters. */
00456     if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP  ) ) != 0 ) ||
00457         ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ  ) ) != 0 ) ||
00458         ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP  ) ) != 0 ) )
00459     {
00460         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00461     }
00462 #else
00463     if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P , &ctx->Q , &ctx->D ,
00464                                         DP, DQ, QP ) ) != 0 )
00465     {
00466         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
00467     }
00468 #endif
00469 
00470     return( 0 );
00471 }
00472 
00473 /*
00474  * Initialize an RSA context
00475  */
00476 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
00477                int padding,
00478                int hash_id )
00479 {
00480     RSA_VALIDATE( ctx != NULL );
00481     RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
00482                   padding == MBEDTLS_RSA_PKCS_V21 );
00483 
00484     memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
00485 
00486     mbedtls_rsa_set_padding( ctx, padding, hash_id );
00487 
00488 #if defined(MBEDTLS_THREADING_C)
00489     mbedtls_mutex_init( &ctx->mutex  );
00490 #endif
00491 }
00492 
00493 /*
00494  * Set padding for an existing RSA context
00495  */
00496 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
00497                               int hash_id )
00498 {
00499     RSA_VALIDATE( ctx != NULL );
00500     RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
00501                   padding == MBEDTLS_RSA_PKCS_V21 );
00502 
00503     ctx->padding  = padding;
00504     ctx->hash_id  = hash_id;
00505 }
00506 
00507 /*
00508  * Get length in bytes of RSA modulus
00509  */
00510 
00511 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
00512 {
00513     return( ctx->len  );
00514 }
00515 
00516 
00517 #if defined(MBEDTLS_GENPRIME)
00518 
00519 /*
00520  * Generate an RSA keypair
00521  *
00522  * This generation method follows the RSA key pair generation procedure of
00523  * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
00524  */
00525 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
00526                  int (*f_rng)(void *, unsigned char *, size_t),
00527                  void *p_rng,
00528                  unsigned int nbits, int exponent )
00529 {
00530     int ret;
00531     mbedtls_mpi H, G, L;
00532     int prime_quality = 0;
00533     RSA_VALIDATE_RET( ctx != NULL );
00534     RSA_VALIDATE_RET( f_rng != NULL );
00535 
00536     if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
00537         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00538 
00539     /*
00540      * If the modulus is 1024 bit long or shorter, then the security strength of
00541      * the RSA algorithm is less than or equal to 80 bits and therefore an error
00542      * rate of 2^-80 is sufficient.
00543      */
00544     if( nbits > 1024 )
00545         prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
00546 
00547     mbedtls_mpi_init( &H );
00548     mbedtls_mpi_init( &G );
00549     mbedtls_mpi_init( &L );
00550 
00551     /*
00552      * find primes P and Q with Q < P so that:
00553      * 1.  |P-Q| > 2^( nbits / 2 - 100 )
00554      * 2.  GCD( E, (P-1)*(Q-1) ) == 1
00555      * 3.  E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
00556      */
00557     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E , exponent ) );
00558 
00559     do
00560     {
00561         MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P , nbits >> 1,
00562                                                 prime_quality, f_rng, p_rng ) );
00563 
00564         MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , nbits >> 1,
00565                                                 prime_quality, f_rng, p_rng ) );
00566 
00567         /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
00568         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P , &ctx->Q  ) );
00569         if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
00570             continue;
00571 
00572         /* not required by any standards, but some users rely on the fact that P > Q */
00573         if( H.s  < 0 )
00574             mbedtls_mpi_swap( &ctx->P , &ctx->Q  );
00575 
00576         /* Temporarily replace P,Q by P-1, Q-1 */
00577         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P , &ctx->P , 1 ) );
00578         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q , &ctx->Q , 1 ) );
00579         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P , &ctx->Q  ) );
00580 
00581         /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
00582         MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H  ) );
00583         if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
00584             continue;
00585 
00586         /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
00587         MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P , &ctx->Q  ) );
00588         MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
00589         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E , &L ) );
00590 
00591         if( mbedtls_mpi_bitlen( &ctx->D  ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
00592             continue;
00593 
00594         break;
00595     }
00596     while( 1 );
00597 
00598     /* Restore P,Q */
00599     MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P ,  &ctx->P , 1 ) );
00600     MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q ,  &ctx->Q , 1 ) );
00601 
00602     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q  ) );
00603 
00604     ctx->len  = mbedtls_mpi_size( &ctx->N  );
00605 
00606 #if !defined(MBEDTLS_RSA_NO_CRT)
00607     /*
00608      * DP = D mod (P - 1)
00609      * DQ = D mod (Q - 1)
00610      * QP = Q^-1 mod P
00611      */
00612     MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P , &ctx->Q , &ctx->D ,
00613                                              &ctx->DP , &ctx->DQ , &ctx->QP  ) );
00614 #endif /* MBEDTLS_RSA_NO_CRT */
00615 
00616     /* Double-check */
00617     MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
00618 
00619 cleanup:
00620 
00621     mbedtls_mpi_free( &H );
00622     mbedtls_mpi_free( &G );
00623     mbedtls_mpi_free( &L );
00624 
00625     if( ret != 0 )
00626     {
00627         mbedtls_rsa_free( ctx );
00628         return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
00629     }
00630 
00631     return( 0 );
00632 }
00633 
00634 #endif /* MBEDTLS_GENPRIME */
00635 
00636 /*
00637  * Check a public RSA key
00638  */
00639 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
00640 {
00641     RSA_VALIDATE_RET( ctx != NULL );
00642 
00643     if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
00644         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00645 
00646     if( mbedtls_mpi_bitlen( &ctx->N  ) < 128 )
00647     {
00648         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00649     }
00650 
00651     if( mbedtls_mpi_get_bit( &ctx->E , 0 ) == 0 ||
00652         mbedtls_mpi_bitlen( &ctx->E  )     < 2  ||
00653         mbedtls_mpi_cmp_mpi( &ctx->E , &ctx->N  ) >= 0 )
00654     {
00655         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00656     }
00657 
00658     return( 0 );
00659 }
00660 
00661 /*
00662  * Check for the consistency of all fields in an RSA private key context
00663  */
00664 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
00665 {
00666     RSA_VALIDATE_RET( ctx != NULL );
00667 
00668     if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
00669         rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
00670     {
00671         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00672     }
00673 
00674     if( mbedtls_rsa_validate_params( &ctx->N , &ctx->P , &ctx->Q ,
00675                                      &ctx->D , &ctx->E , NULL, NULL ) != 0 )
00676     {
00677         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00678     }
00679 
00680 #if !defined(MBEDTLS_RSA_NO_CRT)
00681     else if( mbedtls_rsa_validate_crt( &ctx->P , &ctx->Q , &ctx->D ,
00682                                        &ctx->DP , &ctx->DQ , &ctx->QP  ) != 0 )
00683     {
00684         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00685     }
00686 #endif
00687 
00688     return( 0 );
00689 }
00690 
00691 /*
00692  * Check if contexts holding a public and private key match
00693  */
00694 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
00695                                 const mbedtls_rsa_context *prv )
00696 {
00697     RSA_VALIDATE_RET( pub != NULL );
00698     RSA_VALIDATE_RET( prv != NULL );
00699 
00700     if( mbedtls_rsa_check_pubkey( pub )  != 0 ||
00701         mbedtls_rsa_check_privkey( prv ) != 0 )
00702     {
00703         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00704     }
00705 
00706     if( mbedtls_mpi_cmp_mpi( &pub->N , &prv->N  ) != 0 ||
00707         mbedtls_mpi_cmp_mpi( &pub->E , &prv->E  ) != 0 )
00708     {
00709         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
00710     }
00711 
00712     return( 0 );
00713 }
00714 
00715 /*
00716  * Do an RSA public key operation
00717  */
00718 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
00719                 const unsigned char *input,
00720                 unsigned char *output )
00721 {
00722     int ret;
00723     size_t olen;
00724     mbedtls_mpi T;
00725     RSA_VALIDATE_RET( ctx != NULL );
00726     RSA_VALIDATE_RET( input != NULL );
00727     RSA_VALIDATE_RET( output != NULL );
00728 
00729     if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
00730         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00731 
00732     mbedtls_mpi_init( &T );
00733 
00734 #if defined(MBEDTLS_THREADING_C)
00735     if( ( ret = mbedtls_mutex_lock( &ctx->mutex  ) ) != 0 )
00736         return( ret );
00737 #endif
00738 
00739     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len  ) );
00740 
00741     if( mbedtls_mpi_cmp_mpi( &T, &ctx->N  ) >= 0 )
00742     {
00743         ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
00744         goto cleanup;
00745     }
00746 
00747     olen = ctx->len ;
00748     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN  ) );
00749     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
00750 
00751 cleanup:
00752 #if defined(MBEDTLS_THREADING_C)
00753     if( mbedtls_mutex_unlock( &ctx->mutex  ) != 0 )
00754         return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
00755 #endif
00756 
00757     mbedtls_mpi_free( &T );
00758 
00759     if( ret != 0 )
00760         return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
00761 
00762     return( 0 );
00763 }
00764 
00765 /*
00766  * Generate or update blinding values, see section 10 of:
00767  *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
00768  *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
00769  *  Berlin Heidelberg, 1996. p. 104-113.
00770  */
00771 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
00772                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
00773 {
00774     int ret, count = 0;
00775 
00776     if( ctx->Vf .p  != NULL )
00777     {
00778         /* We already have blinding values, just update them by squaring */
00779         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi  ) );
00780         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N  ) );
00781         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf  ) );
00782         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N  ) );
00783 
00784         goto cleanup;
00785     }
00786 
00787     /* Unblinding value: Vf = random number, invertible mod N */
00788     do {
00789         if( count++ > 10 )
00790             return( MBEDTLS_ERR_RSA_RNG_FAILED );
00791 
00792         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf , ctx->len  - 1, f_rng, p_rng ) );
00793         MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N  ) );
00794     } while( mbedtls_mpi_cmp_int( &ctx->Vi , 1 ) != 0 );
00795 
00796     /* Blinding value: Vi =  Vf^(-e) mod N */
00797     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N  ) );
00798     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN  ) );
00799 
00800 
00801 cleanup:
00802     return( ret );
00803 }
00804 
00805 /*
00806  * Exponent blinding supposed to prevent side-channel attacks using multiple
00807  * traces of measurements to recover the RSA key. The more collisions are there,
00808  * the more bits of the key can be recovered. See [3].
00809  *
00810  * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
00811  * observations on avarage.
00812  *
00813  * For example with 28 byte blinding to achieve 2 collisions the adversary has
00814  * to make 2^112 observations on avarage.
00815  *
00816  * (With the currently (as of 2017 April) known best algorithms breaking 2048
00817  * bit RSA requires approximately as much time as trying out 2^112 random keys.
00818  * Thus in this sense with 28 byte blinding the security is not reduced by
00819  * side-channel attacks like the one in [3])
00820  *
00821  * This countermeasure does not help if the key recovery is possible with a
00822  * single trace.
00823  */
00824 #define RSA_EXPONENT_BLINDING 28
00825 
00826 /*
00827  * Do an RSA private key operation
00828  */
00829 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
00830                  int (*f_rng)(void *, unsigned char *, size_t),
00831                  void *p_rng,
00832                  const unsigned char *input,
00833                  unsigned char *output )
00834 {
00835     int ret;
00836     size_t olen;
00837 
00838     /* Temporary holding the result */
00839     mbedtls_mpi T;
00840 
00841     /* Temporaries holding P-1, Q-1 and the
00842      * exponent blinding factor, respectively. */
00843     mbedtls_mpi P1, Q1, R;
00844 
00845 #if !defined(MBEDTLS_RSA_NO_CRT)
00846     /* Temporaries holding the results mod p resp. mod q. */
00847     mbedtls_mpi TP, TQ;
00848 
00849     /* Temporaries holding the blinded exponents for
00850      * the mod p resp. mod q computation (if used). */
00851     mbedtls_mpi DP_blind, DQ_blind;
00852 
00853     /* Pointers to actual exponents to be used - either the unblinded
00854      * or the blinded ones, depending on the presence of a PRNG. */
00855     mbedtls_mpi *DP = &ctx->DP ;
00856     mbedtls_mpi *DQ = &ctx->DQ ;
00857 #else
00858     /* Temporary holding the blinded exponent (if used). */
00859     mbedtls_mpi D_blind;
00860 
00861     /* Pointer to actual exponent to be used - either the unblinded
00862      * or the blinded one, depending on the presence of a PRNG. */
00863     mbedtls_mpi *D = &ctx->D ;
00864 #endif /* MBEDTLS_RSA_NO_CRT */
00865 
00866     /* Temporaries holding the initial input and the double
00867      * checked result; should be the same in the end. */
00868     mbedtls_mpi I, C;
00869 
00870     RSA_VALIDATE_RET( ctx != NULL );
00871     RSA_VALIDATE_RET( input  != NULL );
00872     RSA_VALIDATE_RET( output != NULL );
00873 
00874     if( rsa_check_context( ctx, 1             /* private key checks */,
00875                                 f_rng != NULL /* blinding y/n       */ ) != 0 )
00876     {
00877         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
00878     }
00879 
00880 #if defined(MBEDTLS_THREADING_C)
00881     if( ( ret = mbedtls_mutex_lock( &ctx->mutex  ) ) != 0 )
00882         return( ret );
00883 #endif
00884 
00885     /* MPI Initialization */
00886     mbedtls_mpi_init( &T );
00887 
00888     mbedtls_mpi_init( &P1 );
00889     mbedtls_mpi_init( &Q1 );
00890     mbedtls_mpi_init( &R );
00891 
00892     if( f_rng != NULL )
00893     {
00894 #if defined(MBEDTLS_RSA_NO_CRT)
00895         mbedtls_mpi_init( &D_blind );
00896 #else
00897         mbedtls_mpi_init( &DP_blind );
00898         mbedtls_mpi_init( &DQ_blind );
00899 #endif
00900     }
00901 
00902 #if !defined(MBEDTLS_RSA_NO_CRT)
00903     mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
00904 #endif
00905 
00906     mbedtls_mpi_init( &I );
00907     mbedtls_mpi_init( &C );
00908 
00909     /* End of MPI initialization */
00910 
00911     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len  ) );
00912     if( mbedtls_mpi_cmp_mpi( &T, &ctx->N  ) >= 0 )
00913     {
00914         ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
00915         goto cleanup;
00916     }
00917 
00918     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
00919 
00920     if( f_rng != NULL )
00921     {
00922         /*
00923          * Blinding
00924          * T = T * Vi mod N
00925          */
00926         MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
00927         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi  ) );
00928         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N  ) );
00929 
00930         /*
00931          * Exponent blinding
00932          */
00933         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) );
00934         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) );
00935 
00936 #if defined(MBEDTLS_RSA_NO_CRT)
00937         /*
00938          * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
00939          */
00940         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
00941                          f_rng, p_rng ) );
00942         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
00943         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
00944         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D  ) );
00945 
00946         D = &D_blind;
00947 #else
00948         /*
00949          * DP_blind = ( P - 1 ) * R + DP
00950          */
00951         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
00952                          f_rng, p_rng ) );
00953         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
00954         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
00955                     &ctx->DP  ) );
00956 
00957         DP = &DP_blind;
00958 
00959         /*
00960          * DQ_blind = ( Q - 1 ) * R + DQ
00961          */
00962         MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
00963                          f_rng, p_rng ) );
00964         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
00965         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
00966                     &ctx->DQ  ) );
00967 
00968         DQ = &DQ_blind;
00969 #endif /* MBEDTLS_RSA_NO_CRT */
00970     }
00971 
00972 #if defined(MBEDTLS_RSA_NO_CRT)
00973     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N , &ctx->RN  ) );
00974 #else
00975     /*
00976      * Faster decryption using the CRT
00977      *
00978      * TP = input ^ dP mod P
00979      * TQ = input ^ dQ mod Q
00980      */
00981 
00982     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P , &ctx->RP  ) );
00983     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q , &ctx->RQ  ) );
00984 
00985     /*
00986      * T = (TP - TQ) * (Q^-1 mod P) mod P
00987      */
00988     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
00989     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP  ) );
00990     MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P  ) );
00991 
00992     /*
00993      * T = TQ + T * Q
00994      */
00995     MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q  ) );
00996     MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
00997 #endif /* MBEDTLS_RSA_NO_CRT */
00998 
00999     if( f_rng != NULL )
01000     {
01001         /*
01002          * Unblind
01003          * T = T * Vf mod N
01004          */
01005         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf  ) );
01006         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N  ) );
01007     }
01008 
01009     /* Verify the result to prevent glitching attacks. */
01010     MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E ,
01011                                           &ctx->N , &ctx->RN  ) );
01012     if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
01013     {
01014         ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
01015         goto cleanup;
01016     }
01017 
01018     olen = ctx->len ;
01019     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
01020 
01021 cleanup:
01022 #if defined(MBEDTLS_THREADING_C)
01023     if( mbedtls_mutex_unlock( &ctx->mutex  ) != 0 )
01024         return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
01025 #endif
01026 
01027     mbedtls_mpi_free( &P1 );
01028     mbedtls_mpi_free( &Q1 );
01029     mbedtls_mpi_free( &R );
01030 
01031     if( f_rng != NULL )
01032     {
01033 #if defined(MBEDTLS_RSA_NO_CRT)
01034         mbedtls_mpi_free( &D_blind );
01035 #else
01036         mbedtls_mpi_free( &DP_blind );
01037         mbedtls_mpi_free( &DQ_blind );
01038 #endif
01039     }
01040 
01041     mbedtls_mpi_free( &T );
01042 
01043 #if !defined(MBEDTLS_RSA_NO_CRT)
01044     mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
01045 #endif
01046 
01047     mbedtls_mpi_free( &C );
01048     mbedtls_mpi_free( &I );
01049 
01050     if( ret != 0 )
01051         return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
01052 
01053     return( 0 );
01054 }
01055 
01056 #if defined(MBEDTLS_PKCS1_V21)
01057 /**
01058  * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
01059  *
01060  * \param dst       buffer to mask
01061  * \param dlen      length of destination buffer
01062  * \param src       source of the mask generation
01063  * \param slen      length of the source buffer
01064  * \param md_ctx    message digest context to use
01065  */
01066 static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
01067                       size_t slen, mbedtls_md_context_t *md_ctx )
01068 {
01069     unsigned char mask[MBEDTLS_MD_MAX_SIZE];
01070     unsigned char counter[4];
01071     unsigned char *p;
01072     unsigned int hlen;
01073     size_t i, use_len;
01074     int ret = 0;
01075 
01076     memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
01077     memset( counter, 0, 4 );
01078 
01079     hlen = mbedtls_md_get_size( md_ctx->md_info );
01080 
01081     /* Generate and apply dbMask */
01082     p = dst;
01083 
01084     while( dlen > 0 )
01085     {
01086         use_len = hlen;
01087         if( dlen < hlen )
01088             use_len = dlen;
01089 
01090         if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
01091             goto exit;
01092         if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
01093             goto exit;
01094         if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
01095             goto exit;
01096         if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
01097             goto exit;
01098 
01099         for( i = 0; i < use_len; ++i )
01100             *p++ ^= mask[i];
01101 
01102         counter[3]++;
01103 
01104         dlen -= use_len;
01105     }
01106 
01107 exit:
01108     mbedtls_platform_zeroize( mask, sizeof( mask ) );
01109 
01110     return( ret );
01111 }
01112 #endif /* MBEDTLS_PKCS1_V21 */
01113 
01114 #if defined(MBEDTLS_PKCS1_V21)
01115 /*
01116  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
01117  */
01118 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
01119                             int (*f_rng)(void *, unsigned char *, size_t),
01120                             void *p_rng,
01121                             int mode,
01122                             const unsigned char *label, size_t label_len,
01123                             size_t ilen,
01124                             const unsigned char *input,
01125                             unsigned char *output )
01126 {
01127     size_t olen;
01128     int ret;
01129     unsigned char *p = output;
01130     unsigned int hlen;
01131     const mbedtls_md_info_t *md_info;
01132     mbedtls_md_context_t md_ctx;
01133 
01134     RSA_VALIDATE_RET( ctx != NULL );
01135     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
01136                       mode == MBEDTLS_RSA_PUBLIC );
01137     RSA_VALIDATE_RET( output != NULL );
01138     RSA_VALIDATE_RET( ilen == 0 || input != NULL );
01139     RSA_VALIDATE_RET( label_len == 0 || label != NULL );
01140 
01141     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
01142         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01143 
01144     if( f_rng == NULL )
01145         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01146 
01147     md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id  );
01148     if( md_info == NULL )
01149         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01150 
01151     olen = ctx->len ;
01152     hlen = mbedtls_md_get_size( md_info );
01153 
01154     /* first comparison checks for overflow */
01155     if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
01156         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01157 
01158     memset( output, 0, olen );
01159 
01160     *p++ = 0;
01161 
01162     /* Generate a random octet string seed */
01163     if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
01164         return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
01165 
01166     p += hlen;
01167 
01168     /* Construct DB */
01169     if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
01170         return( ret );
01171     p += hlen;
01172     p += olen - 2 * hlen - 2 - ilen;
01173     *p++ = 1;
01174     if( ilen != 0 )
01175         memcpy( p, input, ilen );
01176 
01177     mbedtls_md_init( &md_ctx );
01178     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
01179         goto exit;
01180 
01181     /* maskedDB: Apply dbMask to DB */
01182     if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
01183                           &md_ctx ) ) != 0 )
01184         goto exit;
01185 
01186     /* maskedSeed: Apply seedMask to seed */
01187     if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
01188                           &md_ctx ) ) != 0 )
01189         goto exit;
01190 
01191 exit:
01192     mbedtls_md_free( &md_ctx );
01193 
01194     if( ret != 0 )
01195         return( ret );
01196 
01197     return( ( mode == MBEDTLS_RSA_PUBLIC )
01198             ? mbedtls_rsa_public(  ctx, output, output )
01199             : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
01200 }
01201 #endif /* MBEDTLS_PKCS1_V21 */
01202 
01203 #if defined(MBEDTLS_PKCS1_V15)
01204 /*
01205  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
01206  */
01207 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
01208                                  int (*f_rng)(void *, unsigned char *, size_t),
01209                                  void *p_rng,
01210                                  int mode, size_t ilen,
01211                                  const unsigned char *input,
01212                                  unsigned char *output )
01213 {
01214     size_t nb_pad, olen;
01215     int ret;
01216     unsigned char *p = output;
01217 
01218     RSA_VALIDATE_RET( ctx != NULL );
01219     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
01220                       mode == MBEDTLS_RSA_PUBLIC );
01221     RSA_VALIDATE_RET( output != NULL );
01222     RSA_VALIDATE_RET( ilen == 0 || input != NULL );
01223 
01224     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
01225         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01226 
01227     olen = ctx->len ;
01228 
01229     /* first comparison checks for overflow */
01230     if( ilen + 11 < ilen || olen < ilen + 11 )
01231         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01232 
01233     nb_pad = olen - 3 - ilen;
01234 
01235     *p++ = 0;
01236     if( mode == MBEDTLS_RSA_PUBLIC )
01237     {
01238         if( f_rng == NULL )
01239             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01240 
01241         *p++ = MBEDTLS_RSA_CRYPT;
01242 
01243         while( nb_pad-- > 0 )
01244         {
01245             int rng_dl = 100;
01246 
01247             do {
01248                 ret = f_rng( p_rng, p, 1 );
01249             } while( *p == 0 && --rng_dl && ret == 0 );
01250 
01251             /* Check if RNG failed to generate data */
01252             if( rng_dl == 0 || ret != 0 )
01253                 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
01254 
01255             p++;
01256         }
01257     }
01258     else
01259     {
01260         *p++ = MBEDTLS_RSA_SIGN;
01261 
01262         while( nb_pad-- > 0 )
01263             *p++ = 0xFF;
01264     }
01265 
01266     *p++ = 0;
01267     if( ilen != 0 )
01268         memcpy( p, input, ilen );
01269 
01270     return( ( mode == MBEDTLS_RSA_PUBLIC )
01271             ? mbedtls_rsa_public(  ctx, output, output )
01272             : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
01273 }
01274 #endif /* MBEDTLS_PKCS1_V15 */
01275 
01276 /*
01277  * Add the message padding, then do an RSA operation
01278  */
01279 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
01280                        int (*f_rng)(void *, unsigned char *, size_t),
01281                        void *p_rng,
01282                        int mode, size_t ilen,
01283                        const unsigned char *input,
01284                        unsigned char *output )
01285 {
01286     RSA_VALIDATE_RET( ctx != NULL );
01287     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
01288                       mode == MBEDTLS_RSA_PUBLIC );
01289     RSA_VALIDATE_RET( output != NULL );
01290     RSA_VALIDATE_RET( ilen == 0 || input != NULL );
01291 
01292     switch( ctx->padding  )
01293     {
01294 #if defined(MBEDTLS_PKCS1_V15)
01295         case MBEDTLS_RSA_PKCS_V15:
01296             return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
01297                                                 input, output );
01298 #endif
01299 
01300 #if defined(MBEDTLS_PKCS1_V21)
01301         case MBEDTLS_RSA_PKCS_V21:
01302             return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
01303                                            ilen, input, output );
01304 #endif
01305 
01306         default:
01307             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01308     }
01309 }
01310 
01311 #if defined(MBEDTLS_PKCS1_V21)
01312 /*
01313  * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
01314  */
01315 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
01316                             int (*f_rng)(void *, unsigned char *, size_t),
01317                             void *p_rng,
01318                             int mode,
01319                             const unsigned char *label, size_t label_len,
01320                             size_t *olen,
01321                             const unsigned char *input,
01322                             unsigned char *output,
01323                             size_t output_max_len )
01324 {
01325     int ret;
01326     size_t ilen, i, pad_len;
01327     unsigned char *p, bad, pad_done;
01328     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
01329     unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
01330     unsigned int hlen;
01331     const mbedtls_md_info_t *md_info;
01332     mbedtls_md_context_t md_ctx;
01333 
01334     RSA_VALIDATE_RET( ctx != NULL );
01335     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
01336                       mode == MBEDTLS_RSA_PUBLIC );
01337     RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
01338     RSA_VALIDATE_RET( label_len == 0 || label != NULL );
01339     RSA_VALIDATE_RET( input != NULL );
01340     RSA_VALIDATE_RET( olen != NULL );
01341 
01342     /*
01343      * Parameters sanity checks
01344      */
01345     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
01346         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01347 
01348     ilen = ctx->len ;
01349 
01350     if( ilen < 16 || ilen > sizeof( buf ) )
01351         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01352 
01353     md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id  );
01354     if( md_info == NULL )
01355         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01356 
01357     hlen = mbedtls_md_get_size( md_info );
01358 
01359     // checking for integer underflow
01360     if( 2 * hlen + 2 > ilen )
01361         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01362 
01363     /*
01364      * RSA operation
01365      */
01366     ret = ( mode == MBEDTLS_RSA_PUBLIC )
01367           ? mbedtls_rsa_public(  ctx, input, buf )
01368           : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
01369 
01370     if( ret != 0 )
01371         goto cleanup;
01372 
01373     /*
01374      * Unmask data and generate lHash
01375      */
01376     mbedtls_md_init( &md_ctx );
01377     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
01378     {
01379         mbedtls_md_free( &md_ctx );
01380         goto cleanup;
01381     }
01382 
01383     /* seed: Apply seedMask to maskedSeed */
01384     if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
01385                           &md_ctx ) ) != 0 ||
01386     /* DB: Apply dbMask to maskedDB */
01387         ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
01388                           &md_ctx ) ) != 0 )
01389     {
01390         mbedtls_md_free( &md_ctx );
01391         goto cleanup;
01392     }
01393 
01394     mbedtls_md_free( &md_ctx );
01395 
01396     /* Generate lHash */
01397     if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
01398         goto cleanup;
01399 
01400     /*
01401      * Check contents, in "constant-time"
01402      */
01403     p = buf;
01404     bad = 0;
01405 
01406     bad |= *p++; /* First byte must be 0 */
01407 
01408     p += hlen; /* Skip seed */
01409 
01410     /* Check lHash */
01411     for( i = 0; i < hlen; i++ )
01412         bad |= lhash[i] ^ *p++;
01413 
01414     /* Get zero-padding len, but always read till end of buffer
01415      * (minus one, for the 01 byte) */
01416     pad_len = 0;
01417     pad_done = 0;
01418     for( i = 0; i < ilen - 2 * hlen - 2; i++ )
01419     {
01420         pad_done |= p[i];
01421         pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
01422     }
01423 
01424     p += pad_len;
01425     bad |= *p++ ^ 0x01;
01426 
01427     /*
01428      * The only information "leaked" is whether the padding was correct or not
01429      * (eg, no data is copied if it was not correct). This meets the
01430      * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
01431      * the different error conditions.
01432      */
01433     if( bad != 0 )
01434     {
01435         ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
01436         goto cleanup;
01437     }
01438 
01439     if( ilen - ( p - buf ) > output_max_len )
01440     {
01441         ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
01442         goto cleanup;
01443     }
01444 
01445     *olen = ilen - (p - buf);
01446     if( *olen != 0 )
01447         memcpy( output, p, *olen );
01448     ret = 0;
01449 
01450 cleanup:
01451     mbedtls_platform_zeroize( buf, sizeof( buf ) );
01452     mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
01453 
01454     return( ret );
01455 }
01456 #endif /* MBEDTLS_PKCS1_V21 */
01457 
01458 #if defined(MBEDTLS_PKCS1_V15)
01459 /** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.
01460  *
01461  * \param value     The value to analyze.
01462  * \return          Zero if \p value is zero, otherwise all-bits-one.
01463  */
01464 static unsigned all_or_nothing_int( unsigned value )
01465 {
01466     /* MSVC has a warning about unary minus on unsigned, but this is
01467      * well-defined and precisely what we want to do here */
01468 #if defined(_MSC_VER)
01469 #pragma warning( push )
01470 #pragma warning( disable : 4146 )
01471 #endif
01472     return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
01473 #if defined(_MSC_VER)
01474 #pragma warning( pop )
01475 #endif
01476 }
01477 
01478 /** Check whether a size is out of bounds, without branches.
01479  *
01480  * This is equivalent to `size > max`, but is likely to be compiled to
01481  * to code using bitwise operation rather than a branch.
01482  *
01483  * \param size      Size to check.
01484  * \param max       Maximum desired value for \p size.
01485  * \return          \c 0 if `size <= max`.
01486  * \return          \c 1 if `size > max`.
01487  */
01488 static unsigned size_greater_than( size_t size, size_t max )
01489 {
01490     /* Return the sign bit (1 for negative) of (max - size). */
01491     return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
01492 }
01493 
01494 /** Choose between two integer values, without branches.
01495  *
01496  * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled
01497  * to code using bitwise operation rather than a branch.
01498  *
01499  * \param cond      Condition to test.
01500  * \param if1       Value to use if \p cond is nonzero.
01501  * \param if0       Value to use if \p cond is zero.
01502  * \return          \c if1 if \p cond is nonzero, otherwise \c if0.
01503  */
01504 static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
01505 {
01506     unsigned mask = all_or_nothing_int( cond );
01507     return( ( mask & if1 ) | (~mask & if0 ) );
01508 }
01509 
01510 /** Shift some data towards the left inside a buffer without leaking
01511  * the length of the data through side channels.
01512  *
01513  * `mem_move_to_left(start, total, offset)` is functionally equivalent to
01514  * ```
01515  * memmove(start, start + offset, total - offset);
01516  * memset(start + offset, 0, total - offset);
01517  * ```
01518  * but it strives to use a memory access pattern (and thus total timing)
01519  * that does not depend on \p offset. This timing independence comes at
01520  * the expense of performance.
01521  *
01522  * \param start     Pointer to the start of the buffer.
01523  * \param total     Total size of the buffer.
01524  * \param offset    Offset from which to copy \p total - \p offset bytes.
01525  */
01526 static void mem_move_to_left( void *start,
01527                               size_t total,
01528                               size_t offset )
01529 {
01530     volatile unsigned char *buf = start;
01531     size_t i, n;
01532     if( total == 0 )
01533         return;
01534     for( i = 0; i < total; i++ )
01535     {
01536         unsigned no_op = size_greater_than( total - offset, i );
01537         /* The first `total - offset` passes are a no-op. The last
01538          * `offset` passes shift the data one byte to the left and
01539          * zero out the last byte. */
01540         for( n = 0; n < total - 1; n++ )
01541         {
01542             unsigned char current = buf[n];
01543             unsigned char next = buf[n+1];
01544             buf[n] = if_int( no_op, current, next );
01545         }
01546         buf[total-1] = if_int( no_op, buf[total-1], 0 );
01547     }
01548 }
01549 
01550 /*
01551  * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
01552  */
01553 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
01554                                  int (*f_rng)(void *, unsigned char *, size_t),
01555                                  void *p_rng,
01556                                  int mode, size_t *olen,
01557                                  const unsigned char *input,
01558                                  unsigned char *output,
01559                                  size_t output_max_len )
01560 {
01561     int ret;
01562     size_t ilen, i, plaintext_max_size;
01563     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
01564     /* The following variables take sensitive values: their value must
01565      * not leak into the observable behavior of the function other than
01566      * the designated outputs (output, olen, return value). Otherwise
01567      * this would open the execution of the function to
01568      * side-channel-based variants of the Bleichenbacher padding oracle
01569      * attack. Potential side channels include overall timing, memory
01570      * access patterns (especially visible to an adversary who has access
01571      * to a shared memory cache), and branches (especially visible to
01572      * an adversary who has access to a shared code cache or to a shared
01573      * branch predictor). */
01574     size_t pad_count = 0;
01575     unsigned bad = 0;
01576     unsigned char pad_done = 0;
01577     size_t plaintext_size = 0;
01578     unsigned output_too_large;
01579 
01580     RSA_VALIDATE_RET( ctx != NULL );
01581     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
01582                       mode == MBEDTLS_RSA_PUBLIC );
01583     RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
01584     RSA_VALIDATE_RET( input != NULL );
01585     RSA_VALIDATE_RET( olen != NULL );
01586 
01587     ilen = ctx->len ;
01588     plaintext_max_size = ( output_max_len > ilen - 11 ?
01589                            ilen - 11 :
01590                            output_max_len );
01591 
01592     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
01593         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01594 
01595     if( ilen < 16 || ilen > sizeof( buf ) )
01596         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01597 
01598     ret = ( mode == MBEDTLS_RSA_PUBLIC )
01599           ? mbedtls_rsa_public(  ctx, input, buf )
01600           : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
01601 
01602     if( ret != 0 )
01603         goto cleanup;
01604 
01605     /* Check and get padding length in constant time and constant
01606      * memory trace. The first byte must be 0. */
01607     bad |= buf[0];
01608 
01609     if( mode == MBEDTLS_RSA_PRIVATE )
01610     {
01611         /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
01612          * where PS must be at least 8 nonzero bytes. */
01613         bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
01614 
01615         /* Read the whole buffer. Set pad_done to nonzero if we find
01616          * the 0x00 byte and remember the padding length in pad_count. */
01617         for( i = 2; i < ilen; i++ )
01618         {
01619             pad_done  |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
01620             pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
01621         }
01622     }
01623     else
01624     {
01625         /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
01626          * where PS must be at least 8 bytes with the value 0xFF. */
01627         bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
01628 
01629         /* Read the whole buffer. Set pad_done to nonzero if we find
01630          * the 0x00 byte and remember the padding length in pad_count.
01631          * If there's a non-0xff byte in the padding, the padding is bad. */
01632         for( i = 2; i < ilen; i++ )
01633         {
01634             pad_done |= if_int( buf[i], 0, 1 );
01635             pad_count += if_int( pad_done, 0, 1 );
01636             bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
01637         }
01638     }
01639 
01640     /* If pad_done is still zero, there's no data, only unfinished padding. */
01641     bad |= if_int( pad_done, 0, 1 );
01642 
01643     /* There must be at least 8 bytes of padding. */
01644     bad |= size_greater_than( 8, pad_count );
01645 
01646     /* If the padding is valid, set plaintext_size to the number of
01647      * remaining bytes after stripping the padding. If the padding
01648      * is invalid, avoid leaking this fact through the size of the
01649      * output: use the maximum message size that fits in the output
01650      * buffer. Do it without branches to avoid leaking the padding
01651      * validity through timing. RSA keys are small enough that all the
01652      * size_t values involved fit in unsigned int. */
01653     plaintext_size = if_int( bad,
01654                              (unsigned) plaintext_max_size,
01655                              (unsigned) ( ilen - pad_count - 3 ) );
01656 
01657     /* Set output_too_large to 0 if the plaintext fits in the output
01658      * buffer and to 1 otherwise. */
01659     output_too_large = size_greater_than( plaintext_size,
01660                                           plaintext_max_size );
01661 
01662     /* Set ret without branches to avoid timing attacks. Return:
01663      * - INVALID_PADDING if the padding is bad (bad != 0).
01664      * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
01665      *   plaintext does not fit in the output buffer.
01666      * - 0 if the padding is correct. */
01667     ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
01668                   if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
01669                           0 ) );
01670 
01671     /* If the padding is bad or the plaintext is too large, zero the
01672      * data that we're about to copy to the output buffer.
01673      * We need to copy the same amount of data
01674      * from the same buffer whether the padding is good or not to
01675      * avoid leaking the padding validity through overall timing or
01676      * through memory or cache access patterns. */
01677     bad = all_or_nothing_int( bad | output_too_large );
01678     for( i = 11; i < ilen; i++ )
01679         buf[i] &= ~bad;
01680 
01681     /* If the plaintext is too large, truncate it to the buffer size.
01682      * Copy anyway to avoid revealing the length through timing, because
01683      * revealing the length is as bad as revealing the padding validity
01684      * for a Bleichenbacher attack. */
01685     plaintext_size = if_int( output_too_large,
01686                              (unsigned) plaintext_max_size,
01687                              (unsigned) plaintext_size );
01688 
01689     /* Move the plaintext to the leftmost position where it can start in
01690      * the working buffer, i.e. make it start plaintext_max_size from
01691      * the end of the buffer. Do this with a memory access trace that
01692      * does not depend on the plaintext size. After this move, the
01693      * starting location of the plaintext is no longer sensitive
01694      * information. */
01695     mem_move_to_left( buf + ilen - plaintext_max_size,
01696                       plaintext_max_size,
01697                       plaintext_max_size - plaintext_size );
01698 
01699     /* Finally copy the decrypted plaintext plus trailing zeros into the output
01700      * buffer. If output_max_len is 0, then output may be an invalid pointer
01701      * and the result of memcpy() would be undefined; prevent undefined
01702      * behavior making sure to depend only on output_max_len (the size of the
01703      * user-provided output buffer), which is independent from plaintext
01704      * length, validity of padding, success of the decryption, and other
01705      * secrets. */
01706     if( output_max_len != 0 )
01707         memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
01708 
01709     /* Report the amount of data we copied to the output buffer. In case
01710      * of errors (bad padding or output too large), the value of *olen
01711      * when this function returns is not specified. Making it equivalent
01712      * to the good case limits the risks of leaking the padding validity. */
01713     *olen = plaintext_size;
01714 
01715 cleanup:
01716     mbedtls_platform_zeroize( buf, sizeof( buf ) );
01717 
01718     return( ret );
01719 }
01720 #endif /* MBEDTLS_PKCS1_V15 */
01721 
01722 /*
01723  * Do an RSA operation, then remove the message padding
01724  */
01725 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
01726                        int (*f_rng)(void *, unsigned char *, size_t),
01727                        void *p_rng,
01728                        int mode, size_t *olen,
01729                        const unsigned char *input,
01730                        unsigned char *output,
01731                        size_t output_max_len)
01732 {
01733     RSA_VALIDATE_RET( ctx != NULL );
01734     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
01735                       mode == MBEDTLS_RSA_PUBLIC );
01736     RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
01737     RSA_VALIDATE_RET( input != NULL );
01738     RSA_VALIDATE_RET( olen != NULL );
01739 
01740     switch( ctx->padding  )
01741     {
01742 #if defined(MBEDTLS_PKCS1_V15)
01743         case MBEDTLS_RSA_PKCS_V15:
01744             return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
01745                                                 input, output, output_max_len );
01746 #endif
01747 
01748 #if defined(MBEDTLS_PKCS1_V21)
01749         case MBEDTLS_RSA_PKCS_V21:
01750             return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
01751                                            olen, input, output,
01752                                            output_max_len );
01753 #endif
01754 
01755         default:
01756             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
01757     }
01758 }
01759 
01760 #if defined(MBEDTLS_PKCS1_V21)
01761 /*
01762  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
01763  */
01764 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
01765                          int (*f_rng)(void *, unsigned char *, size_t),
01766                          void *p_rng,
01767                          int mode,
01768                          mbedtls_md_type_t md_alg,
01769                          unsigned int hashlen,
01770                          const unsigned char *hash,
01771                          unsigned char *sig )
01772 {
01773     size_t olen;
01774     unsigned char *p = sig;
01775     unsigned char salt[MBEDTLS_MD_MAX_SIZE];
01776     size_t slen, min_slen, hlen, offset = 0;
01777     int ret;
01778     size_t msb;
01779     const mbedtls_md_info_t *md_info;
01780     mbedtls_md_context_t md_ctx;
01781     RSA_VALIDATE_RET( ctx != NULL );
01782     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
01783                       mode == MBEDTLS_RSA_PUBLIC );
01784     RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
01785                         hashlen == 0 ) ||
01786                       hash != NULL );
01787     RSA_VALIDATE_RET( sig != NULL );
01788 
01789     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
01790         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01791 
01792     if( f_rng == NULL )
01793         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01794 
01795     olen = ctx->len ;
01796 
01797     if( md_alg != MBEDTLS_MD_NONE )
01798     {
01799         /* Gather length of hash to sign */
01800         md_info = mbedtls_md_info_from_type( md_alg );
01801         if( md_info == NULL )
01802             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01803 
01804         hashlen = mbedtls_md_get_size( md_info );
01805     }
01806 
01807     md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id  );
01808     if( md_info == NULL )
01809         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01810 
01811     hlen = mbedtls_md_get_size( md_info );
01812 
01813     /* Calculate the largest possible salt length. Normally this is the hash
01814      * length, which is the maximum length the salt can have. If there is not
01815      * enough room, use the maximum salt length that fits. The constraint is
01816      * that the hash length plus the salt length plus 2 bytes must be at most
01817      * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
01818      * (PKCS#1 v2.2) §9.1.1 step 3. */
01819     min_slen = hlen - 2;
01820     if( olen < hlen + min_slen + 2 )
01821         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01822     else if( olen >= hlen + hlen + 2 )
01823         slen = hlen;
01824     else
01825         slen = olen - hlen - 2;
01826 
01827     memset( sig, 0, olen );
01828 
01829     /* Generate salt of length slen */
01830     if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
01831         return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
01832 
01833     /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
01834     msb = mbedtls_mpi_bitlen( &ctx->N  ) - 1;
01835     p += olen - hlen - slen - 2;
01836     *p++ = 0x01;
01837     memcpy( p, salt, slen );
01838     p += slen;
01839 
01840     mbedtls_md_init( &md_ctx );
01841     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
01842         goto exit;
01843 
01844     /* Generate H = Hash( M' ) */
01845     if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
01846         goto exit;
01847     if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
01848         goto exit;
01849     if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
01850         goto exit;
01851     if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
01852         goto exit;
01853     if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
01854         goto exit;
01855 
01856     /* Compensate for boundary condition when applying mask */
01857     if( msb % 8 == 0 )
01858         offset = 1;
01859 
01860     /* maskedDB: Apply dbMask to DB */
01861     if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
01862                           &md_ctx ) ) != 0 )
01863         goto exit;
01864 
01865     msb = mbedtls_mpi_bitlen( &ctx->N  ) - 1;
01866     sig[0] &= 0xFF >> ( olen * 8 - msb );
01867 
01868     p += hlen;
01869     *p++ = 0xBC;
01870 
01871     mbedtls_platform_zeroize( salt, sizeof( salt ) );
01872 
01873 exit:
01874     mbedtls_md_free( &md_ctx );
01875 
01876     if( ret != 0 )
01877         return( ret );
01878 
01879     return( ( mode == MBEDTLS_RSA_PUBLIC )
01880             ? mbedtls_rsa_public(  ctx, sig, sig )
01881             : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
01882 }
01883 #endif /* MBEDTLS_PKCS1_V21 */
01884 
01885 #if defined(MBEDTLS_PKCS1_V15)
01886 /*
01887  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
01888  */
01889 
01890 /* Construct a PKCS v1.5 encoding of a hashed message
01891  *
01892  * This is used both for signature generation and verification.
01893  *
01894  * Parameters:
01895  * - md_alg:  Identifies the hash algorithm used to generate the given hash;
01896  *            MBEDTLS_MD_NONE if raw data is signed.
01897  * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
01898  * - hash:    Buffer containing the hashed message or the raw data.
01899  * - dst_len: Length of the encoded message.
01900  * - dst:     Buffer to hold the encoded message.
01901  *
01902  * Assumptions:
01903  * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
01904  * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
01905  * - dst points to a buffer of size at least dst_len.
01906  *
01907  */
01908 static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
01909                                         unsigned int hashlen,
01910                                         const unsigned char *hash,
01911                                         size_t dst_len,
01912                                         unsigned char *dst )
01913 {
01914     size_t oid_size  = 0;
01915     size_t nb_pad    = dst_len;
01916     unsigned char *p = dst;
01917     const char *oid  = NULL;
01918 
01919     /* Are we signing hashed or raw data? */
01920     if( md_alg != MBEDTLS_MD_NONE )
01921     {
01922         const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
01923         if( md_info == NULL )
01924             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01925 
01926         if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
01927             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01928 
01929         hashlen = mbedtls_md_get_size( md_info );
01930 
01931         /* Double-check that 8 + hashlen + oid_size can be used as a
01932          * 1-byte ASN.1 length encoding and that there's no overflow. */
01933         if( 8 + hashlen + oid_size  >= 0x80         ||
01934             10 + hashlen            <  hashlen      ||
01935             10 + hashlen + oid_size <  10 + hashlen )
01936             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01937 
01938         /*
01939          * Static bounds check:
01940          * - Need 10 bytes for five tag-length pairs.
01941          *   (Insist on 1-byte length encodings to protect against variants of
01942          *    Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
01943          * - Need hashlen bytes for hash
01944          * - Need oid_size bytes for hash alg OID.
01945          */
01946         if( nb_pad < 10 + hashlen + oid_size )
01947             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01948         nb_pad -= 10 + hashlen + oid_size;
01949     }
01950     else
01951     {
01952         if( nb_pad < hashlen )
01953             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01954 
01955         nb_pad -= hashlen;
01956     }
01957 
01958     /* Need space for signature header and padding delimiter (3 bytes),
01959      * and 8 bytes for the minimal padding */
01960     if( nb_pad < 3 + 8 )
01961         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
01962     nb_pad -= 3;
01963 
01964     /* Now nb_pad is the amount of memory to be filled
01965      * with padding, and at least 8 bytes long. */
01966 
01967     /* Write signature header and padding */
01968     *p++ = 0;
01969     *p++ = MBEDTLS_RSA_SIGN;
01970     memset( p, 0xFF, nb_pad );
01971     p += nb_pad;
01972     *p++ = 0;
01973 
01974     /* Are we signing raw data? */
01975     if( md_alg == MBEDTLS_MD_NONE )
01976     {
01977         memcpy( p, hash, hashlen );
01978         return( 0 );
01979     }
01980 
01981     /* Signing hashed data, add corresponding ASN.1 structure
01982      *
01983      * DigestInfo ::= SEQUENCE {
01984      *   digestAlgorithm DigestAlgorithmIdentifier,
01985      *   digest Digest }
01986      * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
01987      * Digest ::= OCTET STRING
01988      *
01989      * Schematic:
01990      * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID  + LEN [ OID  ]
01991      *                                 TAG-NULL + LEN [ NULL ] ]
01992      *                 TAG-OCTET + LEN [ HASH ] ]
01993      */
01994     *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
01995     *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
01996     *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
01997     *p++ = (unsigned char)( 0x04 + oid_size );
01998     *p++ = MBEDTLS_ASN1_OID;
01999     *p++ = (unsigned char) oid_size;
02000     memcpy( p, oid, oid_size );
02001     p += oid_size;
02002     *p++ = MBEDTLS_ASN1_NULL;
02003     *p++ = 0x00;
02004     *p++ = MBEDTLS_ASN1_OCTET_STRING;
02005     *p++ = (unsigned char) hashlen;
02006     memcpy( p, hash, hashlen );
02007     p += hashlen;
02008 
02009     /* Just a sanity-check, should be automatic
02010      * after the initial bounds check. */
02011     if( p != dst + dst_len )
02012     {
02013         mbedtls_platform_zeroize( dst, dst_len );
02014         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02015     }
02016 
02017     return( 0 );
02018 }
02019 
02020 /*
02021  * Do an RSA operation to sign the message digest
02022  */
02023 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
02024                                int (*f_rng)(void *, unsigned char *, size_t),
02025                                void *p_rng,
02026                                int mode,
02027                                mbedtls_md_type_t md_alg,
02028                                unsigned int hashlen,
02029                                const unsigned char *hash,
02030                                unsigned char *sig )
02031 {
02032     int ret;
02033     unsigned char *sig_try = NULL, *verif = NULL;
02034 
02035     RSA_VALIDATE_RET( ctx != NULL );
02036     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
02037                       mode == MBEDTLS_RSA_PUBLIC );
02038     RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
02039                         hashlen == 0 ) ||
02040                       hash != NULL );
02041     RSA_VALIDATE_RET( sig != NULL );
02042 
02043     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
02044         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02045 
02046     /*
02047      * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
02048      */
02049 
02050     if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
02051                                              ctx->len , sig ) ) != 0 )
02052         return( ret );
02053 
02054     /*
02055      * Call respective RSA primitive
02056      */
02057 
02058     if( mode == MBEDTLS_RSA_PUBLIC )
02059     {
02060         /* Skip verification on a public key operation */
02061         return( mbedtls_rsa_public( ctx, sig, sig ) );
02062     }
02063 
02064     /* Private key operation
02065      *
02066      * In order to prevent Lenstra's attack, make the signature in a
02067      * temporary buffer and check it before returning it.
02068      */
02069 
02070     sig_try = mbedtls_calloc( 1, ctx->len  );
02071     if( sig_try == NULL )
02072         return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
02073 
02074     verif = mbedtls_calloc( 1, ctx->len  );
02075     if( verif == NULL )
02076     {
02077         mbedtls_free( sig_try );
02078         return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
02079     }
02080 
02081     MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
02082     MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
02083 
02084     if( mbedtls_safer_memcmp( verif, sig, ctx->len  ) != 0 )
02085     {
02086         ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
02087         goto cleanup;
02088     }
02089 
02090     memcpy( sig, sig_try, ctx->len  );
02091 
02092 cleanup:
02093     mbedtls_free( sig_try );
02094     mbedtls_free( verif );
02095 
02096     return( ret );
02097 }
02098 #endif /* MBEDTLS_PKCS1_V15 */
02099 
02100 /*
02101  * Do an RSA operation to sign the message digest
02102  */
02103 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
02104                     int (*f_rng)(void *, unsigned char *, size_t),
02105                     void *p_rng,
02106                     int mode,
02107                     mbedtls_md_type_t md_alg,
02108                     unsigned int hashlen,
02109                     const unsigned char *hash,
02110                     unsigned char *sig )
02111 {
02112     RSA_VALIDATE_RET( ctx != NULL );
02113     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
02114                       mode == MBEDTLS_RSA_PUBLIC );
02115     RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
02116                         hashlen == 0 ) ||
02117                       hash != NULL );
02118     RSA_VALIDATE_RET( sig != NULL );
02119 
02120     switch( ctx->padding  )
02121     {
02122 #if defined(MBEDTLS_PKCS1_V15)
02123         case MBEDTLS_RSA_PKCS_V15:
02124             return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
02125                                               hashlen, hash, sig );
02126 #endif
02127 
02128 #if defined(MBEDTLS_PKCS1_V21)
02129         case MBEDTLS_RSA_PKCS_V21:
02130             return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
02131                                         hashlen, hash, sig );
02132 #endif
02133 
02134         default:
02135             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
02136     }
02137 }
02138 
02139 #if defined(MBEDTLS_PKCS1_V21)
02140 /*
02141  * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
02142  */
02143 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
02144                                int (*f_rng)(void *, unsigned char *, size_t),
02145                                void *p_rng,
02146                                int mode,
02147                                mbedtls_md_type_t md_alg,
02148                                unsigned int hashlen,
02149                                const unsigned char *hash,
02150                                mbedtls_md_type_t mgf1_hash_id,
02151                                int expected_salt_len,
02152                                const unsigned char *sig )
02153 {
02154     int ret;
02155     size_t siglen;
02156     unsigned char *p;
02157     unsigned char *hash_start;
02158     unsigned char result[MBEDTLS_MD_MAX_SIZE];
02159     unsigned char zeros[8];
02160     unsigned int hlen;
02161     size_t observed_salt_len, msb;
02162     const mbedtls_md_info_t *md_info;
02163     mbedtls_md_context_t md_ctx;
02164     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
02165 
02166     RSA_VALIDATE_RET( ctx != NULL );
02167     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
02168                       mode == MBEDTLS_RSA_PUBLIC );
02169     RSA_VALIDATE_RET( sig != NULL );
02170     RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
02171                         hashlen == 0 ) ||
02172                       hash != NULL );
02173 
02174     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V21 )
02175         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02176 
02177     siglen = ctx->len ;
02178 
02179     if( siglen < 16 || siglen > sizeof( buf ) )
02180         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02181 
02182     ret = ( mode == MBEDTLS_RSA_PUBLIC )
02183           ? mbedtls_rsa_public(  ctx, sig, buf )
02184           : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
02185 
02186     if( ret != 0 )
02187         return( ret );
02188 
02189     p = buf;
02190 
02191     if( buf[siglen - 1] != 0xBC )
02192         return( MBEDTLS_ERR_RSA_INVALID_PADDING );
02193 
02194     if( md_alg != MBEDTLS_MD_NONE )
02195     {
02196         /* Gather length of hash to sign */
02197         md_info = mbedtls_md_info_from_type( md_alg );
02198         if( md_info == NULL )
02199             return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02200 
02201         hashlen = mbedtls_md_get_size( md_info );
02202     }
02203 
02204     md_info = mbedtls_md_info_from_type( mgf1_hash_id );
02205     if( md_info == NULL )
02206         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02207 
02208     hlen = mbedtls_md_get_size( md_info );
02209 
02210     memset( zeros, 0, 8 );
02211 
02212     /*
02213      * Note: EMSA-PSS verification is over the length of N - 1 bits
02214      */
02215     msb = mbedtls_mpi_bitlen( &ctx->N  ) - 1;
02216 
02217     if( buf[0] >> ( 8 - siglen * 8 + msb ) )
02218         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02219 
02220     /* Compensate for boundary condition when applying mask */
02221     if( msb % 8 == 0 )
02222     {
02223         p++;
02224         siglen -= 1;
02225     }
02226 
02227     if( siglen < hlen + 2 )
02228         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02229     hash_start = p + siglen - hlen - 1;
02230 
02231     mbedtls_md_init( &md_ctx );
02232     if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
02233         goto exit;
02234 
02235     ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
02236     if( ret != 0 )
02237         goto exit;
02238 
02239     buf[0] &= 0xFF >> ( siglen * 8 - msb );
02240 
02241     while( p < hash_start - 1 && *p == 0 )
02242         p++;
02243 
02244     if( *p++ != 0x01 )
02245     {
02246         ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
02247         goto exit;
02248     }
02249 
02250     observed_salt_len = hash_start - p;
02251 
02252     if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
02253         observed_salt_len != (size_t) expected_salt_len )
02254     {
02255         ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
02256         goto exit;
02257     }
02258 
02259     /*
02260      * Generate H = Hash( M' )
02261      */
02262     ret = mbedtls_md_starts( &md_ctx );
02263     if ( ret != 0 )
02264         goto exit;
02265     ret = mbedtls_md_update( &md_ctx, zeros, 8 );
02266     if ( ret != 0 )
02267         goto exit;
02268     ret = mbedtls_md_update( &md_ctx, hash, hashlen );
02269     if ( ret != 0 )
02270         goto exit;
02271     ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
02272     if ( ret != 0 )
02273         goto exit;
02274     ret = mbedtls_md_finish( &md_ctx, result );
02275     if ( ret != 0 )
02276         goto exit;
02277 
02278     if( memcmp( hash_start, result, hlen ) != 0 )
02279     {
02280         ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
02281         goto exit;
02282     }
02283 
02284 exit:
02285     mbedtls_md_free( &md_ctx );
02286 
02287     return( ret );
02288 }
02289 
02290 /*
02291  * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
02292  */
02293 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
02294                            int (*f_rng)(void *, unsigned char *, size_t),
02295                            void *p_rng,
02296                            int mode,
02297                            mbedtls_md_type_t md_alg,
02298                            unsigned int hashlen,
02299                            const unsigned char *hash,
02300                            const unsigned char *sig )
02301 {
02302     mbedtls_md_type_t mgf1_hash_id;
02303     RSA_VALIDATE_RET( ctx != NULL );
02304     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
02305                       mode == MBEDTLS_RSA_PUBLIC );
02306     RSA_VALIDATE_RET( sig != NULL );
02307     RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
02308                         hashlen == 0 ) ||
02309                       hash != NULL );
02310 
02311     mgf1_hash_id = ( ctx->hash_id  != MBEDTLS_MD_NONE )
02312                              ? (mbedtls_md_type_t) ctx->hash_id 
02313                              : md_alg;
02314 
02315     return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
02316                                        md_alg, hashlen, hash,
02317                                        mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
02318                                        sig ) );
02319 
02320 }
02321 #endif /* MBEDTLS_PKCS1_V21 */
02322 
02323 #if defined(MBEDTLS_PKCS1_V15)
02324 /*
02325  * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
02326  */
02327 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
02328                                  int (*f_rng)(void *, unsigned char *, size_t),
02329                                  void *p_rng,
02330                                  int mode,
02331                                  mbedtls_md_type_t md_alg,
02332                                  unsigned int hashlen,
02333                                  const unsigned char *hash,
02334                                  const unsigned char *sig )
02335 {
02336     int ret = 0;
02337     size_t sig_len;
02338     unsigned char *encoded = NULL, *encoded_expected = NULL;
02339 
02340     RSA_VALIDATE_RET( ctx != NULL );
02341     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
02342                       mode == MBEDTLS_RSA_PUBLIC );
02343     RSA_VALIDATE_RET( sig != NULL );
02344     RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
02345                         hashlen == 0 ) ||
02346                       hash != NULL );
02347 
02348     sig_len = ctx->len ;
02349 
02350     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding  != MBEDTLS_RSA_PKCS_V15 )
02351         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
02352 
02353     /*
02354      * Prepare expected PKCS1 v1.5 encoding of hash.
02355      */
02356 
02357     if( ( encoded          = mbedtls_calloc( 1, sig_len ) ) == NULL ||
02358         ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
02359     {
02360         ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
02361         goto cleanup;
02362     }
02363 
02364     if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
02365                                              encoded_expected ) ) != 0 )
02366         goto cleanup;
02367 
02368     /*
02369      * Apply RSA primitive to get what should be PKCS1 encoded hash.
02370      */
02371 
02372     ret = ( mode == MBEDTLS_RSA_PUBLIC )
02373           ? mbedtls_rsa_public(  ctx, sig, encoded )
02374           : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
02375     if( ret != 0 )
02376         goto cleanup;
02377 
02378     /*
02379      * Compare
02380      */
02381 
02382     if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
02383                                       sig_len ) ) != 0 )
02384     {
02385         ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
02386         goto cleanup;
02387     }
02388 
02389 cleanup:
02390 
02391     if( encoded != NULL )
02392     {
02393         mbedtls_platform_zeroize( encoded, sig_len );
02394         mbedtls_free( encoded );
02395     }
02396 
02397     if( encoded_expected != NULL )
02398     {
02399         mbedtls_platform_zeroize( encoded_expected, sig_len );
02400         mbedtls_free( encoded_expected );
02401     }
02402 
02403     return( ret );
02404 }
02405 #endif /* MBEDTLS_PKCS1_V15 */
02406 
02407 /*
02408  * Do an RSA operation and check the message digest
02409  */
02410 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
02411                       int (*f_rng)(void *, unsigned char *, size_t),
02412                       void *p_rng,
02413                       int mode,
02414                       mbedtls_md_type_t md_alg,
02415                       unsigned int hashlen,
02416                       const unsigned char *hash,
02417                       const unsigned char *sig )
02418 {
02419     RSA_VALIDATE_RET( ctx != NULL );
02420     RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
02421                       mode == MBEDTLS_RSA_PUBLIC );
02422     RSA_VALIDATE_RET( sig != NULL );
02423     RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
02424                         hashlen == 0 ) ||
02425                       hash != NULL );
02426 
02427     switch( ctx->padding  )
02428     {
02429 #if defined(MBEDTLS_PKCS1_V15)
02430         case MBEDTLS_RSA_PKCS_V15:
02431             return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
02432                                                 hashlen, hash, sig );
02433 #endif
02434 
02435 #if defined(MBEDTLS_PKCS1_V21)
02436         case MBEDTLS_RSA_PKCS_V21:
02437             return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
02438                                           hashlen, hash, sig );
02439 #endif
02440 
02441         default:
02442             return( MBEDTLS_ERR_RSA_INVALID_PADDING );
02443     }
02444 }
02445 
02446 /*
02447  * Copy the components of an RSA key
02448  */
02449 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
02450 {
02451     int ret;
02452     RSA_VALIDATE_RET( dst != NULL );
02453     RSA_VALIDATE_RET( src != NULL );
02454 
02455     dst->ver  = src->ver ;
02456     dst->len  = src->len ;
02457 
02458     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N , &src->N  ) );
02459     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E , &src->E  ) );
02460 
02461     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D , &src->D  ) );
02462     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P , &src->P  ) );
02463     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q , &src->Q  ) );
02464 
02465 #if !defined(MBEDTLS_RSA_NO_CRT)
02466     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP , &src->DP  ) );
02467     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ , &src->DQ  ) );
02468     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP , &src->QP  ) );
02469     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP , &src->RP  ) );
02470     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ , &src->RQ  ) );
02471 #endif
02472 
02473     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN , &src->RN  ) );
02474 
02475     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi , &src->Vi  ) );
02476     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf , &src->Vf  ) );
02477 
02478     dst->padding  = src->padding ;
02479     dst->hash_id  = src->hash_id ;
02480 
02481 cleanup:
02482     if( ret != 0 )
02483         mbedtls_rsa_free( dst );
02484 
02485     return( ret );
02486 }
02487 
02488 /*
02489  * Free the components of an RSA key
02490  */
02491 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
02492 {
02493     if( ctx == NULL )
02494         return;
02495 
02496     mbedtls_mpi_free( &ctx->Vi  );
02497     mbedtls_mpi_free( &ctx->Vf  );
02498     mbedtls_mpi_free( &ctx->RN  );
02499     mbedtls_mpi_free( &ctx->D   );
02500     mbedtls_mpi_free( &ctx->Q   );
02501     mbedtls_mpi_free( &ctx->P   );
02502     mbedtls_mpi_free( &ctx->E   );
02503     mbedtls_mpi_free( &ctx->N   );
02504 
02505 #if !defined(MBEDTLS_RSA_NO_CRT)
02506     mbedtls_mpi_free( &ctx->RQ  );
02507     mbedtls_mpi_free( &ctx->RP  );
02508     mbedtls_mpi_free( &ctx->QP  );
02509     mbedtls_mpi_free( &ctx->DQ  );
02510     mbedtls_mpi_free( &ctx->DP  );
02511 #endif /* MBEDTLS_RSA_NO_CRT */
02512 
02513 #if defined(MBEDTLS_THREADING_C)
02514     mbedtls_mutex_free( &ctx->mutex  );
02515 #endif
02516 }
02517 
02518 #endif /* !MBEDTLS_RSA_ALT */
02519 
02520 #if defined(MBEDTLS_SELF_TEST)
02521 
02522 #include "mbedtls/sha1.h"
02523 
02524 /*
02525  * Example RSA-1024 keypair, for test purposes
02526  */
02527 #define KEY_LEN 128
02528 
02529 #define RSA_N   "9292758453063D803DD603D5E777D788" \
02530                 "8ED1D5BF35786190FA2F23EBC0848AEA" \
02531                 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
02532                 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
02533                 "93A89813FBF3C4F8066D2D800F7C38A8" \
02534                 "1AE31942917403FF4946B0A83D3D3E05" \
02535                 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
02536                 "5E94BB77B07507233A0BC7BAC8F90F79"
02537 
02538 #define RSA_E   "10001"
02539 
02540 #define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
02541                 "66CA472BC44D253102F8B4A9D3BFA750" \
02542                 "91386C0077937FE33FA3252D28855837" \
02543                 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
02544                 "DF79C5CE07EE72C7F123142198164234" \
02545                 "CABB724CF78B8173B9F880FC86322407" \
02546                 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
02547                 "071513A1E85B5DFA031F21ECAE91A34D"
02548 
02549 #define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
02550                 "2C01CAD19EA484A87EA4377637E75500" \
02551                 "FCB2005C5C7DD6EC4AC023CDA285D796" \
02552                 "C3D9E75E1EFC42488BB4F1D13AC30A57"
02553 
02554 #define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
02555                 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
02556                 "910E4168387E3C30AA1E00C339A79508" \
02557                 "8452DD96A9A5EA5D9DCA68DA636032AF"
02558 
02559 #define PT_LEN  24
02560 #define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
02561                 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
02562 
02563 #if defined(MBEDTLS_PKCS1_V15)
02564 static int myrand( void *rng_state, unsigned char *output, size_t len )
02565 {
02566 #if !defined(__OpenBSD__)
02567     size_t i;
02568 
02569     if( rng_state != NULL )
02570         rng_state  = NULL;
02571 
02572     for( i = 0; i < len; ++i )
02573         output[i] = rand();
02574 #else
02575     if( rng_state != NULL )
02576         rng_state = NULL;
02577 
02578     arc4random_buf( output, len );
02579 #endif /* !OpenBSD */
02580 
02581     return( 0 );
02582 }
02583 #endif /* MBEDTLS_PKCS1_V15 */
02584 
02585 /*
02586  * Checkup routine
02587  */
02588 int mbedtls_rsa_self_test( int verbose )
02589 {
02590     int ret = 0;
02591 #if defined(MBEDTLS_PKCS1_V15)
02592     size_t len;
02593     mbedtls_rsa_context rsa;
02594     unsigned char rsa_plaintext[PT_LEN];
02595     unsigned char rsa_decrypted[PT_LEN];
02596     unsigned char rsa_ciphertext[KEY_LEN];
02597 #if defined(MBEDTLS_SHA1_C)
02598     unsigned char sha1sum[20];
02599 #endif
02600 
02601     mbedtls_mpi K;
02602 
02603     mbedtls_mpi_init( &K );
02604     mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
02605 
02606     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N  ) );
02607     MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
02608     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P  ) );
02609     MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
02610     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q  ) );
02611     MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
02612     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D  ) );
02613     MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
02614     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E  ) );
02615     MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
02616 
02617     MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
02618 
02619     if( verbose != 0 )
02620         mbedtls_printf( "  RSA key validation: " );
02621 
02622     if( mbedtls_rsa_check_pubkey(  &rsa ) != 0 ||
02623         mbedtls_rsa_check_privkey( &rsa ) != 0 )
02624     {
02625         if( verbose != 0 )
02626             mbedtls_printf( "failed\n" );
02627 
02628         ret = 1;
02629         goto cleanup;
02630     }
02631 
02632     if( verbose != 0 )
02633         mbedtls_printf( "passed\n  PKCS#1 encryption : " );
02634 
02635     memcpy( rsa_plaintext, RSA_PT, PT_LEN );
02636 
02637     if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
02638                                    PT_LEN, rsa_plaintext,
02639                                    rsa_ciphertext ) != 0 )
02640     {
02641         if( verbose != 0 )
02642             mbedtls_printf( "failed\n" );
02643 
02644         ret = 1;
02645         goto cleanup;
02646     }
02647 
02648     if( verbose != 0 )
02649         mbedtls_printf( "passed\n  PKCS#1 decryption : " );
02650 
02651     if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
02652                                    &len, rsa_ciphertext, rsa_decrypted,
02653                                    sizeof(rsa_decrypted) ) != 0 )
02654     {
02655         if( verbose != 0 )
02656             mbedtls_printf( "failed\n" );
02657 
02658         ret = 1;
02659         goto cleanup;
02660     }
02661 
02662     if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
02663     {
02664         if( verbose != 0 )
02665             mbedtls_printf( "failed\n" );
02666 
02667         ret = 1;
02668         goto cleanup;
02669     }
02670 
02671     if( verbose != 0 )
02672         mbedtls_printf( "passed\n" );
02673 
02674 #if defined(MBEDTLS_SHA1_C)
02675     if( verbose != 0 )
02676         mbedtls_printf( "  PKCS#1 data sign  : " );
02677 
02678     if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
02679     {
02680         if( verbose != 0 )
02681             mbedtls_printf( "failed\n" );
02682 
02683         return( 1 );
02684     }
02685 
02686     if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
02687                                 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
02688                                 sha1sum, rsa_ciphertext ) != 0 )
02689     {
02690         if( verbose != 0 )
02691             mbedtls_printf( "failed\n" );
02692 
02693         ret = 1;
02694         goto cleanup;
02695     }
02696 
02697     if( verbose != 0 )
02698         mbedtls_printf( "passed\n  PKCS#1 sig. verify: " );
02699 
02700     if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
02701                                   MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
02702                                   sha1sum, rsa_ciphertext ) != 0 )
02703     {
02704         if( verbose != 0 )
02705             mbedtls_printf( "failed\n" );
02706 
02707         ret = 1;
02708         goto cleanup;
02709     }
02710 
02711     if( verbose != 0 )
02712         mbedtls_printf( "passed\n" );
02713 #endif /* MBEDTLS_SHA1_C */
02714 
02715     if( verbose != 0 )
02716         mbedtls_printf( "\n" );
02717 
02718 cleanup:
02719     mbedtls_mpi_free( &K );
02720     mbedtls_rsa_free( &rsa );
02721 #else /* MBEDTLS_PKCS1_V15 */
02722     ((void) verbose);
02723 #endif /* MBEDTLS_PKCS1_V15 */
02724     return( ret );
02725 }
02726 
02727 #endif /* MBEDTLS_SELF_TEST */
02728 
02729 #endif /* MBEDTLS_RSA_C */