Kenji Arai
/
mbed-os_TYBLE16
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
Embed:
(wiki syntax)
Show/hide line numbers
rsa.c
00001 /* 00002 * The RSA public-key cryptosystem 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 /* 00023 * The following sources were referenced in the design of this implementation 00024 * of the RSA algorithm: 00025 * 00026 * [1] A method for obtaining digital signatures and public-key cryptosystems 00027 * R Rivest, A Shamir, and L Adleman 00028 * http://people.csail.mit.edu/rivest/pubs.html#RSA78 00029 * 00030 * [2] Handbook of Applied Cryptography - 1997, Chapter 8 00031 * Menezes, van Oorschot and Vanstone 00032 * 00033 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks 00034 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and 00035 * Stefan Mangard 00036 * https://arxiv.org/abs/1702.08719v2 00037 * 00038 */ 00039 00040 #if !defined(MBEDTLS_CONFIG_FILE) 00041 #include "mbedtls/config.h" 00042 #else 00043 #include MBEDTLS_CONFIG_FILE 00044 #endif 00045 00046 #if defined(MBEDTLS_RSA_C) 00047 00048 #include "mbedtls/rsa.h" 00049 #include "mbedtls/rsa_internal.h" 00050 #include "mbedtls/oid.h" 00051 #include "mbedtls/platform_util.h" 00052 00053 #include <string.h> 00054 00055 #if defined(MBEDTLS_PKCS1_V21) 00056 #include "mbedtls/md.h" 00057 #endif 00058 00059 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) 00060 #include <stdlib.h> 00061 #endif 00062 00063 #if defined(MBEDTLS_PLATFORM_C) 00064 #include "mbedtls/platform.h" 00065 #else 00066 #include <stdio.h> 00067 #define mbedtls_printf printf 00068 #define mbedtls_calloc calloc 00069 #define mbedtls_free free 00070 #endif 00071 00072 #if !defined(MBEDTLS_RSA_ALT) 00073 00074 /* Parameter validation macros */ 00075 #define RSA_VALIDATE_RET( cond ) \ 00076 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) 00077 #define RSA_VALIDATE( cond ) \ 00078 MBEDTLS_INTERNAL_VALIDATE( cond ) 00079 00080 #if defined(MBEDTLS_PKCS1_V15) 00081 /* constant-time buffer comparison */ 00082 static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n ) 00083 { 00084 size_t i; 00085 const unsigned char *A = (const unsigned char *) a; 00086 const unsigned char *B = (const unsigned char *) b; 00087 unsigned char diff = 0; 00088 00089 for( i = 0; i < n; i++ ) 00090 diff |= A[i] ^ B[i]; 00091 00092 return( diff ); 00093 } 00094 #endif /* MBEDTLS_PKCS1_V15 */ 00095 00096 int mbedtls_rsa_import( mbedtls_rsa_context *ctx, 00097 const mbedtls_mpi *N, 00098 const mbedtls_mpi *P, const mbedtls_mpi *Q, 00099 const mbedtls_mpi *D, const mbedtls_mpi *E ) 00100 { 00101 int ret; 00102 RSA_VALIDATE_RET( ctx != NULL ); 00103 00104 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N , N ) ) != 0 ) || 00105 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P , P ) ) != 0 ) || 00106 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q , Q ) ) != 0 ) || 00107 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D , D ) ) != 0 ) || 00108 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E , E ) ) != 0 ) ) 00109 { 00110 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00111 } 00112 00113 if( N != NULL ) 00114 ctx->len = mbedtls_mpi_size( &ctx->N ); 00115 00116 return( 0 ); 00117 } 00118 00119 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, 00120 unsigned char const *N, size_t N_len, 00121 unsigned char const *P, size_t P_len, 00122 unsigned char const *Q, size_t Q_len, 00123 unsigned char const *D, size_t D_len, 00124 unsigned char const *E, size_t E_len ) 00125 { 00126 int ret = 0; 00127 RSA_VALIDATE_RET( ctx != NULL ); 00128 00129 if( N != NULL ) 00130 { 00131 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N , N, N_len ) ); 00132 ctx->len = mbedtls_mpi_size( &ctx->N ); 00133 } 00134 00135 if( P != NULL ) 00136 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P , P, P_len ) ); 00137 00138 if( Q != NULL ) 00139 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q , Q, Q_len ) ); 00140 00141 if( D != NULL ) 00142 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D , D, D_len ) ); 00143 00144 if( E != NULL ) 00145 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E , E, E_len ) ); 00146 00147 cleanup: 00148 00149 if( ret != 0 ) 00150 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00151 00152 return( 0 ); 00153 } 00154 00155 /* 00156 * Checks whether the context fields are set in such a way 00157 * that the RSA primitives will be able to execute without error. 00158 * It does *not* make guarantees for consistency of the parameters. 00159 */ 00160 static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv, 00161 int blinding_needed ) 00162 { 00163 #if !defined(MBEDTLS_RSA_NO_CRT) 00164 /* blinding_needed is only used for NO_CRT to decide whether 00165 * P,Q need to be present or not. */ 00166 ((void) blinding_needed); 00167 #endif 00168 00169 if( ctx->len != mbedtls_mpi_size( &ctx->N ) || 00170 ctx->len > MBEDTLS_MPI_MAX_SIZE ) 00171 { 00172 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00173 } 00174 00175 /* 00176 * 1. Modular exponentiation needs positive, odd moduli. 00177 */ 00178 00179 /* Modular exponentiation wrt. N is always used for 00180 * RSA public key operations. */ 00181 if( mbedtls_mpi_cmp_int( &ctx->N , 0 ) <= 0 || 00182 mbedtls_mpi_get_bit( &ctx->N , 0 ) == 0 ) 00183 { 00184 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00185 } 00186 00187 #if !defined(MBEDTLS_RSA_NO_CRT) 00188 /* Modular exponentiation for P and Q is only 00189 * used for private key operations and if CRT 00190 * is used. */ 00191 if( is_priv && 00192 ( mbedtls_mpi_cmp_int( &ctx->P , 0 ) <= 0 || 00193 mbedtls_mpi_get_bit( &ctx->P , 0 ) == 0 || 00194 mbedtls_mpi_cmp_int( &ctx->Q , 0 ) <= 0 || 00195 mbedtls_mpi_get_bit( &ctx->Q , 0 ) == 0 ) ) 00196 { 00197 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00198 } 00199 #endif /* !MBEDTLS_RSA_NO_CRT */ 00200 00201 /* 00202 * 2. Exponents must be positive 00203 */ 00204 00205 /* Always need E for public key operations */ 00206 if( mbedtls_mpi_cmp_int( &ctx->E , 0 ) <= 0 ) 00207 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00208 00209 #if defined(MBEDTLS_RSA_NO_CRT) 00210 /* For private key operations, use D or DP & DQ 00211 * as (unblinded) exponents. */ 00212 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D , 0 ) <= 0 ) 00213 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00214 #else 00215 if( is_priv && 00216 ( mbedtls_mpi_cmp_int( &ctx->DP , 0 ) <= 0 || 00217 mbedtls_mpi_cmp_int( &ctx->DQ , 0 ) <= 0 ) ) 00218 { 00219 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00220 } 00221 #endif /* MBEDTLS_RSA_NO_CRT */ 00222 00223 /* Blinding shouldn't make exponents negative either, 00224 * so check that P, Q >= 1 if that hasn't yet been 00225 * done as part of 1. */ 00226 #if defined(MBEDTLS_RSA_NO_CRT) 00227 if( is_priv && blinding_needed && 00228 ( mbedtls_mpi_cmp_int( &ctx->P , 0 ) <= 0 || 00229 mbedtls_mpi_cmp_int( &ctx->Q , 0 ) <= 0 ) ) 00230 { 00231 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00232 } 00233 #endif 00234 00235 /* It wouldn't lead to an error if it wasn't satisfied, 00236 * but check for QP >= 1 nonetheless. */ 00237 #if !defined(MBEDTLS_RSA_NO_CRT) 00238 if( is_priv && 00239 mbedtls_mpi_cmp_int( &ctx->QP , 0 ) <= 0 ) 00240 { 00241 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00242 } 00243 #endif 00244 00245 return( 0 ); 00246 } 00247 00248 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) 00249 { 00250 int ret = 0; 00251 int have_N, have_P, have_Q, have_D, have_E; 00252 int n_missing, pq_missing, d_missing, is_pub, is_priv; 00253 00254 RSA_VALIDATE_RET( ctx != NULL ); 00255 00256 have_N = ( mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 ); 00257 have_P = ( mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 ); 00258 have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 ); 00259 have_D = ( mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 ); 00260 have_E = ( mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0 ); 00261 00262 /* 00263 * Check whether provided parameters are enough 00264 * to deduce all others. The following incomplete 00265 * parameter sets for private keys are supported: 00266 * 00267 * (1) P, Q missing. 00268 * (2) D and potentially N missing. 00269 * 00270 */ 00271 00272 n_missing = have_P && have_Q && have_D && have_E; 00273 pq_missing = have_N && !have_P && !have_Q && have_D && have_E; 00274 d_missing = have_P && have_Q && !have_D && have_E; 00275 is_pub = have_N && !have_P && !have_Q && !have_D && have_E; 00276 00277 /* These three alternatives are mutually exclusive */ 00278 is_priv = n_missing || pq_missing || d_missing; 00279 00280 if( !is_priv && !is_pub ) 00281 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00282 00283 /* 00284 * Step 1: Deduce N if P, Q are provided. 00285 */ 00286 00287 if( !have_N && have_P && have_Q ) 00288 { 00289 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , 00290 &ctx->Q ) ) != 0 ) 00291 { 00292 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00293 } 00294 00295 ctx->len = mbedtls_mpi_size( &ctx->N ); 00296 } 00297 00298 /* 00299 * Step 2: Deduce and verify all remaining core parameters. 00300 */ 00301 00302 if( pq_missing ) 00303 { 00304 ret = mbedtls_rsa_deduce_primes( &ctx->N , &ctx->E , &ctx->D , 00305 &ctx->P , &ctx->Q ); 00306 if( ret != 0 ) 00307 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00308 00309 } 00310 else if( d_missing ) 00311 { 00312 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P , 00313 &ctx->Q , 00314 &ctx->E , 00315 &ctx->D ) ) != 0 ) 00316 { 00317 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00318 } 00319 } 00320 00321 /* 00322 * Step 3: Deduce all additional parameters specific 00323 * to our current RSA implementation. 00324 */ 00325 00326 #if !defined(MBEDTLS_RSA_NO_CRT) 00327 if( is_priv ) 00328 { 00329 ret = mbedtls_rsa_deduce_crt( &ctx->P , &ctx->Q , &ctx->D , 00330 &ctx->DP , &ctx->DQ , &ctx->QP ); 00331 if( ret != 0 ) 00332 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00333 } 00334 #endif /* MBEDTLS_RSA_NO_CRT */ 00335 00336 /* 00337 * Step 3: Basic sanity checks 00338 */ 00339 00340 return( rsa_check_context( ctx, is_priv, 1 ) ); 00341 } 00342 00343 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, 00344 unsigned char *N, size_t N_len, 00345 unsigned char *P, size_t P_len, 00346 unsigned char *Q, size_t Q_len, 00347 unsigned char *D, size_t D_len, 00348 unsigned char *E, size_t E_len ) 00349 { 00350 int ret = 0; 00351 int is_priv; 00352 RSA_VALIDATE_RET( ctx != NULL ); 00353 00354 /* Check if key is private or public */ 00355 is_priv = 00356 mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 && 00357 mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 && 00358 mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 && 00359 mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 && 00360 mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0; 00361 00362 if( !is_priv ) 00363 { 00364 /* If we're trying to export private parameters for a public key, 00365 * something must be wrong. */ 00366 if( P != NULL || Q != NULL || D != NULL ) 00367 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00368 00369 } 00370 00371 if( N != NULL ) 00372 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N , N, N_len ) ); 00373 00374 if( P != NULL ) 00375 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P , P, P_len ) ); 00376 00377 if( Q != NULL ) 00378 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q , Q, Q_len ) ); 00379 00380 if( D != NULL ) 00381 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D , D, D_len ) ); 00382 00383 if( E != NULL ) 00384 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E , E, E_len ) ); 00385 00386 cleanup: 00387 00388 return( ret ); 00389 } 00390 00391 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, 00392 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, 00393 mbedtls_mpi *D, mbedtls_mpi *E ) 00394 { 00395 int ret; 00396 int is_priv; 00397 RSA_VALIDATE_RET( ctx != NULL ); 00398 00399 /* Check if key is private or public */ 00400 is_priv = 00401 mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 && 00402 mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 && 00403 mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 && 00404 mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 && 00405 mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0; 00406 00407 if( !is_priv ) 00408 { 00409 /* If we're trying to export private parameters for a public key, 00410 * something must be wrong. */ 00411 if( P != NULL || Q != NULL || D != NULL ) 00412 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00413 00414 } 00415 00416 /* Export all requested core parameters. */ 00417 00418 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) || 00419 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) || 00420 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) || 00421 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) || 00422 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) ) 00423 { 00424 return( ret ); 00425 } 00426 00427 return( 0 ); 00428 } 00429 00430 /* 00431 * Export CRT parameters 00432 * This must also be implemented if CRT is not used, for being able to 00433 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt 00434 * can be used in this case. 00435 */ 00436 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, 00437 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP ) 00438 { 00439 int ret; 00440 int is_priv; 00441 RSA_VALIDATE_RET( ctx != NULL ); 00442 00443 /* Check if key is private or public */ 00444 is_priv = 00445 mbedtls_mpi_cmp_int( &ctx->N , 0 ) != 0 && 00446 mbedtls_mpi_cmp_int( &ctx->P , 0 ) != 0 && 00447 mbedtls_mpi_cmp_int( &ctx->Q , 0 ) != 0 && 00448 mbedtls_mpi_cmp_int( &ctx->D , 0 ) != 0 && 00449 mbedtls_mpi_cmp_int( &ctx->E , 0 ) != 0; 00450 00451 if( !is_priv ) 00452 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00453 00454 #if !defined(MBEDTLS_RSA_NO_CRT) 00455 /* Export all requested blinding parameters. */ 00456 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) || 00457 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) || 00458 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) ) 00459 { 00460 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00461 } 00462 #else 00463 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P , &ctx->Q , &ctx->D , 00464 DP, DQ, QP ) ) != 0 ) 00465 { 00466 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); 00467 } 00468 #endif 00469 00470 return( 0 ); 00471 } 00472 00473 /* 00474 * Initialize an RSA context 00475 */ 00476 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 00477 int padding, 00478 int hash_id ) 00479 { 00480 RSA_VALIDATE( ctx != NULL ); 00481 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || 00482 padding == MBEDTLS_RSA_PKCS_V21 ); 00483 00484 memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); 00485 00486 mbedtls_rsa_set_padding( ctx, padding, hash_id ); 00487 00488 #if defined(MBEDTLS_THREADING_C) 00489 mbedtls_mutex_init( &ctx->mutex ); 00490 #endif 00491 } 00492 00493 /* 00494 * Set padding for an existing RSA context 00495 */ 00496 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, 00497 int hash_id ) 00498 { 00499 RSA_VALIDATE( ctx != NULL ); 00500 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || 00501 padding == MBEDTLS_RSA_PKCS_V21 ); 00502 00503 ctx->padding = padding; 00504 ctx->hash_id = hash_id; 00505 } 00506 00507 /* 00508 * Get length in bytes of RSA modulus 00509 */ 00510 00511 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx ) 00512 { 00513 return( ctx->len ); 00514 } 00515 00516 00517 #if defined(MBEDTLS_GENPRIME) 00518 00519 /* 00520 * Generate an RSA keypair 00521 * 00522 * This generation method follows the RSA key pair generation procedure of 00523 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072. 00524 */ 00525 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 00526 int (*f_rng)(void *, unsigned char *, size_t), 00527 void *p_rng, 00528 unsigned int nbits, int exponent ) 00529 { 00530 int ret; 00531 mbedtls_mpi H, G, L; 00532 int prime_quality = 0; 00533 RSA_VALIDATE_RET( ctx != NULL ); 00534 RSA_VALIDATE_RET( f_rng != NULL ); 00535 00536 if( nbits < 128 || exponent < 3 || nbits % 2 != 0 ) 00537 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00538 00539 /* 00540 * If the modulus is 1024 bit long or shorter, then the security strength of 00541 * the RSA algorithm is less than or equal to 80 bits and therefore an error 00542 * rate of 2^-80 is sufficient. 00543 */ 00544 if( nbits > 1024 ) 00545 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR; 00546 00547 mbedtls_mpi_init( &H ); 00548 mbedtls_mpi_init( &G ); 00549 mbedtls_mpi_init( &L ); 00550 00551 /* 00552 * find primes P and Q with Q < P so that: 00553 * 1. |P-Q| > 2^( nbits / 2 - 100 ) 00554 * 2. GCD( E, (P-1)*(Q-1) ) == 1 00555 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 ) 00556 */ 00557 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E , exponent ) ); 00558 00559 do 00560 { 00561 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P , nbits >> 1, 00562 prime_quality, f_rng, p_rng ) ); 00563 00564 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q , nbits >> 1, 00565 prime_quality, f_rng, p_rng ) ); 00566 00567 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */ 00568 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P , &ctx->Q ) ); 00569 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) ) 00570 continue; 00571 00572 /* not required by any standards, but some users rely on the fact that P > Q */ 00573 if( H.s < 0 ) 00574 mbedtls_mpi_swap( &ctx->P , &ctx->Q ); 00575 00576 /* Temporarily replace P,Q by P-1, Q-1 */ 00577 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P , &ctx->P , 1 ) ); 00578 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q , &ctx->Q , 1 ) ); 00579 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P , &ctx->Q ) ); 00580 00581 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */ 00582 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E , &H ) ); 00583 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) 00584 continue; 00585 00586 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */ 00587 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P , &ctx->Q ) ); 00588 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) ); 00589 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E , &L ) ); 00590 00591 if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a)) 00592 continue; 00593 00594 break; 00595 } 00596 while( 1 ); 00597 00598 /* Restore P,Q */ 00599 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P , &ctx->P , 1 ) ); 00600 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q , &ctx->Q , 1 ) ); 00601 00602 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N , &ctx->P , &ctx->Q ) ); 00603 00604 ctx->len = mbedtls_mpi_size( &ctx->N ); 00605 00606 #if !defined(MBEDTLS_RSA_NO_CRT) 00607 /* 00608 * DP = D mod (P - 1) 00609 * DQ = D mod (Q - 1) 00610 * QP = Q^-1 mod P 00611 */ 00612 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P , &ctx->Q , &ctx->D , 00613 &ctx->DP , &ctx->DQ , &ctx->QP ) ); 00614 #endif /* MBEDTLS_RSA_NO_CRT */ 00615 00616 /* Double-check */ 00617 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) ); 00618 00619 cleanup: 00620 00621 mbedtls_mpi_free( &H ); 00622 mbedtls_mpi_free( &G ); 00623 mbedtls_mpi_free( &L ); 00624 00625 if( ret != 0 ) 00626 { 00627 mbedtls_rsa_free( ctx ); 00628 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret ); 00629 } 00630 00631 return( 0 ); 00632 } 00633 00634 #endif /* MBEDTLS_GENPRIME */ 00635 00636 /* 00637 * Check a public RSA key 00638 */ 00639 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) 00640 { 00641 RSA_VALIDATE_RET( ctx != NULL ); 00642 00643 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 ) 00644 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00645 00646 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ) 00647 { 00648 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00649 } 00650 00651 if( mbedtls_mpi_get_bit( &ctx->E , 0 ) == 0 || 00652 mbedtls_mpi_bitlen( &ctx->E ) < 2 || 00653 mbedtls_mpi_cmp_mpi( &ctx->E , &ctx->N ) >= 0 ) 00654 { 00655 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00656 } 00657 00658 return( 0 ); 00659 } 00660 00661 /* 00662 * Check for the consistency of all fields in an RSA private key context 00663 */ 00664 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) 00665 { 00666 RSA_VALIDATE_RET( ctx != NULL ); 00667 00668 if( mbedtls_rsa_check_pubkey( ctx ) != 0 || 00669 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 ) 00670 { 00671 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00672 } 00673 00674 if( mbedtls_rsa_validate_params( &ctx->N , &ctx->P , &ctx->Q , 00675 &ctx->D , &ctx->E , NULL, NULL ) != 0 ) 00676 { 00677 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00678 } 00679 00680 #if !defined(MBEDTLS_RSA_NO_CRT) 00681 else if( mbedtls_rsa_validate_crt( &ctx->P , &ctx->Q , &ctx->D , 00682 &ctx->DP , &ctx->DQ , &ctx->QP ) != 0 ) 00683 { 00684 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00685 } 00686 #endif 00687 00688 return( 0 ); 00689 } 00690 00691 /* 00692 * Check if contexts holding a public and private key match 00693 */ 00694 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, 00695 const mbedtls_rsa_context *prv ) 00696 { 00697 RSA_VALIDATE_RET( pub != NULL ); 00698 RSA_VALIDATE_RET( prv != NULL ); 00699 00700 if( mbedtls_rsa_check_pubkey( pub ) != 0 || 00701 mbedtls_rsa_check_privkey( prv ) != 0 ) 00702 { 00703 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00704 } 00705 00706 if( mbedtls_mpi_cmp_mpi( &pub->N , &prv->N ) != 0 || 00707 mbedtls_mpi_cmp_mpi( &pub->E , &prv->E ) != 0 ) 00708 { 00709 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 00710 } 00711 00712 return( 0 ); 00713 } 00714 00715 /* 00716 * Do an RSA public key operation 00717 */ 00718 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 00719 const unsigned char *input, 00720 unsigned char *output ) 00721 { 00722 int ret; 00723 size_t olen; 00724 mbedtls_mpi T; 00725 RSA_VALIDATE_RET( ctx != NULL ); 00726 RSA_VALIDATE_RET( input != NULL ); 00727 RSA_VALIDATE_RET( output != NULL ); 00728 00729 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) ) 00730 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00731 00732 mbedtls_mpi_init( &T ); 00733 00734 #if defined(MBEDTLS_THREADING_C) 00735 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00736 return( ret ); 00737 #endif 00738 00739 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00740 00741 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00742 { 00743 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00744 goto cleanup; 00745 } 00746 00747 olen = ctx->len ; 00748 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E , &ctx->N , &ctx->RN ) ); 00749 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 00750 00751 cleanup: 00752 #if defined(MBEDTLS_THREADING_C) 00753 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 00754 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 00755 #endif 00756 00757 mbedtls_mpi_free( &T ); 00758 00759 if( ret != 0 ) 00760 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret ); 00761 00762 return( 0 ); 00763 } 00764 00765 /* 00766 * Generate or update blinding values, see section 10 of: 00767 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, 00768 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer 00769 * Berlin Heidelberg, 1996. p. 104-113. 00770 */ 00771 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, 00772 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 00773 { 00774 int ret, count = 0; 00775 00776 if( ctx->Vf .p != NULL ) 00777 { 00778 /* We already have blinding values, just update them by squaring */ 00779 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi , &ctx->Vi , &ctx->Vi ) ); 00780 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi , &ctx->Vi , &ctx->N ) ); 00781 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf , &ctx->Vf , &ctx->Vf ) ); 00782 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf , &ctx->Vf , &ctx->N ) ); 00783 00784 goto cleanup; 00785 } 00786 00787 /* Unblinding value: Vf = random number, invertible mod N */ 00788 do { 00789 if( count++ > 10 ) 00790 return( MBEDTLS_ERR_RSA_RNG_FAILED ); 00791 00792 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf , ctx->len - 1, f_rng, p_rng ) ); 00793 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00794 } while( mbedtls_mpi_cmp_int( &ctx->Vi , 1 ) != 0 ); 00795 00796 /* Blinding value: Vi = Vf^(-e) mod N */ 00797 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi , &ctx->Vf , &ctx->N ) ); 00798 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi , &ctx->Vi , &ctx->E , &ctx->N , &ctx->RN ) ); 00799 00800 00801 cleanup: 00802 return( ret ); 00803 } 00804 00805 /* 00806 * Exponent blinding supposed to prevent side-channel attacks using multiple 00807 * traces of measurements to recover the RSA key. The more collisions are there, 00808 * the more bits of the key can be recovered. See [3]. 00809 * 00810 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) 00811 * observations on avarage. 00812 * 00813 * For example with 28 byte blinding to achieve 2 collisions the adversary has 00814 * to make 2^112 observations on avarage. 00815 * 00816 * (With the currently (as of 2017 April) known best algorithms breaking 2048 00817 * bit RSA requires approximately as much time as trying out 2^112 random keys. 00818 * Thus in this sense with 28 byte blinding the security is not reduced by 00819 * side-channel attacks like the one in [3]) 00820 * 00821 * This countermeasure does not help if the key recovery is possible with a 00822 * single trace. 00823 */ 00824 #define RSA_EXPONENT_BLINDING 28 00825 00826 /* 00827 * Do an RSA private key operation 00828 */ 00829 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 00830 int (*f_rng)(void *, unsigned char *, size_t), 00831 void *p_rng, 00832 const unsigned char *input, 00833 unsigned char *output ) 00834 { 00835 int ret; 00836 size_t olen; 00837 00838 /* Temporary holding the result */ 00839 mbedtls_mpi T; 00840 00841 /* Temporaries holding P-1, Q-1 and the 00842 * exponent blinding factor, respectively. */ 00843 mbedtls_mpi P1, Q1, R; 00844 00845 #if !defined(MBEDTLS_RSA_NO_CRT) 00846 /* Temporaries holding the results mod p resp. mod q. */ 00847 mbedtls_mpi TP, TQ; 00848 00849 /* Temporaries holding the blinded exponents for 00850 * the mod p resp. mod q computation (if used). */ 00851 mbedtls_mpi DP_blind, DQ_blind; 00852 00853 /* Pointers to actual exponents to be used - either the unblinded 00854 * or the blinded ones, depending on the presence of a PRNG. */ 00855 mbedtls_mpi *DP = &ctx->DP ; 00856 mbedtls_mpi *DQ = &ctx->DQ ; 00857 #else 00858 /* Temporary holding the blinded exponent (if used). */ 00859 mbedtls_mpi D_blind; 00860 00861 /* Pointer to actual exponent to be used - either the unblinded 00862 * or the blinded one, depending on the presence of a PRNG. */ 00863 mbedtls_mpi *D = &ctx->D ; 00864 #endif /* MBEDTLS_RSA_NO_CRT */ 00865 00866 /* Temporaries holding the initial input and the double 00867 * checked result; should be the same in the end. */ 00868 mbedtls_mpi I, C; 00869 00870 RSA_VALIDATE_RET( ctx != NULL ); 00871 RSA_VALIDATE_RET( input != NULL ); 00872 RSA_VALIDATE_RET( output != NULL ); 00873 00874 if( rsa_check_context( ctx, 1 /* private key checks */, 00875 f_rng != NULL /* blinding y/n */ ) != 0 ) 00876 { 00877 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 00878 } 00879 00880 #if defined(MBEDTLS_THREADING_C) 00881 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) 00882 return( ret ); 00883 #endif 00884 00885 /* MPI Initialization */ 00886 mbedtls_mpi_init( &T ); 00887 00888 mbedtls_mpi_init( &P1 ); 00889 mbedtls_mpi_init( &Q1 ); 00890 mbedtls_mpi_init( &R ); 00891 00892 if( f_rng != NULL ) 00893 { 00894 #if defined(MBEDTLS_RSA_NO_CRT) 00895 mbedtls_mpi_init( &D_blind ); 00896 #else 00897 mbedtls_mpi_init( &DP_blind ); 00898 mbedtls_mpi_init( &DQ_blind ); 00899 #endif 00900 } 00901 00902 #if !defined(MBEDTLS_RSA_NO_CRT) 00903 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ ); 00904 #endif 00905 00906 mbedtls_mpi_init( &I ); 00907 mbedtls_mpi_init( &C ); 00908 00909 /* End of MPI initialization */ 00910 00911 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); 00912 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 00913 { 00914 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 00915 goto cleanup; 00916 } 00917 00918 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) ); 00919 00920 if( f_rng != NULL ) 00921 { 00922 /* 00923 * Blinding 00924 * T = T * Vi mod N 00925 */ 00926 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); 00927 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); 00928 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 00929 00930 /* 00931 * Exponent blinding 00932 */ 00933 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P , 1 ) ); 00934 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q , 1 ) ); 00935 00936 #if defined(MBEDTLS_RSA_NO_CRT) 00937 /* 00938 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D 00939 */ 00940 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 00941 f_rng, p_rng ) ); 00942 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) ); 00943 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) ); 00944 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); 00945 00946 D = &D_blind; 00947 #else 00948 /* 00949 * DP_blind = ( P - 1 ) * R + DP 00950 */ 00951 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 00952 f_rng, p_rng ) ); 00953 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) ); 00954 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind, 00955 &ctx->DP ) ); 00956 00957 DP = &DP_blind; 00958 00959 /* 00960 * DQ_blind = ( Q - 1 ) * R + DQ 00961 */ 00962 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, 00963 f_rng, p_rng ) ); 00964 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) ); 00965 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind, 00966 &ctx->DQ ) ); 00967 00968 DQ = &DQ_blind; 00969 #endif /* MBEDTLS_RSA_NO_CRT */ 00970 } 00971 00972 #if defined(MBEDTLS_RSA_NO_CRT) 00973 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N , &ctx->RN ) ); 00974 #else 00975 /* 00976 * Faster decryption using the CRT 00977 * 00978 * TP = input ^ dP mod P 00979 * TQ = input ^ dQ mod Q 00980 */ 00981 00982 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P , &ctx->RP ) ); 00983 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q , &ctx->RQ ) ); 00984 00985 /* 00986 * T = (TP - TQ) * (Q^-1 mod P) mod P 00987 */ 00988 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) ); 00989 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) ); 00990 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) ); 00991 00992 /* 00993 * T = TQ + T * Q 00994 */ 00995 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) ); 00996 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) ); 00997 #endif /* MBEDTLS_RSA_NO_CRT */ 00998 00999 if( f_rng != NULL ) 01000 { 01001 /* 01002 * Unblind 01003 * T = T * Vf mod N 01004 */ 01005 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); 01006 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); 01007 } 01008 01009 /* Verify the result to prevent glitching attacks. */ 01010 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E , 01011 &ctx->N , &ctx->RN ) ); 01012 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 ) 01013 { 01014 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 01015 goto cleanup; 01016 } 01017 01018 olen = ctx->len ; 01019 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); 01020 01021 cleanup: 01022 #if defined(MBEDTLS_THREADING_C) 01023 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) 01024 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 01025 #endif 01026 01027 mbedtls_mpi_free( &P1 ); 01028 mbedtls_mpi_free( &Q1 ); 01029 mbedtls_mpi_free( &R ); 01030 01031 if( f_rng != NULL ) 01032 { 01033 #if defined(MBEDTLS_RSA_NO_CRT) 01034 mbedtls_mpi_free( &D_blind ); 01035 #else 01036 mbedtls_mpi_free( &DP_blind ); 01037 mbedtls_mpi_free( &DQ_blind ); 01038 #endif 01039 } 01040 01041 mbedtls_mpi_free( &T ); 01042 01043 #if !defined(MBEDTLS_RSA_NO_CRT) 01044 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ ); 01045 #endif 01046 01047 mbedtls_mpi_free( &C ); 01048 mbedtls_mpi_free( &I ); 01049 01050 if( ret != 0 ) 01051 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); 01052 01053 return( 0 ); 01054 } 01055 01056 #if defined(MBEDTLS_PKCS1_V21) 01057 /** 01058 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. 01059 * 01060 * \param dst buffer to mask 01061 * \param dlen length of destination buffer 01062 * \param src source of the mask generation 01063 * \param slen length of the source buffer 01064 * \param md_ctx message digest context to use 01065 */ 01066 static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, 01067 size_t slen, mbedtls_md_context_t *md_ctx ) 01068 { 01069 unsigned char mask[MBEDTLS_MD_MAX_SIZE]; 01070 unsigned char counter[4]; 01071 unsigned char *p; 01072 unsigned int hlen; 01073 size_t i, use_len; 01074 int ret = 0; 01075 01076 memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); 01077 memset( counter, 0, 4 ); 01078 01079 hlen = mbedtls_md_get_size( md_ctx->md_info ); 01080 01081 /* Generate and apply dbMask */ 01082 p = dst; 01083 01084 while( dlen > 0 ) 01085 { 01086 use_len = hlen; 01087 if( dlen < hlen ) 01088 use_len = dlen; 01089 01090 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 ) 01091 goto exit; 01092 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 ) 01093 goto exit; 01094 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 ) 01095 goto exit; 01096 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 ) 01097 goto exit; 01098 01099 for( i = 0; i < use_len; ++i ) 01100 *p++ ^= mask[i]; 01101 01102 counter[3]++; 01103 01104 dlen -= use_len; 01105 } 01106 01107 exit: 01108 mbedtls_platform_zeroize( mask, sizeof( mask ) ); 01109 01110 return( ret ); 01111 } 01112 #endif /* MBEDTLS_PKCS1_V21 */ 01113 01114 #if defined(MBEDTLS_PKCS1_V21) 01115 /* 01116 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function 01117 */ 01118 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 01119 int (*f_rng)(void *, unsigned char *, size_t), 01120 void *p_rng, 01121 int mode, 01122 const unsigned char *label, size_t label_len, 01123 size_t ilen, 01124 const unsigned char *input, 01125 unsigned char *output ) 01126 { 01127 size_t olen; 01128 int ret; 01129 unsigned char *p = output; 01130 unsigned int hlen; 01131 const mbedtls_md_info_t *md_info; 01132 mbedtls_md_context_t md_ctx; 01133 01134 RSA_VALIDATE_RET( ctx != NULL ); 01135 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 01136 mode == MBEDTLS_RSA_PUBLIC ); 01137 RSA_VALIDATE_RET( output != NULL ); 01138 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 01139 RSA_VALIDATE_RET( label_len == 0 || label != NULL ); 01140 01141 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01142 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01143 01144 if( f_rng == NULL ) 01145 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01146 01147 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 01148 if( md_info == NULL ) 01149 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01150 01151 olen = ctx->len ; 01152 hlen = mbedtls_md_get_size( md_info ); 01153 01154 /* first comparison checks for overflow */ 01155 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) 01156 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01157 01158 memset( output, 0, olen ); 01159 01160 *p++ = 0; 01161 01162 /* Generate a random octet string seed */ 01163 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) 01164 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 01165 01166 p += hlen; 01167 01168 /* Construct DB */ 01169 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 ) 01170 return( ret ); 01171 p += hlen; 01172 p += olen - 2 * hlen - 2 - ilen; 01173 *p++ = 1; 01174 if( ilen != 0 ) 01175 memcpy( p, input, ilen ); 01176 01177 mbedtls_md_init( &md_ctx ); 01178 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01179 goto exit; 01180 01181 /* maskedDB: Apply dbMask to DB */ 01182 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, 01183 &md_ctx ) ) != 0 ) 01184 goto exit; 01185 01186 /* maskedSeed: Apply seedMask to seed */ 01187 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, 01188 &md_ctx ) ) != 0 ) 01189 goto exit; 01190 01191 exit: 01192 mbedtls_md_free( &md_ctx ); 01193 01194 if( ret != 0 ) 01195 return( ret ); 01196 01197 return( ( mode == MBEDTLS_RSA_PUBLIC ) 01198 ? mbedtls_rsa_public( ctx, output, output ) 01199 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 01200 } 01201 #endif /* MBEDTLS_PKCS1_V21 */ 01202 01203 #if defined(MBEDTLS_PKCS1_V15) 01204 /* 01205 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function 01206 */ 01207 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 01208 int (*f_rng)(void *, unsigned char *, size_t), 01209 void *p_rng, 01210 int mode, size_t ilen, 01211 const unsigned char *input, 01212 unsigned char *output ) 01213 { 01214 size_t nb_pad, olen; 01215 int ret; 01216 unsigned char *p = output; 01217 01218 RSA_VALIDATE_RET( ctx != NULL ); 01219 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 01220 mode == MBEDTLS_RSA_PUBLIC ); 01221 RSA_VALIDATE_RET( output != NULL ); 01222 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 01223 01224 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01225 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01226 01227 olen = ctx->len ; 01228 01229 /* first comparison checks for overflow */ 01230 if( ilen + 11 < ilen || olen < ilen + 11 ) 01231 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01232 01233 nb_pad = olen - 3 - ilen; 01234 01235 *p++ = 0; 01236 if( mode == MBEDTLS_RSA_PUBLIC ) 01237 { 01238 if( f_rng == NULL ) 01239 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01240 01241 *p++ = MBEDTLS_RSA_CRYPT; 01242 01243 while( nb_pad-- > 0 ) 01244 { 01245 int rng_dl = 100; 01246 01247 do { 01248 ret = f_rng( p_rng, p, 1 ); 01249 } while( *p == 0 && --rng_dl && ret == 0 ); 01250 01251 /* Check if RNG failed to generate data */ 01252 if( rng_dl == 0 || ret != 0 ) 01253 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 01254 01255 p++; 01256 } 01257 } 01258 else 01259 { 01260 *p++ = MBEDTLS_RSA_SIGN; 01261 01262 while( nb_pad-- > 0 ) 01263 *p++ = 0xFF; 01264 } 01265 01266 *p++ = 0; 01267 if( ilen != 0 ) 01268 memcpy( p, input, ilen ); 01269 01270 return( ( mode == MBEDTLS_RSA_PUBLIC ) 01271 ? mbedtls_rsa_public( ctx, output, output ) 01272 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); 01273 } 01274 #endif /* MBEDTLS_PKCS1_V15 */ 01275 01276 /* 01277 * Add the message padding, then do an RSA operation 01278 */ 01279 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 01280 int (*f_rng)(void *, unsigned char *, size_t), 01281 void *p_rng, 01282 int mode, size_t ilen, 01283 const unsigned char *input, 01284 unsigned char *output ) 01285 { 01286 RSA_VALIDATE_RET( ctx != NULL ); 01287 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 01288 mode == MBEDTLS_RSA_PUBLIC ); 01289 RSA_VALIDATE_RET( output != NULL ); 01290 RSA_VALIDATE_RET( ilen == 0 || input != NULL ); 01291 01292 switch( ctx->padding ) 01293 { 01294 #if defined(MBEDTLS_PKCS1_V15) 01295 case MBEDTLS_RSA_PKCS_V15: 01296 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, 01297 input, output ); 01298 #endif 01299 01300 #if defined(MBEDTLS_PKCS1_V21) 01301 case MBEDTLS_RSA_PKCS_V21: 01302 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, 01303 ilen, input, output ); 01304 #endif 01305 01306 default: 01307 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01308 } 01309 } 01310 01311 #if defined(MBEDTLS_PKCS1_V21) 01312 /* 01313 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function 01314 */ 01315 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 01316 int (*f_rng)(void *, unsigned char *, size_t), 01317 void *p_rng, 01318 int mode, 01319 const unsigned char *label, size_t label_len, 01320 size_t *olen, 01321 const unsigned char *input, 01322 unsigned char *output, 01323 size_t output_max_len ) 01324 { 01325 int ret; 01326 size_t ilen, i, pad_len; 01327 unsigned char *p, bad, pad_done; 01328 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01329 unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; 01330 unsigned int hlen; 01331 const mbedtls_md_info_t *md_info; 01332 mbedtls_md_context_t md_ctx; 01333 01334 RSA_VALIDATE_RET( ctx != NULL ); 01335 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 01336 mode == MBEDTLS_RSA_PUBLIC ); 01337 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 01338 RSA_VALIDATE_RET( label_len == 0 || label != NULL ); 01339 RSA_VALIDATE_RET( input != NULL ); 01340 RSA_VALIDATE_RET( olen != NULL ); 01341 01342 /* 01343 * Parameters sanity checks 01344 */ 01345 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01346 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01347 01348 ilen = ctx->len ; 01349 01350 if( ilen < 16 || ilen > sizeof( buf ) ) 01351 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01352 01353 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 01354 if( md_info == NULL ) 01355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01356 01357 hlen = mbedtls_md_get_size( md_info ); 01358 01359 // checking for integer underflow 01360 if( 2 * hlen + 2 > ilen ) 01361 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01362 01363 /* 01364 * RSA operation 01365 */ 01366 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01367 ? mbedtls_rsa_public( ctx, input, buf ) 01368 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 01369 01370 if( ret != 0 ) 01371 goto cleanup; 01372 01373 /* 01374 * Unmask data and generate lHash 01375 */ 01376 mbedtls_md_init( &md_ctx ); 01377 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01378 { 01379 mbedtls_md_free( &md_ctx ); 01380 goto cleanup; 01381 } 01382 01383 /* seed: Apply seedMask to maskedSeed */ 01384 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, 01385 &md_ctx ) ) != 0 || 01386 /* DB: Apply dbMask to maskedDB */ 01387 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, 01388 &md_ctx ) ) != 0 ) 01389 { 01390 mbedtls_md_free( &md_ctx ); 01391 goto cleanup; 01392 } 01393 01394 mbedtls_md_free( &md_ctx ); 01395 01396 /* Generate lHash */ 01397 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 ) 01398 goto cleanup; 01399 01400 /* 01401 * Check contents, in "constant-time" 01402 */ 01403 p = buf; 01404 bad = 0; 01405 01406 bad |= *p++; /* First byte must be 0 */ 01407 01408 p += hlen; /* Skip seed */ 01409 01410 /* Check lHash */ 01411 for( i = 0; i < hlen; i++ ) 01412 bad |= lhash[i] ^ *p++; 01413 01414 /* Get zero-padding len, but always read till end of buffer 01415 * (minus one, for the 01 byte) */ 01416 pad_len = 0; 01417 pad_done = 0; 01418 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) 01419 { 01420 pad_done |= p[i]; 01421 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 01422 } 01423 01424 p += pad_len; 01425 bad |= *p++ ^ 0x01; 01426 01427 /* 01428 * The only information "leaked" is whether the padding was correct or not 01429 * (eg, no data is copied if it was not correct). This meets the 01430 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between 01431 * the different error conditions. 01432 */ 01433 if( bad != 0 ) 01434 { 01435 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 01436 goto cleanup; 01437 } 01438 01439 if( ilen - ( p - buf ) > output_max_len ) 01440 { 01441 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; 01442 goto cleanup; 01443 } 01444 01445 *olen = ilen - (p - buf); 01446 if( *olen != 0 ) 01447 memcpy( output, p, *olen ); 01448 ret = 0; 01449 01450 cleanup: 01451 mbedtls_platform_zeroize( buf, sizeof( buf ) ); 01452 mbedtls_platform_zeroize( lhash, sizeof( lhash ) ); 01453 01454 return( ret ); 01455 } 01456 #endif /* MBEDTLS_PKCS1_V21 */ 01457 01458 #if defined(MBEDTLS_PKCS1_V15) 01459 /** Turn zero-or-nonzero into zero-or-all-bits-one, without branches. 01460 * 01461 * \param value The value to analyze. 01462 * \return Zero if \p value is zero, otherwise all-bits-one. 01463 */ 01464 static unsigned all_or_nothing_int( unsigned value ) 01465 { 01466 /* MSVC has a warning about unary minus on unsigned, but this is 01467 * well-defined and precisely what we want to do here */ 01468 #if defined(_MSC_VER) 01469 #pragma warning( push ) 01470 #pragma warning( disable : 4146 ) 01471 #endif 01472 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); 01473 #if defined(_MSC_VER) 01474 #pragma warning( pop ) 01475 #endif 01476 } 01477 01478 /** Check whether a size is out of bounds, without branches. 01479 * 01480 * This is equivalent to `size > max`, but is likely to be compiled to 01481 * to code using bitwise operation rather than a branch. 01482 * 01483 * \param size Size to check. 01484 * \param max Maximum desired value for \p size. 01485 * \return \c 0 if `size <= max`. 01486 * \return \c 1 if `size > max`. 01487 */ 01488 static unsigned size_greater_than( size_t size, size_t max ) 01489 { 01490 /* Return the sign bit (1 for negative) of (max - size). */ 01491 return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) ); 01492 } 01493 01494 /** Choose between two integer values, without branches. 01495 * 01496 * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled 01497 * to code using bitwise operation rather than a branch. 01498 * 01499 * \param cond Condition to test. 01500 * \param if1 Value to use if \p cond is nonzero. 01501 * \param if0 Value to use if \p cond is zero. 01502 * \return \c if1 if \p cond is nonzero, otherwise \c if0. 01503 */ 01504 static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 ) 01505 { 01506 unsigned mask = all_or_nothing_int( cond ); 01507 return( ( mask & if1 ) | (~mask & if0 ) ); 01508 } 01509 01510 /** Shift some data towards the left inside a buffer without leaking 01511 * the length of the data through side channels. 01512 * 01513 * `mem_move_to_left(start, total, offset)` is functionally equivalent to 01514 * ``` 01515 * memmove(start, start + offset, total - offset); 01516 * memset(start + offset, 0, total - offset); 01517 * ``` 01518 * but it strives to use a memory access pattern (and thus total timing) 01519 * that does not depend on \p offset. This timing independence comes at 01520 * the expense of performance. 01521 * 01522 * \param start Pointer to the start of the buffer. 01523 * \param total Total size of the buffer. 01524 * \param offset Offset from which to copy \p total - \p offset bytes. 01525 */ 01526 static void mem_move_to_left( void *start, 01527 size_t total, 01528 size_t offset ) 01529 { 01530 volatile unsigned char *buf = start; 01531 size_t i, n; 01532 if( total == 0 ) 01533 return; 01534 for( i = 0; i < total; i++ ) 01535 { 01536 unsigned no_op = size_greater_than( total - offset, i ); 01537 /* The first `total - offset` passes are a no-op. The last 01538 * `offset` passes shift the data one byte to the left and 01539 * zero out the last byte. */ 01540 for( n = 0; n < total - 1; n++ ) 01541 { 01542 unsigned char current = buf[n]; 01543 unsigned char next = buf[n+1]; 01544 buf[n] = if_int( no_op, current, next ); 01545 } 01546 buf[total-1] = if_int( no_op, buf[total-1], 0 ); 01547 } 01548 } 01549 01550 /* 01551 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function 01552 */ 01553 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 01554 int (*f_rng)(void *, unsigned char *, size_t), 01555 void *p_rng, 01556 int mode, size_t *olen, 01557 const unsigned char *input, 01558 unsigned char *output, 01559 size_t output_max_len ) 01560 { 01561 int ret; 01562 size_t ilen, i, plaintext_max_size; 01563 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 01564 /* The following variables take sensitive values: their value must 01565 * not leak into the observable behavior of the function other than 01566 * the designated outputs (output, olen, return value). Otherwise 01567 * this would open the execution of the function to 01568 * side-channel-based variants of the Bleichenbacher padding oracle 01569 * attack. Potential side channels include overall timing, memory 01570 * access patterns (especially visible to an adversary who has access 01571 * to a shared memory cache), and branches (especially visible to 01572 * an adversary who has access to a shared code cache or to a shared 01573 * branch predictor). */ 01574 size_t pad_count = 0; 01575 unsigned bad = 0; 01576 unsigned char pad_done = 0; 01577 size_t plaintext_size = 0; 01578 unsigned output_too_large; 01579 01580 RSA_VALIDATE_RET( ctx != NULL ); 01581 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 01582 mode == MBEDTLS_RSA_PUBLIC ); 01583 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 01584 RSA_VALIDATE_RET( input != NULL ); 01585 RSA_VALIDATE_RET( olen != NULL ); 01586 01587 ilen = ctx->len ; 01588 plaintext_max_size = ( output_max_len > ilen - 11 ? 01589 ilen - 11 : 01590 output_max_len ); 01591 01592 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 01593 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01594 01595 if( ilen < 16 || ilen > sizeof( buf ) ) 01596 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01597 01598 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 01599 ? mbedtls_rsa_public( ctx, input, buf ) 01600 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); 01601 01602 if( ret != 0 ) 01603 goto cleanup; 01604 01605 /* Check and get padding length in constant time and constant 01606 * memory trace. The first byte must be 0. */ 01607 bad |= buf[0]; 01608 01609 if( mode == MBEDTLS_RSA_PRIVATE ) 01610 { 01611 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 01612 * where PS must be at least 8 nonzero bytes. */ 01613 bad |= buf[1] ^ MBEDTLS_RSA_CRYPT; 01614 01615 /* Read the whole buffer. Set pad_done to nonzero if we find 01616 * the 0x00 byte and remember the padding length in pad_count. */ 01617 for( i = 2; i < ilen; i++ ) 01618 { 01619 pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1; 01620 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 01621 } 01622 } 01623 else 01624 { 01625 /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00 01626 * where PS must be at least 8 bytes with the value 0xFF. */ 01627 bad |= buf[1] ^ MBEDTLS_RSA_SIGN; 01628 01629 /* Read the whole buffer. Set pad_done to nonzero if we find 01630 * the 0x00 byte and remember the padding length in pad_count. 01631 * If there's a non-0xff byte in the padding, the padding is bad. */ 01632 for( i = 2; i < ilen; i++ ) 01633 { 01634 pad_done |= if_int( buf[i], 0, 1 ); 01635 pad_count += if_int( pad_done, 0, 1 ); 01636 bad |= if_int( pad_done, 0, buf[i] ^ 0xFF ); 01637 } 01638 } 01639 01640 /* If pad_done is still zero, there's no data, only unfinished padding. */ 01641 bad |= if_int( pad_done, 0, 1 ); 01642 01643 /* There must be at least 8 bytes of padding. */ 01644 bad |= size_greater_than( 8, pad_count ); 01645 01646 /* If the padding is valid, set plaintext_size to the number of 01647 * remaining bytes after stripping the padding. If the padding 01648 * is invalid, avoid leaking this fact through the size of the 01649 * output: use the maximum message size that fits in the output 01650 * buffer. Do it without branches to avoid leaking the padding 01651 * validity through timing. RSA keys are small enough that all the 01652 * size_t values involved fit in unsigned int. */ 01653 plaintext_size = if_int( bad, 01654 (unsigned) plaintext_max_size, 01655 (unsigned) ( ilen - pad_count - 3 ) ); 01656 01657 /* Set output_too_large to 0 if the plaintext fits in the output 01658 * buffer and to 1 otherwise. */ 01659 output_too_large = size_greater_than( plaintext_size, 01660 plaintext_max_size ); 01661 01662 /* Set ret without branches to avoid timing attacks. Return: 01663 * - INVALID_PADDING if the padding is bad (bad != 0). 01664 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted 01665 * plaintext does not fit in the output buffer. 01666 * - 0 if the padding is correct. */ 01667 ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, 01668 if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, 01669 0 ) ); 01670 01671 /* If the padding is bad or the plaintext is too large, zero the 01672 * data that we're about to copy to the output buffer. 01673 * We need to copy the same amount of data 01674 * from the same buffer whether the padding is good or not to 01675 * avoid leaking the padding validity through overall timing or 01676 * through memory or cache access patterns. */ 01677 bad = all_or_nothing_int( bad | output_too_large ); 01678 for( i = 11; i < ilen; i++ ) 01679 buf[i] &= ~bad; 01680 01681 /* If the plaintext is too large, truncate it to the buffer size. 01682 * Copy anyway to avoid revealing the length through timing, because 01683 * revealing the length is as bad as revealing the padding validity 01684 * for a Bleichenbacher attack. */ 01685 plaintext_size = if_int( output_too_large, 01686 (unsigned) plaintext_max_size, 01687 (unsigned) plaintext_size ); 01688 01689 /* Move the plaintext to the leftmost position where it can start in 01690 * the working buffer, i.e. make it start plaintext_max_size from 01691 * the end of the buffer. Do this with a memory access trace that 01692 * does not depend on the plaintext size. After this move, the 01693 * starting location of the plaintext is no longer sensitive 01694 * information. */ 01695 mem_move_to_left( buf + ilen - plaintext_max_size, 01696 plaintext_max_size, 01697 plaintext_max_size - plaintext_size ); 01698 01699 /* Finally copy the decrypted plaintext plus trailing zeros into the output 01700 * buffer. If output_max_len is 0, then output may be an invalid pointer 01701 * and the result of memcpy() would be undefined; prevent undefined 01702 * behavior making sure to depend only on output_max_len (the size of the 01703 * user-provided output buffer), which is independent from plaintext 01704 * length, validity of padding, success of the decryption, and other 01705 * secrets. */ 01706 if( output_max_len != 0 ) 01707 memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size ); 01708 01709 /* Report the amount of data we copied to the output buffer. In case 01710 * of errors (bad padding or output too large), the value of *olen 01711 * when this function returns is not specified. Making it equivalent 01712 * to the good case limits the risks of leaking the padding validity. */ 01713 *olen = plaintext_size; 01714 01715 cleanup: 01716 mbedtls_platform_zeroize( buf, sizeof( buf ) ); 01717 01718 return( ret ); 01719 } 01720 #endif /* MBEDTLS_PKCS1_V15 */ 01721 01722 /* 01723 * Do an RSA operation, then remove the message padding 01724 */ 01725 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 01726 int (*f_rng)(void *, unsigned char *, size_t), 01727 void *p_rng, 01728 int mode, size_t *olen, 01729 const unsigned char *input, 01730 unsigned char *output, 01731 size_t output_max_len) 01732 { 01733 RSA_VALIDATE_RET( ctx != NULL ); 01734 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 01735 mode == MBEDTLS_RSA_PUBLIC ); 01736 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); 01737 RSA_VALIDATE_RET( input != NULL ); 01738 RSA_VALIDATE_RET( olen != NULL ); 01739 01740 switch( ctx->padding ) 01741 { 01742 #if defined(MBEDTLS_PKCS1_V15) 01743 case MBEDTLS_RSA_PKCS_V15: 01744 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, 01745 input, output, output_max_len ); 01746 #endif 01747 01748 #if defined(MBEDTLS_PKCS1_V21) 01749 case MBEDTLS_RSA_PKCS_V21: 01750 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, 01751 olen, input, output, 01752 output_max_len ); 01753 #endif 01754 01755 default: 01756 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 01757 } 01758 } 01759 01760 #if defined(MBEDTLS_PKCS1_V21) 01761 /* 01762 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function 01763 */ 01764 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 01765 int (*f_rng)(void *, unsigned char *, size_t), 01766 void *p_rng, 01767 int mode, 01768 mbedtls_md_type_t md_alg, 01769 unsigned int hashlen, 01770 const unsigned char *hash, 01771 unsigned char *sig ) 01772 { 01773 size_t olen; 01774 unsigned char *p = sig; 01775 unsigned char salt[MBEDTLS_MD_MAX_SIZE]; 01776 size_t slen, min_slen, hlen, offset = 0; 01777 int ret; 01778 size_t msb; 01779 const mbedtls_md_info_t *md_info; 01780 mbedtls_md_context_t md_ctx; 01781 RSA_VALIDATE_RET( ctx != NULL ); 01782 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 01783 mode == MBEDTLS_RSA_PUBLIC ); 01784 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 01785 hashlen == 0 ) || 01786 hash != NULL ); 01787 RSA_VALIDATE_RET( sig != NULL ); 01788 01789 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 01790 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01791 01792 if( f_rng == NULL ) 01793 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01794 01795 olen = ctx->len ; 01796 01797 if( md_alg != MBEDTLS_MD_NONE ) 01798 { 01799 /* Gather length of hash to sign */ 01800 md_info = mbedtls_md_info_from_type( md_alg ); 01801 if( md_info == NULL ) 01802 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01803 01804 hashlen = mbedtls_md_get_size( md_info ); 01805 } 01806 01807 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); 01808 if( md_info == NULL ) 01809 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01810 01811 hlen = mbedtls_md_get_size( md_info ); 01812 01813 /* Calculate the largest possible salt length. Normally this is the hash 01814 * length, which is the maximum length the salt can have. If there is not 01815 * enough room, use the maximum salt length that fits. The constraint is 01816 * that the hash length plus the salt length plus 2 bytes must be at most 01817 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017 01818 * (PKCS#1 v2.2) §9.1.1 step 3. */ 01819 min_slen = hlen - 2; 01820 if( olen < hlen + min_slen + 2 ) 01821 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01822 else if( olen >= hlen + hlen + 2 ) 01823 slen = hlen; 01824 else 01825 slen = olen - hlen - 2; 01826 01827 memset( sig, 0, olen ); 01828 01829 /* Generate salt of length slen */ 01830 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) 01831 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); 01832 01833 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ 01834 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01835 p += olen - hlen - slen - 2; 01836 *p++ = 0x01; 01837 memcpy( p, salt, slen ); 01838 p += slen; 01839 01840 mbedtls_md_init( &md_ctx ); 01841 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 01842 goto exit; 01843 01844 /* Generate H = Hash( M' ) */ 01845 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) 01846 goto exit; 01847 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 ) 01848 goto exit; 01849 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) 01850 goto exit; 01851 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) 01852 goto exit; 01853 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 ) 01854 goto exit; 01855 01856 /* Compensate for boundary condition when applying mask */ 01857 if( msb % 8 == 0 ) 01858 offset = 1; 01859 01860 /* maskedDB: Apply dbMask to DB */ 01861 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, 01862 &md_ctx ) ) != 0 ) 01863 goto exit; 01864 01865 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 01866 sig[0] &= 0xFF >> ( olen * 8 - msb ); 01867 01868 p += hlen; 01869 *p++ = 0xBC; 01870 01871 mbedtls_platform_zeroize( salt, sizeof( salt ) ); 01872 01873 exit: 01874 mbedtls_md_free( &md_ctx ); 01875 01876 if( ret != 0 ) 01877 return( ret ); 01878 01879 return( ( mode == MBEDTLS_RSA_PUBLIC ) 01880 ? mbedtls_rsa_public( ctx, sig, sig ) 01881 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 01882 } 01883 #endif /* MBEDTLS_PKCS1_V21 */ 01884 01885 #if defined(MBEDTLS_PKCS1_V15) 01886 /* 01887 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function 01888 */ 01889 01890 /* Construct a PKCS v1.5 encoding of a hashed message 01891 * 01892 * This is used both for signature generation and verification. 01893 * 01894 * Parameters: 01895 * - md_alg: Identifies the hash algorithm used to generate the given hash; 01896 * MBEDTLS_MD_NONE if raw data is signed. 01897 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE. 01898 * - hash: Buffer containing the hashed message or the raw data. 01899 * - dst_len: Length of the encoded message. 01900 * - dst: Buffer to hold the encoded message. 01901 * 01902 * Assumptions: 01903 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE. 01904 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE. 01905 * - dst points to a buffer of size at least dst_len. 01906 * 01907 */ 01908 static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, 01909 unsigned int hashlen, 01910 const unsigned char *hash, 01911 size_t dst_len, 01912 unsigned char *dst ) 01913 { 01914 size_t oid_size = 0; 01915 size_t nb_pad = dst_len; 01916 unsigned char *p = dst; 01917 const char *oid = NULL; 01918 01919 /* Are we signing hashed or raw data? */ 01920 if( md_alg != MBEDTLS_MD_NONE ) 01921 { 01922 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 01923 if( md_info == NULL ) 01924 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01925 01926 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) 01927 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01928 01929 hashlen = mbedtls_md_get_size( md_info ); 01930 01931 /* Double-check that 8 + hashlen + oid_size can be used as a 01932 * 1-byte ASN.1 length encoding and that there's no overflow. */ 01933 if( 8 + hashlen + oid_size >= 0x80 || 01934 10 + hashlen < hashlen || 01935 10 + hashlen + oid_size < 10 + hashlen ) 01936 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01937 01938 /* 01939 * Static bounds check: 01940 * - Need 10 bytes for five tag-length pairs. 01941 * (Insist on 1-byte length encodings to protect against variants of 01942 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification) 01943 * - Need hashlen bytes for hash 01944 * - Need oid_size bytes for hash alg OID. 01945 */ 01946 if( nb_pad < 10 + hashlen + oid_size ) 01947 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01948 nb_pad -= 10 + hashlen + oid_size; 01949 } 01950 else 01951 { 01952 if( nb_pad < hashlen ) 01953 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01954 01955 nb_pad -= hashlen; 01956 } 01957 01958 /* Need space for signature header and padding delimiter (3 bytes), 01959 * and 8 bytes for the minimal padding */ 01960 if( nb_pad < 3 + 8 ) 01961 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 01962 nb_pad -= 3; 01963 01964 /* Now nb_pad is the amount of memory to be filled 01965 * with padding, and at least 8 bytes long. */ 01966 01967 /* Write signature header and padding */ 01968 *p++ = 0; 01969 *p++ = MBEDTLS_RSA_SIGN; 01970 memset( p, 0xFF, nb_pad ); 01971 p += nb_pad; 01972 *p++ = 0; 01973 01974 /* Are we signing raw data? */ 01975 if( md_alg == MBEDTLS_MD_NONE ) 01976 { 01977 memcpy( p, hash, hashlen ); 01978 return( 0 ); 01979 } 01980 01981 /* Signing hashed data, add corresponding ASN.1 structure 01982 * 01983 * DigestInfo ::= SEQUENCE { 01984 * digestAlgorithm DigestAlgorithmIdentifier, 01985 * digest Digest } 01986 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier 01987 * Digest ::= OCTET STRING 01988 * 01989 * Schematic: 01990 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] 01991 * TAG-NULL + LEN [ NULL ] ] 01992 * TAG-OCTET + LEN [ HASH ] ] 01993 */ 01994 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01995 *p++ = (unsigned char)( 0x08 + oid_size + hashlen ); 01996 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; 01997 *p++ = (unsigned char)( 0x04 + oid_size ); 01998 *p++ = MBEDTLS_ASN1_OID; 01999 *p++ = (unsigned char) oid_size; 02000 memcpy( p, oid, oid_size ); 02001 p += oid_size; 02002 *p++ = MBEDTLS_ASN1_NULL; 02003 *p++ = 0x00; 02004 *p++ = MBEDTLS_ASN1_OCTET_STRING; 02005 *p++ = (unsigned char) hashlen; 02006 memcpy( p, hash, hashlen ); 02007 p += hashlen; 02008 02009 /* Just a sanity-check, should be automatic 02010 * after the initial bounds check. */ 02011 if( p != dst + dst_len ) 02012 { 02013 mbedtls_platform_zeroize( dst, dst_len ); 02014 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02015 } 02016 02017 return( 0 ); 02018 } 02019 02020 /* 02021 * Do an RSA operation to sign the message digest 02022 */ 02023 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 02024 int (*f_rng)(void *, unsigned char *, size_t), 02025 void *p_rng, 02026 int mode, 02027 mbedtls_md_type_t md_alg, 02028 unsigned int hashlen, 02029 const unsigned char *hash, 02030 unsigned char *sig ) 02031 { 02032 int ret; 02033 unsigned char *sig_try = NULL, *verif = NULL; 02034 02035 RSA_VALIDATE_RET( ctx != NULL ); 02036 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 02037 mode == MBEDTLS_RSA_PUBLIC ); 02038 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 02039 hashlen == 0 ) || 02040 hash != NULL ); 02041 RSA_VALIDATE_RET( sig != NULL ); 02042 02043 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 02044 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02045 02046 /* 02047 * Prepare PKCS1-v1.5 encoding (padding and hash identifier) 02048 */ 02049 02050 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, 02051 ctx->len , sig ) ) != 0 ) 02052 return( ret ); 02053 02054 /* 02055 * Call respective RSA primitive 02056 */ 02057 02058 if( mode == MBEDTLS_RSA_PUBLIC ) 02059 { 02060 /* Skip verification on a public key operation */ 02061 return( mbedtls_rsa_public( ctx, sig, sig ) ); 02062 } 02063 02064 /* Private key operation 02065 * 02066 * In order to prevent Lenstra's attack, make the signature in a 02067 * temporary buffer and check it before returning it. 02068 */ 02069 02070 sig_try = mbedtls_calloc( 1, ctx->len ); 02071 if( sig_try == NULL ) 02072 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 02073 02074 verif = mbedtls_calloc( 1, ctx->len ); 02075 if( verif == NULL ) 02076 { 02077 mbedtls_free( sig_try ); 02078 return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); 02079 } 02080 02081 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); 02082 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); 02083 02084 if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 ) 02085 { 02086 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; 02087 goto cleanup; 02088 } 02089 02090 memcpy( sig, sig_try, ctx->len ); 02091 02092 cleanup: 02093 mbedtls_free( sig_try ); 02094 mbedtls_free( verif ); 02095 02096 return( ret ); 02097 } 02098 #endif /* MBEDTLS_PKCS1_V15 */ 02099 02100 /* 02101 * Do an RSA operation to sign the message digest 02102 */ 02103 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 02104 int (*f_rng)(void *, unsigned char *, size_t), 02105 void *p_rng, 02106 int mode, 02107 mbedtls_md_type_t md_alg, 02108 unsigned int hashlen, 02109 const unsigned char *hash, 02110 unsigned char *sig ) 02111 { 02112 RSA_VALIDATE_RET( ctx != NULL ); 02113 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 02114 mode == MBEDTLS_RSA_PUBLIC ); 02115 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 02116 hashlen == 0 ) || 02117 hash != NULL ); 02118 RSA_VALIDATE_RET( sig != NULL ); 02119 02120 switch( ctx->padding ) 02121 { 02122 #if defined(MBEDTLS_PKCS1_V15) 02123 case MBEDTLS_RSA_PKCS_V15: 02124 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, 02125 hashlen, hash, sig ); 02126 #endif 02127 02128 #if defined(MBEDTLS_PKCS1_V21) 02129 case MBEDTLS_RSA_PKCS_V21: 02130 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, 02131 hashlen, hash, sig ); 02132 #endif 02133 02134 default: 02135 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 02136 } 02137 } 02138 02139 #if defined(MBEDTLS_PKCS1_V21) 02140 /* 02141 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function 02142 */ 02143 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 02144 int (*f_rng)(void *, unsigned char *, size_t), 02145 void *p_rng, 02146 int mode, 02147 mbedtls_md_type_t md_alg, 02148 unsigned int hashlen, 02149 const unsigned char *hash, 02150 mbedtls_md_type_t mgf1_hash_id, 02151 int expected_salt_len, 02152 const unsigned char *sig ) 02153 { 02154 int ret; 02155 size_t siglen; 02156 unsigned char *p; 02157 unsigned char *hash_start; 02158 unsigned char result[MBEDTLS_MD_MAX_SIZE]; 02159 unsigned char zeros[8]; 02160 unsigned int hlen; 02161 size_t observed_salt_len, msb; 02162 const mbedtls_md_info_t *md_info; 02163 mbedtls_md_context_t md_ctx; 02164 unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; 02165 02166 RSA_VALIDATE_RET( ctx != NULL ); 02167 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 02168 mode == MBEDTLS_RSA_PUBLIC ); 02169 RSA_VALIDATE_RET( sig != NULL ); 02170 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 02171 hashlen == 0 ) || 02172 hash != NULL ); 02173 02174 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) 02175 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02176 02177 siglen = ctx->len ; 02178 02179 if( siglen < 16 || siglen > sizeof( buf ) ) 02180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02181 02182 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 02183 ? mbedtls_rsa_public( ctx, sig, buf ) 02184 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); 02185 02186 if( ret != 0 ) 02187 return( ret ); 02188 02189 p = buf; 02190 02191 if( buf[siglen - 1] != 0xBC ) 02192 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 02193 02194 if( md_alg != MBEDTLS_MD_NONE ) 02195 { 02196 /* Gather length of hash to sign */ 02197 md_info = mbedtls_md_info_from_type( md_alg ); 02198 if( md_info == NULL ) 02199 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02200 02201 hashlen = mbedtls_md_get_size( md_info ); 02202 } 02203 02204 md_info = mbedtls_md_info_from_type( mgf1_hash_id ); 02205 if( md_info == NULL ) 02206 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02207 02208 hlen = mbedtls_md_get_size( md_info ); 02209 02210 memset( zeros, 0, 8 ); 02211 02212 /* 02213 * Note: EMSA-PSS verification is over the length of N - 1 bits 02214 */ 02215 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; 02216 02217 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) 02218 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02219 02220 /* Compensate for boundary condition when applying mask */ 02221 if( msb % 8 == 0 ) 02222 { 02223 p++; 02224 siglen -= 1; 02225 } 02226 02227 if( siglen < hlen + 2 ) 02228 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02229 hash_start = p + siglen - hlen - 1; 02230 02231 mbedtls_md_init( &md_ctx ); 02232 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) 02233 goto exit; 02234 02235 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); 02236 if( ret != 0 ) 02237 goto exit; 02238 02239 buf[0] &= 0xFF >> ( siglen * 8 - msb ); 02240 02241 while( p < hash_start - 1 && *p == 0 ) 02242 p++; 02243 02244 if( *p++ != 0x01 ) 02245 { 02246 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 02247 goto exit; 02248 } 02249 02250 observed_salt_len = hash_start - p; 02251 02252 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && 02253 observed_salt_len != (size_t) expected_salt_len ) 02254 { 02255 ret = MBEDTLS_ERR_RSA_INVALID_PADDING; 02256 goto exit; 02257 } 02258 02259 /* 02260 * Generate H = Hash( M' ) 02261 */ 02262 ret = mbedtls_md_starts( &md_ctx ); 02263 if ( ret != 0 ) 02264 goto exit; 02265 ret = mbedtls_md_update( &md_ctx, zeros, 8 ); 02266 if ( ret != 0 ) 02267 goto exit; 02268 ret = mbedtls_md_update( &md_ctx, hash, hashlen ); 02269 if ( ret != 0 ) 02270 goto exit; 02271 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len ); 02272 if ( ret != 0 ) 02273 goto exit; 02274 ret = mbedtls_md_finish( &md_ctx, result ); 02275 if ( ret != 0 ) 02276 goto exit; 02277 02278 if( memcmp( hash_start, result, hlen ) != 0 ) 02279 { 02280 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 02281 goto exit; 02282 } 02283 02284 exit: 02285 mbedtls_md_free( &md_ctx ); 02286 02287 return( ret ); 02288 } 02289 02290 /* 02291 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function 02292 */ 02293 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 02294 int (*f_rng)(void *, unsigned char *, size_t), 02295 void *p_rng, 02296 int mode, 02297 mbedtls_md_type_t md_alg, 02298 unsigned int hashlen, 02299 const unsigned char *hash, 02300 const unsigned char *sig ) 02301 { 02302 mbedtls_md_type_t mgf1_hash_id; 02303 RSA_VALIDATE_RET( ctx != NULL ); 02304 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 02305 mode == MBEDTLS_RSA_PUBLIC ); 02306 RSA_VALIDATE_RET( sig != NULL ); 02307 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 02308 hashlen == 0 ) || 02309 hash != NULL ); 02310 02311 mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) 02312 ? (mbedtls_md_type_t) ctx->hash_id 02313 : md_alg; 02314 02315 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, 02316 md_alg, hashlen, hash, 02317 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, 02318 sig ) ); 02319 02320 } 02321 #endif /* MBEDTLS_PKCS1_V21 */ 02322 02323 #if defined(MBEDTLS_PKCS1_V15) 02324 /* 02325 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function 02326 */ 02327 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 02328 int (*f_rng)(void *, unsigned char *, size_t), 02329 void *p_rng, 02330 int mode, 02331 mbedtls_md_type_t md_alg, 02332 unsigned int hashlen, 02333 const unsigned char *hash, 02334 const unsigned char *sig ) 02335 { 02336 int ret = 0; 02337 size_t sig_len; 02338 unsigned char *encoded = NULL, *encoded_expected = NULL; 02339 02340 RSA_VALIDATE_RET( ctx != NULL ); 02341 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 02342 mode == MBEDTLS_RSA_PUBLIC ); 02343 RSA_VALIDATE_RET( sig != NULL ); 02344 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 02345 hashlen == 0 ) || 02346 hash != NULL ); 02347 02348 sig_len = ctx->len ; 02349 02350 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) 02351 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 02352 02353 /* 02354 * Prepare expected PKCS1 v1.5 encoding of hash. 02355 */ 02356 02357 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL || 02358 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL ) 02359 { 02360 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; 02361 goto cleanup; 02362 } 02363 02364 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len, 02365 encoded_expected ) ) != 0 ) 02366 goto cleanup; 02367 02368 /* 02369 * Apply RSA primitive to get what should be PKCS1 encoded hash. 02370 */ 02371 02372 ret = ( mode == MBEDTLS_RSA_PUBLIC ) 02373 ? mbedtls_rsa_public( ctx, sig, encoded ) 02374 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded ); 02375 if( ret != 0 ) 02376 goto cleanup; 02377 02378 /* 02379 * Compare 02380 */ 02381 02382 if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected, 02383 sig_len ) ) != 0 ) 02384 { 02385 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; 02386 goto cleanup; 02387 } 02388 02389 cleanup: 02390 02391 if( encoded != NULL ) 02392 { 02393 mbedtls_platform_zeroize( encoded, sig_len ); 02394 mbedtls_free( encoded ); 02395 } 02396 02397 if( encoded_expected != NULL ) 02398 { 02399 mbedtls_platform_zeroize( encoded_expected, sig_len ); 02400 mbedtls_free( encoded_expected ); 02401 } 02402 02403 return( ret ); 02404 } 02405 #endif /* MBEDTLS_PKCS1_V15 */ 02406 02407 /* 02408 * Do an RSA operation and check the message digest 02409 */ 02410 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 02411 int (*f_rng)(void *, unsigned char *, size_t), 02412 void *p_rng, 02413 int mode, 02414 mbedtls_md_type_t md_alg, 02415 unsigned int hashlen, 02416 const unsigned char *hash, 02417 const unsigned char *sig ) 02418 { 02419 RSA_VALIDATE_RET( ctx != NULL ); 02420 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || 02421 mode == MBEDTLS_RSA_PUBLIC ); 02422 RSA_VALIDATE_RET( sig != NULL ); 02423 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && 02424 hashlen == 0 ) || 02425 hash != NULL ); 02426 02427 switch( ctx->padding ) 02428 { 02429 #if defined(MBEDTLS_PKCS1_V15) 02430 case MBEDTLS_RSA_PKCS_V15: 02431 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, 02432 hashlen, hash, sig ); 02433 #endif 02434 02435 #if defined(MBEDTLS_PKCS1_V21) 02436 case MBEDTLS_RSA_PKCS_V21: 02437 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, 02438 hashlen, hash, sig ); 02439 #endif 02440 02441 default: 02442 return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 02443 } 02444 } 02445 02446 /* 02447 * Copy the components of an RSA key 02448 */ 02449 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) 02450 { 02451 int ret; 02452 RSA_VALIDATE_RET( dst != NULL ); 02453 RSA_VALIDATE_RET( src != NULL ); 02454 02455 dst->ver = src->ver ; 02456 dst->len = src->len ; 02457 02458 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N , &src->N ) ); 02459 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E , &src->E ) ); 02460 02461 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D , &src->D ) ); 02462 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P , &src->P ) ); 02463 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q , &src->Q ) ); 02464 02465 #if !defined(MBEDTLS_RSA_NO_CRT) 02466 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP , &src->DP ) ); 02467 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ , &src->DQ ) ); 02468 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP , &src->QP ) ); 02469 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP , &src->RP ) ); 02470 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ , &src->RQ ) ); 02471 #endif 02472 02473 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN , &src->RN ) ); 02474 02475 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi , &src->Vi ) ); 02476 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf , &src->Vf ) ); 02477 02478 dst->padding = src->padding ; 02479 dst->hash_id = src->hash_id ; 02480 02481 cleanup: 02482 if( ret != 0 ) 02483 mbedtls_rsa_free( dst ); 02484 02485 return( ret ); 02486 } 02487 02488 /* 02489 * Free the components of an RSA key 02490 */ 02491 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) 02492 { 02493 if( ctx == NULL ) 02494 return; 02495 02496 mbedtls_mpi_free( &ctx->Vi ); 02497 mbedtls_mpi_free( &ctx->Vf ); 02498 mbedtls_mpi_free( &ctx->RN ); 02499 mbedtls_mpi_free( &ctx->D ); 02500 mbedtls_mpi_free( &ctx->Q ); 02501 mbedtls_mpi_free( &ctx->P ); 02502 mbedtls_mpi_free( &ctx->E ); 02503 mbedtls_mpi_free( &ctx->N ); 02504 02505 #if !defined(MBEDTLS_RSA_NO_CRT) 02506 mbedtls_mpi_free( &ctx->RQ ); 02507 mbedtls_mpi_free( &ctx->RP ); 02508 mbedtls_mpi_free( &ctx->QP ); 02509 mbedtls_mpi_free( &ctx->DQ ); 02510 mbedtls_mpi_free( &ctx->DP ); 02511 #endif /* MBEDTLS_RSA_NO_CRT */ 02512 02513 #if defined(MBEDTLS_THREADING_C) 02514 mbedtls_mutex_free( &ctx->mutex ); 02515 #endif 02516 } 02517 02518 #endif /* !MBEDTLS_RSA_ALT */ 02519 02520 #if defined(MBEDTLS_SELF_TEST) 02521 02522 #include "mbedtls/sha1.h" 02523 02524 /* 02525 * Example RSA-1024 keypair, for test purposes 02526 */ 02527 #define KEY_LEN 128 02528 02529 #define RSA_N "9292758453063D803DD603D5E777D788" \ 02530 "8ED1D5BF35786190FA2F23EBC0848AEA" \ 02531 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ 02532 "7130B9CED7ACDF54CFC7555AC14EEBAB" \ 02533 "93A89813FBF3C4F8066D2D800F7C38A8" \ 02534 "1AE31942917403FF4946B0A83D3D3E05" \ 02535 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ 02536 "5E94BB77B07507233A0BC7BAC8F90F79" 02537 02538 #define RSA_E "10001" 02539 02540 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ 02541 "66CA472BC44D253102F8B4A9D3BFA750" \ 02542 "91386C0077937FE33FA3252D28855837" \ 02543 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ 02544 "DF79C5CE07EE72C7F123142198164234" \ 02545 "CABB724CF78B8173B9F880FC86322407" \ 02546 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ 02547 "071513A1E85B5DFA031F21ECAE91A34D" 02548 02549 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ 02550 "2C01CAD19EA484A87EA4377637E75500" \ 02551 "FCB2005C5C7DD6EC4AC023CDA285D796" \ 02552 "C3D9E75E1EFC42488BB4F1D13AC30A57" 02553 02554 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ 02555 "E211C2B9E5DB1ED0BF61D0D9899620F4" \ 02556 "910E4168387E3C30AA1E00C339A79508" \ 02557 "8452DD96A9A5EA5D9DCA68DA636032AF" 02558 02559 #define PT_LEN 24 02560 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ 02561 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" 02562 02563 #if defined(MBEDTLS_PKCS1_V15) 02564 static int myrand( void *rng_state, unsigned char *output, size_t len ) 02565 { 02566 #if !defined(__OpenBSD__) 02567 size_t i; 02568 02569 if( rng_state != NULL ) 02570 rng_state = NULL; 02571 02572 for( i = 0; i < len; ++i ) 02573 output[i] = rand(); 02574 #else 02575 if( rng_state != NULL ) 02576 rng_state = NULL; 02577 02578 arc4random_buf( output, len ); 02579 #endif /* !OpenBSD */ 02580 02581 return( 0 ); 02582 } 02583 #endif /* MBEDTLS_PKCS1_V15 */ 02584 02585 /* 02586 * Checkup routine 02587 */ 02588 int mbedtls_rsa_self_test( int verbose ) 02589 { 02590 int ret = 0; 02591 #if defined(MBEDTLS_PKCS1_V15) 02592 size_t len; 02593 mbedtls_rsa_context rsa; 02594 unsigned char rsa_plaintext[PT_LEN]; 02595 unsigned char rsa_decrypted[PT_LEN]; 02596 unsigned char rsa_ciphertext[KEY_LEN]; 02597 #if defined(MBEDTLS_SHA1_C) 02598 unsigned char sha1sum[20]; 02599 #endif 02600 02601 mbedtls_mpi K; 02602 02603 mbedtls_mpi_init( &K ); 02604 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); 02605 02606 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) ); 02607 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) ); 02608 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) ); 02609 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) ); 02610 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) ); 02611 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) ); 02612 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) ); 02613 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) ); 02614 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) ); 02615 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) ); 02616 02617 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) ); 02618 02619 if( verbose != 0 ) 02620 mbedtls_printf( " RSA key validation: " ); 02621 02622 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || 02623 mbedtls_rsa_check_privkey( &rsa ) != 0 ) 02624 { 02625 if( verbose != 0 ) 02626 mbedtls_printf( "failed\n" ); 02627 02628 ret = 1; 02629 goto cleanup; 02630 } 02631 02632 if( verbose != 0 ) 02633 mbedtls_printf( "passed\n PKCS#1 encryption : " ); 02634 02635 memcpy( rsa_plaintext, RSA_PT, PT_LEN ); 02636 02637 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, 02638 PT_LEN, rsa_plaintext, 02639 rsa_ciphertext ) != 0 ) 02640 { 02641 if( verbose != 0 ) 02642 mbedtls_printf( "failed\n" ); 02643 02644 ret = 1; 02645 goto cleanup; 02646 } 02647 02648 if( verbose != 0 ) 02649 mbedtls_printf( "passed\n PKCS#1 decryption : " ); 02650 02651 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, 02652 &len, rsa_ciphertext, rsa_decrypted, 02653 sizeof(rsa_decrypted) ) != 0 ) 02654 { 02655 if( verbose != 0 ) 02656 mbedtls_printf( "failed\n" ); 02657 02658 ret = 1; 02659 goto cleanup; 02660 } 02661 02662 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) 02663 { 02664 if( verbose != 0 ) 02665 mbedtls_printf( "failed\n" ); 02666 02667 ret = 1; 02668 goto cleanup; 02669 } 02670 02671 if( verbose != 0 ) 02672 mbedtls_printf( "passed\n" ); 02673 02674 #if defined(MBEDTLS_SHA1_C) 02675 if( verbose != 0 ) 02676 mbedtls_printf( " PKCS#1 data sign : " ); 02677 02678 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 ) 02679 { 02680 if( verbose != 0 ) 02681 mbedtls_printf( "failed\n" ); 02682 02683 return( 1 ); 02684 } 02685 02686 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, 02687 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, 02688 sha1sum, rsa_ciphertext ) != 0 ) 02689 { 02690 if( verbose != 0 ) 02691 mbedtls_printf( "failed\n" ); 02692 02693 ret = 1; 02694 goto cleanup; 02695 } 02696 02697 if( verbose != 0 ) 02698 mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); 02699 02700 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, 02701 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, 02702 sha1sum, rsa_ciphertext ) != 0 ) 02703 { 02704 if( verbose != 0 ) 02705 mbedtls_printf( "failed\n" ); 02706 02707 ret = 1; 02708 goto cleanup; 02709 } 02710 02711 if( verbose != 0 ) 02712 mbedtls_printf( "passed\n" ); 02713 #endif /* MBEDTLS_SHA1_C */ 02714 02715 if( verbose != 0 ) 02716 mbedtls_printf( "\n" ); 02717 02718 cleanup: 02719 mbedtls_mpi_free( &K ); 02720 mbedtls_rsa_free( &rsa ); 02721 #else /* MBEDTLS_PKCS1_V15 */ 02722 ((void) verbose); 02723 #endif /* MBEDTLS_PKCS1_V15 */ 02724 return( ret ); 02725 } 02726 02727 #endif /* MBEDTLS_SELF_TEST */ 02728 02729 #endif /* MBEDTLS_RSA_C */
Generated on Tue Jul 12 2022 13:54:48 by
1.7.2