nexpaq_dev - Preliminary main mbed library for nexpaq developm…

Users » nexpaq » Code » nexpaq_dev

Preliminary main mbed library for nexpaq development

features/mbedtls/src/rsa.c@1:d96dbedaebdb, 2016-11-04 (annotated)

Committer:: nexpaq
Date:: Fri Nov 04 20:54:50 2016 +0000
Revision:: 1:d96dbedaebdb
Parent:: 0:6c56fb4bc5f0

Removed extra directories for other platforms

Who changed what in which revision?

User	Revision	Line number	New contents of line
nexpaq	0:6c56fb4bc5f0	1	/*
nexpaq	0:6c56fb4bc5f0	2	* The RSA public-key cryptosystem
nexpaq	0:6c56fb4bc5f0	3	*
nexpaq	0:6c56fb4bc5f0	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
nexpaq	0:6c56fb4bc5f0	5	* SPDX-License-Identifier: Apache-2.0
nexpaq	0:6c56fb4bc5f0	6	*
nexpaq	0:6c56fb4bc5f0	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
nexpaq	0:6c56fb4bc5f0	8	* not use this file except in compliance with the License.
nexpaq	0:6c56fb4bc5f0	9	* You may obtain a copy of the License at
nexpaq	0:6c56fb4bc5f0	10	*
nexpaq	0:6c56fb4bc5f0	11	* http://www.apache.org/licenses/LICENSE-2.0
nexpaq	0:6c56fb4bc5f0	12	*
nexpaq	0:6c56fb4bc5f0	13	* Unless required by applicable law or agreed to in writing, software
nexpaq	0:6c56fb4bc5f0	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
nexpaq	0:6c56fb4bc5f0	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
nexpaq	0:6c56fb4bc5f0	16	* See the License for the specific language governing permissions and
nexpaq	0:6c56fb4bc5f0	17	* limitations under the License.
nexpaq	0:6c56fb4bc5f0	18	*
nexpaq	0:6c56fb4bc5f0	19	* This file is part of mbed TLS (https://tls.mbed.org)
nexpaq	0:6c56fb4bc5f0	20	*/
nexpaq	0:6c56fb4bc5f0	21	/*
nexpaq	0:6c56fb4bc5f0	22	* The following sources were referenced in the design of this implementation
nexpaq	0:6c56fb4bc5f0	23	* of the RSA algorithm:
nexpaq	0:6c56fb4bc5f0	24	*
nexpaq	0:6c56fb4bc5f0	25	* [1] A method for obtaining digital signatures and public-key cryptosystems
nexpaq	0:6c56fb4bc5f0	26	* R Rivest, A Shamir, and L Adleman
nexpaq	0:6c56fb4bc5f0	27	* http://people.csail.mit.edu/rivest/pubs.html#RSA78
nexpaq	0:6c56fb4bc5f0	28	*
nexpaq	0:6c56fb4bc5f0	29	* [2] Handbook of Applied Cryptography - 1997, Chapter 8
nexpaq	0:6c56fb4bc5f0	30	* Menezes, van Oorschot and Vanstone
nexpaq	0:6c56fb4bc5f0	31	*
nexpaq	0:6c56fb4bc5f0	32	*/
nexpaq	0:6c56fb4bc5f0	33
nexpaq	0:6c56fb4bc5f0	34	#if !defined(MBEDTLS_CONFIG_FILE)
nexpaq	0:6c56fb4bc5f0	35	#include "mbedtls/config.h"
nexpaq	0:6c56fb4bc5f0	36	#else
nexpaq	0:6c56fb4bc5f0	37	#include MBEDTLS_CONFIG_FILE
nexpaq	0:6c56fb4bc5f0	38	#endif
nexpaq	0:6c56fb4bc5f0	39
nexpaq	0:6c56fb4bc5f0	40	#if defined(MBEDTLS_RSA_C)
nexpaq	0:6c56fb4bc5f0	41
nexpaq	0:6c56fb4bc5f0	42	#include "mbedtls/rsa.h"
nexpaq	0:6c56fb4bc5f0	43	#include "mbedtls/oid.h"
nexpaq	0:6c56fb4bc5f0	44
nexpaq	0:6c56fb4bc5f0	45	#include <string.h>
nexpaq	0:6c56fb4bc5f0	46
nexpaq	0:6c56fb4bc5f0	47	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	48	#include "mbedtls/md.h"
nexpaq	0:6c56fb4bc5f0	49	#endif
nexpaq	0:6c56fb4bc5f0	50
nexpaq	0:6c56fb4bc5f0	51	#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
nexpaq	0:6c56fb4bc5f0	52	#include <stdlib.h>
nexpaq	0:6c56fb4bc5f0	53	#endif
nexpaq	0:6c56fb4bc5f0	54
nexpaq	0:6c56fb4bc5f0	55	#if defined(MBEDTLS_PLATFORM_C)
nexpaq	0:6c56fb4bc5f0	56	#include "mbedtls/platform.h"
nexpaq	0:6c56fb4bc5f0	57	#else
nexpaq	0:6c56fb4bc5f0	58	#include <stdio.h>
nexpaq	0:6c56fb4bc5f0	59	#define mbedtls_printf printf
nexpaq	0:6c56fb4bc5f0	60	#define mbedtls_calloc calloc
nexpaq	0:6c56fb4bc5f0	61	#define mbedtls_free free
nexpaq	0:6c56fb4bc5f0	62	#endif
nexpaq	0:6c56fb4bc5f0	63
nexpaq	0:6c56fb4bc5f0	64	/*
nexpaq	0:6c56fb4bc5f0	65	* Initialize an RSA context
nexpaq	0:6c56fb4bc5f0	66	*/
nexpaq	0:6c56fb4bc5f0	67	void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	68	int padding,
nexpaq	0:6c56fb4bc5f0	69	int hash_id )
nexpaq	0:6c56fb4bc5f0	70	{
nexpaq	0:6c56fb4bc5f0	71	memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
nexpaq	0:6c56fb4bc5f0	72
nexpaq	0:6c56fb4bc5f0	73	mbedtls_rsa_set_padding( ctx, padding, hash_id );
nexpaq	0:6c56fb4bc5f0	74
nexpaq	0:6c56fb4bc5f0	75	#if defined(MBEDTLS_THREADING_C)
nexpaq	0:6c56fb4bc5f0	76	mbedtls_mutex_init( &ctx->mutex );
nexpaq	0:6c56fb4bc5f0	77	#endif
nexpaq	0:6c56fb4bc5f0	78	}
nexpaq	0:6c56fb4bc5f0	79
nexpaq	0:6c56fb4bc5f0	80	/*
nexpaq	0:6c56fb4bc5f0	81	* Set padding for an existing RSA context
nexpaq	0:6c56fb4bc5f0	82	*/
nexpaq	0:6c56fb4bc5f0	83	void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
nexpaq	0:6c56fb4bc5f0	84	{
nexpaq	0:6c56fb4bc5f0	85	ctx->padding = padding;
nexpaq	0:6c56fb4bc5f0	86	ctx->hash_id = hash_id;
nexpaq	0:6c56fb4bc5f0	87	}
nexpaq	0:6c56fb4bc5f0	88
nexpaq	0:6c56fb4bc5f0	89	#if defined(MBEDTLS_GENPRIME)
nexpaq	0:6c56fb4bc5f0	90
nexpaq	0:6c56fb4bc5f0	91	/*
nexpaq	0:6c56fb4bc5f0	92	* Generate an RSA keypair
nexpaq	0:6c56fb4bc5f0	93	*/
nexpaq	0:6c56fb4bc5f0	94	int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	95	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	96	void *p_rng,
nexpaq	0:6c56fb4bc5f0	97	unsigned int nbits, int exponent )
nexpaq	0:6c56fb4bc5f0	98	{
nexpaq	0:6c56fb4bc5f0	99	int ret;
nexpaq	0:6c56fb4bc5f0	100	mbedtls_mpi P1, Q1, H, G;
nexpaq	0:6c56fb4bc5f0	101
nexpaq	0:6c56fb4bc5f0	102	if( f_rng == NULL \|\| nbits < 128 \|\| exponent < 3 )
nexpaq	0:6c56fb4bc5f0	103	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	104
nexpaq	0:6c56fb4bc5f0	105	mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
nexpaq	0:6c56fb4bc5f0	106	mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
nexpaq	0:6c56fb4bc5f0	107
nexpaq	0:6c56fb4bc5f0	108	/*
nexpaq	0:6c56fb4bc5f0	109	* find primes P and Q with Q < P so that:
nexpaq	0:6c56fb4bc5f0	110	* GCD( E, (P-1)*(Q-1) ) == 1
nexpaq	0:6c56fb4bc5f0	111	*/
nexpaq	0:6c56fb4bc5f0	112	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
nexpaq	0:6c56fb4bc5f0	113
nexpaq	0:6c56fb4bc5f0	114	do
nexpaq	0:6c56fb4bc5f0	115	{
nexpaq	0:6c56fb4bc5f0	116	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
nexpaq	0:6c56fb4bc5f0	117	f_rng, p_rng ) );
nexpaq	0:6c56fb4bc5f0	118
nexpaq	0:6c56fb4bc5f0	119	if( nbits % 2 )
nexpaq	0:6c56fb4bc5f0	120	{
nexpaq	0:6c56fb4bc5f0	121	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits >> 1 ) + 1, 0,
nexpaq	0:6c56fb4bc5f0	122	f_rng, p_rng ) );
nexpaq	0:6c56fb4bc5f0	123	}
nexpaq	0:6c56fb4bc5f0	124	else
nexpaq	0:6c56fb4bc5f0	125	{
nexpaq	0:6c56fb4bc5f0	126	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
nexpaq	0:6c56fb4bc5f0	127	f_rng, p_rng ) );
nexpaq	0:6c56fb4bc5f0	128	}
nexpaq	0:6c56fb4bc5f0	129
nexpaq	0:6c56fb4bc5f0	130	if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
nexpaq	0:6c56fb4bc5f0	131	continue;
nexpaq	0:6c56fb4bc5f0	132
nexpaq	0:6c56fb4bc5f0	133	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
nexpaq	0:6c56fb4bc5f0	134	if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
nexpaq	0:6c56fb4bc5f0	135	continue;
nexpaq	0:6c56fb4bc5f0	136
nexpaq	0:6c56fb4bc5f0	137	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
nexpaq	0:6c56fb4bc5f0	138	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
nexpaq	0:6c56fb4bc5f0	139	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
nexpaq	0:6c56fb4bc5f0	140	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
nexpaq	0:6c56fb4bc5f0	141	}
nexpaq	0:6c56fb4bc5f0	142	while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
nexpaq	0:6c56fb4bc5f0	143
nexpaq	0:6c56fb4bc5f0	144	/*
nexpaq	0:6c56fb4bc5f0	145	* D = E^-1 mod ((P-1)*(Q-1))
nexpaq	0:6c56fb4bc5f0	146	* DP = D mod (P - 1)
nexpaq	0:6c56fb4bc5f0	147	* DQ = D mod (Q - 1)
nexpaq	0:6c56fb4bc5f0	148	* QP = Q^-1 mod P
nexpaq	0:6c56fb4bc5f0	149	*/
nexpaq	0:6c56fb4bc5f0	150	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
nexpaq	0:6c56fb4bc5f0	151	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
nexpaq	0:6c56fb4bc5f0	152	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
nexpaq	0:6c56fb4bc5f0	153	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
nexpaq	0:6c56fb4bc5f0	154
nexpaq	0:6c56fb4bc5f0	155	ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
nexpaq	0:6c56fb4bc5f0	156
nexpaq	0:6c56fb4bc5f0	157	cleanup:
nexpaq	0:6c56fb4bc5f0	158
nexpaq	0:6c56fb4bc5f0	159	mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
nexpaq	0:6c56fb4bc5f0	160
nexpaq	0:6c56fb4bc5f0	161	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	162	{
nexpaq	0:6c56fb4bc5f0	163	mbedtls_rsa_free( ctx );
nexpaq	0:6c56fb4bc5f0	164	return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
nexpaq	0:6c56fb4bc5f0	165	}
nexpaq	0:6c56fb4bc5f0	166
nexpaq	0:6c56fb4bc5f0	167	return( 0 );
nexpaq	0:6c56fb4bc5f0	168	}
nexpaq	0:6c56fb4bc5f0	169
nexpaq	0:6c56fb4bc5f0	170	#endif /* MBEDTLS_GENPRIME */
nexpaq	0:6c56fb4bc5f0	171
nexpaq	0:6c56fb4bc5f0	172	/*
nexpaq	0:6c56fb4bc5f0	173	* Check a public RSA key
nexpaq	0:6c56fb4bc5f0	174	*/
nexpaq	0:6c56fb4bc5f0	175	int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
nexpaq	0:6c56fb4bc5f0	176	{
nexpaq	0:6c56fb4bc5f0	177	if( !ctx->N.p \|\| !ctx->E.p )
nexpaq	0:6c56fb4bc5f0	178	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	0:6c56fb4bc5f0	179
nexpaq	0:6c56fb4bc5f0	180	if( ( ctx->N.p[0] & 1 ) == 0 \|\|
nexpaq	0:6c56fb4bc5f0	181	( ctx->E.p[0] & 1 ) == 0 )
nexpaq	0:6c56fb4bc5f0	182	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	0:6c56fb4bc5f0	183
nexpaq	0:6c56fb4bc5f0	184	if( mbedtls_mpi_bitlen( &ctx->N ) < 128 \|\|
nexpaq	0:6c56fb4bc5f0	185	mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
nexpaq	0:6c56fb4bc5f0	186	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	0:6c56fb4bc5f0	187
nexpaq	0:6c56fb4bc5f0	188	if( mbedtls_mpi_bitlen( &ctx->E ) < 2 \|\|
nexpaq	0:6c56fb4bc5f0	189	mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
nexpaq	0:6c56fb4bc5f0	190	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	0:6c56fb4bc5f0	191
nexpaq	0:6c56fb4bc5f0	192	return( 0 );
nexpaq	0:6c56fb4bc5f0	193	}
nexpaq	0:6c56fb4bc5f0	194
nexpaq	0:6c56fb4bc5f0	195	/*
nexpaq	0:6c56fb4bc5f0	196	* Check a private RSA key
nexpaq	0:6c56fb4bc5f0	197	*/
nexpaq	0:6c56fb4bc5f0	198	int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
nexpaq	0:6c56fb4bc5f0	199	{
nexpaq	0:6c56fb4bc5f0	200	int ret;
nexpaq	0:6c56fb4bc5f0	201	mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
nexpaq	0:6c56fb4bc5f0	202
nexpaq	0:6c56fb4bc5f0	203	if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	204	return( ret );
nexpaq	0:6c56fb4bc5f0	205
nexpaq	0:6c56fb4bc5f0	206	if( !ctx->P.p \|\| !ctx->Q.p \|\| !ctx->D.p )
nexpaq	0:6c56fb4bc5f0	207	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	0:6c56fb4bc5f0	208
nexpaq	0:6c56fb4bc5f0	209	mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
nexpaq	0:6c56fb4bc5f0	210	mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
nexpaq	0:6c56fb4bc5f0	211	mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
nexpaq	0:6c56fb4bc5f0	212	mbedtls_mpi_init( &QP );
nexpaq	0:6c56fb4bc5f0	213
nexpaq	0:6c56fb4bc5f0	214	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
nexpaq	0:6c56fb4bc5f0	215	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
nexpaq	0:6c56fb4bc5f0	216	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
nexpaq	0:6c56fb4bc5f0	217	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
nexpaq	0:6c56fb4bc5f0	218	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
nexpaq	0:6c56fb4bc5f0	219	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
nexpaq	0:6c56fb4bc5f0	220
nexpaq	0:6c56fb4bc5f0	221	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
nexpaq	0:6c56fb4bc5f0	222	MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
nexpaq	0:6c56fb4bc5f0	223	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
nexpaq	0:6c56fb4bc5f0	224
nexpaq	0:6c56fb4bc5f0	225	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
nexpaq	0:6c56fb4bc5f0	226	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
nexpaq	0:6c56fb4bc5f0	227	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
nexpaq	0:6c56fb4bc5f0	228	/*
nexpaq	0:6c56fb4bc5f0	229	* Check for a valid PKCS1v2 private key
nexpaq	0:6c56fb4bc5f0	230	*/
nexpaq	0:6c56fb4bc5f0	231	if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	232	mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	233	mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	234	mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	235	mbedtls_mpi_cmp_int( &L2, 0 ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	236	mbedtls_mpi_cmp_int( &I, 1 ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	237	mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
nexpaq	0:6c56fb4bc5f0	238	{
nexpaq	0:6c56fb4bc5f0	239	ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
nexpaq	0:6c56fb4bc5f0	240	}
nexpaq	0:6c56fb4bc5f0	241
nexpaq	0:6c56fb4bc5f0	242	cleanup:
nexpaq	0:6c56fb4bc5f0	243	mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
nexpaq	0:6c56fb4bc5f0	244	mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
nexpaq	0:6c56fb4bc5f0	245	mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
nexpaq	0:6c56fb4bc5f0	246	mbedtls_mpi_free( &QP );
nexpaq	0:6c56fb4bc5f0	247
nexpaq	0:6c56fb4bc5f0	248	if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
nexpaq	0:6c56fb4bc5f0	249	return( ret );
nexpaq	0:6c56fb4bc5f0	250
nexpaq	0:6c56fb4bc5f0	251	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	252	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
nexpaq	0:6c56fb4bc5f0	253
nexpaq	0:6c56fb4bc5f0	254	return( 0 );
nexpaq	0:6c56fb4bc5f0	255	}
nexpaq	0:6c56fb4bc5f0	256
nexpaq	0:6c56fb4bc5f0	257	/*
nexpaq	0:6c56fb4bc5f0	258	* Check if contexts holding a public and private key match
nexpaq	0:6c56fb4bc5f0	259	*/
nexpaq	0:6c56fb4bc5f0	260	int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context pub, const mbedtls_rsa_context prv )
nexpaq	0:6c56fb4bc5f0	261	{
nexpaq	0:6c56fb4bc5f0	262	if( mbedtls_rsa_check_pubkey( pub ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	263	mbedtls_rsa_check_privkey( prv ) != 0 )
nexpaq	0:6c56fb4bc5f0	264	{
nexpaq	0:6c56fb4bc5f0	265	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	0:6c56fb4bc5f0	266	}
nexpaq	0:6c56fb4bc5f0	267
nexpaq	0:6c56fb4bc5f0	268	if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	269	mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
nexpaq	0:6c56fb4bc5f0	270	{
nexpaq	0:6c56fb4bc5f0	271	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	0:6c56fb4bc5f0	272	}
nexpaq	0:6c56fb4bc5f0	273
nexpaq	0:6c56fb4bc5f0	274	return( 0 );
nexpaq	0:6c56fb4bc5f0	275	}
nexpaq	0:6c56fb4bc5f0	276
nexpaq	0:6c56fb4bc5f0	277	/*
nexpaq	0:6c56fb4bc5f0	278	* Do an RSA public key operation
nexpaq	0:6c56fb4bc5f0	279	*/
nexpaq	0:6c56fb4bc5f0	280	int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	281	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	282	unsigned char *output )
nexpaq	0:6c56fb4bc5f0	283	{
nexpaq	0:6c56fb4bc5f0	284	int ret;
nexpaq	0:6c56fb4bc5f0	285	size_t olen;
nexpaq	0:6c56fb4bc5f0	286	mbedtls_mpi T;
nexpaq	0:6c56fb4bc5f0	287
nexpaq	0:6c56fb4bc5f0	288	mbedtls_mpi_init( &T );
nexpaq	0:6c56fb4bc5f0	289
nexpaq	0:6c56fb4bc5f0	290	#if defined(MBEDTLS_THREADING_C)
nexpaq	0:6c56fb4bc5f0	291	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	292	return( ret );
nexpaq	0:6c56fb4bc5f0	293	#endif
nexpaq	0:6c56fb4bc5f0	294
nexpaq	0:6c56fb4bc5f0	295	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
nexpaq	0:6c56fb4bc5f0	296
nexpaq	0:6c56fb4bc5f0	297	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
nexpaq	0:6c56fb4bc5f0	298	{
nexpaq	0:6c56fb4bc5f0	299	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
nexpaq	0:6c56fb4bc5f0	300	goto cleanup;
nexpaq	0:6c56fb4bc5f0	301	}
nexpaq	0:6c56fb4bc5f0	302
nexpaq	0:6c56fb4bc5f0	303	olen = ctx->len;
nexpaq	0:6c56fb4bc5f0	304	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
nexpaq	0:6c56fb4bc5f0	305	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
nexpaq	0:6c56fb4bc5f0	306
nexpaq	0:6c56fb4bc5f0	307	cleanup:
nexpaq	0:6c56fb4bc5f0	308	#if defined(MBEDTLS_THREADING_C)
nexpaq	0:6c56fb4bc5f0	309	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
nexpaq	0:6c56fb4bc5f0	310	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
nexpaq	0:6c56fb4bc5f0	311	#endif
nexpaq	0:6c56fb4bc5f0	312
nexpaq	0:6c56fb4bc5f0	313	mbedtls_mpi_free( &T );
nexpaq	0:6c56fb4bc5f0	314
nexpaq	0:6c56fb4bc5f0	315	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	316	return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
nexpaq	0:6c56fb4bc5f0	317
nexpaq	0:6c56fb4bc5f0	318	return( 0 );
nexpaq	0:6c56fb4bc5f0	319	}
nexpaq	0:6c56fb4bc5f0	320
nexpaq	0:6c56fb4bc5f0	321	/*
nexpaq	0:6c56fb4bc5f0	322	* Generate or update blinding values, see section 10 of:
nexpaq	0:6c56fb4bc5f0	323	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
nexpaq	0:6c56fb4bc5f0	324	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
nexpaq	0:6c56fb4bc5f0	325	* Berlin Heidelberg, 1996. p. 104-113.
nexpaq	0:6c56fb4bc5f0	326	*/
nexpaq	0:6c56fb4bc5f0	327	static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	328	int (f_rng)(void , unsigned char , size_t), void p_rng )
nexpaq	0:6c56fb4bc5f0	329	{
nexpaq	0:6c56fb4bc5f0	330	int ret, count = 0;
nexpaq	0:6c56fb4bc5f0	331
nexpaq	0:6c56fb4bc5f0	332	if( ctx->Vf.p != NULL )
nexpaq	0:6c56fb4bc5f0	333	{
nexpaq	0:6c56fb4bc5f0	334	/* We already have blinding values, just update them by squaring */
nexpaq	0:6c56fb4bc5f0	335	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
nexpaq	0:6c56fb4bc5f0	336	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
nexpaq	0:6c56fb4bc5f0	337	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
nexpaq	0:6c56fb4bc5f0	338	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
nexpaq	0:6c56fb4bc5f0	339
nexpaq	0:6c56fb4bc5f0	340	goto cleanup;
nexpaq	0:6c56fb4bc5f0	341	}
nexpaq	0:6c56fb4bc5f0	342
nexpaq	0:6c56fb4bc5f0	343	/* Unblinding value: Vf = random number, invertible mod N */
nexpaq	0:6c56fb4bc5f0	344	do {
nexpaq	0:6c56fb4bc5f0	345	if( count++ > 10 )
nexpaq	0:6c56fb4bc5f0	346	return( MBEDTLS_ERR_RSA_RNG_FAILED );
nexpaq	0:6c56fb4bc5f0	347
nexpaq	0:6c56fb4bc5f0	348	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
nexpaq	0:6c56fb4bc5f0	349	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
nexpaq	0:6c56fb4bc5f0	350	} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
nexpaq	0:6c56fb4bc5f0	351
nexpaq	0:6c56fb4bc5f0	352	/* Blinding value: Vi = Vf^(-e) mod N */
nexpaq	0:6c56fb4bc5f0	353	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
nexpaq	0:6c56fb4bc5f0	354	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
nexpaq	0:6c56fb4bc5f0	355
nexpaq	0:6c56fb4bc5f0	356
nexpaq	0:6c56fb4bc5f0	357	cleanup:
nexpaq	0:6c56fb4bc5f0	358	return( ret );
nexpaq	0:6c56fb4bc5f0	359	}
nexpaq	0:6c56fb4bc5f0	360
nexpaq	0:6c56fb4bc5f0	361	/*
nexpaq	0:6c56fb4bc5f0	362	* Do an RSA private key operation
nexpaq	0:6c56fb4bc5f0	363	*/
nexpaq	0:6c56fb4bc5f0	364	int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	365	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	366	void *p_rng,
nexpaq	0:6c56fb4bc5f0	367	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	368	unsigned char *output )
nexpaq	0:6c56fb4bc5f0	369	{
nexpaq	0:6c56fb4bc5f0	370	int ret;
nexpaq	0:6c56fb4bc5f0	371	size_t olen;
nexpaq	0:6c56fb4bc5f0	372	mbedtls_mpi T, T1, T2;
nexpaq	0:6c56fb4bc5f0	373
nexpaq	0:6c56fb4bc5f0	374	/* Make sure we have private key info, prevent possible misuse */
nexpaq	0:6c56fb4bc5f0	375	if( ctx->P.p == NULL \|\| ctx->Q.p == NULL \|\| ctx->D.p == NULL )
nexpaq	0:6c56fb4bc5f0	376	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	377
nexpaq	0:6c56fb4bc5f0	378	mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
nexpaq	0:6c56fb4bc5f0	379
nexpaq	0:6c56fb4bc5f0	380	#if defined(MBEDTLS_THREADING_C)
nexpaq	0:6c56fb4bc5f0	381	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	382	return( ret );
nexpaq	0:6c56fb4bc5f0	383	#endif
nexpaq	0:6c56fb4bc5f0	384
nexpaq	0:6c56fb4bc5f0	385	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
nexpaq	0:6c56fb4bc5f0	386	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
nexpaq	0:6c56fb4bc5f0	387	{
nexpaq	0:6c56fb4bc5f0	388	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
nexpaq	0:6c56fb4bc5f0	389	goto cleanup;
nexpaq	0:6c56fb4bc5f0	390	}
nexpaq	0:6c56fb4bc5f0	391
nexpaq	0:6c56fb4bc5f0	392	if( f_rng != NULL )
nexpaq	0:6c56fb4bc5f0	393	{
nexpaq	0:6c56fb4bc5f0	394	/*
nexpaq	0:6c56fb4bc5f0	395	* Blinding
nexpaq	0:6c56fb4bc5f0	396	* T = T * Vi mod N
nexpaq	0:6c56fb4bc5f0	397	*/
nexpaq	0:6c56fb4bc5f0	398	MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
nexpaq	0:6c56fb4bc5f0	399	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
nexpaq	0:6c56fb4bc5f0	400	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
nexpaq	0:6c56fb4bc5f0	401	}
nexpaq	0:6c56fb4bc5f0	402
nexpaq	0:6c56fb4bc5f0	403	#if defined(MBEDTLS_RSA_NO_CRT)
nexpaq	0:6c56fb4bc5f0	404	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
nexpaq	0:6c56fb4bc5f0	405	#else
nexpaq	0:6c56fb4bc5f0	406	/*
nexpaq	0:6c56fb4bc5f0	407	* faster decryption using the CRT
nexpaq	0:6c56fb4bc5f0	408	*
nexpaq	0:6c56fb4bc5f0	409	* T1 = input ^ dP mod P
nexpaq	0:6c56fb4bc5f0	410	* T2 = input ^ dQ mod Q
nexpaq	0:6c56fb4bc5f0	411	*/
nexpaq	0:6c56fb4bc5f0	412	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
nexpaq	0:6c56fb4bc5f0	413	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
nexpaq	0:6c56fb4bc5f0	414
nexpaq	0:6c56fb4bc5f0	415	/*
nexpaq	0:6c56fb4bc5f0	416	* T = (T1 - T2) * (Q^-1 mod P) mod P
nexpaq	0:6c56fb4bc5f0	417	*/
nexpaq	0:6c56fb4bc5f0	418	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
nexpaq	0:6c56fb4bc5f0	419	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
nexpaq	0:6c56fb4bc5f0	420	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
nexpaq	0:6c56fb4bc5f0	421
nexpaq	0:6c56fb4bc5f0	422	/*
nexpaq	0:6c56fb4bc5f0	423	* T = T2 + T * Q
nexpaq	0:6c56fb4bc5f0	424	*/
nexpaq	0:6c56fb4bc5f0	425	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
nexpaq	0:6c56fb4bc5f0	426	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
nexpaq	0:6c56fb4bc5f0	427	#endif /* MBEDTLS_RSA_NO_CRT */
nexpaq	0:6c56fb4bc5f0	428
nexpaq	0:6c56fb4bc5f0	429	if( f_rng != NULL )
nexpaq	0:6c56fb4bc5f0	430	{
nexpaq	0:6c56fb4bc5f0	431	/*
nexpaq	0:6c56fb4bc5f0	432	* Unblind
nexpaq	0:6c56fb4bc5f0	433	* T = T * Vf mod N
nexpaq	0:6c56fb4bc5f0	434	*/
nexpaq	0:6c56fb4bc5f0	435	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
nexpaq	0:6c56fb4bc5f0	436	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
nexpaq	0:6c56fb4bc5f0	437	}
nexpaq	0:6c56fb4bc5f0	438
nexpaq	0:6c56fb4bc5f0	439	olen = ctx->len;
nexpaq	0:6c56fb4bc5f0	440	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
nexpaq	0:6c56fb4bc5f0	441
nexpaq	0:6c56fb4bc5f0	442	cleanup:
nexpaq	0:6c56fb4bc5f0	443	#if defined(MBEDTLS_THREADING_C)
nexpaq	0:6c56fb4bc5f0	444	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
nexpaq	0:6c56fb4bc5f0	445	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
nexpaq	0:6c56fb4bc5f0	446	#endif
nexpaq	0:6c56fb4bc5f0	447
nexpaq	0:6c56fb4bc5f0	448	mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
nexpaq	0:6c56fb4bc5f0	449
nexpaq	0:6c56fb4bc5f0	450	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	451	return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
nexpaq	0:6c56fb4bc5f0	452
nexpaq	0:6c56fb4bc5f0	453	return( 0 );
nexpaq	0:6c56fb4bc5f0	454	}
nexpaq	0:6c56fb4bc5f0	455
nexpaq	0:6c56fb4bc5f0	456	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	457	/**
nexpaq	0:6c56fb4bc5f0	458	* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
nexpaq	0:6c56fb4bc5f0	459	*
nexpaq	0:6c56fb4bc5f0	460	* \param dst buffer to mask
nexpaq	0:6c56fb4bc5f0	461	* \param dlen length of destination buffer
nexpaq	0:6c56fb4bc5f0	462	* \param src source of the mask generation
nexpaq	0:6c56fb4bc5f0	463	* \param slen length of the source buffer
nexpaq	0:6c56fb4bc5f0	464	* \param md_ctx message digest context to use
nexpaq	0:6c56fb4bc5f0	465	*/
nexpaq	0:6c56fb4bc5f0	466	static void mgf_mask( unsigned char dst, size_t dlen, unsigned char src,
nexpaq	0:6c56fb4bc5f0	467	size_t slen, mbedtls_md_context_t *md_ctx )
nexpaq	0:6c56fb4bc5f0	468	{
nexpaq	0:6c56fb4bc5f0	469	unsigned char mask[MBEDTLS_MD_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	470	unsigned char counter[4];
nexpaq	0:6c56fb4bc5f0	471	unsigned char *p;
nexpaq	0:6c56fb4bc5f0	472	unsigned int hlen;
nexpaq	0:6c56fb4bc5f0	473	size_t i, use_len;
nexpaq	0:6c56fb4bc5f0	474
nexpaq	0:6c56fb4bc5f0	475	memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
nexpaq	0:6c56fb4bc5f0	476	memset( counter, 0, 4 );
nexpaq	0:6c56fb4bc5f0	477
nexpaq	0:6c56fb4bc5f0	478	hlen = mbedtls_md_get_size( md_ctx->md_info );
nexpaq	0:6c56fb4bc5f0	479
nexpaq	0:6c56fb4bc5f0	480	/* Generate and apply dbMask */
nexpaq	0:6c56fb4bc5f0	481	p = dst;
nexpaq	0:6c56fb4bc5f0	482
nexpaq	0:6c56fb4bc5f0	483	while( dlen > 0 )
nexpaq	0:6c56fb4bc5f0	484	{
nexpaq	0:6c56fb4bc5f0	485	use_len = hlen;
nexpaq	0:6c56fb4bc5f0	486	if( dlen < hlen )
nexpaq	0:6c56fb4bc5f0	487	use_len = dlen;
nexpaq	0:6c56fb4bc5f0	488
nexpaq	0:6c56fb4bc5f0	489	mbedtls_md_starts( md_ctx );
nexpaq	0:6c56fb4bc5f0	490	mbedtls_md_update( md_ctx, src, slen );
nexpaq	0:6c56fb4bc5f0	491	mbedtls_md_update( md_ctx, counter, 4 );
nexpaq	0:6c56fb4bc5f0	492	mbedtls_md_finish( md_ctx, mask );
nexpaq	0:6c56fb4bc5f0	493
nexpaq	0:6c56fb4bc5f0	494	for( i = 0; i < use_len; ++i )
nexpaq	0:6c56fb4bc5f0	495	*p++ ^= mask[i];
nexpaq	0:6c56fb4bc5f0	496
nexpaq	0:6c56fb4bc5f0	497	counter[3]++;
nexpaq	0:6c56fb4bc5f0	498
nexpaq	0:6c56fb4bc5f0	499	dlen -= use_len;
nexpaq	0:6c56fb4bc5f0	500	}
nexpaq	0:6c56fb4bc5f0	501	}
nexpaq	0:6c56fb4bc5f0	502	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	0:6c56fb4bc5f0	503
nexpaq	0:6c56fb4bc5f0	504	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	505	/*
nexpaq	0:6c56fb4bc5f0	506	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
nexpaq	0:6c56fb4bc5f0	507	*/
nexpaq	0:6c56fb4bc5f0	508	int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	509	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	510	void *p_rng,
nexpaq	0:6c56fb4bc5f0	511	int mode,
nexpaq	0:6c56fb4bc5f0	512	const unsigned char *label, size_t label_len,
nexpaq	0:6c56fb4bc5f0	513	size_t ilen,
nexpaq	0:6c56fb4bc5f0	514	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	515	unsigned char *output )
nexpaq	0:6c56fb4bc5f0	516	{
nexpaq	0:6c56fb4bc5f0	517	size_t olen;
nexpaq	0:6c56fb4bc5f0	518	int ret;
nexpaq	0:6c56fb4bc5f0	519	unsigned char *p = output;
nexpaq	0:6c56fb4bc5f0	520	unsigned int hlen;
nexpaq	0:6c56fb4bc5f0	521	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	522	mbedtls_md_context_t md_ctx;
nexpaq	0:6c56fb4bc5f0	523
nexpaq	0:6c56fb4bc5f0	524	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	0:6c56fb4bc5f0	525	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	526
nexpaq	0:6c56fb4bc5f0	527	if( f_rng == NULL )
nexpaq	0:6c56fb4bc5f0	528	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	529
nexpaq	0:6c56fb4bc5f0	530	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
nexpaq	0:6c56fb4bc5f0	531	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	532	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	533
nexpaq	0:6c56fb4bc5f0	534	olen = ctx->len;
nexpaq	0:6c56fb4bc5f0	535	hlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	536
nexpaq	0:6c56fb4bc5f0	537	/* first comparison checks for overflow */
nexpaq	0:6c56fb4bc5f0	538	if( ilen + 2 * hlen + 2 < ilen \|\| olen < ilen + 2 * hlen + 2 )
nexpaq	0:6c56fb4bc5f0	539	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	540
nexpaq	0:6c56fb4bc5f0	541	memset( output, 0, olen );
nexpaq	0:6c56fb4bc5f0	542
nexpaq	0:6c56fb4bc5f0	543	*p++ = 0;
nexpaq	0:6c56fb4bc5f0	544
nexpaq	0:6c56fb4bc5f0	545	/* Generate a random octet string seed */
nexpaq	0:6c56fb4bc5f0	546	if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	547	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
nexpaq	0:6c56fb4bc5f0	548
nexpaq	0:6c56fb4bc5f0	549	p += hlen;
nexpaq	0:6c56fb4bc5f0	550
nexpaq	0:6c56fb4bc5f0	551	/* Construct DB */
nexpaq	0:6c56fb4bc5f0	552	mbedtls_md( md_info, label, label_len, p );
nexpaq	0:6c56fb4bc5f0	553	p += hlen;
nexpaq	0:6c56fb4bc5f0	554	p += olen - 2 * hlen - 2 - ilen;
nexpaq	0:6c56fb4bc5f0	555	*p++ = 1;
nexpaq	0:6c56fb4bc5f0	556	memcpy( p, input, ilen );
nexpaq	0:6c56fb4bc5f0	557
nexpaq	0:6c56fb4bc5f0	558	mbedtls_md_init( &md_ctx );
nexpaq	0:6c56fb4bc5f0	559	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	560	{
nexpaq	0:6c56fb4bc5f0	561	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	562	return( ret );
nexpaq	0:6c56fb4bc5f0	563	}
nexpaq	0:6c56fb4bc5f0	564
nexpaq	0:6c56fb4bc5f0	565	/* maskedDB: Apply dbMask to DB */
nexpaq	0:6c56fb4bc5f0	566	mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
nexpaq	0:6c56fb4bc5f0	567	&md_ctx );
nexpaq	0:6c56fb4bc5f0	568
nexpaq	0:6c56fb4bc5f0	569	/* maskedSeed: Apply seedMask to seed */
nexpaq	0:6c56fb4bc5f0	570	mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
nexpaq	0:6c56fb4bc5f0	571	&md_ctx );
nexpaq	0:6c56fb4bc5f0	572
nexpaq	0:6c56fb4bc5f0	573	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	574
nexpaq	0:6c56fb4bc5f0	575	return( ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	576	? mbedtls_rsa_public( ctx, output, output )
nexpaq	0:6c56fb4bc5f0	577	: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
nexpaq	0:6c56fb4bc5f0	578	}
nexpaq	0:6c56fb4bc5f0	579	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	0:6c56fb4bc5f0	580
nexpaq	0:6c56fb4bc5f0	581	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	582	/*
nexpaq	0:6c56fb4bc5f0	583	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
nexpaq	0:6c56fb4bc5f0	584	*/
nexpaq	0:6c56fb4bc5f0	585	int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	586	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	587	void *p_rng,
nexpaq	0:6c56fb4bc5f0	588	int mode, size_t ilen,
nexpaq	0:6c56fb4bc5f0	589	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	590	unsigned char *output )
nexpaq	0:6c56fb4bc5f0	591	{
nexpaq	0:6c56fb4bc5f0	592	size_t nb_pad, olen;
nexpaq	0:6c56fb4bc5f0	593	int ret;
nexpaq	0:6c56fb4bc5f0	594	unsigned char *p = output;
nexpaq	0:6c56fb4bc5f0	595
nexpaq	0:6c56fb4bc5f0	596	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	0:6c56fb4bc5f0	597	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	598
nexpaq	0:6c56fb4bc5f0	599	// We don't check p_rng because it won't be dereferenced here
nexpaq	0:6c56fb4bc5f0	600	if( f_rng == NULL \|\| input == NULL \|\| output == NULL )
nexpaq	0:6c56fb4bc5f0	601	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	602
nexpaq	0:6c56fb4bc5f0	603	olen = ctx->len;
nexpaq	0:6c56fb4bc5f0	604
nexpaq	0:6c56fb4bc5f0	605	/* first comparison checks for overflow */
nexpaq	0:6c56fb4bc5f0	606	if( ilen + 11 < ilen \|\| olen < ilen + 11 )
nexpaq	0:6c56fb4bc5f0	607	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	608
nexpaq	0:6c56fb4bc5f0	609	nb_pad = olen - 3 - ilen;
nexpaq	0:6c56fb4bc5f0	610
nexpaq	0:6c56fb4bc5f0	611	*p++ = 0;
nexpaq	0:6c56fb4bc5f0	612	if( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	613	{
nexpaq	0:6c56fb4bc5f0	614	*p++ = MBEDTLS_RSA_CRYPT;
nexpaq	0:6c56fb4bc5f0	615
nexpaq	0:6c56fb4bc5f0	616	while( nb_pad-- > 0 )
nexpaq	0:6c56fb4bc5f0	617	{
nexpaq	0:6c56fb4bc5f0	618	int rng_dl = 100;
nexpaq	0:6c56fb4bc5f0	619
nexpaq	0:6c56fb4bc5f0	620	do {
nexpaq	0:6c56fb4bc5f0	621	ret = f_rng( p_rng, p, 1 );
nexpaq	0:6c56fb4bc5f0	622	} while( *p == 0 && --rng_dl && ret == 0 );
nexpaq	0:6c56fb4bc5f0	623
nexpaq	0:6c56fb4bc5f0	624	/* Check if RNG failed to generate data */
nexpaq	0:6c56fb4bc5f0	625	if( rng_dl == 0 \|\| ret != 0 )
nexpaq	0:6c56fb4bc5f0	626	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
nexpaq	0:6c56fb4bc5f0	627
nexpaq	0:6c56fb4bc5f0	628	p++;
nexpaq	0:6c56fb4bc5f0	629	}
nexpaq	0:6c56fb4bc5f0	630	}
nexpaq	0:6c56fb4bc5f0	631	else
nexpaq	0:6c56fb4bc5f0	632	{
nexpaq	0:6c56fb4bc5f0	633	*p++ = MBEDTLS_RSA_SIGN;
nexpaq	0:6c56fb4bc5f0	634
nexpaq	0:6c56fb4bc5f0	635	while( nb_pad-- > 0 )
nexpaq	0:6c56fb4bc5f0	636	*p++ = 0xFF;
nexpaq	0:6c56fb4bc5f0	637	}
nexpaq	0:6c56fb4bc5f0	638
nexpaq	0:6c56fb4bc5f0	639	*p++ = 0;
nexpaq	0:6c56fb4bc5f0	640	memcpy( p, input, ilen );
nexpaq	0:6c56fb4bc5f0	641
nexpaq	0:6c56fb4bc5f0	642	return( ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	643	? mbedtls_rsa_public( ctx, output, output )
nexpaq	0:6c56fb4bc5f0	644	: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
nexpaq	0:6c56fb4bc5f0	645	}
nexpaq	0:6c56fb4bc5f0	646	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	0:6c56fb4bc5f0	647
nexpaq	0:6c56fb4bc5f0	648	/*
nexpaq	0:6c56fb4bc5f0	649	* Add the message padding, then do an RSA operation
nexpaq	0:6c56fb4bc5f0	650	*/
nexpaq	0:6c56fb4bc5f0	651	int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	652	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	653	void *p_rng,
nexpaq	0:6c56fb4bc5f0	654	int mode, size_t ilen,
nexpaq	0:6c56fb4bc5f0	655	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	656	unsigned char *output )
nexpaq	0:6c56fb4bc5f0	657	{
nexpaq	0:6c56fb4bc5f0	658	switch( ctx->padding )
nexpaq	0:6c56fb4bc5f0	659	{
nexpaq	0:6c56fb4bc5f0	660	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	661	case MBEDTLS_RSA_PKCS_V15:
nexpaq	0:6c56fb4bc5f0	662	return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
nexpaq	0:6c56fb4bc5f0	663	input, output );
nexpaq	0:6c56fb4bc5f0	664	#endif
nexpaq	0:6c56fb4bc5f0	665
nexpaq	0:6c56fb4bc5f0	666	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	667	case MBEDTLS_RSA_PKCS_V21:
nexpaq	0:6c56fb4bc5f0	668	return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
nexpaq	0:6c56fb4bc5f0	669	ilen, input, output );
nexpaq	0:6c56fb4bc5f0	670	#endif
nexpaq	0:6c56fb4bc5f0	671
nexpaq	0:6c56fb4bc5f0	672	default:
nexpaq	0:6c56fb4bc5f0	673	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	674	}
nexpaq	0:6c56fb4bc5f0	675	}
nexpaq	0:6c56fb4bc5f0	676
nexpaq	0:6c56fb4bc5f0	677	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	678	/*
nexpaq	0:6c56fb4bc5f0	679	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
nexpaq	0:6c56fb4bc5f0	680	*/
nexpaq	0:6c56fb4bc5f0	681	int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	682	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	683	void *p_rng,
nexpaq	0:6c56fb4bc5f0	684	int mode,
nexpaq	0:6c56fb4bc5f0	685	const unsigned char *label, size_t label_len,
nexpaq	0:6c56fb4bc5f0	686	size_t *olen,
nexpaq	0:6c56fb4bc5f0	687	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	688	unsigned char *output,
nexpaq	0:6c56fb4bc5f0	689	size_t output_max_len )
nexpaq	0:6c56fb4bc5f0	690	{
nexpaq	0:6c56fb4bc5f0	691	int ret;
nexpaq	0:6c56fb4bc5f0	692	size_t ilen, i, pad_len;
nexpaq	0:6c56fb4bc5f0	693	unsigned char *p, bad, pad_done;
nexpaq	0:6c56fb4bc5f0	694	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	695	unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	696	unsigned int hlen;
nexpaq	0:6c56fb4bc5f0	697	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	698	mbedtls_md_context_t md_ctx;
nexpaq	0:6c56fb4bc5f0	699
nexpaq	0:6c56fb4bc5f0	700	/*
nexpaq	0:6c56fb4bc5f0	701	* Parameters sanity checks
nexpaq	0:6c56fb4bc5f0	702	*/
nexpaq	0:6c56fb4bc5f0	703	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	0:6c56fb4bc5f0	704	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	705
nexpaq	0:6c56fb4bc5f0	706	ilen = ctx->len;
nexpaq	0:6c56fb4bc5f0	707
nexpaq	0:6c56fb4bc5f0	708	if( ilen < 16 \|\| ilen > sizeof( buf ) )
nexpaq	0:6c56fb4bc5f0	709	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	710
nexpaq	0:6c56fb4bc5f0	711	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
nexpaq	0:6c56fb4bc5f0	712	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	713	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	714
nexpaq	0:6c56fb4bc5f0	715	hlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	716
nexpaq	0:6c56fb4bc5f0	717	// checking for integer underflow
nexpaq	0:6c56fb4bc5f0	718	if( 2 * hlen + 2 > ilen )
nexpaq	0:6c56fb4bc5f0	719	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	720
nexpaq	0:6c56fb4bc5f0	721	/*
nexpaq	0:6c56fb4bc5f0	722	* RSA operation
nexpaq	0:6c56fb4bc5f0	723	*/
nexpaq	0:6c56fb4bc5f0	724	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	725	? mbedtls_rsa_public( ctx, input, buf )
nexpaq	0:6c56fb4bc5f0	726	: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
nexpaq	0:6c56fb4bc5f0	727
nexpaq	0:6c56fb4bc5f0	728	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	729	return( ret );
nexpaq	0:6c56fb4bc5f0	730
nexpaq	0:6c56fb4bc5f0	731	/*
nexpaq	0:6c56fb4bc5f0	732	* Unmask data and generate lHash
nexpaq	0:6c56fb4bc5f0	733	*/
nexpaq	0:6c56fb4bc5f0	734	mbedtls_md_init( &md_ctx );
nexpaq	0:6c56fb4bc5f0	735	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	736	{
nexpaq	0:6c56fb4bc5f0	737	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	738	return( ret );
nexpaq	0:6c56fb4bc5f0	739	}
nexpaq	0:6c56fb4bc5f0	740
nexpaq	0:6c56fb4bc5f0	741
nexpaq	0:6c56fb4bc5f0	742	/* Generate lHash */
nexpaq	0:6c56fb4bc5f0	743	mbedtls_md( md_info, label, label_len, lhash );
nexpaq	0:6c56fb4bc5f0	744
nexpaq	0:6c56fb4bc5f0	745	/* seed: Apply seedMask to maskedSeed */
nexpaq	0:6c56fb4bc5f0	746	mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
nexpaq	0:6c56fb4bc5f0	747	&md_ctx );
nexpaq	0:6c56fb4bc5f0	748
nexpaq	0:6c56fb4bc5f0	749	/* DB: Apply dbMask to maskedDB */
nexpaq	0:6c56fb4bc5f0	750	mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
nexpaq	0:6c56fb4bc5f0	751	&md_ctx );
nexpaq	0:6c56fb4bc5f0	752
nexpaq	0:6c56fb4bc5f0	753	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	754
nexpaq	0:6c56fb4bc5f0	755	/*
nexpaq	0:6c56fb4bc5f0	756	* Check contents, in "constant-time"
nexpaq	0:6c56fb4bc5f0	757	*/
nexpaq	0:6c56fb4bc5f0	758	p = buf;
nexpaq	0:6c56fb4bc5f0	759	bad = 0;
nexpaq	0:6c56fb4bc5f0	760
nexpaq	0:6c56fb4bc5f0	761	bad \|= p++; / First byte must be 0 */
nexpaq	0:6c56fb4bc5f0	762
nexpaq	0:6c56fb4bc5f0	763	p += hlen; /* Skip seed */
nexpaq	0:6c56fb4bc5f0	764
nexpaq	0:6c56fb4bc5f0	765	/* Check lHash */
nexpaq	0:6c56fb4bc5f0	766	for( i = 0; i < hlen; i++ )
nexpaq	0:6c56fb4bc5f0	767	bad \|= lhash[i] ^ *p++;
nexpaq	0:6c56fb4bc5f0	768
nexpaq	0:6c56fb4bc5f0	769	/* Get zero-padding len, but always read till end of buffer
nexpaq	0:6c56fb4bc5f0	770	* (minus one, for the 01 byte) */
nexpaq	0:6c56fb4bc5f0	771	pad_len = 0;
nexpaq	0:6c56fb4bc5f0	772	pad_done = 0;
nexpaq	0:6c56fb4bc5f0	773	for( i = 0; i < ilen - 2 * hlen - 2; i++ )
nexpaq	0:6c56fb4bc5f0	774	{
nexpaq	0:6c56fb4bc5f0	775	pad_done \|= p[i];
nexpaq	0:6c56fb4bc5f0	776	pad_len += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
nexpaq	0:6c56fb4bc5f0	777	}
nexpaq	0:6c56fb4bc5f0	778
nexpaq	0:6c56fb4bc5f0	779	p += pad_len;
nexpaq	0:6c56fb4bc5f0	780	bad \|= *p++ ^ 0x01;
nexpaq	0:6c56fb4bc5f0	781
nexpaq	0:6c56fb4bc5f0	782	/*
nexpaq	0:6c56fb4bc5f0	783	* The only information "leaked" is whether the padding was correct or not
nexpaq	0:6c56fb4bc5f0	784	* (eg, no data is copied if it was not correct). This meets the
nexpaq	0:6c56fb4bc5f0	785	* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
nexpaq	0:6c56fb4bc5f0	786	* the different error conditions.
nexpaq	0:6c56fb4bc5f0	787	*/
nexpaq	0:6c56fb4bc5f0	788	if( bad != 0 )
nexpaq	0:6c56fb4bc5f0	789	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	790
nexpaq	0:6c56fb4bc5f0	791	if( ilen - ( p - buf ) > output_max_len )
nexpaq	0:6c56fb4bc5f0	792	return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
nexpaq	0:6c56fb4bc5f0	793
nexpaq	0:6c56fb4bc5f0	794	*olen = ilen - (p - buf);
nexpaq	0:6c56fb4bc5f0	795	memcpy( output, p, *olen );
nexpaq	0:6c56fb4bc5f0	796
nexpaq	0:6c56fb4bc5f0	797	return( 0 );
nexpaq	0:6c56fb4bc5f0	798	}
nexpaq	0:6c56fb4bc5f0	799	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	0:6c56fb4bc5f0	800
nexpaq	0:6c56fb4bc5f0	801	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	802	/*
nexpaq	0:6c56fb4bc5f0	803	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
nexpaq	0:6c56fb4bc5f0	804	*/
nexpaq	0:6c56fb4bc5f0	805	int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	806	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	807	void *p_rng,
nexpaq	0:6c56fb4bc5f0	808	int mode, size_t *olen,
nexpaq	0:6c56fb4bc5f0	809	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	810	unsigned char *output,
nexpaq	0:6c56fb4bc5f0	811	size_t output_max_len)
nexpaq	0:6c56fb4bc5f0	812	{
nexpaq	0:6c56fb4bc5f0	813	int ret;
nexpaq	0:6c56fb4bc5f0	814	size_t ilen, pad_count = 0, i;
nexpaq	0:6c56fb4bc5f0	815	unsigned char *p, bad, pad_done = 0;
nexpaq	0:6c56fb4bc5f0	816	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	817
nexpaq	0:6c56fb4bc5f0	818	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	0:6c56fb4bc5f0	819	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	820
nexpaq	0:6c56fb4bc5f0	821	ilen = ctx->len;
nexpaq	0:6c56fb4bc5f0	822
nexpaq	0:6c56fb4bc5f0	823	if( ilen < 16 \|\| ilen > sizeof( buf ) )
nexpaq	0:6c56fb4bc5f0	824	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	825
nexpaq	0:6c56fb4bc5f0	826	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	827	? mbedtls_rsa_public( ctx, input, buf )
nexpaq	0:6c56fb4bc5f0	828	: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
nexpaq	0:6c56fb4bc5f0	829
nexpaq	0:6c56fb4bc5f0	830	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	831	return( ret );
nexpaq	0:6c56fb4bc5f0	832
nexpaq	0:6c56fb4bc5f0	833	p = buf;
nexpaq	0:6c56fb4bc5f0	834	bad = 0;
nexpaq	0:6c56fb4bc5f0	835
nexpaq	0:6c56fb4bc5f0	836	/*
nexpaq	0:6c56fb4bc5f0	837	* Check and get padding len in "constant-time"
nexpaq	0:6c56fb4bc5f0	838	*/
nexpaq	0:6c56fb4bc5f0	839	bad \|= p++; / First byte must be 0 */
nexpaq	0:6c56fb4bc5f0	840
nexpaq	0:6c56fb4bc5f0	841	/* This test does not depend on secret data */
nexpaq	0:6c56fb4bc5f0	842	if( mode == MBEDTLS_RSA_PRIVATE )
nexpaq	0:6c56fb4bc5f0	843	{
nexpaq	0:6c56fb4bc5f0	844	bad \|= *p++ ^ MBEDTLS_RSA_CRYPT;
nexpaq	0:6c56fb4bc5f0	845
nexpaq	0:6c56fb4bc5f0	846	/* Get padding len, but always read till end of buffer
nexpaq	0:6c56fb4bc5f0	847	* (minus one, for the 00 byte) */
nexpaq	0:6c56fb4bc5f0	848	for( i = 0; i < ilen - 3; i++ )
nexpaq	0:6c56fb4bc5f0	849	{
nexpaq	0:6c56fb4bc5f0	850	pad_done \|= ((p[i] \| (unsigned char)-p[i]) >> 7) ^ 1;
nexpaq	0:6c56fb4bc5f0	851	pad_count += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
nexpaq	0:6c56fb4bc5f0	852	}
nexpaq	0:6c56fb4bc5f0	853
nexpaq	0:6c56fb4bc5f0	854	p += pad_count;
nexpaq	0:6c56fb4bc5f0	855	bad \|= p++; / Must be zero */
nexpaq	0:6c56fb4bc5f0	856	}
nexpaq	0:6c56fb4bc5f0	857	else
nexpaq	0:6c56fb4bc5f0	858	{
nexpaq	0:6c56fb4bc5f0	859	bad \|= *p++ ^ MBEDTLS_RSA_SIGN;
nexpaq	0:6c56fb4bc5f0	860
nexpaq	0:6c56fb4bc5f0	861	/* Get padding len, but always read till end of buffer
nexpaq	0:6c56fb4bc5f0	862	* (minus one, for the 00 byte) */
nexpaq	0:6c56fb4bc5f0	863	for( i = 0; i < ilen - 3; i++ )
nexpaq	0:6c56fb4bc5f0	864	{
nexpaq	0:6c56fb4bc5f0	865	pad_done \|= ( p[i] != 0xFF );
nexpaq	0:6c56fb4bc5f0	866	pad_count += ( pad_done == 0 );
nexpaq	0:6c56fb4bc5f0	867	}
nexpaq	0:6c56fb4bc5f0	868
nexpaq	0:6c56fb4bc5f0	869	p += pad_count;
nexpaq	0:6c56fb4bc5f0	870	bad \|= p++; / Must be zero */
nexpaq	0:6c56fb4bc5f0	871	}
nexpaq	0:6c56fb4bc5f0	872
nexpaq	0:6c56fb4bc5f0	873	bad \|= ( pad_count < 8 );
nexpaq	0:6c56fb4bc5f0	874
nexpaq	0:6c56fb4bc5f0	875	if( bad )
nexpaq	0:6c56fb4bc5f0	876	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	877
nexpaq	0:6c56fb4bc5f0	878	if( ilen - ( p - buf ) > output_max_len )
nexpaq	0:6c56fb4bc5f0	879	return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
nexpaq	0:6c56fb4bc5f0	880
nexpaq	0:6c56fb4bc5f0	881	*olen = ilen - (p - buf);
nexpaq	0:6c56fb4bc5f0	882	memcpy( output, p, *olen );
nexpaq	0:6c56fb4bc5f0	883
nexpaq	0:6c56fb4bc5f0	884	return( 0 );
nexpaq	0:6c56fb4bc5f0	885	}
nexpaq	0:6c56fb4bc5f0	886	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	0:6c56fb4bc5f0	887
nexpaq	0:6c56fb4bc5f0	888	/*
nexpaq	0:6c56fb4bc5f0	889	* Do an RSA operation, then remove the message padding
nexpaq	0:6c56fb4bc5f0	890	*/
nexpaq	0:6c56fb4bc5f0	891	int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	892	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	893	void *p_rng,
nexpaq	0:6c56fb4bc5f0	894	int mode, size_t *olen,
nexpaq	0:6c56fb4bc5f0	895	const unsigned char *input,
nexpaq	0:6c56fb4bc5f0	896	unsigned char *output,
nexpaq	0:6c56fb4bc5f0	897	size_t output_max_len)
nexpaq	0:6c56fb4bc5f0	898	{
nexpaq	0:6c56fb4bc5f0	899	switch( ctx->padding )
nexpaq	0:6c56fb4bc5f0	900	{
nexpaq	0:6c56fb4bc5f0	901	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	902	case MBEDTLS_RSA_PKCS_V15:
nexpaq	0:6c56fb4bc5f0	903	return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
nexpaq	0:6c56fb4bc5f0	904	input, output, output_max_len );
nexpaq	0:6c56fb4bc5f0	905	#endif
nexpaq	0:6c56fb4bc5f0	906
nexpaq	0:6c56fb4bc5f0	907	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	908	case MBEDTLS_RSA_PKCS_V21:
nexpaq	0:6c56fb4bc5f0	909	return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
nexpaq	0:6c56fb4bc5f0	910	olen, input, output,
nexpaq	0:6c56fb4bc5f0	911	output_max_len );
nexpaq	0:6c56fb4bc5f0	912	#endif
nexpaq	0:6c56fb4bc5f0	913
nexpaq	0:6c56fb4bc5f0	914	default:
nexpaq	0:6c56fb4bc5f0	915	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	916	}
nexpaq	0:6c56fb4bc5f0	917	}
nexpaq	0:6c56fb4bc5f0	918
nexpaq	0:6c56fb4bc5f0	919	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	920	/*
nexpaq	0:6c56fb4bc5f0	921	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
nexpaq	0:6c56fb4bc5f0	922	*/
nexpaq	0:6c56fb4bc5f0	923	int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	924	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	925	void *p_rng,
nexpaq	0:6c56fb4bc5f0	926	int mode,
nexpaq	0:6c56fb4bc5f0	927	mbedtls_md_type_t md_alg,
nexpaq	0:6c56fb4bc5f0	928	unsigned int hashlen,
nexpaq	0:6c56fb4bc5f0	929	const unsigned char *hash,
nexpaq	0:6c56fb4bc5f0	930	unsigned char *sig )
nexpaq	0:6c56fb4bc5f0	931	{
nexpaq	0:6c56fb4bc5f0	932	size_t olen;
nexpaq	0:6c56fb4bc5f0	933	unsigned char *p = sig;
nexpaq	0:6c56fb4bc5f0	934	unsigned char salt[MBEDTLS_MD_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	935	unsigned int slen, hlen, offset = 0;
nexpaq	0:6c56fb4bc5f0	936	int ret;
nexpaq	0:6c56fb4bc5f0	937	size_t msb;
nexpaq	0:6c56fb4bc5f0	938	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	939	mbedtls_md_context_t md_ctx;
nexpaq	0:6c56fb4bc5f0	940
nexpaq	0:6c56fb4bc5f0	941	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	0:6c56fb4bc5f0	942	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	943
nexpaq	0:6c56fb4bc5f0	944	if( f_rng == NULL )
nexpaq	0:6c56fb4bc5f0	945	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	946
nexpaq	0:6c56fb4bc5f0	947	olen = ctx->len;
nexpaq	0:6c56fb4bc5f0	948
nexpaq	0:6c56fb4bc5f0	949	if( md_alg != MBEDTLS_MD_NONE )
nexpaq	0:6c56fb4bc5f0	950	{
nexpaq	0:6c56fb4bc5f0	951	/* Gather length of hash to sign */
nexpaq	0:6c56fb4bc5f0	952	md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	0:6c56fb4bc5f0	953	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	954	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	955
nexpaq	0:6c56fb4bc5f0	956	hashlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	957	}
nexpaq	0:6c56fb4bc5f0	958
nexpaq	0:6c56fb4bc5f0	959	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
nexpaq	0:6c56fb4bc5f0	960	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	961	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	962
nexpaq	0:6c56fb4bc5f0	963	hlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	964	slen = hlen;
nexpaq	0:6c56fb4bc5f0	965
nexpaq	0:6c56fb4bc5f0	966	if( olen < hlen + slen + 2 )
nexpaq	0:6c56fb4bc5f0	967	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	968
nexpaq	0:6c56fb4bc5f0	969	memset( sig, 0, olen );
nexpaq	0:6c56fb4bc5f0	970
nexpaq	0:6c56fb4bc5f0	971	/* Generate salt of length slen */
nexpaq	0:6c56fb4bc5f0	972	if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	973	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
nexpaq	0:6c56fb4bc5f0	974
nexpaq	0:6c56fb4bc5f0	975	/* Note: EMSA-PSS encoding is over the length of N - 1 bits */
nexpaq	0:6c56fb4bc5f0	976	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
nexpaq	0:6c56fb4bc5f0	977	p += olen - hlen * 2 - 2;
nexpaq	0:6c56fb4bc5f0	978	*p++ = 0x01;
nexpaq	0:6c56fb4bc5f0	979	memcpy( p, salt, slen );
nexpaq	0:6c56fb4bc5f0	980	p += slen;
nexpaq	0:6c56fb4bc5f0	981
nexpaq	0:6c56fb4bc5f0	982	mbedtls_md_init( &md_ctx );
nexpaq	0:6c56fb4bc5f0	983	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	984	{
nexpaq	0:6c56fb4bc5f0	985	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	986	return( ret );
nexpaq	0:6c56fb4bc5f0	987	}
nexpaq	0:6c56fb4bc5f0	988
nexpaq	0:6c56fb4bc5f0	989	/* Generate H = Hash( M' ) */
nexpaq	0:6c56fb4bc5f0	990	mbedtls_md_starts( &md_ctx );
nexpaq	0:6c56fb4bc5f0	991	mbedtls_md_update( &md_ctx, p, 8 );
nexpaq	0:6c56fb4bc5f0	992	mbedtls_md_update( &md_ctx, hash, hashlen );
nexpaq	0:6c56fb4bc5f0	993	mbedtls_md_update( &md_ctx, salt, slen );
nexpaq	0:6c56fb4bc5f0	994	mbedtls_md_finish( &md_ctx, p );
nexpaq	0:6c56fb4bc5f0	995
nexpaq	0:6c56fb4bc5f0	996	/* Compensate for boundary condition when applying mask */
nexpaq	0:6c56fb4bc5f0	997	if( msb % 8 == 0 )
nexpaq	0:6c56fb4bc5f0	998	offset = 1;
nexpaq	0:6c56fb4bc5f0	999
nexpaq	0:6c56fb4bc5f0	1000	/* maskedDB: Apply dbMask to DB */
nexpaq	0:6c56fb4bc5f0	1001	mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
nexpaq	0:6c56fb4bc5f0	1002
nexpaq	0:6c56fb4bc5f0	1003	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	1004
nexpaq	0:6c56fb4bc5f0	1005	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
nexpaq	0:6c56fb4bc5f0	1006	sig[0] &= 0xFF >> ( olen * 8 - msb );
nexpaq	0:6c56fb4bc5f0	1007
nexpaq	0:6c56fb4bc5f0	1008	p += hlen;
nexpaq	0:6c56fb4bc5f0	1009	*p++ = 0xBC;
nexpaq	0:6c56fb4bc5f0	1010
nexpaq	0:6c56fb4bc5f0	1011	return( ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	1012	? mbedtls_rsa_public( ctx, sig, sig )
nexpaq	0:6c56fb4bc5f0	1013	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
nexpaq	0:6c56fb4bc5f0	1014	}
nexpaq	0:6c56fb4bc5f0	1015	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	0:6c56fb4bc5f0	1016
nexpaq	0:6c56fb4bc5f0	1017	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	1018	/*
nexpaq	0:6c56fb4bc5f0	1019	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
nexpaq	0:6c56fb4bc5f0	1020	*/
nexpaq	0:6c56fb4bc5f0	1021	/*
nexpaq	0:6c56fb4bc5f0	1022	* Do an RSA operation to sign the message digest
nexpaq	0:6c56fb4bc5f0	1023	*/
nexpaq	0:6c56fb4bc5f0	1024	int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	1025	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	1026	void *p_rng,
nexpaq	0:6c56fb4bc5f0	1027	int mode,
nexpaq	0:6c56fb4bc5f0	1028	mbedtls_md_type_t md_alg,
nexpaq	0:6c56fb4bc5f0	1029	unsigned int hashlen,
nexpaq	0:6c56fb4bc5f0	1030	const unsigned char *hash,
nexpaq	0:6c56fb4bc5f0	1031	unsigned char *sig )
nexpaq	0:6c56fb4bc5f0	1032	{
nexpaq	0:6c56fb4bc5f0	1033	size_t nb_pad, olen, oid_size = 0;
nexpaq	0:6c56fb4bc5f0	1034	unsigned char *p = sig;
nexpaq	0:6c56fb4bc5f0	1035	const char *oid = NULL;
nexpaq	0:6c56fb4bc5f0	1036	unsigned char sig_try = NULL, verif = NULL;
nexpaq	0:6c56fb4bc5f0	1037	size_t i;
nexpaq	0:6c56fb4bc5f0	1038	unsigned char diff;
nexpaq	0:6c56fb4bc5f0	1039	volatile unsigned char diff_no_optimize;
nexpaq	0:6c56fb4bc5f0	1040	int ret;
nexpaq	0:6c56fb4bc5f0	1041
nexpaq	0:6c56fb4bc5f0	1042	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	0:6c56fb4bc5f0	1043	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1044
nexpaq	0:6c56fb4bc5f0	1045	olen = ctx->len;
nexpaq	0:6c56fb4bc5f0	1046	nb_pad = olen - 3;
nexpaq	0:6c56fb4bc5f0	1047
nexpaq	0:6c56fb4bc5f0	1048	if( md_alg != MBEDTLS_MD_NONE )
nexpaq	0:6c56fb4bc5f0	1049	{
nexpaq	0:6c56fb4bc5f0	1050	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	0:6c56fb4bc5f0	1051	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	1052	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1053
nexpaq	0:6c56fb4bc5f0	1054	if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
nexpaq	0:6c56fb4bc5f0	1055	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1056
nexpaq	0:6c56fb4bc5f0	1057	nb_pad -= 10 + oid_size;
nexpaq	0:6c56fb4bc5f0	1058
nexpaq	0:6c56fb4bc5f0	1059	hashlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	1060	}
nexpaq	0:6c56fb4bc5f0	1061
nexpaq	0:6c56fb4bc5f0	1062	nb_pad -= hashlen;
nexpaq	0:6c56fb4bc5f0	1063
nexpaq	0:6c56fb4bc5f0	1064	if( ( nb_pad < 8 ) \|\| ( nb_pad > olen ) )
nexpaq	0:6c56fb4bc5f0	1065	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1066
nexpaq	0:6c56fb4bc5f0	1067	*p++ = 0;
nexpaq	0:6c56fb4bc5f0	1068	*p++ = MBEDTLS_RSA_SIGN;
nexpaq	0:6c56fb4bc5f0	1069	memset( p, 0xFF, nb_pad );
nexpaq	0:6c56fb4bc5f0	1070	p += nb_pad;
nexpaq	0:6c56fb4bc5f0	1071	*p++ = 0;
nexpaq	0:6c56fb4bc5f0	1072
nexpaq	0:6c56fb4bc5f0	1073	if( md_alg == MBEDTLS_MD_NONE )
nexpaq	0:6c56fb4bc5f0	1074	{
nexpaq	0:6c56fb4bc5f0	1075	memcpy( p, hash, hashlen );
nexpaq	0:6c56fb4bc5f0	1076	}
nexpaq	0:6c56fb4bc5f0	1077	else
nexpaq	0:6c56fb4bc5f0	1078	{
nexpaq	0:6c56fb4bc5f0	1079	/*
nexpaq	0:6c56fb4bc5f0	1080	* DigestInfo ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	1081	* digestAlgorithm DigestAlgorithmIdentifier,
nexpaq	0:6c56fb4bc5f0	1082	* digest Digest }
nexpaq	0:6c56fb4bc5f0	1083	*
nexpaq	0:6c56fb4bc5f0	1084	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
nexpaq	0:6c56fb4bc5f0	1085	*
nexpaq	0:6c56fb4bc5f0	1086	* Digest ::= OCTET STRING
nexpaq	0:6c56fb4bc5f0	1087	*/
nexpaq	0:6c56fb4bc5f0	1088	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
nexpaq	0:6c56fb4bc5f0	1089	*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
nexpaq	0:6c56fb4bc5f0	1090	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
nexpaq	0:6c56fb4bc5f0	1091	*p++ = (unsigned char) ( 0x04 + oid_size );
nexpaq	0:6c56fb4bc5f0	1092	*p++ = MBEDTLS_ASN1_OID;
nexpaq	0:6c56fb4bc5f0	1093	*p++ = oid_size & 0xFF;
nexpaq	0:6c56fb4bc5f0	1094	memcpy( p, oid, oid_size );
nexpaq	0:6c56fb4bc5f0	1095	p += oid_size;
nexpaq	0:6c56fb4bc5f0	1096	*p++ = MBEDTLS_ASN1_NULL;
nexpaq	0:6c56fb4bc5f0	1097	*p++ = 0x00;
nexpaq	0:6c56fb4bc5f0	1098	*p++ = MBEDTLS_ASN1_OCTET_STRING;
nexpaq	0:6c56fb4bc5f0	1099	*p++ = hashlen;
nexpaq	0:6c56fb4bc5f0	1100	memcpy( p, hash, hashlen );
nexpaq	0:6c56fb4bc5f0	1101	}
nexpaq	0:6c56fb4bc5f0	1102
nexpaq	0:6c56fb4bc5f0	1103	if( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	1104	return( mbedtls_rsa_public( ctx, sig, sig ) );
nexpaq	0:6c56fb4bc5f0	1105
nexpaq	0:6c56fb4bc5f0	1106	/*
nexpaq	0:6c56fb4bc5f0	1107	* In order to prevent Lenstra's attack, make the signature in a
nexpaq	0:6c56fb4bc5f0	1108	* temporary buffer and check it before returning it.
nexpaq	0:6c56fb4bc5f0	1109	*/
nexpaq	0:6c56fb4bc5f0	1110	sig_try = mbedtls_calloc( 1, ctx->len );
nexpaq	0:6c56fb4bc5f0	1111	if( sig_try == NULL )
nexpaq	0:6c56fb4bc5f0	1112	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
nexpaq	0:6c56fb4bc5f0	1113
nexpaq	0:6c56fb4bc5f0	1114	verif = mbedtls_calloc( 1, ctx->len );
nexpaq	0:6c56fb4bc5f0	1115	if( verif == NULL )
nexpaq	0:6c56fb4bc5f0	1116	{
nexpaq	0:6c56fb4bc5f0	1117	mbedtls_free( sig_try );
nexpaq	0:6c56fb4bc5f0	1118	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
nexpaq	0:6c56fb4bc5f0	1119	}
nexpaq	0:6c56fb4bc5f0	1120
nexpaq	0:6c56fb4bc5f0	1121	MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
nexpaq	0:6c56fb4bc5f0	1122	MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
nexpaq	0:6c56fb4bc5f0	1123
nexpaq	0:6c56fb4bc5f0	1124	/* Compare in constant time just in case */
nexpaq	0:6c56fb4bc5f0	1125	for( diff = 0, i = 0; i < ctx->len; i++ )
nexpaq	0:6c56fb4bc5f0	1126	diff \|= verif[i] ^ sig[i];
nexpaq	0:6c56fb4bc5f0	1127	diff_no_optimize = diff;
nexpaq	0:6c56fb4bc5f0	1128
nexpaq	0:6c56fb4bc5f0	1129	if( diff_no_optimize != 0 )
nexpaq	0:6c56fb4bc5f0	1130	{
nexpaq	0:6c56fb4bc5f0	1131	ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
nexpaq	0:6c56fb4bc5f0	1132	goto cleanup;
nexpaq	0:6c56fb4bc5f0	1133	}
nexpaq	0:6c56fb4bc5f0	1134
nexpaq	0:6c56fb4bc5f0	1135	memcpy( sig, sig_try, ctx->len );
nexpaq	0:6c56fb4bc5f0	1136
nexpaq	0:6c56fb4bc5f0	1137	cleanup:
nexpaq	0:6c56fb4bc5f0	1138	mbedtls_free( sig_try );
nexpaq	0:6c56fb4bc5f0	1139	mbedtls_free( verif );
nexpaq	0:6c56fb4bc5f0	1140
nexpaq	0:6c56fb4bc5f0	1141	return( ret );
nexpaq	0:6c56fb4bc5f0	1142	}
nexpaq	0:6c56fb4bc5f0	1143	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	0:6c56fb4bc5f0	1144
nexpaq	0:6c56fb4bc5f0	1145	/*
nexpaq	0:6c56fb4bc5f0	1146	* Do an RSA operation to sign the message digest
nexpaq	0:6c56fb4bc5f0	1147	*/
nexpaq	0:6c56fb4bc5f0	1148	int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	1149	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	1150	void *p_rng,
nexpaq	0:6c56fb4bc5f0	1151	int mode,
nexpaq	0:6c56fb4bc5f0	1152	mbedtls_md_type_t md_alg,
nexpaq	0:6c56fb4bc5f0	1153	unsigned int hashlen,
nexpaq	0:6c56fb4bc5f0	1154	const unsigned char *hash,
nexpaq	0:6c56fb4bc5f0	1155	unsigned char *sig )
nexpaq	0:6c56fb4bc5f0	1156	{
nexpaq	0:6c56fb4bc5f0	1157	switch( ctx->padding )
nexpaq	0:6c56fb4bc5f0	1158	{
nexpaq	0:6c56fb4bc5f0	1159	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	1160	case MBEDTLS_RSA_PKCS_V15:
nexpaq	0:6c56fb4bc5f0	1161	return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	0:6c56fb4bc5f0	1162	hashlen, hash, sig );
nexpaq	0:6c56fb4bc5f0	1163	#endif
nexpaq	0:6c56fb4bc5f0	1164
nexpaq	0:6c56fb4bc5f0	1165	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	1166	case MBEDTLS_RSA_PKCS_V21:
nexpaq	0:6c56fb4bc5f0	1167	return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	0:6c56fb4bc5f0	1168	hashlen, hash, sig );
nexpaq	0:6c56fb4bc5f0	1169	#endif
nexpaq	0:6c56fb4bc5f0	1170
nexpaq	0:6c56fb4bc5f0	1171	default:
nexpaq	0:6c56fb4bc5f0	1172	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	1173	}
nexpaq	0:6c56fb4bc5f0	1174	}
nexpaq	0:6c56fb4bc5f0	1175
nexpaq	0:6c56fb4bc5f0	1176	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	1177	/*
nexpaq	0:6c56fb4bc5f0	1178	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
nexpaq	0:6c56fb4bc5f0	1179	*/
nexpaq	0:6c56fb4bc5f0	1180	int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	1181	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	1182	void *p_rng,
nexpaq	0:6c56fb4bc5f0	1183	int mode,
nexpaq	0:6c56fb4bc5f0	1184	mbedtls_md_type_t md_alg,
nexpaq	0:6c56fb4bc5f0	1185	unsigned int hashlen,
nexpaq	0:6c56fb4bc5f0	1186	const unsigned char *hash,
nexpaq	0:6c56fb4bc5f0	1187	mbedtls_md_type_t mgf1_hash_id,
nexpaq	0:6c56fb4bc5f0	1188	int expected_salt_len,
nexpaq	0:6c56fb4bc5f0	1189	const unsigned char *sig )
nexpaq	0:6c56fb4bc5f0	1190	{
nexpaq	0:6c56fb4bc5f0	1191	int ret;
nexpaq	0:6c56fb4bc5f0	1192	size_t siglen;
nexpaq	0:6c56fb4bc5f0	1193	unsigned char *p;
nexpaq	0:6c56fb4bc5f0	1194	unsigned char result[MBEDTLS_MD_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	1195	unsigned char zeros[8];
nexpaq	0:6c56fb4bc5f0	1196	unsigned int hlen;
nexpaq	0:6c56fb4bc5f0	1197	size_t slen, msb;
nexpaq	0:6c56fb4bc5f0	1198	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	1199	mbedtls_md_context_t md_ctx;
nexpaq	0:6c56fb4bc5f0	1200	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	1201
nexpaq	0:6c56fb4bc5f0	1202	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	0:6c56fb4bc5f0	1203	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1204
nexpaq	0:6c56fb4bc5f0	1205	siglen = ctx->len;
nexpaq	0:6c56fb4bc5f0	1206
nexpaq	0:6c56fb4bc5f0	1207	if( siglen < 16 \|\| siglen > sizeof( buf ) )
nexpaq	0:6c56fb4bc5f0	1208	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1209
nexpaq	0:6c56fb4bc5f0	1210	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	1211	? mbedtls_rsa_public( ctx, sig, buf )
nexpaq	0:6c56fb4bc5f0	1212	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
nexpaq	0:6c56fb4bc5f0	1213
nexpaq	0:6c56fb4bc5f0	1214	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	1215	return( ret );
nexpaq	0:6c56fb4bc5f0	1216
nexpaq	0:6c56fb4bc5f0	1217	p = buf;
nexpaq	0:6c56fb4bc5f0	1218
nexpaq	0:6c56fb4bc5f0	1219	if( buf[siglen - 1] != 0xBC )
nexpaq	0:6c56fb4bc5f0	1220	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	1221
nexpaq	0:6c56fb4bc5f0	1222	if( md_alg != MBEDTLS_MD_NONE )
nexpaq	0:6c56fb4bc5f0	1223	{
nexpaq	0:6c56fb4bc5f0	1224	/* Gather length of hash to sign */
nexpaq	0:6c56fb4bc5f0	1225	md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	0:6c56fb4bc5f0	1226	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	1227	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1228
nexpaq	0:6c56fb4bc5f0	1229	hashlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	1230	}
nexpaq	0:6c56fb4bc5f0	1231
nexpaq	0:6c56fb4bc5f0	1232	md_info = mbedtls_md_info_from_type( mgf1_hash_id );
nexpaq	0:6c56fb4bc5f0	1233	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	1234	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1235
nexpaq	0:6c56fb4bc5f0	1236	hlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	1237	slen = siglen - hlen - 1; /* Currently length of salt + padding */
nexpaq	0:6c56fb4bc5f0	1238
nexpaq	0:6c56fb4bc5f0	1239	memset( zeros, 0, 8 );
nexpaq	0:6c56fb4bc5f0	1240
nexpaq	0:6c56fb4bc5f0	1241	/*
nexpaq	0:6c56fb4bc5f0	1242	* Note: EMSA-PSS verification is over the length of N - 1 bits
nexpaq	0:6c56fb4bc5f0	1243	*/
nexpaq	0:6c56fb4bc5f0	1244	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
nexpaq	0:6c56fb4bc5f0	1245
nexpaq	0:6c56fb4bc5f0	1246	/* Compensate for boundary condition when applying mask */
nexpaq	0:6c56fb4bc5f0	1247	if( msb % 8 == 0 )
nexpaq	0:6c56fb4bc5f0	1248	{
nexpaq	0:6c56fb4bc5f0	1249	p++;
nexpaq	0:6c56fb4bc5f0	1250	siglen -= 1;
nexpaq	0:6c56fb4bc5f0	1251	}
nexpaq	0:6c56fb4bc5f0	1252	if( buf[0] >> ( 8 - siglen * 8 + msb ) )
nexpaq	0:6c56fb4bc5f0	1253	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1254
nexpaq	0:6c56fb4bc5f0	1255	mbedtls_md_init( &md_ctx );
nexpaq	0:6c56fb4bc5f0	1256	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1257	{
nexpaq	0:6c56fb4bc5f0	1258	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	1259	return( ret );
nexpaq	0:6c56fb4bc5f0	1260	}
nexpaq	0:6c56fb4bc5f0	1261
nexpaq	0:6c56fb4bc5f0	1262	mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
nexpaq	0:6c56fb4bc5f0	1263
nexpaq	0:6c56fb4bc5f0	1264	buf[0] &= 0xFF >> ( siglen * 8 - msb );
nexpaq	0:6c56fb4bc5f0	1265
nexpaq	0:6c56fb4bc5f0	1266	while( p < buf + siglen && *p == 0 )
nexpaq	0:6c56fb4bc5f0	1267	p++;
nexpaq	0:6c56fb4bc5f0	1268
nexpaq	0:6c56fb4bc5f0	1269	if( p == buf + siglen \|\|
nexpaq	0:6c56fb4bc5f0	1270	*p++ != 0x01 )
nexpaq	0:6c56fb4bc5f0	1271	{
nexpaq	0:6c56fb4bc5f0	1272	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	1273	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	1274	}
nexpaq	0:6c56fb4bc5f0	1275
nexpaq	0:6c56fb4bc5f0	1276	/* Actual salt len */
nexpaq	0:6c56fb4bc5f0	1277	slen -= p - buf;
nexpaq	0:6c56fb4bc5f0	1278
nexpaq	0:6c56fb4bc5f0	1279	if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
nexpaq	0:6c56fb4bc5f0	1280	slen != (size_t) expected_salt_len )
nexpaq	0:6c56fb4bc5f0	1281	{
nexpaq	0:6c56fb4bc5f0	1282	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	1283	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	1284	}
nexpaq	0:6c56fb4bc5f0	1285
nexpaq	0:6c56fb4bc5f0	1286	/*
nexpaq	0:6c56fb4bc5f0	1287	* Generate H = Hash( M' )
nexpaq	0:6c56fb4bc5f0	1288	*/
nexpaq	0:6c56fb4bc5f0	1289	mbedtls_md_starts( &md_ctx );
nexpaq	0:6c56fb4bc5f0	1290	mbedtls_md_update( &md_ctx, zeros, 8 );
nexpaq	0:6c56fb4bc5f0	1291	mbedtls_md_update( &md_ctx, hash, hashlen );
nexpaq	0:6c56fb4bc5f0	1292	mbedtls_md_update( &md_ctx, p, slen );
nexpaq	0:6c56fb4bc5f0	1293	mbedtls_md_finish( &md_ctx, result );
nexpaq	0:6c56fb4bc5f0	1294
nexpaq	0:6c56fb4bc5f0	1295	mbedtls_md_free( &md_ctx );
nexpaq	0:6c56fb4bc5f0	1296
nexpaq	0:6c56fb4bc5f0	1297	if( memcmp( p + slen, result, hlen ) == 0 )
nexpaq	0:6c56fb4bc5f0	1298	return( 0 );
nexpaq	0:6c56fb4bc5f0	1299	else
nexpaq	0:6c56fb4bc5f0	1300	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1301	}
nexpaq	0:6c56fb4bc5f0	1302
nexpaq	0:6c56fb4bc5f0	1303	/*
nexpaq	0:6c56fb4bc5f0	1304	* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
nexpaq	0:6c56fb4bc5f0	1305	*/
nexpaq	0:6c56fb4bc5f0	1306	int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	1307	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	1308	void *p_rng,
nexpaq	0:6c56fb4bc5f0	1309	int mode,
nexpaq	0:6c56fb4bc5f0	1310	mbedtls_md_type_t md_alg,
nexpaq	0:6c56fb4bc5f0	1311	unsigned int hashlen,
nexpaq	0:6c56fb4bc5f0	1312	const unsigned char *hash,
nexpaq	0:6c56fb4bc5f0	1313	const unsigned char *sig )
nexpaq	0:6c56fb4bc5f0	1314	{
nexpaq	0:6c56fb4bc5f0	1315	mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
nexpaq	0:6c56fb4bc5f0	1316	? (mbedtls_md_type_t) ctx->hash_id
nexpaq	0:6c56fb4bc5f0	1317	: md_alg;
nexpaq	0:6c56fb4bc5f0	1318
nexpaq	0:6c56fb4bc5f0	1319	return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
nexpaq	0:6c56fb4bc5f0	1320	md_alg, hashlen, hash,
nexpaq	0:6c56fb4bc5f0	1321	mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
nexpaq	0:6c56fb4bc5f0	1322	sig ) );
nexpaq	0:6c56fb4bc5f0	1323
nexpaq	0:6c56fb4bc5f0	1324	}
nexpaq	0:6c56fb4bc5f0	1325	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	0:6c56fb4bc5f0	1326
nexpaq	0:6c56fb4bc5f0	1327	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	1328	/*
nexpaq	0:6c56fb4bc5f0	1329	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
nexpaq	0:6c56fb4bc5f0	1330	*/
nexpaq	0:6c56fb4bc5f0	1331	int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	1332	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	1333	void *p_rng,
nexpaq	0:6c56fb4bc5f0	1334	int mode,
nexpaq	0:6c56fb4bc5f0	1335	mbedtls_md_type_t md_alg,
nexpaq	0:6c56fb4bc5f0	1336	unsigned int hashlen,
nexpaq	0:6c56fb4bc5f0	1337	const unsigned char *hash,
nexpaq	0:6c56fb4bc5f0	1338	const unsigned char *sig )
nexpaq	0:6c56fb4bc5f0	1339	{
nexpaq	0:6c56fb4bc5f0	1340	int ret;
nexpaq	0:6c56fb4bc5f0	1341	size_t len, siglen, asn1_len;
nexpaq	0:6c56fb4bc5f0	1342	unsigned char p, end;
nexpaq	0:6c56fb4bc5f0	1343	mbedtls_md_type_t msg_md_alg;
nexpaq	0:6c56fb4bc5f0	1344	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	1345	mbedtls_asn1_buf oid;
nexpaq	0:6c56fb4bc5f0	1346	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	1347
nexpaq	0:6c56fb4bc5f0	1348	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	0:6c56fb4bc5f0	1349	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1350
nexpaq	0:6c56fb4bc5f0	1351	siglen = ctx->len;
nexpaq	0:6c56fb4bc5f0	1352
nexpaq	0:6c56fb4bc5f0	1353	if( siglen < 16 \|\| siglen > sizeof( buf ) )
nexpaq	0:6c56fb4bc5f0	1354	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1355
nexpaq	0:6c56fb4bc5f0	1356	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	0:6c56fb4bc5f0	1357	? mbedtls_rsa_public( ctx, sig, buf )
nexpaq	0:6c56fb4bc5f0	1358	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
nexpaq	0:6c56fb4bc5f0	1359
nexpaq	0:6c56fb4bc5f0	1360	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	1361	return( ret );
nexpaq	0:6c56fb4bc5f0	1362
nexpaq	0:6c56fb4bc5f0	1363	p = buf;
nexpaq	0:6c56fb4bc5f0	1364
nexpaq	0:6c56fb4bc5f0	1365	if( p++ != 0 \|\| p++ != MBEDTLS_RSA_SIGN )
nexpaq	0:6c56fb4bc5f0	1366	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	1367
nexpaq	0:6c56fb4bc5f0	1368	while( *p != 0 )
nexpaq	0:6c56fb4bc5f0	1369	{
nexpaq	0:6c56fb4bc5f0	1370	if( p >= buf + siglen - 1 \|\| *p != 0xFF )
nexpaq	0:6c56fb4bc5f0	1371	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	1372	p++;
nexpaq	0:6c56fb4bc5f0	1373	}
nexpaq	0:6c56fb4bc5f0	1374	p++;
nexpaq	0:6c56fb4bc5f0	1375
nexpaq	0:6c56fb4bc5f0	1376	len = siglen - ( p - buf );
nexpaq	0:6c56fb4bc5f0	1377
nexpaq	0:6c56fb4bc5f0	1378	if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
nexpaq	0:6c56fb4bc5f0	1379	{
nexpaq	0:6c56fb4bc5f0	1380	if( memcmp( p, hash, hashlen ) == 0 )
nexpaq	0:6c56fb4bc5f0	1381	return( 0 );
nexpaq	0:6c56fb4bc5f0	1382	else
nexpaq	0:6c56fb4bc5f0	1383	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1384	}
nexpaq	0:6c56fb4bc5f0	1385
nexpaq	0:6c56fb4bc5f0	1386	md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	0:6c56fb4bc5f0	1387	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	1388	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1389	hashlen = mbedtls_md_get_size( md_info );
nexpaq	0:6c56fb4bc5f0	1390
nexpaq	0:6c56fb4bc5f0	1391	end = p + len;
nexpaq	0:6c56fb4bc5f0	1392
nexpaq	0:6c56fb4bc5f0	1393	/*
nexpaq	0:6c56fb4bc5f0	1394	* Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
nexpaq	0:6c56fb4bc5f0	1395	*/
nexpaq	0:6c56fb4bc5f0	1396	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
nexpaq	0:6c56fb4bc5f0	1397	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1398	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1399
nexpaq	0:6c56fb4bc5f0	1400	if( asn1_len + 2 != len )
nexpaq	0:6c56fb4bc5f0	1401	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1402
nexpaq	0:6c56fb4bc5f0	1403	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
nexpaq	0:6c56fb4bc5f0	1404	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1405	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1406
nexpaq	0:6c56fb4bc5f0	1407	if( asn1_len + 6 + hashlen != len )
nexpaq	0:6c56fb4bc5f0	1408	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1409
nexpaq	0:6c56fb4bc5f0	1410	if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1411	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1412
nexpaq	0:6c56fb4bc5f0	1413	oid.p = p;
nexpaq	0:6c56fb4bc5f0	1414	p += oid.len;
nexpaq	0:6c56fb4bc5f0	1415
nexpaq	0:6c56fb4bc5f0	1416	if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
nexpaq	0:6c56fb4bc5f0	1417	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1418
nexpaq	0:6c56fb4bc5f0	1419	if( md_alg != msg_md_alg )
nexpaq	0:6c56fb4bc5f0	1420	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1421
nexpaq	0:6c56fb4bc5f0	1422	/*
nexpaq	0:6c56fb4bc5f0	1423	* assume the algorithm parameters must be NULL
nexpaq	0:6c56fb4bc5f0	1424	*/
nexpaq	0:6c56fb4bc5f0	1425	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1426	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1427
nexpaq	0:6c56fb4bc5f0	1428	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1429	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1430
nexpaq	0:6c56fb4bc5f0	1431	if( asn1_len != hashlen )
nexpaq	0:6c56fb4bc5f0	1432	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1433
nexpaq	0:6c56fb4bc5f0	1434	if( memcmp( p, hash, hashlen ) != 0 )
nexpaq	0:6c56fb4bc5f0	1435	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1436
nexpaq	0:6c56fb4bc5f0	1437	p += hashlen;
nexpaq	0:6c56fb4bc5f0	1438
nexpaq	0:6c56fb4bc5f0	1439	if( p != end )
nexpaq	0:6c56fb4bc5f0	1440	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	1441
nexpaq	0:6c56fb4bc5f0	1442	return( 0 );
nexpaq	0:6c56fb4bc5f0	1443	}
nexpaq	0:6c56fb4bc5f0	1444	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	0:6c56fb4bc5f0	1445
nexpaq	0:6c56fb4bc5f0	1446	/*
nexpaq	0:6c56fb4bc5f0	1447	* Do an RSA operation and check the message digest
nexpaq	0:6c56fb4bc5f0	1448	*/
nexpaq	0:6c56fb4bc5f0	1449	int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
nexpaq	0:6c56fb4bc5f0	1450	int (f_rng)(void , unsigned char *, size_t),
nexpaq	0:6c56fb4bc5f0	1451	void *p_rng,
nexpaq	0:6c56fb4bc5f0	1452	int mode,
nexpaq	0:6c56fb4bc5f0	1453	mbedtls_md_type_t md_alg,
nexpaq	0:6c56fb4bc5f0	1454	unsigned int hashlen,
nexpaq	0:6c56fb4bc5f0	1455	const unsigned char *hash,
nexpaq	0:6c56fb4bc5f0	1456	const unsigned char *sig )
nexpaq	0:6c56fb4bc5f0	1457	{
nexpaq	0:6c56fb4bc5f0	1458	switch( ctx->padding )
nexpaq	0:6c56fb4bc5f0	1459	{
nexpaq	0:6c56fb4bc5f0	1460	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	1461	case MBEDTLS_RSA_PKCS_V15:
nexpaq	0:6c56fb4bc5f0	1462	return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	0:6c56fb4bc5f0	1463	hashlen, hash, sig );
nexpaq	0:6c56fb4bc5f0	1464	#endif
nexpaq	0:6c56fb4bc5f0	1465
nexpaq	0:6c56fb4bc5f0	1466	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	0:6c56fb4bc5f0	1467	case MBEDTLS_RSA_PKCS_V21:
nexpaq	0:6c56fb4bc5f0	1468	return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	0:6c56fb4bc5f0	1469	hashlen, hash, sig );
nexpaq	0:6c56fb4bc5f0	1470	#endif
nexpaq	0:6c56fb4bc5f0	1471
nexpaq	0:6c56fb4bc5f0	1472	default:
nexpaq	0:6c56fb4bc5f0	1473	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	0:6c56fb4bc5f0	1474	}
nexpaq	0:6c56fb4bc5f0	1475	}
nexpaq	0:6c56fb4bc5f0	1476
nexpaq	0:6c56fb4bc5f0	1477	/*
nexpaq	0:6c56fb4bc5f0	1478	* Copy the components of an RSA key
nexpaq	0:6c56fb4bc5f0	1479	*/
nexpaq	0:6c56fb4bc5f0	1480	int mbedtls_rsa_copy( mbedtls_rsa_context dst, const mbedtls_rsa_context src )
nexpaq	0:6c56fb4bc5f0	1481	{
nexpaq	0:6c56fb4bc5f0	1482	int ret;
nexpaq	0:6c56fb4bc5f0	1483
nexpaq	0:6c56fb4bc5f0	1484	dst->ver = src->ver;
nexpaq	0:6c56fb4bc5f0	1485	dst->len = src->len;
nexpaq	0:6c56fb4bc5f0	1486
nexpaq	0:6c56fb4bc5f0	1487	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
nexpaq	0:6c56fb4bc5f0	1488	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
nexpaq	0:6c56fb4bc5f0	1489
nexpaq	0:6c56fb4bc5f0	1490	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
nexpaq	0:6c56fb4bc5f0	1491	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
nexpaq	0:6c56fb4bc5f0	1492	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
nexpaq	0:6c56fb4bc5f0	1493	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
nexpaq	0:6c56fb4bc5f0	1494	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
nexpaq	0:6c56fb4bc5f0	1495	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
nexpaq	0:6c56fb4bc5f0	1496
nexpaq	0:6c56fb4bc5f0	1497	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
nexpaq	0:6c56fb4bc5f0	1498	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
nexpaq	0:6c56fb4bc5f0	1499	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
nexpaq	0:6c56fb4bc5f0	1500
nexpaq	0:6c56fb4bc5f0	1501	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
nexpaq	0:6c56fb4bc5f0	1502	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
nexpaq	0:6c56fb4bc5f0	1503
nexpaq	0:6c56fb4bc5f0	1504	dst->padding = src->padding;
nexpaq	0:6c56fb4bc5f0	1505	dst->hash_id = src->hash_id;
nexpaq	0:6c56fb4bc5f0	1506
nexpaq	0:6c56fb4bc5f0	1507	cleanup:
nexpaq	0:6c56fb4bc5f0	1508	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	1509	mbedtls_rsa_free( dst );
nexpaq	0:6c56fb4bc5f0	1510
nexpaq	0:6c56fb4bc5f0	1511	return( ret );
nexpaq	0:6c56fb4bc5f0	1512	}
nexpaq	0:6c56fb4bc5f0	1513
nexpaq	0:6c56fb4bc5f0	1514	/*
nexpaq	0:6c56fb4bc5f0	1515	* Free the components of an RSA key
nexpaq	0:6c56fb4bc5f0	1516	*/
nexpaq	0:6c56fb4bc5f0	1517	void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
nexpaq	0:6c56fb4bc5f0	1518	{
nexpaq	0:6c56fb4bc5f0	1519	mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
nexpaq	0:6c56fb4bc5f0	1520	mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
nexpaq	0:6c56fb4bc5f0	1521	mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
nexpaq	0:6c56fb4bc5f0	1522	mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
nexpaq	0:6c56fb4bc5f0	1523	mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
nexpaq	0:6c56fb4bc5f0	1524
nexpaq	0:6c56fb4bc5f0	1525	#if defined(MBEDTLS_THREADING_C)
nexpaq	0:6c56fb4bc5f0	1526	mbedtls_mutex_free( &ctx->mutex );
nexpaq	0:6c56fb4bc5f0	1527	#endif
nexpaq	0:6c56fb4bc5f0	1528	}
nexpaq	0:6c56fb4bc5f0	1529
nexpaq	0:6c56fb4bc5f0	1530	#if defined(MBEDTLS_SELF_TEST)
nexpaq	0:6c56fb4bc5f0	1531
nexpaq	0:6c56fb4bc5f0	1532	#include "mbedtls/sha1.h"
nexpaq	0:6c56fb4bc5f0	1533
nexpaq	0:6c56fb4bc5f0	1534	/*
nexpaq	0:6c56fb4bc5f0	1535	* Example RSA-1024 keypair, for test purposes
nexpaq	0:6c56fb4bc5f0	1536	*/
nexpaq	0:6c56fb4bc5f0	1537	#define KEY_LEN 128
nexpaq	0:6c56fb4bc5f0	1538
nexpaq	0:6c56fb4bc5f0	1539	#define RSA_N "9292758453063D803DD603D5E777D788" \
nexpaq	0:6c56fb4bc5f0	1540	"8ED1D5BF35786190FA2F23EBC0848AEA" \
nexpaq	0:6c56fb4bc5f0	1541	"DDA92CA6C3D80B32C4D109BE0F36D6AE" \
nexpaq	0:6c56fb4bc5f0	1542	"7130B9CED7ACDF54CFC7555AC14EEBAB" \
nexpaq	0:6c56fb4bc5f0	1543	"93A89813FBF3C4F8066D2D800F7C38A8" \
nexpaq	0:6c56fb4bc5f0	1544	"1AE31942917403FF4946B0A83D3D3E05" \
nexpaq	0:6c56fb4bc5f0	1545	"EE57C6F5F5606FB5D4BC6CD34EE0801A" \
nexpaq	0:6c56fb4bc5f0	1546	"5E94BB77B07507233A0BC7BAC8F90F79"
nexpaq	0:6c56fb4bc5f0	1547
nexpaq	0:6c56fb4bc5f0	1548	#define RSA_E "10001"
nexpaq	0:6c56fb4bc5f0	1549
nexpaq	0:6c56fb4bc5f0	1550	#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
nexpaq	0:6c56fb4bc5f0	1551	"66CA472BC44D253102F8B4A9D3BFA750" \
nexpaq	0:6c56fb4bc5f0	1552	"91386C0077937FE33FA3252D28855837" \
nexpaq	0:6c56fb4bc5f0	1553	"AE1B484A8A9A45F7EE8C0C634F99E8CD" \
nexpaq	0:6c56fb4bc5f0	1554	"DF79C5CE07EE72C7F123142198164234" \
nexpaq	0:6c56fb4bc5f0	1555	"CABB724CF78B8173B9F880FC86322407" \
nexpaq	0:6c56fb4bc5f0	1556	"AF1FEDFDDE2BEB674CA15F3E81A1521E" \
nexpaq	0:6c56fb4bc5f0	1557	"071513A1E85B5DFA031F21ECAE91A34D"
nexpaq	0:6c56fb4bc5f0	1558
nexpaq	0:6c56fb4bc5f0	1559	#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
nexpaq	0:6c56fb4bc5f0	1560	"2C01CAD19EA484A87EA4377637E75500" \
nexpaq	0:6c56fb4bc5f0	1561	"FCB2005C5C7DD6EC4AC023CDA285D796" \
nexpaq	0:6c56fb4bc5f0	1562	"C3D9E75E1EFC42488BB4F1D13AC30A57"
nexpaq	0:6c56fb4bc5f0	1563
nexpaq	0:6c56fb4bc5f0	1564	#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
nexpaq	0:6c56fb4bc5f0	1565	"E211C2B9E5DB1ED0BF61D0D9899620F4" \
nexpaq	0:6c56fb4bc5f0	1566	"910E4168387E3C30AA1E00C339A79508" \
nexpaq	0:6c56fb4bc5f0	1567	"8452DD96A9A5EA5D9DCA68DA636032AF"
nexpaq	0:6c56fb4bc5f0	1568
nexpaq	0:6c56fb4bc5f0	1569	#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
nexpaq	0:6c56fb4bc5f0	1570	"3C94D22288ACD763FD8E5600ED4A702D" \
nexpaq	0:6c56fb4bc5f0	1571	"F84198A5F06C2E72236AE490C93F07F8" \
nexpaq	0:6c56fb4bc5f0	1572	"3CC559CD27BC2D1CA488811730BB5725"
nexpaq	0:6c56fb4bc5f0	1573
nexpaq	0:6c56fb4bc5f0	1574	#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
nexpaq	0:6c56fb4bc5f0	1575	"D8AAEA56749EA28623272E4F7D0592AF" \
nexpaq	0:6c56fb4bc5f0	1576	"7C1F1313CAC9471B5C523BFE592F517B" \
nexpaq	0:6c56fb4bc5f0	1577	"407A1BD76C164B93DA2D32A383E58357"
nexpaq	0:6c56fb4bc5f0	1578
nexpaq	0:6c56fb4bc5f0	1579	#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
nexpaq	0:6c56fb4bc5f0	1580	"F38D18D2B2F0E2DD275AA977E2BF4411" \
nexpaq	0:6c56fb4bc5f0	1581	"F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
nexpaq	0:6c56fb4bc5f0	1582	"A74206CEC169D74BF5A8C50D6F48EA08"
nexpaq	0:6c56fb4bc5f0	1583
nexpaq	0:6c56fb4bc5f0	1584	#define PT_LEN 24
nexpaq	0:6c56fb4bc5f0	1585	#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
nexpaq	0:6c56fb4bc5f0	1586	"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
nexpaq	0:6c56fb4bc5f0	1587
nexpaq	0:6c56fb4bc5f0	1588	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	1589	static int myrand( void rng_state, unsigned char output, size_t len )
nexpaq	0:6c56fb4bc5f0	1590	{
nexpaq	0:6c56fb4bc5f0	1591	#if !defined(__OpenBSD__)
nexpaq	0:6c56fb4bc5f0	1592	size_t i;
nexpaq	0:6c56fb4bc5f0	1593
nexpaq	0:6c56fb4bc5f0	1594	if( rng_state != NULL )
nexpaq	0:6c56fb4bc5f0	1595	rng_state = NULL;
nexpaq	0:6c56fb4bc5f0	1596
nexpaq	0:6c56fb4bc5f0	1597	for( i = 0; i < len; ++i )
nexpaq	0:6c56fb4bc5f0	1598	output[i] = rand();
nexpaq	0:6c56fb4bc5f0	1599	#else
nexpaq	0:6c56fb4bc5f0	1600	if( rng_state != NULL )
nexpaq	0:6c56fb4bc5f0	1601	rng_state = NULL;
nexpaq	0:6c56fb4bc5f0	1602
nexpaq	0:6c56fb4bc5f0	1603	arc4random_buf( output, len );
nexpaq	0:6c56fb4bc5f0	1604	#endif /* !OpenBSD */
nexpaq	0:6c56fb4bc5f0	1605
nexpaq	0:6c56fb4bc5f0	1606	return( 0 );
nexpaq	0:6c56fb4bc5f0	1607	}
nexpaq	0:6c56fb4bc5f0	1608	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	0:6c56fb4bc5f0	1609
nexpaq	0:6c56fb4bc5f0	1610	/*
nexpaq	0:6c56fb4bc5f0	1611	* Checkup routine
nexpaq	0:6c56fb4bc5f0	1612	*/
nexpaq	0:6c56fb4bc5f0	1613	int mbedtls_rsa_self_test( int verbose )
nexpaq	0:6c56fb4bc5f0	1614	{
nexpaq	0:6c56fb4bc5f0	1615	int ret = 0;
nexpaq	0:6c56fb4bc5f0	1616	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	0:6c56fb4bc5f0	1617	size_t len;
nexpaq	0:6c56fb4bc5f0	1618	mbedtls_rsa_context rsa;
nexpaq	0:6c56fb4bc5f0	1619	unsigned char rsa_plaintext[PT_LEN];
nexpaq	0:6c56fb4bc5f0	1620	unsigned char rsa_decrypted[PT_LEN];
nexpaq	0:6c56fb4bc5f0	1621	unsigned char rsa_ciphertext[KEY_LEN];
nexpaq	0:6c56fb4bc5f0	1622	#if defined(MBEDTLS_SHA1_C)
nexpaq	0:6c56fb4bc5f0	1623	unsigned char sha1sum[20];
nexpaq	0:6c56fb4bc5f0	1624	#endif
nexpaq	0:6c56fb4bc5f0	1625
nexpaq	0:6c56fb4bc5f0	1626	mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
nexpaq	0:6c56fb4bc5f0	1627
nexpaq	0:6c56fb4bc5f0	1628	rsa.len = KEY_LEN;
nexpaq	0:6c56fb4bc5f0	1629	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
nexpaq	0:6c56fb4bc5f0	1630	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
nexpaq	0:6c56fb4bc5f0	1631	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
nexpaq	0:6c56fb4bc5f0	1632	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
nexpaq	0:6c56fb4bc5f0	1633	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
nexpaq	0:6c56fb4bc5f0	1634	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
nexpaq	0:6c56fb4bc5f0	1635	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
nexpaq	0:6c56fb4bc5f0	1636	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
nexpaq	0:6c56fb4bc5f0	1637
nexpaq	0:6c56fb4bc5f0	1638	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1639	mbedtls_printf( " RSA key validation: " );
nexpaq	0:6c56fb4bc5f0	1640
nexpaq	0:6c56fb4bc5f0	1641	if( mbedtls_rsa_check_pubkey( &rsa ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	1642	mbedtls_rsa_check_privkey( &rsa ) != 0 )
nexpaq	0:6c56fb4bc5f0	1643	{
nexpaq	0:6c56fb4bc5f0	1644	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1645	mbedtls_printf( "failed\n" );
nexpaq	0:6c56fb4bc5f0	1646
nexpaq	0:6c56fb4bc5f0	1647	return( 1 );
nexpaq	0:6c56fb4bc5f0	1648	}
nexpaq	0:6c56fb4bc5f0	1649
nexpaq	0:6c56fb4bc5f0	1650	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1651	mbedtls_printf( "passed\n PKCS#1 encryption : " );
nexpaq	0:6c56fb4bc5f0	1652
nexpaq	0:6c56fb4bc5f0	1653	memcpy( rsa_plaintext, RSA_PT, PT_LEN );
nexpaq	0:6c56fb4bc5f0	1654
nexpaq	0:6c56fb4bc5f0	1655	if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
nexpaq	0:6c56fb4bc5f0	1656	rsa_plaintext, rsa_ciphertext ) != 0 )
nexpaq	0:6c56fb4bc5f0	1657	{
nexpaq	0:6c56fb4bc5f0	1658	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1659	mbedtls_printf( "failed\n" );
nexpaq	0:6c56fb4bc5f0	1660
nexpaq	0:6c56fb4bc5f0	1661	return( 1 );
nexpaq	0:6c56fb4bc5f0	1662	}
nexpaq	0:6c56fb4bc5f0	1663
nexpaq	0:6c56fb4bc5f0	1664	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1665	mbedtls_printf( "passed\n PKCS#1 decryption : " );
nexpaq	0:6c56fb4bc5f0	1666
nexpaq	0:6c56fb4bc5f0	1667	if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
nexpaq	0:6c56fb4bc5f0	1668	rsa_ciphertext, rsa_decrypted,
nexpaq	0:6c56fb4bc5f0	1669	sizeof(rsa_decrypted) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1670	{
nexpaq	0:6c56fb4bc5f0	1671	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1672	mbedtls_printf( "failed\n" );
nexpaq	0:6c56fb4bc5f0	1673
nexpaq	0:6c56fb4bc5f0	1674	return( 1 );
nexpaq	0:6c56fb4bc5f0	1675	}
nexpaq	0:6c56fb4bc5f0	1676
nexpaq	0:6c56fb4bc5f0	1677	if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
nexpaq	0:6c56fb4bc5f0	1678	{
nexpaq	0:6c56fb4bc5f0	1679	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1680	mbedtls_printf( "failed\n" );
nexpaq	0:6c56fb4bc5f0	1681
nexpaq	0:6c56fb4bc5f0	1682	return( 1 );
nexpaq	0:6c56fb4bc5f0	1683	}
nexpaq	0:6c56fb4bc5f0	1684
nexpaq	0:6c56fb4bc5f0	1685	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1686	mbedtls_printf( "passed\n" );
nexpaq	0:6c56fb4bc5f0	1687
nexpaq	0:6c56fb4bc5f0	1688	#if defined(MBEDTLS_SHA1_C)
nexpaq	0:6c56fb4bc5f0	1689	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1690	mbedtls_printf( " PKCS#1 data sign : " );
nexpaq	0:6c56fb4bc5f0	1691
nexpaq	0:6c56fb4bc5f0	1692	mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
nexpaq	0:6c56fb4bc5f0	1693
nexpaq	0:6c56fb4bc5f0	1694	if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
nexpaq	0:6c56fb4bc5f0	1695	sha1sum, rsa_ciphertext ) != 0 )
nexpaq	0:6c56fb4bc5f0	1696	{
nexpaq	0:6c56fb4bc5f0	1697	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1698	mbedtls_printf( "failed\n" );
nexpaq	0:6c56fb4bc5f0	1699
nexpaq	0:6c56fb4bc5f0	1700	return( 1 );
nexpaq	0:6c56fb4bc5f0	1701	}
nexpaq	0:6c56fb4bc5f0	1702
nexpaq	0:6c56fb4bc5f0	1703	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1704	mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
nexpaq	0:6c56fb4bc5f0	1705
nexpaq	0:6c56fb4bc5f0	1706	if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
nexpaq	0:6c56fb4bc5f0	1707	sha1sum, rsa_ciphertext ) != 0 )
nexpaq	0:6c56fb4bc5f0	1708	{
nexpaq	0:6c56fb4bc5f0	1709	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1710	mbedtls_printf( "failed\n" );
nexpaq	0:6c56fb4bc5f0	1711
nexpaq	0:6c56fb4bc5f0	1712	return( 1 );
nexpaq	0:6c56fb4bc5f0	1713	}
nexpaq	0:6c56fb4bc5f0	1714
nexpaq	0:6c56fb4bc5f0	1715	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1716	mbedtls_printf( "passed\n" );
nexpaq	0:6c56fb4bc5f0	1717	#endif /* MBEDTLS_SHA1_C */
nexpaq	0:6c56fb4bc5f0	1718
nexpaq	0:6c56fb4bc5f0	1719	if( verbose != 0 )
nexpaq	0:6c56fb4bc5f0	1720	mbedtls_printf( "\n" );
nexpaq	0:6c56fb4bc5f0	1721
nexpaq	0:6c56fb4bc5f0	1722	cleanup:
nexpaq	0:6c56fb4bc5f0	1723	mbedtls_rsa_free( &rsa );
nexpaq	0:6c56fb4bc5f0	1724	#else /* MBEDTLS_PKCS1_V15 */
nexpaq	0:6c56fb4bc5f0	1725	((void) verbose);
nexpaq	0:6c56fb4bc5f0	1726	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	0:6c56fb4bc5f0	1727	return( ret );
nexpaq	0:6c56fb4bc5f0	1728	}
nexpaq	0:6c56fb4bc5f0	1729
nexpaq	0:6c56fb4bc5f0	1730	#endif /* MBEDTLS_SELF_TEST */
nexpaq	0:6c56fb4bc5f0	1731
nexpaq	0:6c56fb4bc5f0	1732	#endif /* MBEDTLS_RSA_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	04 Nov 2016
Imports:	5
Forks:	0
Commits:	2
Dependents:	0
Dependencies:	0
Followers:	1

This repository is Public (Unlisted).

features/mbedtls/src/rsa.c@1:d96dbedaebdb, 2016-11-04 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning