LED_Demo - nkjnm

Users » nitsshukla » Code » LED_Demo

nkjnm

mbd_os/features/mbedtls/src/rsa.c@7:3a65ef12ba31, 2016-11-04 (annotated)

Committer:: nitsshukla
Date:: Fri Nov 04 12:06:04 2016 +0000
Revision:: 7:3a65ef12ba31
Parent:: 1:55a6170b404f

kghj;

Who changed what in which revision?

User	Revision	Line number	New contents of line
nexpaq	1:55a6170b404f	1	/*
nexpaq	1:55a6170b404f	2	* The RSA public-key cryptosystem
nexpaq	1:55a6170b404f	3	*
nexpaq	1:55a6170b404f	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
nexpaq	1:55a6170b404f	5	* SPDX-License-Identifier: Apache-2.0
nexpaq	1:55a6170b404f	6	*
nexpaq	1:55a6170b404f	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
nexpaq	1:55a6170b404f	8	* not use this file except in compliance with the License.
nexpaq	1:55a6170b404f	9	* You may obtain a copy of the License at
nexpaq	1:55a6170b404f	10	*
nexpaq	1:55a6170b404f	11	* http://www.apache.org/licenses/LICENSE-2.0
nexpaq	1:55a6170b404f	12	*
nexpaq	1:55a6170b404f	13	* Unless required by applicable law or agreed to in writing, software
nexpaq	1:55a6170b404f	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
nexpaq	1:55a6170b404f	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
nexpaq	1:55a6170b404f	16	* See the License for the specific language governing permissions and
nexpaq	1:55a6170b404f	17	* limitations under the License.
nexpaq	1:55a6170b404f	18	*
nexpaq	1:55a6170b404f	19	* This file is part of mbed TLS (https://tls.mbed.org)
nexpaq	1:55a6170b404f	20	*/
nexpaq	1:55a6170b404f	21	/*
nexpaq	1:55a6170b404f	22	* The following sources were referenced in the design of this implementation
nexpaq	1:55a6170b404f	23	* of the RSA algorithm:
nexpaq	1:55a6170b404f	24	*
nexpaq	1:55a6170b404f	25	* [1] A method for obtaining digital signatures and public-key cryptosystems
nexpaq	1:55a6170b404f	26	* R Rivest, A Shamir, and L Adleman
nexpaq	1:55a6170b404f	27	* http://people.csail.mit.edu/rivest/pubs.html#RSA78
nexpaq	1:55a6170b404f	28	*
nexpaq	1:55a6170b404f	29	* [2] Handbook of Applied Cryptography - 1997, Chapter 8
nexpaq	1:55a6170b404f	30	* Menezes, van Oorschot and Vanstone
nexpaq	1:55a6170b404f	31	*
nexpaq	1:55a6170b404f	32	*/
nexpaq	1:55a6170b404f	33
nexpaq	1:55a6170b404f	34	#if !defined(MBEDTLS_CONFIG_FILE)
nexpaq	1:55a6170b404f	35	#include "mbedtls/config.h"
nexpaq	1:55a6170b404f	36	#else
nexpaq	1:55a6170b404f	37	#include MBEDTLS_CONFIG_FILE
nexpaq	1:55a6170b404f	38	#endif
nexpaq	1:55a6170b404f	39
nexpaq	1:55a6170b404f	40	#if defined(MBEDTLS_RSA_C)
nexpaq	1:55a6170b404f	41
nexpaq	1:55a6170b404f	42	#include "mbedtls/rsa.h"
nexpaq	1:55a6170b404f	43	#include "mbedtls/oid.h"
nexpaq	1:55a6170b404f	44
nexpaq	1:55a6170b404f	45	#include <string.h>
nexpaq	1:55a6170b404f	46
nexpaq	1:55a6170b404f	47	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	48	#include "mbedtls/md.h"
nexpaq	1:55a6170b404f	49	#endif
nexpaq	1:55a6170b404f	50
nexpaq	1:55a6170b404f	51	#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
nexpaq	1:55a6170b404f	52	#include <stdlib.h>
nexpaq	1:55a6170b404f	53	#endif
nexpaq	1:55a6170b404f	54
nexpaq	1:55a6170b404f	55	#if defined(MBEDTLS_PLATFORM_C)
nexpaq	1:55a6170b404f	56	#include "mbedtls/platform.h"
nexpaq	1:55a6170b404f	57	#else
nexpaq	1:55a6170b404f	58	#include <stdio.h>
nexpaq	1:55a6170b404f	59	#define mbedtls_printf printf
nexpaq	1:55a6170b404f	60	#define mbedtls_calloc calloc
nexpaq	1:55a6170b404f	61	#define mbedtls_free free
nexpaq	1:55a6170b404f	62	#endif
nexpaq	1:55a6170b404f	63
nexpaq	1:55a6170b404f	64	/*
nexpaq	1:55a6170b404f	65	* Initialize an RSA context
nexpaq	1:55a6170b404f	66	*/
nexpaq	1:55a6170b404f	67	void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	68	int padding,
nexpaq	1:55a6170b404f	69	int hash_id )
nexpaq	1:55a6170b404f	70	{
nexpaq	1:55a6170b404f	71	memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
nexpaq	1:55a6170b404f	72
nexpaq	1:55a6170b404f	73	mbedtls_rsa_set_padding( ctx, padding, hash_id );
nexpaq	1:55a6170b404f	74
nexpaq	1:55a6170b404f	75	#if defined(MBEDTLS_THREADING_C)
nexpaq	1:55a6170b404f	76	mbedtls_mutex_init( &ctx->mutex );
nexpaq	1:55a6170b404f	77	#endif
nexpaq	1:55a6170b404f	78	}
nexpaq	1:55a6170b404f	79
nexpaq	1:55a6170b404f	80	/*
nexpaq	1:55a6170b404f	81	* Set padding for an existing RSA context
nexpaq	1:55a6170b404f	82	*/
nexpaq	1:55a6170b404f	83	void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
nexpaq	1:55a6170b404f	84	{
nexpaq	1:55a6170b404f	85	ctx->padding = padding;
nexpaq	1:55a6170b404f	86	ctx->hash_id = hash_id;
nexpaq	1:55a6170b404f	87	}
nexpaq	1:55a6170b404f	88
nexpaq	1:55a6170b404f	89	#if defined(MBEDTLS_GENPRIME)
nexpaq	1:55a6170b404f	90
nexpaq	1:55a6170b404f	91	/*
nexpaq	1:55a6170b404f	92	* Generate an RSA keypair
nexpaq	1:55a6170b404f	93	*/
nexpaq	1:55a6170b404f	94	int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	95	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	96	void *p_rng,
nexpaq	1:55a6170b404f	97	unsigned int nbits, int exponent )
nexpaq	1:55a6170b404f	98	{
nexpaq	1:55a6170b404f	99	int ret;
nexpaq	1:55a6170b404f	100	mbedtls_mpi P1, Q1, H, G;
nexpaq	1:55a6170b404f	101
nexpaq	1:55a6170b404f	102	if( f_rng == NULL \|\| nbits < 128 \|\| exponent < 3 )
nexpaq	1:55a6170b404f	103	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	104
nexpaq	1:55a6170b404f	105	mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
nexpaq	1:55a6170b404f	106	mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
nexpaq	1:55a6170b404f	107
nexpaq	1:55a6170b404f	108	/*
nexpaq	1:55a6170b404f	109	* find primes P and Q with Q < P so that:
nexpaq	1:55a6170b404f	110	* GCD( E, (P-1)*(Q-1) ) == 1
nexpaq	1:55a6170b404f	111	*/
nexpaq	1:55a6170b404f	112	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
nexpaq	1:55a6170b404f	113
nexpaq	1:55a6170b404f	114	do
nexpaq	1:55a6170b404f	115	{
nexpaq	1:55a6170b404f	116	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
nexpaq	1:55a6170b404f	117	f_rng, p_rng ) );
nexpaq	1:55a6170b404f	118
nexpaq	1:55a6170b404f	119	if( nbits % 2 )
nexpaq	1:55a6170b404f	120	{
nexpaq	1:55a6170b404f	121	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits >> 1 ) + 1, 0,
nexpaq	1:55a6170b404f	122	f_rng, p_rng ) );
nexpaq	1:55a6170b404f	123	}
nexpaq	1:55a6170b404f	124	else
nexpaq	1:55a6170b404f	125	{
nexpaq	1:55a6170b404f	126	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
nexpaq	1:55a6170b404f	127	f_rng, p_rng ) );
nexpaq	1:55a6170b404f	128	}
nexpaq	1:55a6170b404f	129
nexpaq	1:55a6170b404f	130	if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
nexpaq	1:55a6170b404f	131	continue;
nexpaq	1:55a6170b404f	132
nexpaq	1:55a6170b404f	133	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
nexpaq	1:55a6170b404f	134	if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
nexpaq	1:55a6170b404f	135	continue;
nexpaq	1:55a6170b404f	136
nexpaq	1:55a6170b404f	137	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
nexpaq	1:55a6170b404f	138	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
nexpaq	1:55a6170b404f	139	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
nexpaq	1:55a6170b404f	140	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
nexpaq	1:55a6170b404f	141	}
nexpaq	1:55a6170b404f	142	while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
nexpaq	1:55a6170b404f	143
nexpaq	1:55a6170b404f	144	/*
nexpaq	1:55a6170b404f	145	* D = E^-1 mod ((P-1)*(Q-1))
nexpaq	1:55a6170b404f	146	* DP = D mod (P - 1)
nexpaq	1:55a6170b404f	147	* DQ = D mod (Q - 1)
nexpaq	1:55a6170b404f	148	* QP = Q^-1 mod P
nexpaq	1:55a6170b404f	149	*/
nexpaq	1:55a6170b404f	150	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
nexpaq	1:55a6170b404f	151	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
nexpaq	1:55a6170b404f	152	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
nexpaq	1:55a6170b404f	153	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
nexpaq	1:55a6170b404f	154
nexpaq	1:55a6170b404f	155	ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
nexpaq	1:55a6170b404f	156
nexpaq	1:55a6170b404f	157	cleanup:
nexpaq	1:55a6170b404f	158
nexpaq	1:55a6170b404f	159	mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
nexpaq	1:55a6170b404f	160
nexpaq	1:55a6170b404f	161	if( ret != 0 )
nexpaq	1:55a6170b404f	162	{
nexpaq	1:55a6170b404f	163	mbedtls_rsa_free( ctx );
nexpaq	1:55a6170b404f	164	return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
nexpaq	1:55a6170b404f	165	}
nexpaq	1:55a6170b404f	166
nexpaq	1:55a6170b404f	167	return( 0 );
nexpaq	1:55a6170b404f	168	}
nexpaq	1:55a6170b404f	169
nexpaq	1:55a6170b404f	170	#endif /* MBEDTLS_GENPRIME */
nexpaq	1:55a6170b404f	171
nexpaq	1:55a6170b404f	172	/*
nexpaq	1:55a6170b404f	173	* Check a public RSA key
nexpaq	1:55a6170b404f	174	*/
nexpaq	1:55a6170b404f	175	int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
nexpaq	1:55a6170b404f	176	{
nexpaq	1:55a6170b404f	177	if( !ctx->N.p \|\| !ctx->E.p )
nexpaq	1:55a6170b404f	178	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	1:55a6170b404f	179
nexpaq	1:55a6170b404f	180	if( ( ctx->N.p[0] & 1 ) == 0 \|\|
nexpaq	1:55a6170b404f	181	( ctx->E.p[0] & 1 ) == 0 )
nexpaq	1:55a6170b404f	182	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	1:55a6170b404f	183
nexpaq	1:55a6170b404f	184	if( mbedtls_mpi_bitlen( &ctx->N ) < 128 \|\|
nexpaq	1:55a6170b404f	185	mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
nexpaq	1:55a6170b404f	186	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	1:55a6170b404f	187
nexpaq	1:55a6170b404f	188	if( mbedtls_mpi_bitlen( &ctx->E ) < 2 \|\|
nexpaq	1:55a6170b404f	189	mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
nexpaq	1:55a6170b404f	190	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	1:55a6170b404f	191
nexpaq	1:55a6170b404f	192	return( 0 );
nexpaq	1:55a6170b404f	193	}
nexpaq	1:55a6170b404f	194
nexpaq	1:55a6170b404f	195	/*
nexpaq	1:55a6170b404f	196	* Check a private RSA key
nexpaq	1:55a6170b404f	197	*/
nexpaq	1:55a6170b404f	198	int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
nexpaq	1:55a6170b404f	199	{
nexpaq	1:55a6170b404f	200	int ret;
nexpaq	1:55a6170b404f	201	mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
nexpaq	1:55a6170b404f	202
nexpaq	1:55a6170b404f	203	if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
nexpaq	1:55a6170b404f	204	return( ret );
nexpaq	1:55a6170b404f	205
nexpaq	1:55a6170b404f	206	if( !ctx->P.p \|\| !ctx->Q.p \|\| !ctx->D.p )
nexpaq	1:55a6170b404f	207	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	1:55a6170b404f	208
nexpaq	1:55a6170b404f	209	mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
nexpaq	1:55a6170b404f	210	mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
nexpaq	1:55a6170b404f	211	mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
nexpaq	1:55a6170b404f	212	mbedtls_mpi_init( &QP );
nexpaq	1:55a6170b404f	213
nexpaq	1:55a6170b404f	214	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
nexpaq	1:55a6170b404f	215	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
nexpaq	1:55a6170b404f	216	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
nexpaq	1:55a6170b404f	217	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
nexpaq	1:55a6170b404f	218	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
nexpaq	1:55a6170b404f	219	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
nexpaq	1:55a6170b404f	220
nexpaq	1:55a6170b404f	221	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
nexpaq	1:55a6170b404f	222	MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
nexpaq	1:55a6170b404f	223	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
nexpaq	1:55a6170b404f	224
nexpaq	1:55a6170b404f	225	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
nexpaq	1:55a6170b404f	226	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
nexpaq	1:55a6170b404f	227	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
nexpaq	1:55a6170b404f	228	/*
nexpaq	1:55a6170b404f	229	* Check for a valid PKCS1v2 private key
nexpaq	1:55a6170b404f	230	*/
nexpaq	1:55a6170b404f	231	if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 \|\|
nexpaq	1:55a6170b404f	232	mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 \|\|
nexpaq	1:55a6170b404f	233	mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 \|\|
nexpaq	1:55a6170b404f	234	mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 \|\|
nexpaq	1:55a6170b404f	235	mbedtls_mpi_cmp_int( &L2, 0 ) != 0 \|\|
nexpaq	1:55a6170b404f	236	mbedtls_mpi_cmp_int( &I, 1 ) != 0 \|\|
nexpaq	1:55a6170b404f	237	mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
nexpaq	1:55a6170b404f	238	{
nexpaq	1:55a6170b404f	239	ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
nexpaq	1:55a6170b404f	240	}
nexpaq	1:55a6170b404f	241
nexpaq	1:55a6170b404f	242	cleanup:
nexpaq	1:55a6170b404f	243	mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
nexpaq	1:55a6170b404f	244	mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
nexpaq	1:55a6170b404f	245	mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
nexpaq	1:55a6170b404f	246	mbedtls_mpi_free( &QP );
nexpaq	1:55a6170b404f	247
nexpaq	1:55a6170b404f	248	if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
nexpaq	1:55a6170b404f	249	return( ret );
nexpaq	1:55a6170b404f	250
nexpaq	1:55a6170b404f	251	if( ret != 0 )
nexpaq	1:55a6170b404f	252	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
nexpaq	1:55a6170b404f	253
nexpaq	1:55a6170b404f	254	return( 0 );
nexpaq	1:55a6170b404f	255	}
nexpaq	1:55a6170b404f	256
nexpaq	1:55a6170b404f	257	/*
nexpaq	1:55a6170b404f	258	* Check if contexts holding a public and private key match
nexpaq	1:55a6170b404f	259	*/
nexpaq	1:55a6170b404f	260	int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context pub, const mbedtls_rsa_context prv )
nexpaq	1:55a6170b404f	261	{
nexpaq	1:55a6170b404f	262	if( mbedtls_rsa_check_pubkey( pub ) != 0 \|\|
nexpaq	1:55a6170b404f	263	mbedtls_rsa_check_privkey( prv ) != 0 )
nexpaq	1:55a6170b404f	264	{
nexpaq	1:55a6170b404f	265	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	1:55a6170b404f	266	}
nexpaq	1:55a6170b404f	267
nexpaq	1:55a6170b404f	268	if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 \|\|
nexpaq	1:55a6170b404f	269	mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
nexpaq	1:55a6170b404f	270	{
nexpaq	1:55a6170b404f	271	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
nexpaq	1:55a6170b404f	272	}
nexpaq	1:55a6170b404f	273
nexpaq	1:55a6170b404f	274	return( 0 );
nexpaq	1:55a6170b404f	275	}
nexpaq	1:55a6170b404f	276
nexpaq	1:55a6170b404f	277	/*
nexpaq	1:55a6170b404f	278	* Do an RSA public key operation
nexpaq	1:55a6170b404f	279	*/
nexpaq	1:55a6170b404f	280	int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	281	const unsigned char *input,
nexpaq	1:55a6170b404f	282	unsigned char *output )
nexpaq	1:55a6170b404f	283	{
nexpaq	1:55a6170b404f	284	int ret;
nexpaq	1:55a6170b404f	285	size_t olen;
nexpaq	1:55a6170b404f	286	mbedtls_mpi T;
nexpaq	1:55a6170b404f	287
nexpaq	1:55a6170b404f	288	mbedtls_mpi_init( &T );
nexpaq	1:55a6170b404f	289
nexpaq	1:55a6170b404f	290	#if defined(MBEDTLS_THREADING_C)
nexpaq	1:55a6170b404f	291	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
nexpaq	1:55a6170b404f	292	return( ret );
nexpaq	1:55a6170b404f	293	#endif
nexpaq	1:55a6170b404f	294
nexpaq	1:55a6170b404f	295	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
nexpaq	1:55a6170b404f	296
nexpaq	1:55a6170b404f	297	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
nexpaq	1:55a6170b404f	298	{
nexpaq	1:55a6170b404f	299	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
nexpaq	1:55a6170b404f	300	goto cleanup;
nexpaq	1:55a6170b404f	301	}
nexpaq	1:55a6170b404f	302
nexpaq	1:55a6170b404f	303	olen = ctx->len;
nexpaq	1:55a6170b404f	304	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
nexpaq	1:55a6170b404f	305	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
nexpaq	1:55a6170b404f	306
nexpaq	1:55a6170b404f	307	cleanup:
nexpaq	1:55a6170b404f	308	#if defined(MBEDTLS_THREADING_C)
nexpaq	1:55a6170b404f	309	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
nexpaq	1:55a6170b404f	310	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
nexpaq	1:55a6170b404f	311	#endif
nexpaq	1:55a6170b404f	312
nexpaq	1:55a6170b404f	313	mbedtls_mpi_free( &T );
nexpaq	1:55a6170b404f	314
nexpaq	1:55a6170b404f	315	if( ret != 0 )
nexpaq	1:55a6170b404f	316	return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
nexpaq	1:55a6170b404f	317
nexpaq	1:55a6170b404f	318	return( 0 );
nexpaq	1:55a6170b404f	319	}
nexpaq	1:55a6170b404f	320
nexpaq	1:55a6170b404f	321	/*
nexpaq	1:55a6170b404f	322	* Generate or update blinding values, see section 10 of:
nexpaq	1:55a6170b404f	323	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
nexpaq	1:55a6170b404f	324	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
nexpaq	1:55a6170b404f	325	* Berlin Heidelberg, 1996. p. 104-113.
nexpaq	1:55a6170b404f	326	*/
nexpaq	1:55a6170b404f	327	static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	328	int (f_rng)(void , unsigned char , size_t), void p_rng )
nexpaq	1:55a6170b404f	329	{
nexpaq	1:55a6170b404f	330	int ret, count = 0;
nexpaq	1:55a6170b404f	331
nexpaq	1:55a6170b404f	332	if( ctx->Vf.p != NULL )
nexpaq	1:55a6170b404f	333	{
nexpaq	1:55a6170b404f	334	/* We already have blinding values, just update them by squaring */
nexpaq	1:55a6170b404f	335	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
nexpaq	1:55a6170b404f	336	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
nexpaq	1:55a6170b404f	337	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
nexpaq	1:55a6170b404f	338	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
nexpaq	1:55a6170b404f	339
nexpaq	1:55a6170b404f	340	goto cleanup;
nexpaq	1:55a6170b404f	341	}
nexpaq	1:55a6170b404f	342
nexpaq	1:55a6170b404f	343	/* Unblinding value: Vf = random number, invertible mod N */
nexpaq	1:55a6170b404f	344	do {
nexpaq	1:55a6170b404f	345	if( count++ > 10 )
nexpaq	1:55a6170b404f	346	return( MBEDTLS_ERR_RSA_RNG_FAILED );
nexpaq	1:55a6170b404f	347
nexpaq	1:55a6170b404f	348	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
nexpaq	1:55a6170b404f	349	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
nexpaq	1:55a6170b404f	350	} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
nexpaq	1:55a6170b404f	351
nexpaq	1:55a6170b404f	352	/* Blinding value: Vi = Vf^(-e) mod N */
nexpaq	1:55a6170b404f	353	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
nexpaq	1:55a6170b404f	354	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
nexpaq	1:55a6170b404f	355
nexpaq	1:55a6170b404f	356
nexpaq	1:55a6170b404f	357	cleanup:
nexpaq	1:55a6170b404f	358	return( ret );
nexpaq	1:55a6170b404f	359	}
nexpaq	1:55a6170b404f	360
nexpaq	1:55a6170b404f	361	/*
nexpaq	1:55a6170b404f	362	* Do an RSA private key operation
nexpaq	1:55a6170b404f	363	*/
nexpaq	1:55a6170b404f	364	int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	365	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	366	void *p_rng,
nexpaq	1:55a6170b404f	367	const unsigned char *input,
nexpaq	1:55a6170b404f	368	unsigned char *output )
nexpaq	1:55a6170b404f	369	{
nexpaq	1:55a6170b404f	370	int ret;
nexpaq	1:55a6170b404f	371	size_t olen;
nexpaq	1:55a6170b404f	372	mbedtls_mpi T, T1, T2;
nexpaq	1:55a6170b404f	373
nexpaq	1:55a6170b404f	374	/* Make sure we have private key info, prevent possible misuse */
nexpaq	1:55a6170b404f	375	if( ctx->P.p == NULL \|\| ctx->Q.p == NULL \|\| ctx->D.p == NULL )
nexpaq	1:55a6170b404f	376	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	377
nexpaq	1:55a6170b404f	378	mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
nexpaq	1:55a6170b404f	379
nexpaq	1:55a6170b404f	380	#if defined(MBEDTLS_THREADING_C)
nexpaq	1:55a6170b404f	381	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
nexpaq	1:55a6170b404f	382	return( ret );
nexpaq	1:55a6170b404f	383	#endif
nexpaq	1:55a6170b404f	384
nexpaq	1:55a6170b404f	385	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
nexpaq	1:55a6170b404f	386	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
nexpaq	1:55a6170b404f	387	{
nexpaq	1:55a6170b404f	388	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
nexpaq	1:55a6170b404f	389	goto cleanup;
nexpaq	1:55a6170b404f	390	}
nexpaq	1:55a6170b404f	391
nexpaq	1:55a6170b404f	392	if( f_rng != NULL )
nexpaq	1:55a6170b404f	393	{
nexpaq	1:55a6170b404f	394	/*
nexpaq	1:55a6170b404f	395	* Blinding
nexpaq	1:55a6170b404f	396	* T = T * Vi mod N
nexpaq	1:55a6170b404f	397	*/
nexpaq	1:55a6170b404f	398	MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
nexpaq	1:55a6170b404f	399	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
nexpaq	1:55a6170b404f	400	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
nexpaq	1:55a6170b404f	401	}
nexpaq	1:55a6170b404f	402
nexpaq	1:55a6170b404f	403	#if defined(MBEDTLS_RSA_NO_CRT)
nexpaq	1:55a6170b404f	404	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
nexpaq	1:55a6170b404f	405	#else
nexpaq	1:55a6170b404f	406	/*
nexpaq	1:55a6170b404f	407	* faster decryption using the CRT
nexpaq	1:55a6170b404f	408	*
nexpaq	1:55a6170b404f	409	* T1 = input ^ dP mod P
nexpaq	1:55a6170b404f	410	* T2 = input ^ dQ mod Q
nexpaq	1:55a6170b404f	411	*/
nexpaq	1:55a6170b404f	412	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
nexpaq	1:55a6170b404f	413	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
nexpaq	1:55a6170b404f	414
nexpaq	1:55a6170b404f	415	/*
nexpaq	1:55a6170b404f	416	* T = (T1 - T2) * (Q^-1 mod P) mod P
nexpaq	1:55a6170b404f	417	*/
nexpaq	1:55a6170b404f	418	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
nexpaq	1:55a6170b404f	419	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
nexpaq	1:55a6170b404f	420	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
nexpaq	1:55a6170b404f	421
nexpaq	1:55a6170b404f	422	/*
nexpaq	1:55a6170b404f	423	* T = T2 + T * Q
nexpaq	1:55a6170b404f	424	*/
nexpaq	1:55a6170b404f	425	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
nexpaq	1:55a6170b404f	426	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
nexpaq	1:55a6170b404f	427	#endif /* MBEDTLS_RSA_NO_CRT */
nexpaq	1:55a6170b404f	428
nexpaq	1:55a6170b404f	429	if( f_rng != NULL )
nexpaq	1:55a6170b404f	430	{
nexpaq	1:55a6170b404f	431	/*
nexpaq	1:55a6170b404f	432	* Unblind
nexpaq	1:55a6170b404f	433	* T = T * Vf mod N
nexpaq	1:55a6170b404f	434	*/
nexpaq	1:55a6170b404f	435	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
nexpaq	1:55a6170b404f	436	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
nexpaq	1:55a6170b404f	437	}
nexpaq	1:55a6170b404f	438
nexpaq	1:55a6170b404f	439	olen = ctx->len;
nexpaq	1:55a6170b404f	440	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
nexpaq	1:55a6170b404f	441
nexpaq	1:55a6170b404f	442	cleanup:
nexpaq	1:55a6170b404f	443	#if defined(MBEDTLS_THREADING_C)
nexpaq	1:55a6170b404f	444	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
nexpaq	1:55a6170b404f	445	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
nexpaq	1:55a6170b404f	446	#endif
nexpaq	1:55a6170b404f	447
nexpaq	1:55a6170b404f	448	mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
nexpaq	1:55a6170b404f	449
nexpaq	1:55a6170b404f	450	if( ret != 0 )
nexpaq	1:55a6170b404f	451	return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
nexpaq	1:55a6170b404f	452
nexpaq	1:55a6170b404f	453	return( 0 );
nexpaq	1:55a6170b404f	454	}
nexpaq	1:55a6170b404f	455
nexpaq	1:55a6170b404f	456	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	457	/**
nexpaq	1:55a6170b404f	458	* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
nexpaq	1:55a6170b404f	459	*
nexpaq	1:55a6170b404f	460	* \param dst buffer to mask
nexpaq	1:55a6170b404f	461	* \param dlen length of destination buffer
nexpaq	1:55a6170b404f	462	* \param src source of the mask generation
nexpaq	1:55a6170b404f	463	* \param slen length of the source buffer
nexpaq	1:55a6170b404f	464	* \param md_ctx message digest context to use
nexpaq	1:55a6170b404f	465	*/
nexpaq	1:55a6170b404f	466	static void mgf_mask( unsigned char dst, size_t dlen, unsigned char src,
nexpaq	1:55a6170b404f	467	size_t slen, mbedtls_md_context_t *md_ctx )
nexpaq	1:55a6170b404f	468	{
nexpaq	1:55a6170b404f	469	unsigned char mask[MBEDTLS_MD_MAX_SIZE];
nexpaq	1:55a6170b404f	470	unsigned char counter[4];
nexpaq	1:55a6170b404f	471	unsigned char *p;
nexpaq	1:55a6170b404f	472	unsigned int hlen;
nexpaq	1:55a6170b404f	473	size_t i, use_len;
nexpaq	1:55a6170b404f	474
nexpaq	1:55a6170b404f	475	memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
nexpaq	1:55a6170b404f	476	memset( counter, 0, 4 );
nexpaq	1:55a6170b404f	477
nexpaq	1:55a6170b404f	478	hlen = mbedtls_md_get_size( md_ctx->md_info );
nexpaq	1:55a6170b404f	479
nexpaq	1:55a6170b404f	480	/* Generate and apply dbMask */
nexpaq	1:55a6170b404f	481	p = dst;
nexpaq	1:55a6170b404f	482
nexpaq	1:55a6170b404f	483	while( dlen > 0 )
nexpaq	1:55a6170b404f	484	{
nexpaq	1:55a6170b404f	485	use_len = hlen;
nexpaq	1:55a6170b404f	486	if( dlen < hlen )
nexpaq	1:55a6170b404f	487	use_len = dlen;
nexpaq	1:55a6170b404f	488
nexpaq	1:55a6170b404f	489	mbedtls_md_starts( md_ctx );
nexpaq	1:55a6170b404f	490	mbedtls_md_update( md_ctx, src, slen );
nexpaq	1:55a6170b404f	491	mbedtls_md_update( md_ctx, counter, 4 );
nexpaq	1:55a6170b404f	492	mbedtls_md_finish( md_ctx, mask );
nexpaq	1:55a6170b404f	493
nexpaq	1:55a6170b404f	494	for( i = 0; i < use_len; ++i )
nexpaq	1:55a6170b404f	495	*p++ ^= mask[i];
nexpaq	1:55a6170b404f	496
nexpaq	1:55a6170b404f	497	counter[3]++;
nexpaq	1:55a6170b404f	498
nexpaq	1:55a6170b404f	499	dlen -= use_len;
nexpaq	1:55a6170b404f	500	}
nexpaq	1:55a6170b404f	501	}
nexpaq	1:55a6170b404f	502	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	1:55a6170b404f	503
nexpaq	1:55a6170b404f	504	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	505	/*
nexpaq	1:55a6170b404f	506	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
nexpaq	1:55a6170b404f	507	*/
nexpaq	1:55a6170b404f	508	int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	509	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	510	void *p_rng,
nexpaq	1:55a6170b404f	511	int mode,
nexpaq	1:55a6170b404f	512	const unsigned char *label, size_t label_len,
nexpaq	1:55a6170b404f	513	size_t ilen,
nexpaq	1:55a6170b404f	514	const unsigned char *input,
nexpaq	1:55a6170b404f	515	unsigned char *output )
nexpaq	1:55a6170b404f	516	{
nexpaq	1:55a6170b404f	517	size_t olen;
nexpaq	1:55a6170b404f	518	int ret;
nexpaq	1:55a6170b404f	519	unsigned char *p = output;
nexpaq	1:55a6170b404f	520	unsigned int hlen;
nexpaq	1:55a6170b404f	521	const mbedtls_md_info_t *md_info;
nexpaq	1:55a6170b404f	522	mbedtls_md_context_t md_ctx;
nexpaq	1:55a6170b404f	523
nexpaq	1:55a6170b404f	524	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	1:55a6170b404f	525	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	526
nexpaq	1:55a6170b404f	527	if( f_rng == NULL )
nexpaq	1:55a6170b404f	528	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	529
nexpaq	1:55a6170b404f	530	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
nexpaq	1:55a6170b404f	531	if( md_info == NULL )
nexpaq	1:55a6170b404f	532	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	533
nexpaq	1:55a6170b404f	534	olen = ctx->len;
nexpaq	1:55a6170b404f	535	hlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	536
nexpaq	1:55a6170b404f	537	/* first comparison checks for overflow */
nexpaq	1:55a6170b404f	538	if( ilen + 2 * hlen + 2 < ilen \|\| olen < ilen + 2 * hlen + 2 )
nexpaq	1:55a6170b404f	539	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	540
nexpaq	1:55a6170b404f	541	memset( output, 0, olen );
nexpaq	1:55a6170b404f	542
nexpaq	1:55a6170b404f	543	*p++ = 0;
nexpaq	1:55a6170b404f	544
nexpaq	1:55a6170b404f	545	/* Generate a random octet string seed */
nexpaq	1:55a6170b404f	546	if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
nexpaq	1:55a6170b404f	547	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
nexpaq	1:55a6170b404f	548
nexpaq	1:55a6170b404f	549	p += hlen;
nexpaq	1:55a6170b404f	550
nexpaq	1:55a6170b404f	551	/* Construct DB */
nexpaq	1:55a6170b404f	552	mbedtls_md( md_info, label, label_len, p );
nexpaq	1:55a6170b404f	553	p += hlen;
nexpaq	1:55a6170b404f	554	p += olen - 2 * hlen - 2 - ilen;
nexpaq	1:55a6170b404f	555	*p++ = 1;
nexpaq	1:55a6170b404f	556	memcpy( p, input, ilen );
nexpaq	1:55a6170b404f	557
nexpaq	1:55a6170b404f	558	mbedtls_md_init( &md_ctx );
nexpaq	1:55a6170b404f	559	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	1:55a6170b404f	560	{
nexpaq	1:55a6170b404f	561	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	562	return( ret );
nexpaq	1:55a6170b404f	563	}
nexpaq	1:55a6170b404f	564
nexpaq	1:55a6170b404f	565	/* maskedDB: Apply dbMask to DB */
nexpaq	1:55a6170b404f	566	mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
nexpaq	1:55a6170b404f	567	&md_ctx );
nexpaq	1:55a6170b404f	568
nexpaq	1:55a6170b404f	569	/* maskedSeed: Apply seedMask to seed */
nexpaq	1:55a6170b404f	570	mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
nexpaq	1:55a6170b404f	571	&md_ctx );
nexpaq	1:55a6170b404f	572
nexpaq	1:55a6170b404f	573	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	574
nexpaq	1:55a6170b404f	575	return( ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	576	? mbedtls_rsa_public( ctx, output, output )
nexpaq	1:55a6170b404f	577	: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
nexpaq	1:55a6170b404f	578	}
nexpaq	1:55a6170b404f	579	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	1:55a6170b404f	580
nexpaq	1:55a6170b404f	581	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	582	/*
nexpaq	1:55a6170b404f	583	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
nexpaq	1:55a6170b404f	584	*/
nexpaq	1:55a6170b404f	585	int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	586	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	587	void *p_rng,
nexpaq	1:55a6170b404f	588	int mode, size_t ilen,
nexpaq	1:55a6170b404f	589	const unsigned char *input,
nexpaq	1:55a6170b404f	590	unsigned char *output )
nexpaq	1:55a6170b404f	591	{
nexpaq	1:55a6170b404f	592	size_t nb_pad, olen;
nexpaq	1:55a6170b404f	593	int ret;
nexpaq	1:55a6170b404f	594	unsigned char *p = output;
nexpaq	1:55a6170b404f	595
nexpaq	1:55a6170b404f	596	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	1:55a6170b404f	597	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	598
nexpaq	1:55a6170b404f	599	// We don't check p_rng because it won't be dereferenced here
nexpaq	1:55a6170b404f	600	if( f_rng == NULL \|\| input == NULL \|\| output == NULL )
nexpaq	1:55a6170b404f	601	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	602
nexpaq	1:55a6170b404f	603	olen = ctx->len;
nexpaq	1:55a6170b404f	604
nexpaq	1:55a6170b404f	605	/* first comparison checks for overflow */
nexpaq	1:55a6170b404f	606	if( ilen + 11 < ilen \|\| olen < ilen + 11 )
nexpaq	1:55a6170b404f	607	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	608
nexpaq	1:55a6170b404f	609	nb_pad = olen - 3 - ilen;
nexpaq	1:55a6170b404f	610
nexpaq	1:55a6170b404f	611	*p++ = 0;
nexpaq	1:55a6170b404f	612	if( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	613	{
nexpaq	1:55a6170b404f	614	*p++ = MBEDTLS_RSA_CRYPT;
nexpaq	1:55a6170b404f	615
nexpaq	1:55a6170b404f	616	while( nb_pad-- > 0 )
nexpaq	1:55a6170b404f	617	{
nexpaq	1:55a6170b404f	618	int rng_dl = 100;
nexpaq	1:55a6170b404f	619
nexpaq	1:55a6170b404f	620	do {
nexpaq	1:55a6170b404f	621	ret = f_rng( p_rng, p, 1 );
nexpaq	1:55a6170b404f	622	} while( *p == 0 && --rng_dl && ret == 0 );
nexpaq	1:55a6170b404f	623
nexpaq	1:55a6170b404f	624	/* Check if RNG failed to generate data */
nexpaq	1:55a6170b404f	625	if( rng_dl == 0 \|\| ret != 0 )
nexpaq	1:55a6170b404f	626	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
nexpaq	1:55a6170b404f	627
nexpaq	1:55a6170b404f	628	p++;
nexpaq	1:55a6170b404f	629	}
nexpaq	1:55a6170b404f	630	}
nexpaq	1:55a6170b404f	631	else
nexpaq	1:55a6170b404f	632	{
nexpaq	1:55a6170b404f	633	*p++ = MBEDTLS_RSA_SIGN;
nexpaq	1:55a6170b404f	634
nexpaq	1:55a6170b404f	635	while( nb_pad-- > 0 )
nexpaq	1:55a6170b404f	636	*p++ = 0xFF;
nexpaq	1:55a6170b404f	637	}
nexpaq	1:55a6170b404f	638
nexpaq	1:55a6170b404f	639	*p++ = 0;
nexpaq	1:55a6170b404f	640	memcpy( p, input, ilen );
nexpaq	1:55a6170b404f	641
nexpaq	1:55a6170b404f	642	return( ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	643	? mbedtls_rsa_public( ctx, output, output )
nexpaq	1:55a6170b404f	644	: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
nexpaq	1:55a6170b404f	645	}
nexpaq	1:55a6170b404f	646	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	1:55a6170b404f	647
nexpaq	1:55a6170b404f	648	/*
nexpaq	1:55a6170b404f	649	* Add the message padding, then do an RSA operation
nexpaq	1:55a6170b404f	650	*/
nexpaq	1:55a6170b404f	651	int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	652	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	653	void *p_rng,
nexpaq	1:55a6170b404f	654	int mode, size_t ilen,
nexpaq	1:55a6170b404f	655	const unsigned char *input,
nexpaq	1:55a6170b404f	656	unsigned char *output )
nexpaq	1:55a6170b404f	657	{
nexpaq	1:55a6170b404f	658	switch( ctx->padding )
nexpaq	1:55a6170b404f	659	{
nexpaq	1:55a6170b404f	660	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	661	case MBEDTLS_RSA_PKCS_V15:
nexpaq	1:55a6170b404f	662	return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
nexpaq	1:55a6170b404f	663	input, output );
nexpaq	1:55a6170b404f	664	#endif
nexpaq	1:55a6170b404f	665
nexpaq	1:55a6170b404f	666	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	667	case MBEDTLS_RSA_PKCS_V21:
nexpaq	1:55a6170b404f	668	return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
nexpaq	1:55a6170b404f	669	ilen, input, output );
nexpaq	1:55a6170b404f	670	#endif
nexpaq	1:55a6170b404f	671
nexpaq	1:55a6170b404f	672	default:
nexpaq	1:55a6170b404f	673	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	674	}
nexpaq	1:55a6170b404f	675	}
nexpaq	1:55a6170b404f	676
nexpaq	1:55a6170b404f	677	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	678	/*
nexpaq	1:55a6170b404f	679	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
nexpaq	1:55a6170b404f	680	*/
nexpaq	1:55a6170b404f	681	int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	682	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	683	void *p_rng,
nexpaq	1:55a6170b404f	684	int mode,
nexpaq	1:55a6170b404f	685	const unsigned char *label, size_t label_len,
nexpaq	1:55a6170b404f	686	size_t *olen,
nexpaq	1:55a6170b404f	687	const unsigned char *input,
nexpaq	1:55a6170b404f	688	unsigned char *output,
nexpaq	1:55a6170b404f	689	size_t output_max_len )
nexpaq	1:55a6170b404f	690	{
nexpaq	1:55a6170b404f	691	int ret;
nexpaq	1:55a6170b404f	692	size_t ilen, i, pad_len;
nexpaq	1:55a6170b404f	693	unsigned char *p, bad, pad_done;
nexpaq	1:55a6170b404f	694	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	1:55a6170b404f	695	unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
nexpaq	1:55a6170b404f	696	unsigned int hlen;
nexpaq	1:55a6170b404f	697	const mbedtls_md_info_t *md_info;
nexpaq	1:55a6170b404f	698	mbedtls_md_context_t md_ctx;
nexpaq	1:55a6170b404f	699
nexpaq	1:55a6170b404f	700	/*
nexpaq	1:55a6170b404f	701	* Parameters sanity checks
nexpaq	1:55a6170b404f	702	*/
nexpaq	1:55a6170b404f	703	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	1:55a6170b404f	704	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	705
nexpaq	1:55a6170b404f	706	ilen = ctx->len;
nexpaq	1:55a6170b404f	707
nexpaq	1:55a6170b404f	708	if( ilen < 16 \|\| ilen > sizeof( buf ) )
nexpaq	1:55a6170b404f	709	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	710
nexpaq	1:55a6170b404f	711	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
nexpaq	1:55a6170b404f	712	if( md_info == NULL )
nexpaq	1:55a6170b404f	713	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	714
nexpaq	1:55a6170b404f	715	hlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	716
nexpaq	1:55a6170b404f	717	// checking for integer underflow
nexpaq	1:55a6170b404f	718	if( 2 * hlen + 2 > ilen )
nexpaq	1:55a6170b404f	719	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	720
nexpaq	1:55a6170b404f	721	/*
nexpaq	1:55a6170b404f	722	* RSA operation
nexpaq	1:55a6170b404f	723	*/
nexpaq	1:55a6170b404f	724	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	725	? mbedtls_rsa_public( ctx, input, buf )
nexpaq	1:55a6170b404f	726	: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
nexpaq	1:55a6170b404f	727
nexpaq	1:55a6170b404f	728	if( ret != 0 )
nexpaq	1:55a6170b404f	729	return( ret );
nexpaq	1:55a6170b404f	730
nexpaq	1:55a6170b404f	731	/*
nexpaq	1:55a6170b404f	732	* Unmask data and generate lHash
nexpaq	1:55a6170b404f	733	*/
nexpaq	1:55a6170b404f	734	mbedtls_md_init( &md_ctx );
nexpaq	1:55a6170b404f	735	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	1:55a6170b404f	736	{
nexpaq	1:55a6170b404f	737	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	738	return( ret );
nexpaq	1:55a6170b404f	739	}
nexpaq	1:55a6170b404f	740
nexpaq	1:55a6170b404f	741
nexpaq	1:55a6170b404f	742	/* Generate lHash */
nexpaq	1:55a6170b404f	743	mbedtls_md( md_info, label, label_len, lhash );
nexpaq	1:55a6170b404f	744
nexpaq	1:55a6170b404f	745	/* seed: Apply seedMask to maskedSeed */
nexpaq	1:55a6170b404f	746	mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
nexpaq	1:55a6170b404f	747	&md_ctx );
nexpaq	1:55a6170b404f	748
nexpaq	1:55a6170b404f	749	/* DB: Apply dbMask to maskedDB */
nexpaq	1:55a6170b404f	750	mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
nexpaq	1:55a6170b404f	751	&md_ctx );
nexpaq	1:55a6170b404f	752
nexpaq	1:55a6170b404f	753	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	754
nexpaq	1:55a6170b404f	755	/*
nexpaq	1:55a6170b404f	756	* Check contents, in "constant-time"
nexpaq	1:55a6170b404f	757	*/
nexpaq	1:55a6170b404f	758	p = buf;
nexpaq	1:55a6170b404f	759	bad = 0;
nexpaq	1:55a6170b404f	760
nexpaq	1:55a6170b404f	761	bad \|= p++; / First byte must be 0 */
nexpaq	1:55a6170b404f	762
nexpaq	1:55a6170b404f	763	p += hlen; /* Skip seed */
nexpaq	1:55a6170b404f	764
nexpaq	1:55a6170b404f	765	/* Check lHash */
nexpaq	1:55a6170b404f	766	for( i = 0; i < hlen; i++ )
nexpaq	1:55a6170b404f	767	bad \|= lhash[i] ^ *p++;
nexpaq	1:55a6170b404f	768
nexpaq	1:55a6170b404f	769	/* Get zero-padding len, but always read till end of buffer
nexpaq	1:55a6170b404f	770	* (minus one, for the 01 byte) */
nexpaq	1:55a6170b404f	771	pad_len = 0;
nexpaq	1:55a6170b404f	772	pad_done = 0;
nexpaq	1:55a6170b404f	773	for( i = 0; i < ilen - 2 * hlen - 2; i++ )
nexpaq	1:55a6170b404f	774	{
nexpaq	1:55a6170b404f	775	pad_done \|= p[i];
nexpaq	1:55a6170b404f	776	pad_len += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
nexpaq	1:55a6170b404f	777	}
nexpaq	1:55a6170b404f	778
nexpaq	1:55a6170b404f	779	p += pad_len;
nexpaq	1:55a6170b404f	780	bad \|= *p++ ^ 0x01;
nexpaq	1:55a6170b404f	781
nexpaq	1:55a6170b404f	782	/*
nexpaq	1:55a6170b404f	783	* The only information "leaked" is whether the padding was correct or not
nexpaq	1:55a6170b404f	784	* (eg, no data is copied if it was not correct). This meets the
nexpaq	1:55a6170b404f	785	* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
nexpaq	1:55a6170b404f	786	* the different error conditions.
nexpaq	1:55a6170b404f	787	*/
nexpaq	1:55a6170b404f	788	if( bad != 0 )
nexpaq	1:55a6170b404f	789	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	790
nexpaq	1:55a6170b404f	791	if( ilen - ( p - buf ) > output_max_len )
nexpaq	1:55a6170b404f	792	return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
nexpaq	1:55a6170b404f	793
nexpaq	1:55a6170b404f	794	*olen = ilen - (p - buf);
nexpaq	1:55a6170b404f	795	memcpy( output, p, *olen );
nexpaq	1:55a6170b404f	796
nexpaq	1:55a6170b404f	797	return( 0 );
nexpaq	1:55a6170b404f	798	}
nexpaq	1:55a6170b404f	799	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	1:55a6170b404f	800
nexpaq	1:55a6170b404f	801	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	802	/*
nexpaq	1:55a6170b404f	803	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
nexpaq	1:55a6170b404f	804	*/
nexpaq	1:55a6170b404f	805	int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	806	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	807	void *p_rng,
nexpaq	1:55a6170b404f	808	int mode, size_t *olen,
nexpaq	1:55a6170b404f	809	const unsigned char *input,
nexpaq	1:55a6170b404f	810	unsigned char *output,
nexpaq	1:55a6170b404f	811	size_t output_max_len)
nexpaq	1:55a6170b404f	812	{
nexpaq	1:55a6170b404f	813	int ret;
nexpaq	1:55a6170b404f	814	size_t ilen, pad_count = 0, i;
nexpaq	1:55a6170b404f	815	unsigned char *p, bad, pad_done = 0;
nexpaq	1:55a6170b404f	816	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	1:55a6170b404f	817
nexpaq	1:55a6170b404f	818	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	1:55a6170b404f	819	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	820
nexpaq	1:55a6170b404f	821	ilen = ctx->len;
nexpaq	1:55a6170b404f	822
nexpaq	1:55a6170b404f	823	if( ilen < 16 \|\| ilen > sizeof( buf ) )
nexpaq	1:55a6170b404f	824	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	825
nexpaq	1:55a6170b404f	826	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	827	? mbedtls_rsa_public( ctx, input, buf )
nexpaq	1:55a6170b404f	828	: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
nexpaq	1:55a6170b404f	829
nexpaq	1:55a6170b404f	830	if( ret != 0 )
nexpaq	1:55a6170b404f	831	return( ret );
nexpaq	1:55a6170b404f	832
nexpaq	1:55a6170b404f	833	p = buf;
nexpaq	1:55a6170b404f	834	bad = 0;
nexpaq	1:55a6170b404f	835
nexpaq	1:55a6170b404f	836	/*
nexpaq	1:55a6170b404f	837	* Check and get padding len in "constant-time"
nexpaq	1:55a6170b404f	838	*/
nexpaq	1:55a6170b404f	839	bad \|= p++; / First byte must be 0 */
nexpaq	1:55a6170b404f	840
nexpaq	1:55a6170b404f	841	/* This test does not depend on secret data */
nexpaq	1:55a6170b404f	842	if( mode == MBEDTLS_RSA_PRIVATE )
nexpaq	1:55a6170b404f	843	{
nexpaq	1:55a6170b404f	844	bad \|= *p++ ^ MBEDTLS_RSA_CRYPT;
nexpaq	1:55a6170b404f	845
nexpaq	1:55a6170b404f	846	/* Get padding len, but always read till end of buffer
nexpaq	1:55a6170b404f	847	* (minus one, for the 00 byte) */
nexpaq	1:55a6170b404f	848	for( i = 0; i < ilen - 3; i++ )
nexpaq	1:55a6170b404f	849	{
nexpaq	1:55a6170b404f	850	pad_done \|= ((p[i] \| (unsigned char)-p[i]) >> 7) ^ 1;
nexpaq	1:55a6170b404f	851	pad_count += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
nexpaq	1:55a6170b404f	852	}
nexpaq	1:55a6170b404f	853
nexpaq	1:55a6170b404f	854	p += pad_count;
nexpaq	1:55a6170b404f	855	bad \|= p++; / Must be zero */
nexpaq	1:55a6170b404f	856	}
nexpaq	1:55a6170b404f	857	else
nexpaq	1:55a6170b404f	858	{
nexpaq	1:55a6170b404f	859	bad \|= *p++ ^ MBEDTLS_RSA_SIGN;
nexpaq	1:55a6170b404f	860
nexpaq	1:55a6170b404f	861	/* Get padding len, but always read till end of buffer
nexpaq	1:55a6170b404f	862	* (minus one, for the 00 byte) */
nexpaq	1:55a6170b404f	863	for( i = 0; i < ilen - 3; i++ )
nexpaq	1:55a6170b404f	864	{
nexpaq	1:55a6170b404f	865	pad_done \|= ( p[i] != 0xFF );
nexpaq	1:55a6170b404f	866	pad_count += ( pad_done == 0 );
nexpaq	1:55a6170b404f	867	}
nexpaq	1:55a6170b404f	868
nexpaq	1:55a6170b404f	869	p += pad_count;
nexpaq	1:55a6170b404f	870	bad \|= p++; / Must be zero */
nexpaq	1:55a6170b404f	871	}
nexpaq	1:55a6170b404f	872
nexpaq	1:55a6170b404f	873	bad \|= ( pad_count < 8 );
nexpaq	1:55a6170b404f	874
nexpaq	1:55a6170b404f	875	if( bad )
nexpaq	1:55a6170b404f	876	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	877
nexpaq	1:55a6170b404f	878	if( ilen - ( p - buf ) > output_max_len )
nexpaq	1:55a6170b404f	879	return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
nexpaq	1:55a6170b404f	880
nexpaq	1:55a6170b404f	881	*olen = ilen - (p - buf);
nexpaq	1:55a6170b404f	882	memcpy( output, p, *olen );
nexpaq	1:55a6170b404f	883
nexpaq	1:55a6170b404f	884	return( 0 );
nexpaq	1:55a6170b404f	885	}
nexpaq	1:55a6170b404f	886	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	1:55a6170b404f	887
nexpaq	1:55a6170b404f	888	/*
nexpaq	1:55a6170b404f	889	* Do an RSA operation, then remove the message padding
nexpaq	1:55a6170b404f	890	*/
nexpaq	1:55a6170b404f	891	int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	892	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	893	void *p_rng,
nexpaq	1:55a6170b404f	894	int mode, size_t *olen,
nexpaq	1:55a6170b404f	895	const unsigned char *input,
nexpaq	1:55a6170b404f	896	unsigned char *output,
nexpaq	1:55a6170b404f	897	size_t output_max_len)
nexpaq	1:55a6170b404f	898	{
nexpaq	1:55a6170b404f	899	switch( ctx->padding )
nexpaq	1:55a6170b404f	900	{
nexpaq	1:55a6170b404f	901	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	902	case MBEDTLS_RSA_PKCS_V15:
nexpaq	1:55a6170b404f	903	return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
nexpaq	1:55a6170b404f	904	input, output, output_max_len );
nexpaq	1:55a6170b404f	905	#endif
nexpaq	1:55a6170b404f	906
nexpaq	1:55a6170b404f	907	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	908	case MBEDTLS_RSA_PKCS_V21:
nexpaq	1:55a6170b404f	909	return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
nexpaq	1:55a6170b404f	910	olen, input, output,
nexpaq	1:55a6170b404f	911	output_max_len );
nexpaq	1:55a6170b404f	912	#endif
nexpaq	1:55a6170b404f	913
nexpaq	1:55a6170b404f	914	default:
nexpaq	1:55a6170b404f	915	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	916	}
nexpaq	1:55a6170b404f	917	}
nexpaq	1:55a6170b404f	918
nexpaq	1:55a6170b404f	919	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	920	/*
nexpaq	1:55a6170b404f	921	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
nexpaq	1:55a6170b404f	922	*/
nexpaq	1:55a6170b404f	923	int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	924	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	925	void *p_rng,
nexpaq	1:55a6170b404f	926	int mode,
nexpaq	1:55a6170b404f	927	mbedtls_md_type_t md_alg,
nexpaq	1:55a6170b404f	928	unsigned int hashlen,
nexpaq	1:55a6170b404f	929	const unsigned char *hash,
nexpaq	1:55a6170b404f	930	unsigned char *sig )
nexpaq	1:55a6170b404f	931	{
nexpaq	1:55a6170b404f	932	size_t olen;
nexpaq	1:55a6170b404f	933	unsigned char *p = sig;
nexpaq	1:55a6170b404f	934	unsigned char salt[MBEDTLS_MD_MAX_SIZE];
nexpaq	1:55a6170b404f	935	unsigned int slen, hlen, offset = 0;
nexpaq	1:55a6170b404f	936	int ret;
nexpaq	1:55a6170b404f	937	size_t msb;
nexpaq	1:55a6170b404f	938	const mbedtls_md_info_t *md_info;
nexpaq	1:55a6170b404f	939	mbedtls_md_context_t md_ctx;
nexpaq	1:55a6170b404f	940
nexpaq	1:55a6170b404f	941	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	1:55a6170b404f	942	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	943
nexpaq	1:55a6170b404f	944	if( f_rng == NULL )
nexpaq	1:55a6170b404f	945	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	946
nexpaq	1:55a6170b404f	947	olen = ctx->len;
nexpaq	1:55a6170b404f	948
nexpaq	1:55a6170b404f	949	if( md_alg != MBEDTLS_MD_NONE )
nexpaq	1:55a6170b404f	950	{
nexpaq	1:55a6170b404f	951	/* Gather length of hash to sign */
nexpaq	1:55a6170b404f	952	md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	1:55a6170b404f	953	if( md_info == NULL )
nexpaq	1:55a6170b404f	954	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	955
nexpaq	1:55a6170b404f	956	hashlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	957	}
nexpaq	1:55a6170b404f	958
nexpaq	1:55a6170b404f	959	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
nexpaq	1:55a6170b404f	960	if( md_info == NULL )
nexpaq	1:55a6170b404f	961	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	962
nexpaq	1:55a6170b404f	963	hlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	964	slen = hlen;
nexpaq	1:55a6170b404f	965
nexpaq	1:55a6170b404f	966	if( olen < hlen + slen + 2 )
nexpaq	1:55a6170b404f	967	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	968
nexpaq	1:55a6170b404f	969	memset( sig, 0, olen );
nexpaq	1:55a6170b404f	970
nexpaq	1:55a6170b404f	971	/* Generate salt of length slen */
nexpaq	1:55a6170b404f	972	if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
nexpaq	1:55a6170b404f	973	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
nexpaq	1:55a6170b404f	974
nexpaq	1:55a6170b404f	975	/* Note: EMSA-PSS encoding is over the length of N - 1 bits */
nexpaq	1:55a6170b404f	976	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
nexpaq	1:55a6170b404f	977	p += olen - hlen * 2 - 2;
nexpaq	1:55a6170b404f	978	*p++ = 0x01;
nexpaq	1:55a6170b404f	979	memcpy( p, salt, slen );
nexpaq	1:55a6170b404f	980	p += slen;
nexpaq	1:55a6170b404f	981
nexpaq	1:55a6170b404f	982	mbedtls_md_init( &md_ctx );
nexpaq	1:55a6170b404f	983	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	1:55a6170b404f	984	{
nexpaq	1:55a6170b404f	985	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	986	return( ret );
nexpaq	1:55a6170b404f	987	}
nexpaq	1:55a6170b404f	988
nexpaq	1:55a6170b404f	989	/* Generate H = Hash( M' ) */
nexpaq	1:55a6170b404f	990	mbedtls_md_starts( &md_ctx );
nexpaq	1:55a6170b404f	991	mbedtls_md_update( &md_ctx, p, 8 );
nexpaq	1:55a6170b404f	992	mbedtls_md_update( &md_ctx, hash, hashlen );
nexpaq	1:55a6170b404f	993	mbedtls_md_update( &md_ctx, salt, slen );
nexpaq	1:55a6170b404f	994	mbedtls_md_finish( &md_ctx, p );
nexpaq	1:55a6170b404f	995
nexpaq	1:55a6170b404f	996	/* Compensate for boundary condition when applying mask */
nexpaq	1:55a6170b404f	997	if( msb % 8 == 0 )
nexpaq	1:55a6170b404f	998	offset = 1;
nexpaq	1:55a6170b404f	999
nexpaq	1:55a6170b404f	1000	/* maskedDB: Apply dbMask to DB */
nexpaq	1:55a6170b404f	1001	mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
nexpaq	1:55a6170b404f	1002
nexpaq	1:55a6170b404f	1003	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	1004
nexpaq	1:55a6170b404f	1005	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
nexpaq	1:55a6170b404f	1006	sig[0] &= 0xFF >> ( olen * 8 - msb );
nexpaq	1:55a6170b404f	1007
nexpaq	1:55a6170b404f	1008	p += hlen;
nexpaq	1:55a6170b404f	1009	*p++ = 0xBC;
nexpaq	1:55a6170b404f	1010
nexpaq	1:55a6170b404f	1011	return( ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	1012	? mbedtls_rsa_public( ctx, sig, sig )
nexpaq	1:55a6170b404f	1013	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
nexpaq	1:55a6170b404f	1014	}
nexpaq	1:55a6170b404f	1015	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	1:55a6170b404f	1016
nexpaq	1:55a6170b404f	1017	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	1018	/*
nexpaq	1:55a6170b404f	1019	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
nexpaq	1:55a6170b404f	1020	*/
nexpaq	1:55a6170b404f	1021	/*
nexpaq	1:55a6170b404f	1022	* Do an RSA operation to sign the message digest
nexpaq	1:55a6170b404f	1023	*/
nexpaq	1:55a6170b404f	1024	int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	1025	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	1026	void *p_rng,
nexpaq	1:55a6170b404f	1027	int mode,
nexpaq	1:55a6170b404f	1028	mbedtls_md_type_t md_alg,
nexpaq	1:55a6170b404f	1029	unsigned int hashlen,
nexpaq	1:55a6170b404f	1030	const unsigned char *hash,
nexpaq	1:55a6170b404f	1031	unsigned char *sig )
nexpaq	1:55a6170b404f	1032	{
nexpaq	1:55a6170b404f	1033	size_t nb_pad, olen, oid_size = 0;
nexpaq	1:55a6170b404f	1034	unsigned char *p = sig;
nexpaq	1:55a6170b404f	1035	const char *oid = NULL;
nexpaq	1:55a6170b404f	1036	unsigned char sig_try = NULL, verif = NULL;
nexpaq	1:55a6170b404f	1037	size_t i;
nexpaq	1:55a6170b404f	1038	unsigned char diff;
nexpaq	1:55a6170b404f	1039	volatile unsigned char diff_no_optimize;
nexpaq	1:55a6170b404f	1040	int ret;
nexpaq	1:55a6170b404f	1041
nexpaq	1:55a6170b404f	1042	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	1:55a6170b404f	1043	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1044
nexpaq	1:55a6170b404f	1045	olen = ctx->len;
nexpaq	1:55a6170b404f	1046	nb_pad = olen - 3;
nexpaq	1:55a6170b404f	1047
nexpaq	1:55a6170b404f	1048	if( md_alg != MBEDTLS_MD_NONE )
nexpaq	1:55a6170b404f	1049	{
nexpaq	1:55a6170b404f	1050	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	1:55a6170b404f	1051	if( md_info == NULL )
nexpaq	1:55a6170b404f	1052	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1053
nexpaq	1:55a6170b404f	1054	if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
nexpaq	1:55a6170b404f	1055	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1056
nexpaq	1:55a6170b404f	1057	nb_pad -= 10 + oid_size;
nexpaq	1:55a6170b404f	1058
nexpaq	1:55a6170b404f	1059	hashlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	1060	}
nexpaq	1:55a6170b404f	1061
nexpaq	1:55a6170b404f	1062	nb_pad -= hashlen;
nexpaq	1:55a6170b404f	1063
nexpaq	1:55a6170b404f	1064	if( ( nb_pad < 8 ) \|\| ( nb_pad > olen ) )
nexpaq	1:55a6170b404f	1065	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1066
nexpaq	1:55a6170b404f	1067	*p++ = 0;
nexpaq	1:55a6170b404f	1068	*p++ = MBEDTLS_RSA_SIGN;
nexpaq	1:55a6170b404f	1069	memset( p, 0xFF, nb_pad );
nexpaq	1:55a6170b404f	1070	p += nb_pad;
nexpaq	1:55a6170b404f	1071	*p++ = 0;
nexpaq	1:55a6170b404f	1072
nexpaq	1:55a6170b404f	1073	if( md_alg == MBEDTLS_MD_NONE )
nexpaq	1:55a6170b404f	1074	{
nexpaq	1:55a6170b404f	1075	memcpy( p, hash, hashlen );
nexpaq	1:55a6170b404f	1076	}
nexpaq	1:55a6170b404f	1077	else
nexpaq	1:55a6170b404f	1078	{
nexpaq	1:55a6170b404f	1079	/*
nexpaq	1:55a6170b404f	1080	* DigestInfo ::= SEQUENCE {
nexpaq	1:55a6170b404f	1081	* digestAlgorithm DigestAlgorithmIdentifier,
nexpaq	1:55a6170b404f	1082	* digest Digest }
nexpaq	1:55a6170b404f	1083	*
nexpaq	1:55a6170b404f	1084	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
nexpaq	1:55a6170b404f	1085	*
nexpaq	1:55a6170b404f	1086	* Digest ::= OCTET STRING
nexpaq	1:55a6170b404f	1087	*/
nexpaq	1:55a6170b404f	1088	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
nexpaq	1:55a6170b404f	1089	*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
nexpaq	1:55a6170b404f	1090	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
nexpaq	1:55a6170b404f	1091	*p++ = (unsigned char) ( 0x04 + oid_size );
nexpaq	1:55a6170b404f	1092	*p++ = MBEDTLS_ASN1_OID;
nexpaq	1:55a6170b404f	1093	*p++ = oid_size & 0xFF;
nexpaq	1:55a6170b404f	1094	memcpy( p, oid, oid_size );
nexpaq	1:55a6170b404f	1095	p += oid_size;
nexpaq	1:55a6170b404f	1096	*p++ = MBEDTLS_ASN1_NULL;
nexpaq	1:55a6170b404f	1097	*p++ = 0x00;
nexpaq	1:55a6170b404f	1098	*p++ = MBEDTLS_ASN1_OCTET_STRING;
nexpaq	1:55a6170b404f	1099	*p++ = hashlen;
nexpaq	1:55a6170b404f	1100	memcpy( p, hash, hashlen );
nexpaq	1:55a6170b404f	1101	}
nexpaq	1:55a6170b404f	1102
nexpaq	1:55a6170b404f	1103	if( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	1104	return( mbedtls_rsa_public( ctx, sig, sig ) );
nexpaq	1:55a6170b404f	1105
nexpaq	1:55a6170b404f	1106	/*
nexpaq	1:55a6170b404f	1107	* In order to prevent Lenstra's attack, make the signature in a
nexpaq	1:55a6170b404f	1108	* temporary buffer and check it before returning it.
nexpaq	1:55a6170b404f	1109	*/
nexpaq	1:55a6170b404f	1110	sig_try = mbedtls_calloc( 1, ctx->len );
nexpaq	1:55a6170b404f	1111	if( sig_try == NULL )
nexpaq	1:55a6170b404f	1112	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
nexpaq	1:55a6170b404f	1113
nexpaq	1:55a6170b404f	1114	verif = mbedtls_calloc( 1, ctx->len );
nexpaq	1:55a6170b404f	1115	if( verif == NULL )
nexpaq	1:55a6170b404f	1116	{
nexpaq	1:55a6170b404f	1117	mbedtls_free( sig_try );
nexpaq	1:55a6170b404f	1118	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
nexpaq	1:55a6170b404f	1119	}
nexpaq	1:55a6170b404f	1120
nexpaq	1:55a6170b404f	1121	MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
nexpaq	1:55a6170b404f	1122	MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
nexpaq	1:55a6170b404f	1123
nexpaq	1:55a6170b404f	1124	/* Compare in constant time just in case */
nexpaq	1:55a6170b404f	1125	for( diff = 0, i = 0; i < ctx->len; i++ )
nexpaq	1:55a6170b404f	1126	diff \|= verif[i] ^ sig[i];
nexpaq	1:55a6170b404f	1127	diff_no_optimize = diff;
nexpaq	1:55a6170b404f	1128
nexpaq	1:55a6170b404f	1129	if( diff_no_optimize != 0 )
nexpaq	1:55a6170b404f	1130	{
nexpaq	1:55a6170b404f	1131	ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
nexpaq	1:55a6170b404f	1132	goto cleanup;
nexpaq	1:55a6170b404f	1133	}
nexpaq	1:55a6170b404f	1134
nexpaq	1:55a6170b404f	1135	memcpy( sig, sig_try, ctx->len );
nexpaq	1:55a6170b404f	1136
nexpaq	1:55a6170b404f	1137	cleanup:
nexpaq	1:55a6170b404f	1138	mbedtls_free( sig_try );
nexpaq	1:55a6170b404f	1139	mbedtls_free( verif );
nexpaq	1:55a6170b404f	1140
nexpaq	1:55a6170b404f	1141	return( ret );
nexpaq	1:55a6170b404f	1142	}
nexpaq	1:55a6170b404f	1143	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	1:55a6170b404f	1144
nexpaq	1:55a6170b404f	1145	/*
nexpaq	1:55a6170b404f	1146	* Do an RSA operation to sign the message digest
nexpaq	1:55a6170b404f	1147	*/
nexpaq	1:55a6170b404f	1148	int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	1149	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	1150	void *p_rng,
nexpaq	1:55a6170b404f	1151	int mode,
nexpaq	1:55a6170b404f	1152	mbedtls_md_type_t md_alg,
nexpaq	1:55a6170b404f	1153	unsigned int hashlen,
nexpaq	1:55a6170b404f	1154	const unsigned char *hash,
nexpaq	1:55a6170b404f	1155	unsigned char *sig )
nexpaq	1:55a6170b404f	1156	{
nexpaq	1:55a6170b404f	1157	switch( ctx->padding )
nexpaq	1:55a6170b404f	1158	{
nexpaq	1:55a6170b404f	1159	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	1160	case MBEDTLS_RSA_PKCS_V15:
nexpaq	1:55a6170b404f	1161	return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	1:55a6170b404f	1162	hashlen, hash, sig );
nexpaq	1:55a6170b404f	1163	#endif
nexpaq	1:55a6170b404f	1164
nexpaq	1:55a6170b404f	1165	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	1166	case MBEDTLS_RSA_PKCS_V21:
nexpaq	1:55a6170b404f	1167	return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	1:55a6170b404f	1168	hashlen, hash, sig );
nexpaq	1:55a6170b404f	1169	#endif
nexpaq	1:55a6170b404f	1170
nexpaq	1:55a6170b404f	1171	default:
nexpaq	1:55a6170b404f	1172	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	1173	}
nexpaq	1:55a6170b404f	1174	}
nexpaq	1:55a6170b404f	1175
nexpaq	1:55a6170b404f	1176	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	1177	/*
nexpaq	1:55a6170b404f	1178	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
nexpaq	1:55a6170b404f	1179	*/
nexpaq	1:55a6170b404f	1180	int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	1181	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	1182	void *p_rng,
nexpaq	1:55a6170b404f	1183	int mode,
nexpaq	1:55a6170b404f	1184	mbedtls_md_type_t md_alg,
nexpaq	1:55a6170b404f	1185	unsigned int hashlen,
nexpaq	1:55a6170b404f	1186	const unsigned char *hash,
nexpaq	1:55a6170b404f	1187	mbedtls_md_type_t mgf1_hash_id,
nexpaq	1:55a6170b404f	1188	int expected_salt_len,
nexpaq	1:55a6170b404f	1189	const unsigned char *sig )
nexpaq	1:55a6170b404f	1190	{
nexpaq	1:55a6170b404f	1191	int ret;
nexpaq	1:55a6170b404f	1192	size_t siglen;
nexpaq	1:55a6170b404f	1193	unsigned char *p;
nexpaq	1:55a6170b404f	1194	unsigned char result[MBEDTLS_MD_MAX_SIZE];
nexpaq	1:55a6170b404f	1195	unsigned char zeros[8];
nexpaq	1:55a6170b404f	1196	unsigned int hlen;
nexpaq	1:55a6170b404f	1197	size_t slen, msb;
nexpaq	1:55a6170b404f	1198	const mbedtls_md_info_t *md_info;
nexpaq	1:55a6170b404f	1199	mbedtls_md_context_t md_ctx;
nexpaq	1:55a6170b404f	1200	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	1:55a6170b404f	1201
nexpaq	1:55a6170b404f	1202	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
nexpaq	1:55a6170b404f	1203	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1204
nexpaq	1:55a6170b404f	1205	siglen = ctx->len;
nexpaq	1:55a6170b404f	1206
nexpaq	1:55a6170b404f	1207	if( siglen < 16 \|\| siglen > sizeof( buf ) )
nexpaq	1:55a6170b404f	1208	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1209
nexpaq	1:55a6170b404f	1210	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	1211	? mbedtls_rsa_public( ctx, sig, buf )
nexpaq	1:55a6170b404f	1212	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
nexpaq	1:55a6170b404f	1213
nexpaq	1:55a6170b404f	1214	if( ret != 0 )
nexpaq	1:55a6170b404f	1215	return( ret );
nexpaq	1:55a6170b404f	1216
nexpaq	1:55a6170b404f	1217	p = buf;
nexpaq	1:55a6170b404f	1218
nexpaq	1:55a6170b404f	1219	if( buf[siglen - 1] != 0xBC )
nexpaq	1:55a6170b404f	1220	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	1221
nexpaq	1:55a6170b404f	1222	if( md_alg != MBEDTLS_MD_NONE )
nexpaq	1:55a6170b404f	1223	{
nexpaq	1:55a6170b404f	1224	/* Gather length of hash to sign */
nexpaq	1:55a6170b404f	1225	md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	1:55a6170b404f	1226	if( md_info == NULL )
nexpaq	1:55a6170b404f	1227	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1228
nexpaq	1:55a6170b404f	1229	hashlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	1230	}
nexpaq	1:55a6170b404f	1231
nexpaq	1:55a6170b404f	1232	md_info = mbedtls_md_info_from_type( mgf1_hash_id );
nexpaq	1:55a6170b404f	1233	if( md_info == NULL )
nexpaq	1:55a6170b404f	1234	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1235
nexpaq	1:55a6170b404f	1236	hlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	1237	slen = siglen - hlen - 1; /* Currently length of salt + padding */
nexpaq	1:55a6170b404f	1238
nexpaq	1:55a6170b404f	1239	memset( zeros, 0, 8 );
nexpaq	1:55a6170b404f	1240
nexpaq	1:55a6170b404f	1241	/*
nexpaq	1:55a6170b404f	1242	* Note: EMSA-PSS verification is over the length of N - 1 bits
nexpaq	1:55a6170b404f	1243	*/
nexpaq	1:55a6170b404f	1244	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
nexpaq	1:55a6170b404f	1245
nexpaq	1:55a6170b404f	1246	/* Compensate for boundary condition when applying mask */
nexpaq	1:55a6170b404f	1247	if( msb % 8 == 0 )
nexpaq	1:55a6170b404f	1248	{
nexpaq	1:55a6170b404f	1249	p++;
nexpaq	1:55a6170b404f	1250	siglen -= 1;
nexpaq	1:55a6170b404f	1251	}
nexpaq	1:55a6170b404f	1252	if( buf[0] >> ( 8 - siglen * 8 + msb ) )
nexpaq	1:55a6170b404f	1253	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1254
nexpaq	1:55a6170b404f	1255	mbedtls_md_init( &md_ctx );
nexpaq	1:55a6170b404f	1256	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
nexpaq	1:55a6170b404f	1257	{
nexpaq	1:55a6170b404f	1258	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	1259	return( ret );
nexpaq	1:55a6170b404f	1260	}
nexpaq	1:55a6170b404f	1261
nexpaq	1:55a6170b404f	1262	mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
nexpaq	1:55a6170b404f	1263
nexpaq	1:55a6170b404f	1264	buf[0] &= 0xFF >> ( siglen * 8 - msb );
nexpaq	1:55a6170b404f	1265
nexpaq	1:55a6170b404f	1266	while( p < buf + siglen && *p == 0 )
nexpaq	1:55a6170b404f	1267	p++;
nexpaq	1:55a6170b404f	1268
nexpaq	1:55a6170b404f	1269	if( p == buf + siglen \|\|
nexpaq	1:55a6170b404f	1270	*p++ != 0x01 )
nexpaq	1:55a6170b404f	1271	{
nexpaq	1:55a6170b404f	1272	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	1273	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	1274	}
nexpaq	1:55a6170b404f	1275
nexpaq	1:55a6170b404f	1276	/* Actual salt len */
nexpaq	1:55a6170b404f	1277	slen -= p - buf;
nexpaq	1:55a6170b404f	1278
nexpaq	1:55a6170b404f	1279	if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
nexpaq	1:55a6170b404f	1280	slen != (size_t) expected_salt_len )
nexpaq	1:55a6170b404f	1281	{
nexpaq	1:55a6170b404f	1282	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	1283	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	1284	}
nexpaq	1:55a6170b404f	1285
nexpaq	1:55a6170b404f	1286	/*
nexpaq	1:55a6170b404f	1287	* Generate H = Hash( M' )
nexpaq	1:55a6170b404f	1288	*/
nexpaq	1:55a6170b404f	1289	mbedtls_md_starts( &md_ctx );
nexpaq	1:55a6170b404f	1290	mbedtls_md_update( &md_ctx, zeros, 8 );
nexpaq	1:55a6170b404f	1291	mbedtls_md_update( &md_ctx, hash, hashlen );
nexpaq	1:55a6170b404f	1292	mbedtls_md_update( &md_ctx, p, slen );
nexpaq	1:55a6170b404f	1293	mbedtls_md_finish( &md_ctx, result );
nexpaq	1:55a6170b404f	1294
nexpaq	1:55a6170b404f	1295	mbedtls_md_free( &md_ctx );
nexpaq	1:55a6170b404f	1296
nexpaq	1:55a6170b404f	1297	if( memcmp( p + slen, result, hlen ) == 0 )
nexpaq	1:55a6170b404f	1298	return( 0 );
nexpaq	1:55a6170b404f	1299	else
nexpaq	1:55a6170b404f	1300	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1301	}
nexpaq	1:55a6170b404f	1302
nexpaq	1:55a6170b404f	1303	/*
nexpaq	1:55a6170b404f	1304	* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
nexpaq	1:55a6170b404f	1305	*/
nexpaq	1:55a6170b404f	1306	int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	1307	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	1308	void *p_rng,
nexpaq	1:55a6170b404f	1309	int mode,
nexpaq	1:55a6170b404f	1310	mbedtls_md_type_t md_alg,
nexpaq	1:55a6170b404f	1311	unsigned int hashlen,
nexpaq	1:55a6170b404f	1312	const unsigned char *hash,
nexpaq	1:55a6170b404f	1313	const unsigned char *sig )
nexpaq	1:55a6170b404f	1314	{
nexpaq	1:55a6170b404f	1315	mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
nexpaq	1:55a6170b404f	1316	? (mbedtls_md_type_t) ctx->hash_id
nexpaq	1:55a6170b404f	1317	: md_alg;
nexpaq	1:55a6170b404f	1318
nexpaq	1:55a6170b404f	1319	return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
nexpaq	1:55a6170b404f	1320	md_alg, hashlen, hash,
nexpaq	1:55a6170b404f	1321	mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
nexpaq	1:55a6170b404f	1322	sig ) );
nexpaq	1:55a6170b404f	1323
nexpaq	1:55a6170b404f	1324	}
nexpaq	1:55a6170b404f	1325	#endif /* MBEDTLS_PKCS1_V21 */
nexpaq	1:55a6170b404f	1326
nexpaq	1:55a6170b404f	1327	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	1328	/*
nexpaq	1:55a6170b404f	1329	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
nexpaq	1:55a6170b404f	1330	*/
nexpaq	1:55a6170b404f	1331	int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	1332	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	1333	void *p_rng,
nexpaq	1:55a6170b404f	1334	int mode,
nexpaq	1:55a6170b404f	1335	mbedtls_md_type_t md_alg,
nexpaq	1:55a6170b404f	1336	unsigned int hashlen,
nexpaq	1:55a6170b404f	1337	const unsigned char *hash,
nexpaq	1:55a6170b404f	1338	const unsigned char *sig )
nexpaq	1:55a6170b404f	1339	{
nexpaq	1:55a6170b404f	1340	int ret;
nexpaq	1:55a6170b404f	1341	size_t len, siglen, asn1_len;
nexpaq	1:55a6170b404f	1342	unsigned char p, end;
nexpaq	1:55a6170b404f	1343	mbedtls_md_type_t msg_md_alg;
nexpaq	1:55a6170b404f	1344	const mbedtls_md_info_t *md_info;
nexpaq	1:55a6170b404f	1345	mbedtls_asn1_buf oid;
nexpaq	1:55a6170b404f	1346	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
nexpaq	1:55a6170b404f	1347
nexpaq	1:55a6170b404f	1348	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
nexpaq	1:55a6170b404f	1349	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1350
nexpaq	1:55a6170b404f	1351	siglen = ctx->len;
nexpaq	1:55a6170b404f	1352
nexpaq	1:55a6170b404f	1353	if( siglen < 16 \|\| siglen > sizeof( buf ) )
nexpaq	1:55a6170b404f	1354	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1355
nexpaq	1:55a6170b404f	1356	ret = ( mode == MBEDTLS_RSA_PUBLIC )
nexpaq	1:55a6170b404f	1357	? mbedtls_rsa_public( ctx, sig, buf )
nexpaq	1:55a6170b404f	1358	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
nexpaq	1:55a6170b404f	1359
nexpaq	1:55a6170b404f	1360	if( ret != 0 )
nexpaq	1:55a6170b404f	1361	return( ret );
nexpaq	1:55a6170b404f	1362
nexpaq	1:55a6170b404f	1363	p = buf;
nexpaq	1:55a6170b404f	1364
nexpaq	1:55a6170b404f	1365	if( p++ != 0 \|\| p++ != MBEDTLS_RSA_SIGN )
nexpaq	1:55a6170b404f	1366	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	1367
nexpaq	1:55a6170b404f	1368	while( *p != 0 )
nexpaq	1:55a6170b404f	1369	{
nexpaq	1:55a6170b404f	1370	if( p >= buf + siglen - 1 \|\| *p != 0xFF )
nexpaq	1:55a6170b404f	1371	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	1372	p++;
nexpaq	1:55a6170b404f	1373	}
nexpaq	1:55a6170b404f	1374	p++;
nexpaq	1:55a6170b404f	1375
nexpaq	1:55a6170b404f	1376	len = siglen - ( p - buf );
nexpaq	1:55a6170b404f	1377
nexpaq	1:55a6170b404f	1378	if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
nexpaq	1:55a6170b404f	1379	{
nexpaq	1:55a6170b404f	1380	if( memcmp( p, hash, hashlen ) == 0 )
nexpaq	1:55a6170b404f	1381	return( 0 );
nexpaq	1:55a6170b404f	1382	else
nexpaq	1:55a6170b404f	1383	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1384	}
nexpaq	1:55a6170b404f	1385
nexpaq	1:55a6170b404f	1386	md_info = mbedtls_md_info_from_type( md_alg );
nexpaq	1:55a6170b404f	1387	if( md_info == NULL )
nexpaq	1:55a6170b404f	1388	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
nexpaq	1:55a6170b404f	1389	hashlen = mbedtls_md_get_size( md_info );
nexpaq	1:55a6170b404f	1390
nexpaq	1:55a6170b404f	1391	end = p + len;
nexpaq	1:55a6170b404f	1392
nexpaq	1:55a6170b404f	1393	/*
nexpaq	1:55a6170b404f	1394	* Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
nexpaq	1:55a6170b404f	1395	*/
nexpaq	1:55a6170b404f	1396	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
nexpaq	1:55a6170b404f	1397	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	1:55a6170b404f	1398	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1399
nexpaq	1:55a6170b404f	1400	if( asn1_len + 2 != len )
nexpaq	1:55a6170b404f	1401	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1402
nexpaq	1:55a6170b404f	1403	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
nexpaq	1:55a6170b404f	1404	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	1:55a6170b404f	1405	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1406
nexpaq	1:55a6170b404f	1407	if( asn1_len + 6 + hashlen != len )
nexpaq	1:55a6170b404f	1408	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1409
nexpaq	1:55a6170b404f	1410	if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
nexpaq	1:55a6170b404f	1411	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1412
nexpaq	1:55a6170b404f	1413	oid.p = p;
nexpaq	1:55a6170b404f	1414	p += oid.len;
nexpaq	1:55a6170b404f	1415
nexpaq	1:55a6170b404f	1416	if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
nexpaq	1:55a6170b404f	1417	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1418
nexpaq	1:55a6170b404f	1419	if( md_alg != msg_md_alg )
nexpaq	1:55a6170b404f	1420	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1421
nexpaq	1:55a6170b404f	1422	/*
nexpaq	1:55a6170b404f	1423	* assume the algorithm parameters must be NULL
nexpaq	1:55a6170b404f	1424	*/
nexpaq	1:55a6170b404f	1425	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
nexpaq	1:55a6170b404f	1426	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1427
nexpaq	1:55a6170b404f	1428	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
nexpaq	1:55a6170b404f	1429	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1430
nexpaq	1:55a6170b404f	1431	if( asn1_len != hashlen )
nexpaq	1:55a6170b404f	1432	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1433
nexpaq	1:55a6170b404f	1434	if( memcmp( p, hash, hashlen ) != 0 )
nexpaq	1:55a6170b404f	1435	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1436
nexpaq	1:55a6170b404f	1437	p += hashlen;
nexpaq	1:55a6170b404f	1438
nexpaq	1:55a6170b404f	1439	if( p != end )
nexpaq	1:55a6170b404f	1440	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
nexpaq	1:55a6170b404f	1441
nexpaq	1:55a6170b404f	1442	return( 0 );
nexpaq	1:55a6170b404f	1443	}
nexpaq	1:55a6170b404f	1444	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	1:55a6170b404f	1445
nexpaq	1:55a6170b404f	1446	/*
nexpaq	1:55a6170b404f	1447	* Do an RSA operation and check the message digest
nexpaq	1:55a6170b404f	1448	*/
nexpaq	1:55a6170b404f	1449	int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
nexpaq	1:55a6170b404f	1450	int (f_rng)(void , unsigned char *, size_t),
nexpaq	1:55a6170b404f	1451	void *p_rng,
nexpaq	1:55a6170b404f	1452	int mode,
nexpaq	1:55a6170b404f	1453	mbedtls_md_type_t md_alg,
nexpaq	1:55a6170b404f	1454	unsigned int hashlen,
nexpaq	1:55a6170b404f	1455	const unsigned char *hash,
nexpaq	1:55a6170b404f	1456	const unsigned char *sig )
nexpaq	1:55a6170b404f	1457	{
nexpaq	1:55a6170b404f	1458	switch( ctx->padding )
nexpaq	1:55a6170b404f	1459	{
nexpaq	1:55a6170b404f	1460	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	1461	case MBEDTLS_RSA_PKCS_V15:
nexpaq	1:55a6170b404f	1462	return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	1:55a6170b404f	1463	hashlen, hash, sig );
nexpaq	1:55a6170b404f	1464	#endif
nexpaq	1:55a6170b404f	1465
nexpaq	1:55a6170b404f	1466	#if defined(MBEDTLS_PKCS1_V21)
nexpaq	1:55a6170b404f	1467	case MBEDTLS_RSA_PKCS_V21:
nexpaq	1:55a6170b404f	1468	return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
nexpaq	1:55a6170b404f	1469	hashlen, hash, sig );
nexpaq	1:55a6170b404f	1470	#endif
nexpaq	1:55a6170b404f	1471
nexpaq	1:55a6170b404f	1472	default:
nexpaq	1:55a6170b404f	1473	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
nexpaq	1:55a6170b404f	1474	}
nexpaq	1:55a6170b404f	1475	}
nexpaq	1:55a6170b404f	1476
nexpaq	1:55a6170b404f	1477	/*
nexpaq	1:55a6170b404f	1478	* Copy the components of an RSA key
nexpaq	1:55a6170b404f	1479	*/
nexpaq	1:55a6170b404f	1480	int mbedtls_rsa_copy( mbedtls_rsa_context dst, const mbedtls_rsa_context src )
nexpaq	1:55a6170b404f	1481	{
nexpaq	1:55a6170b404f	1482	int ret;
nexpaq	1:55a6170b404f	1483
nexpaq	1:55a6170b404f	1484	dst->ver = src->ver;
nexpaq	1:55a6170b404f	1485	dst->len = src->len;
nexpaq	1:55a6170b404f	1486
nexpaq	1:55a6170b404f	1487	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
nexpaq	1:55a6170b404f	1488	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
nexpaq	1:55a6170b404f	1489
nexpaq	1:55a6170b404f	1490	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
nexpaq	1:55a6170b404f	1491	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
nexpaq	1:55a6170b404f	1492	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
nexpaq	1:55a6170b404f	1493	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
nexpaq	1:55a6170b404f	1494	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
nexpaq	1:55a6170b404f	1495	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
nexpaq	1:55a6170b404f	1496
nexpaq	1:55a6170b404f	1497	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
nexpaq	1:55a6170b404f	1498	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
nexpaq	1:55a6170b404f	1499	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
nexpaq	1:55a6170b404f	1500
nexpaq	1:55a6170b404f	1501	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
nexpaq	1:55a6170b404f	1502	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
nexpaq	1:55a6170b404f	1503
nexpaq	1:55a6170b404f	1504	dst->padding = src->padding;
nexpaq	1:55a6170b404f	1505	dst->hash_id = src->hash_id;
nexpaq	1:55a6170b404f	1506
nexpaq	1:55a6170b404f	1507	cleanup:
nexpaq	1:55a6170b404f	1508	if( ret != 0 )
nexpaq	1:55a6170b404f	1509	mbedtls_rsa_free( dst );
nexpaq	1:55a6170b404f	1510
nexpaq	1:55a6170b404f	1511	return( ret );
nexpaq	1:55a6170b404f	1512	}
nexpaq	1:55a6170b404f	1513
nexpaq	1:55a6170b404f	1514	/*
nexpaq	1:55a6170b404f	1515	* Free the components of an RSA key
nexpaq	1:55a6170b404f	1516	*/
nexpaq	1:55a6170b404f	1517	void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
nexpaq	1:55a6170b404f	1518	{
nexpaq	1:55a6170b404f	1519	mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
nexpaq	1:55a6170b404f	1520	mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
nexpaq	1:55a6170b404f	1521	mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
nexpaq	1:55a6170b404f	1522	mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
nexpaq	1:55a6170b404f	1523	mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
nexpaq	1:55a6170b404f	1524
nexpaq	1:55a6170b404f	1525	#if defined(MBEDTLS_THREADING_C)
nexpaq	1:55a6170b404f	1526	mbedtls_mutex_free( &ctx->mutex );
nexpaq	1:55a6170b404f	1527	#endif
nexpaq	1:55a6170b404f	1528	}
nexpaq	1:55a6170b404f	1529
nexpaq	1:55a6170b404f	1530	#if defined(MBEDTLS_SELF_TEST)
nexpaq	1:55a6170b404f	1531
nexpaq	1:55a6170b404f	1532	#include "mbedtls/sha1.h"
nexpaq	1:55a6170b404f	1533
nexpaq	1:55a6170b404f	1534	/*
nexpaq	1:55a6170b404f	1535	* Example RSA-1024 keypair, for test purposes
nexpaq	1:55a6170b404f	1536	*/
nexpaq	1:55a6170b404f	1537	#define KEY_LEN 128
nexpaq	1:55a6170b404f	1538
nexpaq	1:55a6170b404f	1539	#define RSA_N "9292758453063D803DD603D5E777D788" \
nexpaq	1:55a6170b404f	1540	"8ED1D5BF35786190FA2F23EBC0848AEA" \
nexpaq	1:55a6170b404f	1541	"DDA92CA6C3D80B32C4D109BE0F36D6AE" \
nexpaq	1:55a6170b404f	1542	"7130B9CED7ACDF54CFC7555AC14EEBAB" \
nexpaq	1:55a6170b404f	1543	"93A89813FBF3C4F8066D2D800F7C38A8" \
nexpaq	1:55a6170b404f	1544	"1AE31942917403FF4946B0A83D3D3E05" \
nexpaq	1:55a6170b404f	1545	"EE57C6F5F5606FB5D4BC6CD34EE0801A" \
nexpaq	1:55a6170b404f	1546	"5E94BB77B07507233A0BC7BAC8F90F79"
nexpaq	1:55a6170b404f	1547
nexpaq	1:55a6170b404f	1548	#define RSA_E "10001"
nexpaq	1:55a6170b404f	1549
nexpaq	1:55a6170b404f	1550	#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
nexpaq	1:55a6170b404f	1551	"66CA472BC44D253102F8B4A9D3BFA750" \
nexpaq	1:55a6170b404f	1552	"91386C0077937FE33FA3252D28855837" \
nexpaq	1:55a6170b404f	1553	"AE1B484A8A9A45F7EE8C0C634F99E8CD" \
nexpaq	1:55a6170b404f	1554	"DF79C5CE07EE72C7F123142198164234" \
nexpaq	1:55a6170b404f	1555	"CABB724CF78B8173B9F880FC86322407" \
nexpaq	1:55a6170b404f	1556	"AF1FEDFDDE2BEB674CA15F3E81A1521E" \
nexpaq	1:55a6170b404f	1557	"071513A1E85B5DFA031F21ECAE91A34D"
nexpaq	1:55a6170b404f	1558
nexpaq	1:55a6170b404f	1559	#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
nexpaq	1:55a6170b404f	1560	"2C01CAD19EA484A87EA4377637E75500" \
nexpaq	1:55a6170b404f	1561	"FCB2005C5C7DD6EC4AC023CDA285D796" \
nexpaq	1:55a6170b404f	1562	"C3D9E75E1EFC42488BB4F1D13AC30A57"
nexpaq	1:55a6170b404f	1563
nexpaq	1:55a6170b404f	1564	#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
nexpaq	1:55a6170b404f	1565	"E211C2B9E5DB1ED0BF61D0D9899620F4" \
nexpaq	1:55a6170b404f	1566	"910E4168387E3C30AA1E00C339A79508" \
nexpaq	1:55a6170b404f	1567	"8452DD96A9A5EA5D9DCA68DA636032AF"
nexpaq	1:55a6170b404f	1568
nexpaq	1:55a6170b404f	1569	#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
nexpaq	1:55a6170b404f	1570	"3C94D22288ACD763FD8E5600ED4A702D" \
nexpaq	1:55a6170b404f	1571	"F84198A5F06C2E72236AE490C93F07F8" \
nexpaq	1:55a6170b404f	1572	"3CC559CD27BC2D1CA488811730BB5725"
nexpaq	1:55a6170b404f	1573
nexpaq	1:55a6170b404f	1574	#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
nexpaq	1:55a6170b404f	1575	"D8AAEA56749EA28623272E4F7D0592AF" \
nexpaq	1:55a6170b404f	1576	"7C1F1313CAC9471B5C523BFE592F517B" \
nexpaq	1:55a6170b404f	1577	"407A1BD76C164B93DA2D32A383E58357"
nexpaq	1:55a6170b404f	1578
nexpaq	1:55a6170b404f	1579	#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
nexpaq	1:55a6170b404f	1580	"F38D18D2B2F0E2DD275AA977E2BF4411" \
nexpaq	1:55a6170b404f	1581	"F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
nexpaq	1:55a6170b404f	1582	"A74206CEC169D74BF5A8C50D6F48EA08"
nexpaq	1:55a6170b404f	1583
nexpaq	1:55a6170b404f	1584	#define PT_LEN 24
nexpaq	1:55a6170b404f	1585	#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
nexpaq	1:55a6170b404f	1586	"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
nexpaq	1:55a6170b404f	1587
nexpaq	1:55a6170b404f	1588	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	1589	static int myrand( void rng_state, unsigned char output, size_t len )
nexpaq	1:55a6170b404f	1590	{
nexpaq	1:55a6170b404f	1591	#if !defined(__OpenBSD__)
nexpaq	1:55a6170b404f	1592	size_t i;
nexpaq	1:55a6170b404f	1593
nexpaq	1:55a6170b404f	1594	if( rng_state != NULL )
nexpaq	1:55a6170b404f	1595	rng_state = NULL;
nexpaq	1:55a6170b404f	1596
nexpaq	1:55a6170b404f	1597	for( i = 0; i < len; ++i )
nexpaq	1:55a6170b404f	1598	output[i] = rand();
nexpaq	1:55a6170b404f	1599	#else
nexpaq	1:55a6170b404f	1600	if( rng_state != NULL )
nexpaq	1:55a6170b404f	1601	rng_state = NULL;
nexpaq	1:55a6170b404f	1602
nexpaq	1:55a6170b404f	1603	arc4random_buf( output, len );
nexpaq	1:55a6170b404f	1604	#endif /* !OpenBSD */
nexpaq	1:55a6170b404f	1605
nexpaq	1:55a6170b404f	1606	return( 0 );
nexpaq	1:55a6170b404f	1607	}
nexpaq	1:55a6170b404f	1608	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	1:55a6170b404f	1609
nexpaq	1:55a6170b404f	1610	/*
nexpaq	1:55a6170b404f	1611	* Checkup routine
nexpaq	1:55a6170b404f	1612	*/
nexpaq	1:55a6170b404f	1613	int mbedtls_rsa_self_test( int verbose )
nexpaq	1:55a6170b404f	1614	{
nexpaq	1:55a6170b404f	1615	int ret = 0;
nexpaq	1:55a6170b404f	1616	#if defined(MBEDTLS_PKCS1_V15)
nexpaq	1:55a6170b404f	1617	size_t len;
nexpaq	1:55a6170b404f	1618	mbedtls_rsa_context rsa;
nexpaq	1:55a6170b404f	1619	unsigned char rsa_plaintext[PT_LEN];
nexpaq	1:55a6170b404f	1620	unsigned char rsa_decrypted[PT_LEN];
nexpaq	1:55a6170b404f	1621	unsigned char rsa_ciphertext[KEY_LEN];
nexpaq	1:55a6170b404f	1622	#if defined(MBEDTLS_SHA1_C)
nexpaq	1:55a6170b404f	1623	unsigned char sha1sum[20];
nexpaq	1:55a6170b404f	1624	#endif
nexpaq	1:55a6170b404f	1625
nexpaq	1:55a6170b404f	1626	mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
nexpaq	1:55a6170b404f	1627
nexpaq	1:55a6170b404f	1628	rsa.len = KEY_LEN;
nexpaq	1:55a6170b404f	1629	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
nexpaq	1:55a6170b404f	1630	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
nexpaq	1:55a6170b404f	1631	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
nexpaq	1:55a6170b404f	1632	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
nexpaq	1:55a6170b404f	1633	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
nexpaq	1:55a6170b404f	1634	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
nexpaq	1:55a6170b404f	1635	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
nexpaq	1:55a6170b404f	1636	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
nexpaq	1:55a6170b404f	1637
nexpaq	1:55a6170b404f	1638	if( verbose != 0 )
nexpaq	1:55a6170b404f	1639	mbedtls_printf( " RSA key validation: " );
nexpaq	1:55a6170b404f	1640
nexpaq	1:55a6170b404f	1641	if( mbedtls_rsa_check_pubkey( &rsa ) != 0 \|\|
nexpaq	1:55a6170b404f	1642	mbedtls_rsa_check_privkey( &rsa ) != 0 )
nexpaq	1:55a6170b404f	1643	{
nexpaq	1:55a6170b404f	1644	if( verbose != 0 )
nexpaq	1:55a6170b404f	1645	mbedtls_printf( "failed\n" );
nexpaq	1:55a6170b404f	1646
nexpaq	1:55a6170b404f	1647	return( 1 );
nexpaq	1:55a6170b404f	1648	}
nexpaq	1:55a6170b404f	1649
nexpaq	1:55a6170b404f	1650	if( verbose != 0 )
nexpaq	1:55a6170b404f	1651	mbedtls_printf( "passed\n PKCS#1 encryption : " );
nexpaq	1:55a6170b404f	1652
nexpaq	1:55a6170b404f	1653	memcpy( rsa_plaintext, RSA_PT, PT_LEN );
nexpaq	1:55a6170b404f	1654
nexpaq	1:55a6170b404f	1655	if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
nexpaq	1:55a6170b404f	1656	rsa_plaintext, rsa_ciphertext ) != 0 )
nexpaq	1:55a6170b404f	1657	{
nexpaq	1:55a6170b404f	1658	if( verbose != 0 )
nexpaq	1:55a6170b404f	1659	mbedtls_printf( "failed\n" );
nexpaq	1:55a6170b404f	1660
nexpaq	1:55a6170b404f	1661	return( 1 );
nexpaq	1:55a6170b404f	1662	}
nexpaq	1:55a6170b404f	1663
nexpaq	1:55a6170b404f	1664	if( verbose != 0 )
nexpaq	1:55a6170b404f	1665	mbedtls_printf( "passed\n PKCS#1 decryption : " );
nexpaq	1:55a6170b404f	1666
nexpaq	1:55a6170b404f	1667	if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
nexpaq	1:55a6170b404f	1668	rsa_ciphertext, rsa_decrypted,
nexpaq	1:55a6170b404f	1669	sizeof(rsa_decrypted) ) != 0 )
nexpaq	1:55a6170b404f	1670	{
nexpaq	1:55a6170b404f	1671	if( verbose != 0 )
nexpaq	1:55a6170b404f	1672	mbedtls_printf( "failed\n" );
nexpaq	1:55a6170b404f	1673
nexpaq	1:55a6170b404f	1674	return( 1 );
nexpaq	1:55a6170b404f	1675	}
nexpaq	1:55a6170b404f	1676
nexpaq	1:55a6170b404f	1677	if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
nexpaq	1:55a6170b404f	1678	{
nexpaq	1:55a6170b404f	1679	if( verbose != 0 )
nexpaq	1:55a6170b404f	1680	mbedtls_printf( "failed\n" );
nexpaq	1:55a6170b404f	1681
nexpaq	1:55a6170b404f	1682	return( 1 );
nexpaq	1:55a6170b404f	1683	}
nexpaq	1:55a6170b404f	1684
nexpaq	1:55a6170b404f	1685	if( verbose != 0 )
nexpaq	1:55a6170b404f	1686	mbedtls_printf( "passed\n" );
nexpaq	1:55a6170b404f	1687
nexpaq	1:55a6170b404f	1688	#if defined(MBEDTLS_SHA1_C)
nexpaq	1:55a6170b404f	1689	if( verbose != 0 )
nexpaq	1:55a6170b404f	1690	mbedtls_printf( " PKCS#1 data sign : " );
nexpaq	1:55a6170b404f	1691
nexpaq	1:55a6170b404f	1692	mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
nexpaq	1:55a6170b404f	1693
nexpaq	1:55a6170b404f	1694	if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
nexpaq	1:55a6170b404f	1695	sha1sum, rsa_ciphertext ) != 0 )
nexpaq	1:55a6170b404f	1696	{
nexpaq	1:55a6170b404f	1697	if( verbose != 0 )
nexpaq	1:55a6170b404f	1698	mbedtls_printf( "failed\n" );
nexpaq	1:55a6170b404f	1699
nexpaq	1:55a6170b404f	1700	return( 1 );
nexpaq	1:55a6170b404f	1701	}
nexpaq	1:55a6170b404f	1702
nexpaq	1:55a6170b404f	1703	if( verbose != 0 )
nexpaq	1:55a6170b404f	1704	mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
nexpaq	1:55a6170b404f	1705
nexpaq	1:55a6170b404f	1706	if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
nexpaq	1:55a6170b404f	1707	sha1sum, rsa_ciphertext ) != 0 )
nexpaq	1:55a6170b404f	1708	{
nexpaq	1:55a6170b404f	1709	if( verbose != 0 )
nexpaq	1:55a6170b404f	1710	mbedtls_printf( "failed\n" );
nexpaq	1:55a6170b404f	1711
nexpaq	1:55a6170b404f	1712	return( 1 );
nexpaq	1:55a6170b404f	1713	}
nexpaq	1:55a6170b404f	1714
nexpaq	1:55a6170b404f	1715	if( verbose != 0 )
nexpaq	1:55a6170b404f	1716	mbedtls_printf( "passed\n" );
nexpaq	1:55a6170b404f	1717	#endif /* MBEDTLS_SHA1_C */
nexpaq	1:55a6170b404f	1718
nexpaq	1:55a6170b404f	1719	if( verbose != 0 )
nexpaq	1:55a6170b404f	1720	mbedtls_printf( "\n" );
nexpaq	1:55a6170b404f	1721
nexpaq	1:55a6170b404f	1722	cleanup:
nexpaq	1:55a6170b404f	1723	mbedtls_rsa_free( &rsa );
nexpaq	1:55a6170b404f	1724	#else /* MBEDTLS_PKCS1_V15 */
nexpaq	1:55a6170b404f	1725	((void) verbose);
nexpaq	1:55a6170b404f	1726	#endif /* MBEDTLS_PKCS1_V15 */
nexpaq	1:55a6170b404f	1727	return( ret );
nexpaq	1:55a6170b404f	1728	}
nexpaq	1:55a6170b404f	1729
nexpaq	1:55a6170b404f	1730	#endif /* MBEDTLS_SELF_TEST */
nexpaq	1:55a6170b404f	1731
nexpaq	1:55a6170b404f	1732	#endif /* MBEDTLS_RSA_C */

Repository toolbox

Export to desktop IDE

Build repository

Repository details

Type:	Program
Created:	04 Nov 2016
Imports:	0
Forks:	0
Commits:	8
Dependents:	0
Dependencies:	2
Followers:	1

mbd_os/features/mbedtls/src/rsa.c@7:3a65ef12ba31, 2016-11-04 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning