]> cvs.zerfleddert.de Git - proxmark3-svn/blame_incremental - common/mbedtls/rsa.c
Merge pull request #969 from pwpiwi/gcc10_fixes
[proxmark3-svn] / common / mbedtls / rsa.c
... / ...
CommitLineData
1/*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24/*
25 * The following sources were referenced in the design of this implementation
26 * of the RSA algorithm:
27 *
28 * [1] A method for obtaining digital signatures and public-key cryptosystems
29 * R Rivest, A Shamir, and L Adleman
30 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
31 *
32 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
33 * Menezes, van Oorschot and Vanstone
34 *
35 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
36 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
37 * Stefan Mangard
38 * https://arxiv.org/abs/1702.08719v2
39 *
40 */
41
42#if !defined(MBEDTLS_CONFIG_FILE)
43#include "mbedtls/config.h"
44#else
45#include MBEDTLS_CONFIG_FILE
46#endif
47
48#if defined(MBEDTLS_RSA_C)
49
50#include "mbedtls/rsa.h"
51#include "mbedtls/rsa_internal.h"
52#include "mbedtls/oid.h"
53#include "mbedtls/platform_util.h"
54
55#include <string.h>
56
57#if defined(MBEDTLS_PKCS1_V21)
58#include "mbedtls/md.h"
59#endif
60
61#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
62#include <stdlib.h>
63#endif
64
65#if defined(MBEDTLS_PLATFORM_C)
66#include "mbedtls/platform.h"
67#else
68#include <stdio.h>
69#define mbedtls_printf printf
70#define mbedtls_calloc calloc
71#define mbedtls_free free
72#endif
73
74#if !defined(MBEDTLS_RSA_ALT)
75
76#if defined(MBEDTLS_PKCS1_V15)
77/* constant-time buffer comparison */
78static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
79{
80 size_t i;
81 const unsigned char *A = (const unsigned char *) a;
82 const unsigned char *B = (const unsigned char *) b;
83 unsigned char diff = 0;
84
85 for( i = 0; i < n; i++ )
86 diff |= A[i] ^ B[i];
87
88 return( diff );
89}
90#endif /* MBEDTLS_PKCS1_V15 */
91
92int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
93 const mbedtls_mpi *N,
94 const mbedtls_mpi *P, const mbedtls_mpi *Q,
95 const mbedtls_mpi *D, const mbedtls_mpi *E )
96{
97 int ret;
98
99 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
100 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
101 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
102 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
103 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
104 {
105 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
106 }
107
108 if( N != NULL )
109 ctx->len = mbedtls_mpi_size( &ctx->N );
110
111 return( 0 );
112}
113
114int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
115 unsigned char const *N, size_t N_len,
116 unsigned char const *P, size_t P_len,
117 unsigned char const *Q, size_t Q_len,
118 unsigned char const *D, size_t D_len,
119 unsigned char const *E, size_t E_len )
120{
121 int ret = 0;
122
123 if( N != NULL )
124 {
125 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
126 ctx->len = mbedtls_mpi_size( &ctx->N );
127 }
128
129 if( P != NULL )
130 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
131
132 if( Q != NULL )
133 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
134
135 if( D != NULL )
136 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
137
138 if( E != NULL )
139 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
140
141cleanup:
142
143 if( ret != 0 )
144 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
145
146 return( 0 );
147}
148
149/*
150 * Checks whether the context fields are set in such a way
151 * that the RSA primitives will be able to execute without error.
152 * It does *not* make guarantees for consistency of the parameters.
153 */
154static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
155 int blinding_needed )
156{
157#if !defined(MBEDTLS_RSA_NO_CRT)
158 /* blinding_needed is only used for NO_CRT to decide whether
159 * P,Q need to be present or not. */
160 ((void) blinding_needed);
161#endif
162
163 if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
164 ctx->len > MBEDTLS_MPI_MAX_SIZE )
165 {
166 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
167 }
168
169 /*
170 * 1. Modular exponentiation needs positive, odd moduli.
171 */
172
173 /* Modular exponentiation wrt. N is always used for
174 * RSA public key operations. */
175 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
176 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
177 {
178 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
179 }
180
181#if !defined(MBEDTLS_RSA_NO_CRT)
182 /* Modular exponentiation for P and Q is only
183 * used for private key operations and if CRT
184 * is used. */
185 if( is_priv &&
186 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
187 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
188 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
189 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
190 {
191 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
192 }
193#endif /* !MBEDTLS_RSA_NO_CRT */
194
195 /*
196 * 2. Exponents must be positive
197 */
198
199 /* Always need E for public key operations */
200 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
201 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
202
203#if defined(MBEDTLS_RSA_NO_CRT)
204 /* For private key operations, use D or DP & DQ
205 * as (unblinded) exponents. */
206 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
207 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
208#else
209 if( is_priv &&
210 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
211 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
212 {
213 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
214 }
215#endif /* MBEDTLS_RSA_NO_CRT */
216
217 /* Blinding shouldn't make exponents negative either,
218 * so check that P, Q >= 1 if that hasn't yet been
219 * done as part of 1. */
220#if defined(MBEDTLS_RSA_NO_CRT)
221 if( is_priv && blinding_needed &&
222 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
223 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
224 {
225 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
226 }
227#endif
228
229 /* It wouldn't lead to an error if it wasn't satisfied,
230 * but check for QP >= 1 nonetheless. */
231#if !defined(MBEDTLS_RSA_NO_CRT)
232 if( is_priv &&
233 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
234 {
235 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
236 }
237#endif
238
239 return( 0 );
240}
241
242int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
243{
244 int ret = 0;
245
246 const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
247 const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
248 const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
249 const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
250 const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
251
252 /*
253 * Check whether provided parameters are enough
254 * to deduce all others. The following incomplete
255 * parameter sets for private keys are supported:
256 *
257 * (1) P, Q missing.
258 * (2) D and potentially N missing.
259 *
260 */
261
262 const int n_missing = have_P && have_Q && have_D && have_E;
263 const int pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
264 const int d_missing = have_P && have_Q && !have_D && have_E;
265 const int is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
266
267 /* These three alternatives are mutually exclusive */
268 const int is_priv = n_missing || pq_missing || d_missing;
269
270 if( !is_priv && !is_pub )
271 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
272
273 /*
274 * Step 1: Deduce N if P, Q are provided.
275 */
276
277 if( !have_N && have_P && have_Q )
278 {
279 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
280 &ctx->Q ) ) != 0 )
281 {
282 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
283 }
284
285 ctx->len = mbedtls_mpi_size( &ctx->N );
286 }
287
288 /*
289 * Step 2: Deduce and verify all remaining core parameters.
290 */
291
292 if( pq_missing )
293 {
294 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
295 &ctx->P, &ctx->Q );
296 if( ret != 0 )
297 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
298
299 }
300 else if( d_missing )
301 {
302 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
303 &ctx->Q,
304 &ctx->E,
305 &ctx->D ) ) != 0 )
306 {
307 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
308 }
309 }
310
311 /*
312 * Step 3: Deduce all additional parameters specific
313 * to our current RSA implementation.
314 */
315
316#if !defined(MBEDTLS_RSA_NO_CRT)
317 if( is_priv )
318 {
319 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
320 &ctx->DP, &ctx->DQ, &ctx->QP );
321 if( ret != 0 )
322 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
323 }
324#endif /* MBEDTLS_RSA_NO_CRT */
325
326 /*
327 * Step 3: Basic sanity checks
328 */
329
330 return( rsa_check_context( ctx, is_priv, 1 ) );
331}
332
333int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
334 unsigned char *N, size_t N_len,
335 unsigned char *P, size_t P_len,
336 unsigned char *Q, size_t Q_len,
337 unsigned char *D, size_t D_len,
338 unsigned char *E, size_t E_len )
339{
340 int ret = 0;
341
342 /* Check if key is private or public */
343 const int is_priv =
344 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
345 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
346 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
347 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
348 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
349
350 if( !is_priv )
351 {
352 /* If we're trying to export private parameters for a public key,
353 * something must be wrong. */
354 if( P != NULL || Q != NULL || D != NULL )
355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
356
357 }
358
359 if( N != NULL )
360 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
361
362 if( P != NULL )
363 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
364
365 if( Q != NULL )
366 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
367
368 if( D != NULL )
369 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
370
371 if( E != NULL )
372 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
373
374cleanup:
375
376 return( ret );
377}
378
379int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
380 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
381 mbedtls_mpi *D, mbedtls_mpi *E )
382{
383 int ret;
384
385 /* Check if key is private or public */
386 int is_priv =
387 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
388 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
389 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
390 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
391 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
392
393 if( !is_priv )
394 {
395 /* If we're trying to export private parameters for a public key,
396 * something must be wrong. */
397 if( P != NULL || Q != NULL || D != NULL )
398 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
399
400 }
401
402 /* Export all requested core parameters. */
403
404 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
405 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
406 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
407 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
408 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
409 {
410 return( ret );
411 }
412
413 return( 0 );
414}
415
416/*
417 * Export CRT parameters
418 * This must also be implemented if CRT is not used, for being able to
419 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
420 * can be used in this case.
421 */
422int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
423 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
424{
425 int ret;
426
427 /* Check if key is private or public */
428 int is_priv =
429 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
430 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
431 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
432 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
433 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
434
435 if( !is_priv )
436 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
437
438#if !defined(MBEDTLS_RSA_NO_CRT)
439 /* Export all requested blinding parameters. */
440 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
441 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
442 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
443 {
444 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
445 }
446#else
447 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
448 DP, DQ, QP ) ) != 0 )
449 {
450 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
451 }
452#endif
453
454 return( 0 );
455}
456
457/*
458 * Initialize an RSA context
459 */
460void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
461 int padding,
462 int hash_id )
463{
464 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
465
466 mbedtls_rsa_set_padding( ctx, padding, hash_id );
467
468#if defined(MBEDTLS_THREADING_C)
469 mbedtls_mutex_init( &ctx->mutex );
470#endif
471}
472
473/*
474 * Set padding for an existing RSA context
475 */
476void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
477{
478 ctx->padding = padding;
479 ctx->hash_id = hash_id;
480}
481
482/*
483 * Get length in bytes of RSA modulus
484 */
485
486size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
487{
488 return( ctx->len );
489}
490
491
492#if defined(MBEDTLS_GENPRIME)
493
494/*
495 * Generate an RSA keypair
496 *
497 * This generation method follows the RSA key pair generation procedure of
498 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
499 */
500int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
501 int (*f_rng)(void *, unsigned char *, size_t),
502 void *p_rng,
503 unsigned int nbits, int exponent )
504{
505 int ret;
506 mbedtls_mpi H, G, L;
507
508 if( f_rng == NULL || nbits < 128 || exponent < 3 )
509 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
510
511 if( nbits % 2 )
512 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
513
514 mbedtls_mpi_init( &H );
515 mbedtls_mpi_init( &G );
516 mbedtls_mpi_init( &L );
517
518 /*
519 * find primes P and Q with Q < P so that:
520 * 1. |P-Q| > 2^( nbits / 2 - 100 )
521 * 2. GCD( E, (P-1)*(Q-1) ) == 1
522 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
523 */
524 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
525
526 do
527 {
528 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
529 f_rng, p_rng ) );
530
531 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
532 f_rng, p_rng ) );
533
534 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
535 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
536 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
537 continue;
538
539 /* not required by any standards, but some users rely on the fact that P > Q */
540 if( H.s < 0 )
541 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
542
543 /* Temporarily replace P,Q by P-1, Q-1 */
544 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
545 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
546 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
547
548 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
549 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
550 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
551 continue;
552
553 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
554 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
555 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
556 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
557
558 if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
559 continue;
560
561 break;
562 }
563 while( 1 );
564
565 /* Restore P,Q */
566 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
567 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
568
569 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
570
571 ctx->len = mbedtls_mpi_size( &ctx->N );
572
573#if !defined(MBEDTLS_RSA_NO_CRT)
574 /*
575 * DP = D mod (P - 1)
576 * DQ = D mod (Q - 1)
577 * QP = Q^-1 mod P
578 */
579 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
580 &ctx->DP, &ctx->DQ, &ctx->QP ) );
581#endif /* MBEDTLS_RSA_NO_CRT */
582
583 /* Double-check */
584 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
585
586cleanup:
587
588 mbedtls_mpi_free( &H );
589 mbedtls_mpi_free( &G );
590 mbedtls_mpi_free( &L );
591
592 if( ret != 0 )
593 {
594 mbedtls_rsa_free( ctx );
595 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
596 }
597
598 return( 0 );
599}
600
601#endif /* MBEDTLS_GENPRIME */
602
603/*
604 * Check a public RSA key
605 */
606int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
607{
608 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
609 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
610
611 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
612 {
613 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
614 }
615
616 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
617 mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
618 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
619 {
620 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
621 }
622
623 return( 0 );
624}
625
626/*
627 * Check for the consistency of all fields in an RSA private key context
628 */
629int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
630{
631 if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
632 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
633 {
634 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
635 }
636
637 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
638 &ctx->D, &ctx->E, NULL, NULL ) != 0 )
639 {
640 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
641 }
642
643#if !defined(MBEDTLS_RSA_NO_CRT)
644 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
645 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
646 {
647 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
648 }
649#endif
650
651 return( 0 );
652}
653
654/*
655 * Check if contexts holding a public and private key match
656 */
657int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
658 const mbedtls_rsa_context *prv )
659{
660 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
661 mbedtls_rsa_check_privkey( prv ) != 0 )
662 {
663 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
664 }
665
666 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
667 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
668 {
669 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
670 }
671
672 return( 0 );
673}
674
675/*
676 * Do an RSA public key operation
677 */
678int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
679 const unsigned char *input,
680 unsigned char *output )
681{
682 int ret;
683 size_t olen;
684 mbedtls_mpi T;
685
686 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
687 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
688
689 mbedtls_mpi_init( &T );
690
691#if defined(MBEDTLS_THREADING_C)
692 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
693 return( ret );
694#endif
695
696 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
697
698 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
699 {
700 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
701 goto cleanup;
702 }
703
704 olen = ctx->len;
705 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
706 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
707
708cleanup:
709#if defined(MBEDTLS_THREADING_C)
710 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
711 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
712#endif
713
714 mbedtls_mpi_free( &T );
715
716 if( ret != 0 )
717 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
718
719 return( 0 );
720}
721
722/*
723 * Generate or update blinding values, see section 10 of:
724 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
725 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
726 * Berlin Heidelberg, 1996. p. 104-113.
727 */
728static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
729 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
730{
731 int ret, count = 0;
732
733 if( ctx->Vf.p != NULL )
734 {
735 /* We already have blinding values, just update them by squaring */
736 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
737 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
738 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
739 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
740
741 goto cleanup;
742 }
743
744 /* Unblinding value: Vf = random number, invertible mod N */
745 do {
746 if( count++ > 10 )
747 return( MBEDTLS_ERR_RSA_RNG_FAILED );
748
749 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
750 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
751 } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
752
753 /* Blinding value: Vi = Vf^(-e) mod N */
754 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
755 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
756
757
758cleanup:
759 return( ret );
760}
761
762/*
763 * Exponent blinding supposed to prevent side-channel attacks using multiple
764 * traces of measurements to recover the RSA key. The more collisions are there,
765 * the more bits of the key can be recovered. See [3].
766 *
767 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
768 * observations on avarage.
769 *
770 * For example with 28 byte blinding to achieve 2 collisions the adversary has
771 * to make 2^112 observations on avarage.
772 *
773 * (With the currently (as of 2017 April) known best algorithms breaking 2048
774 * bit RSA requires approximately as much time as trying out 2^112 random keys.
775 * Thus in this sense with 28 byte blinding the security is not reduced by
776 * side-channel attacks like the one in [3])
777 *
778 * This countermeasure does not help if the key recovery is possible with a
779 * single trace.
780 */
781#define RSA_EXPONENT_BLINDING 28
782
783/*
784 * Do an RSA private key operation
785 */
786int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
787 int (*f_rng)(void *, unsigned char *, size_t),
788 void *p_rng,
789 const unsigned char *input,
790 unsigned char *output )
791{
792 int ret;
793 size_t olen;
794
795 /* Temporary holding the result */
796 mbedtls_mpi T;
797
798 /* Temporaries holding P-1, Q-1 and the
799 * exponent blinding factor, respectively. */
800 mbedtls_mpi P1, Q1, R;
801
802#if !defined(MBEDTLS_RSA_NO_CRT)
803 /* Temporaries holding the results mod p resp. mod q. */
804 mbedtls_mpi TP, TQ;
805
806 /* Temporaries holding the blinded exponents for
807 * the mod p resp. mod q computation (if used). */
808 mbedtls_mpi DP_blind, DQ_blind;
809
810 /* Pointers to actual exponents to be used - either the unblinded
811 * or the blinded ones, depending on the presence of a PRNG. */
812 mbedtls_mpi *DP = &ctx->DP;
813 mbedtls_mpi *DQ = &ctx->DQ;
814#else
815 /* Temporary holding the blinded exponent (if used). */
816 mbedtls_mpi D_blind;
817
818 /* Pointer to actual exponent to be used - either the unblinded
819 * or the blinded one, depending on the presence of a PRNG. */
820 mbedtls_mpi *D = &ctx->D;
821#endif /* MBEDTLS_RSA_NO_CRT */
822
823 /* Temporaries holding the initial input and the double
824 * checked result; should be the same in the end. */
825 mbedtls_mpi I, C;
826
827 if( rsa_check_context( ctx, 1 /* private key checks */,
828 f_rng != NULL /* blinding y/n */ ) != 0 )
829 {
830 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
831 }
832
833#if defined(MBEDTLS_THREADING_C)
834 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
835 return( ret );
836#endif
837
838 /* MPI Initialization */
839 mbedtls_mpi_init( &T );
840
841 mbedtls_mpi_init( &P1 );
842 mbedtls_mpi_init( &Q1 );
843 mbedtls_mpi_init( &R );
844
845 if( f_rng != NULL )
846 {
847#if defined(MBEDTLS_RSA_NO_CRT)
848 mbedtls_mpi_init( &D_blind );
849#else
850 mbedtls_mpi_init( &DP_blind );
851 mbedtls_mpi_init( &DQ_blind );
852#endif
853 }
854
855#if !defined(MBEDTLS_RSA_NO_CRT)
856 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
857#endif
858
859 mbedtls_mpi_init( &I );
860 mbedtls_mpi_init( &C );
861
862 /* End of MPI initialization */
863
864 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
865 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
866 {
867 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
868 goto cleanup;
869 }
870
871 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
872
873 if( f_rng != NULL )
874 {
875 /*
876 * Blinding
877 * T = T * Vi mod N
878 */
879 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
880 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
881 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
882
883 /*
884 * Exponent blinding
885 */
886 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
887 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
888
889#if defined(MBEDTLS_RSA_NO_CRT)
890 /*
891 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
892 */
893 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
894 f_rng, p_rng ) );
895 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
896 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
897 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
898
899 D = &D_blind;
900#else
901 /*
902 * DP_blind = ( P - 1 ) * R + DP
903 */
904 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
905 f_rng, p_rng ) );
906 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
907 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
908 &ctx->DP ) );
909
910 DP = &DP_blind;
911
912 /*
913 * DQ_blind = ( Q - 1 ) * R + DQ
914 */
915 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
916 f_rng, p_rng ) );
917 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
918 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
919 &ctx->DQ ) );
920
921 DQ = &DQ_blind;
922#endif /* MBEDTLS_RSA_NO_CRT */
923 }
924
925#if defined(MBEDTLS_RSA_NO_CRT)
926 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
927#else
928 /*
929 * Faster decryption using the CRT
930 *
931 * TP = input ^ dP mod P
932 * TQ = input ^ dQ mod Q
933 */
934
935 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
936 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
937
938 /*
939 * T = (TP - TQ) * (Q^-1 mod P) mod P
940 */
941 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
942 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
943 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
944
945 /*
946 * T = TQ + T * Q
947 */
948 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
949 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
950#endif /* MBEDTLS_RSA_NO_CRT */
951
952 if( f_rng != NULL )
953 {
954 /*
955 * Unblind
956 * T = T * Vf mod N
957 */
958 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
959 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
960 }
961
962 /* Verify the result to prevent glitching attacks. */
963 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
964 &ctx->N, &ctx->RN ) );
965 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
966 {
967 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
968 goto cleanup;
969 }
970
971 olen = ctx->len;
972 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
973
974cleanup:
975#if defined(MBEDTLS_THREADING_C)
976 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
977 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
978#endif
979
980 mbedtls_mpi_free( &P1 );
981 mbedtls_mpi_free( &Q1 );
982 mbedtls_mpi_free( &R );
983
984 if( f_rng != NULL )
985 {
986#if defined(MBEDTLS_RSA_NO_CRT)
987 mbedtls_mpi_free( &D_blind );
988#else
989 mbedtls_mpi_free( &DP_blind );
990 mbedtls_mpi_free( &DQ_blind );
991#endif
992 }
993
994 mbedtls_mpi_free( &T );
995
996#if !defined(MBEDTLS_RSA_NO_CRT)
997 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
998#endif
999
1000 mbedtls_mpi_free( &C );
1001 mbedtls_mpi_free( &I );
1002
1003 if( ret != 0 )
1004 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
1005
1006 return( 0 );
1007}
1008
1009#if defined(MBEDTLS_PKCS1_V21)
1010/**
1011 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1012 *
1013 * \param dst buffer to mask
1014 * \param dlen length of destination buffer
1015 * \param src source of the mask generation
1016 * \param slen length of the source buffer
1017 * \param md_ctx message digest context to use
1018 */
1019static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
1020 size_t slen, mbedtls_md_context_t *md_ctx )
1021{
1022 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
1023 unsigned char counter[4];
1024 unsigned char *p;
1025 unsigned int hlen;
1026 size_t i, use_len;
1027 int ret = 0;
1028
1029 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
1030 memset( counter, 0, 4 );
1031
1032 hlen = mbedtls_md_get_size( md_ctx->md_info );
1033
1034 /* Generate and apply dbMask */
1035 p = dst;
1036
1037 while( dlen > 0 )
1038 {
1039 use_len = hlen;
1040 if( dlen < hlen )
1041 use_len = dlen;
1042
1043 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
1044 goto exit;
1045 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
1046 goto exit;
1047 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
1048 goto exit;
1049 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
1050 goto exit;
1051
1052 for( i = 0; i < use_len; ++i )
1053 *p++ ^= mask[i];
1054
1055 counter[3]++;
1056
1057 dlen -= use_len;
1058 }
1059
1060exit:
1061 mbedtls_platform_zeroize( mask, sizeof( mask ) );
1062
1063 return( ret );
1064}
1065#endif /* MBEDTLS_PKCS1_V21 */
1066
1067#if defined(MBEDTLS_PKCS1_V21)
1068/*
1069 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1070 */
1071int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
1072 int (*f_rng)(void *, unsigned char *, size_t),
1073 void *p_rng,
1074 int mode,
1075 const unsigned char *label, size_t label_len,
1076 size_t ilen,
1077 const unsigned char *input,
1078 unsigned char *output )
1079{
1080 size_t olen;
1081 int ret;
1082 unsigned char *p = output;
1083 unsigned int hlen;
1084 const mbedtls_md_info_t *md_info;
1085 mbedtls_md_context_t md_ctx;
1086
1087 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1088 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1089
1090 if( f_rng == NULL )
1091 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1092
1093 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1094 if( md_info == NULL )
1095 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1096
1097 olen = ctx->len;
1098 hlen = mbedtls_md_get_size( md_info );
1099
1100 /* first comparison checks for overflow */
1101 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
1102 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1103
1104 memset( output, 0, olen );
1105
1106 *p++ = 0;
1107
1108 /* Generate a random octet string seed */
1109 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
1110 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1111
1112 p += hlen;
1113
1114 /* Construct DB */
1115 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
1116 return( ret );
1117 p += hlen;
1118 p += olen - 2 * hlen - 2 - ilen;
1119 *p++ = 1;
1120 memcpy( p, input, ilen );
1121
1122 mbedtls_md_init( &md_ctx );
1123 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1124 goto exit;
1125
1126 /* maskedDB: Apply dbMask to DB */
1127 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1128 &md_ctx ) ) != 0 )
1129 goto exit;
1130
1131 /* maskedSeed: Apply seedMask to seed */
1132 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1133 &md_ctx ) ) != 0 )
1134 goto exit;
1135
1136exit:
1137 mbedtls_md_free( &md_ctx );
1138
1139 if( ret != 0 )
1140 return( ret );
1141
1142 return( ( mode == MBEDTLS_RSA_PUBLIC )
1143 ? mbedtls_rsa_public( ctx, output, output )
1144 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1145}
1146#endif /* MBEDTLS_PKCS1_V21 */
1147
1148#if defined(MBEDTLS_PKCS1_V15)
1149/*
1150 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1151 */
1152int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
1153 int (*f_rng)(void *, unsigned char *, size_t),
1154 void *p_rng,
1155 int mode, size_t ilen,
1156 const unsigned char *input,
1157 unsigned char *output )
1158{
1159 size_t nb_pad, olen;
1160 int ret;
1161 unsigned char *p = output;
1162
1163 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1164 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1165
1166 // We don't check p_rng because it won't be dereferenced here
1167 if( f_rng == NULL || input == NULL || output == NULL )
1168 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1169
1170 olen = ctx->len;
1171
1172 /* first comparison checks for overflow */
1173 if( ilen + 11 < ilen || olen < ilen + 11 )
1174 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1175
1176 nb_pad = olen - 3 - ilen;
1177
1178 *p++ = 0;
1179 if( mode == MBEDTLS_RSA_PUBLIC )
1180 {
1181 *p++ = MBEDTLS_RSA_CRYPT;
1182
1183 while( nb_pad-- > 0 )
1184 {
1185 int rng_dl = 100;
1186
1187 do {
1188 ret = f_rng( p_rng, p, 1 );
1189 } while( *p == 0 && --rng_dl && ret == 0 );
1190
1191 /* Check if RNG failed to generate data */
1192 if( rng_dl == 0 || ret != 0 )
1193 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1194
1195 p++;
1196 }
1197 }
1198 else
1199 {
1200 *p++ = MBEDTLS_RSA_SIGN;
1201
1202 while( nb_pad-- > 0 )
1203 *p++ = 0xFF;
1204 }
1205
1206 *p++ = 0;
1207 memcpy( p, input, ilen );
1208
1209 return( ( mode == MBEDTLS_RSA_PUBLIC )
1210 ? mbedtls_rsa_public( ctx, output, output )
1211 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1212}
1213#endif /* MBEDTLS_PKCS1_V15 */
1214
1215/*
1216 * Add the message padding, then do an RSA operation
1217 */
1218int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
1219 int (*f_rng)(void *, unsigned char *, size_t),
1220 void *p_rng,
1221 int mode, size_t ilen,
1222 const unsigned char *input,
1223 unsigned char *output )
1224{
1225 switch( ctx->padding )
1226 {
1227#if defined(MBEDTLS_PKCS1_V15)
1228 case MBEDTLS_RSA_PKCS_V15:
1229 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
1230 input, output );
1231#endif
1232
1233#if defined(MBEDTLS_PKCS1_V21)
1234 case MBEDTLS_RSA_PKCS_V21:
1235 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1236 ilen, input, output );
1237#endif
1238
1239 default:
1240 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1241 }
1242}
1243
1244#if defined(MBEDTLS_PKCS1_V21)
1245/*
1246 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1247 */
1248int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
1249 int (*f_rng)(void *, unsigned char *, size_t),
1250 void *p_rng,
1251 int mode,
1252 const unsigned char *label, size_t label_len,
1253 size_t *olen,
1254 const unsigned char *input,
1255 unsigned char *output,
1256 size_t output_max_len )
1257{
1258 int ret;
1259 size_t ilen, i, pad_len;
1260 unsigned char *p, bad, pad_done;
1261 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1262 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
1263 unsigned int hlen;
1264 const mbedtls_md_info_t *md_info;
1265 mbedtls_md_context_t md_ctx;
1266
1267 /*
1268 * Parameters sanity checks
1269 */
1270 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1271 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1272
1273 ilen = ctx->len;
1274
1275 if( ilen < 16 || ilen > sizeof( buf ) )
1276 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1277
1278 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1279 if( md_info == NULL )
1280 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1281
1282 hlen = mbedtls_md_get_size( md_info );
1283
1284 // checking for integer underflow
1285 if( 2 * hlen + 2 > ilen )
1286 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1287
1288 /*
1289 * RSA operation
1290 */
1291 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1292 ? mbedtls_rsa_public( ctx, input, buf )
1293 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1294
1295 if( ret != 0 )
1296 goto cleanup;
1297
1298 /*
1299 * Unmask data and generate lHash
1300 */
1301 mbedtls_md_init( &md_ctx );
1302 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1303 {
1304 mbedtls_md_free( &md_ctx );
1305 goto cleanup;
1306 }
1307
1308 /* seed: Apply seedMask to maskedSeed */
1309 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1310 &md_ctx ) ) != 0 ||
1311 /* DB: Apply dbMask to maskedDB */
1312 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1313 &md_ctx ) ) != 0 )
1314 {
1315 mbedtls_md_free( &md_ctx );
1316 goto cleanup;
1317 }
1318
1319 mbedtls_md_free( &md_ctx );
1320
1321 /* Generate lHash */
1322 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
1323 goto cleanup;
1324
1325 /*
1326 * Check contents, in "constant-time"
1327 */
1328 p = buf;
1329 bad = 0;
1330
1331 bad |= *p++; /* First byte must be 0 */
1332
1333 p += hlen; /* Skip seed */
1334
1335 /* Check lHash */
1336 for( i = 0; i < hlen; i++ )
1337 bad |= lhash[i] ^ *p++;
1338
1339 /* Get zero-padding len, but always read till end of buffer
1340 * (minus one, for the 01 byte) */
1341 pad_len = 0;
1342 pad_done = 0;
1343 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
1344 {
1345 pad_done |= p[i];
1346 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1347 }
1348
1349 p += pad_len;
1350 bad |= *p++ ^ 0x01;
1351
1352 /*
1353 * The only information "leaked" is whether the padding was correct or not
1354 * (eg, no data is copied if it was not correct). This meets the
1355 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1356 * the different error conditions.
1357 */
1358 if( bad != 0 )
1359 {
1360 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1361 goto cleanup;
1362 }
1363
1364 if( ilen - ( p - buf ) > output_max_len )
1365 {
1366 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1367 goto cleanup;
1368 }
1369
1370 *olen = ilen - (p - buf);
1371 memcpy( output, p, *olen );
1372 ret = 0;
1373
1374cleanup:
1375 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1376 mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
1377
1378 return( ret );
1379}
1380#endif /* MBEDTLS_PKCS1_V21 */
1381
1382#if defined(MBEDTLS_PKCS1_V15)
1383/*
1384 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1385 */
1386int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
1387 int (*f_rng)(void *, unsigned char *, size_t),
1388 void *p_rng,
1389 int mode, size_t *olen,
1390 const unsigned char *input,
1391 unsigned char *output,
1392 size_t output_max_len)
1393{
1394 int ret;
1395 size_t ilen, pad_count = 0, i;
1396 unsigned char *p, bad, pad_done = 0;
1397 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1398
1399 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1400 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1401
1402 ilen = ctx->len;
1403
1404 if( ilen < 16 || ilen > sizeof( buf ) )
1405 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1406
1407 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1408 ? mbedtls_rsa_public( ctx, input, buf )
1409 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1410
1411 if( ret != 0 )
1412 goto cleanup;
1413
1414 p = buf;
1415 bad = 0;
1416
1417 /*
1418 * Check and get padding len in "constant-time"
1419 */
1420 bad |= *p++; /* First byte must be 0 */
1421
1422 /* This test does not depend on secret data */
1423 if( mode == MBEDTLS_RSA_PRIVATE )
1424 {
1425 bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
1426
1427 /* Get padding len, but always read till end of buffer
1428 * (minus one, for the 00 byte) */
1429 for( i = 0; i < ilen - 3; i++ )
1430 {
1431 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
1432 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1433 }
1434
1435 p += pad_count;
1436 bad |= *p++; /* Must be zero */
1437 }
1438 else
1439 {
1440 bad |= *p++ ^ MBEDTLS_RSA_SIGN;
1441
1442 /* Get padding len, but always read till end of buffer
1443 * (minus one, for the 00 byte) */
1444 for( i = 0; i < ilen - 3; i++ )
1445 {
1446 pad_done |= ( p[i] != 0xFF );
1447 pad_count += ( pad_done == 0 );
1448 }
1449
1450 p += pad_count;
1451 bad |= *p++; /* Must be zero */
1452 }
1453
1454 bad |= ( pad_count < 8 );
1455
1456 if( bad )
1457 {
1458 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1459 goto cleanup;
1460 }
1461
1462 if( ilen - ( p - buf ) > output_max_len )
1463 {
1464 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1465 goto cleanup;
1466 }
1467
1468 *olen = ilen - (p - buf);
1469 memcpy( output, p, *olen );
1470 ret = 0;
1471
1472cleanup:
1473 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1474
1475 return( ret );
1476}
1477#endif /* MBEDTLS_PKCS1_V15 */
1478
1479/*
1480 * Do an RSA operation, then remove the message padding
1481 */
1482int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
1483 int (*f_rng)(void *, unsigned char *, size_t),
1484 void *p_rng,
1485 int mode, size_t *olen,
1486 const unsigned char *input,
1487 unsigned char *output,
1488 size_t output_max_len)
1489{
1490 switch( ctx->padding )
1491 {
1492#if defined(MBEDTLS_PKCS1_V15)
1493 case MBEDTLS_RSA_PKCS_V15:
1494 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
1495 input, output, output_max_len );
1496#endif
1497
1498#if defined(MBEDTLS_PKCS1_V21)
1499 case MBEDTLS_RSA_PKCS_V21:
1500 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1501 olen, input, output,
1502 output_max_len );
1503#endif
1504
1505 default:
1506 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1507 }
1508}
1509
1510#if defined(MBEDTLS_PKCS1_V21)
1511/*
1512 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1513 */
1514int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
1515 int (*f_rng)(void *, unsigned char *, size_t),
1516 void *p_rng,
1517 int mode,
1518 mbedtls_md_type_t md_alg,
1519 unsigned int hashlen,
1520 const unsigned char *hash,
1521 unsigned char *sig )
1522{
1523 size_t olen;
1524 unsigned char *p = sig;
1525 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
1526 unsigned int slen, hlen, offset = 0;
1527 int ret;
1528 size_t msb;
1529 const mbedtls_md_info_t *md_info;
1530 mbedtls_md_context_t md_ctx;
1531
1532 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1533 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1534
1535 if( f_rng == NULL )
1536 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1537
1538 olen = ctx->len;
1539
1540 if( md_alg != MBEDTLS_MD_NONE )
1541 {
1542 /* Gather length of hash to sign */
1543 md_info = mbedtls_md_info_from_type( md_alg );
1544 if( md_info == NULL )
1545 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1546
1547 hashlen = mbedtls_md_get_size( md_info );
1548 }
1549
1550 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1551 if( md_info == NULL )
1552 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1553
1554 hlen = mbedtls_md_get_size( md_info );
1555 slen = hlen;
1556
1557 if( olen < hlen + slen + 2 )
1558 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1559
1560 memset( sig, 0, olen );
1561
1562 /* Generate salt of length slen */
1563 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
1564 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1565
1566 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1567 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1568 p += olen - hlen * 2 - 2;
1569 *p++ = 0x01;
1570 memcpy( p, salt, slen );
1571 p += slen;
1572
1573 mbedtls_md_init( &md_ctx );
1574 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1575 goto exit;
1576
1577 /* Generate H = Hash( M' ) */
1578 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
1579 goto exit;
1580 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
1581 goto exit;
1582 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
1583 goto exit;
1584 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
1585 goto exit;
1586 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
1587 goto exit;
1588
1589 /* Compensate for boundary condition when applying mask */
1590 if( msb % 8 == 0 )
1591 offset = 1;
1592
1593 /* maskedDB: Apply dbMask to DB */
1594 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
1595 &md_ctx ) ) != 0 )
1596 goto exit;
1597
1598 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1599 sig[0] &= 0xFF >> ( olen * 8 - msb );
1600
1601 p += hlen;
1602 *p++ = 0xBC;
1603
1604 mbedtls_platform_zeroize( salt, sizeof( salt ) );
1605
1606exit:
1607 mbedtls_md_free( &md_ctx );
1608
1609 if( ret != 0 )
1610 return( ret );
1611
1612 return( ( mode == MBEDTLS_RSA_PUBLIC )
1613 ? mbedtls_rsa_public( ctx, sig, sig )
1614 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1615}
1616#endif /* MBEDTLS_PKCS1_V21 */
1617
1618#if defined(MBEDTLS_PKCS1_V15)
1619/*
1620 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1621 */
1622
1623/* Construct a PKCS v1.5 encoding of a hashed message
1624 *
1625 * This is used both for signature generation and verification.
1626 *
1627 * Parameters:
1628 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1629 * MBEDTLS_MD_NONE if raw data is signed.
1630 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
1631 * - hash: Buffer containing the hashed message or the raw data.
1632 * - dst_len: Length of the encoded message.
1633 * - dst: Buffer to hold the encoded message.
1634 *
1635 * Assumptions:
1636 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
1637 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
1638 * - dst points to a buffer of size at least dst_len.
1639 *
1640 */
1641static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
1642 unsigned int hashlen,
1643 const unsigned char *hash,
1644 size_t dst_len,
1645 unsigned char *dst )
1646{
1647 size_t oid_size = 0;
1648 size_t nb_pad = dst_len;
1649 unsigned char *p = dst;
1650 const char *oid = NULL;
1651
1652 /* Are we signing hashed or raw data? */
1653 if( md_alg != MBEDTLS_MD_NONE )
1654 {
1655 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1656 if( md_info == NULL )
1657 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1658
1659 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1660 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1661
1662 hashlen = mbedtls_md_get_size( md_info );
1663
1664 /* Double-check that 8 + hashlen + oid_size can be used as a
1665 * 1-byte ASN.1 length encoding and that there's no overflow. */
1666 if( 8 + hashlen + oid_size >= 0x80 ||
1667 10 + hashlen < hashlen ||
1668 10 + hashlen + oid_size < 10 + hashlen )
1669 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1670
1671 /*
1672 * Static bounds check:
1673 * - Need 10 bytes for five tag-length pairs.
1674 * (Insist on 1-byte length encodings to protect against variants of
1675 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1676 * - Need hashlen bytes for hash
1677 * - Need oid_size bytes for hash alg OID.
1678 */
1679 if( nb_pad < 10 + hashlen + oid_size )
1680 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1681 nb_pad -= 10 + hashlen + oid_size;
1682 }
1683 else
1684 {
1685 if( nb_pad < hashlen )
1686 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1687
1688 nb_pad -= hashlen;
1689 }
1690
1691 /* Need space for signature header and padding delimiter (3 bytes),
1692 * and 8 bytes for the minimal padding */
1693 if( nb_pad < 3 + 8 )
1694 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1695 nb_pad -= 3;
1696
1697 /* Now nb_pad is the amount of memory to be filled
1698 * with padding, and at least 8 bytes long. */
1699
1700 /* Write signature header and padding */
1701 *p++ = 0;
1702 *p++ = MBEDTLS_RSA_SIGN;
1703 memset( p, 0xFF, nb_pad );
1704 p += nb_pad;
1705 *p++ = 0;
1706
1707 /* Are we signing raw data? */
1708 if( md_alg == MBEDTLS_MD_NONE )
1709 {
1710 memcpy( p, hash, hashlen );
1711 return( 0 );
1712 }
1713
1714 /* Signing hashed data, add corresponding ASN.1 structure
1715 *
1716 * DigestInfo ::= SEQUENCE {
1717 * digestAlgorithm DigestAlgorithmIdentifier,
1718 * digest Digest }
1719 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1720 * Digest ::= OCTET STRING
1721 *
1722 * Schematic:
1723 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1724 * TAG-NULL + LEN [ NULL ] ]
1725 * TAG-OCTET + LEN [ HASH ] ]
1726 */
1727 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1728 *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
1729 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1730 *p++ = (unsigned char)( 0x04 + oid_size );
1731 *p++ = MBEDTLS_ASN1_OID;
1732 *p++ = (unsigned char) oid_size;
1733 memcpy( p, oid, oid_size );
1734 p += oid_size;
1735 *p++ = MBEDTLS_ASN1_NULL;
1736 *p++ = 0x00;
1737 *p++ = MBEDTLS_ASN1_OCTET_STRING;
1738 *p++ = (unsigned char) hashlen;
1739 memcpy( p, hash, hashlen );
1740 p += hashlen;
1741
1742 /* Just a sanity-check, should be automatic
1743 * after the initial bounds check. */
1744 if( p != dst + dst_len )
1745 {
1746 mbedtls_platform_zeroize( dst, dst_len );
1747 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1748 }
1749
1750 return( 0 );
1751}
1752
1753/*
1754 * Do an RSA operation to sign the message digest
1755 */
1756int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
1757 int (*f_rng)(void *, unsigned char *, size_t),
1758 void *p_rng,
1759 int mode,
1760 mbedtls_md_type_t md_alg,
1761 unsigned int hashlen,
1762 const unsigned char *hash,
1763 unsigned char *sig )
1764{
1765 int ret;
1766 unsigned char *sig_try = NULL, *verif = NULL;
1767
1768 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1769 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1770
1771 /*
1772 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1773 */
1774
1775 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
1776 ctx->len, sig ) ) != 0 )
1777 return( ret );
1778
1779 /*
1780 * Call respective RSA primitive
1781 */
1782
1783 if( mode == MBEDTLS_RSA_PUBLIC )
1784 {
1785 /* Skip verification on a public key operation */
1786 return( mbedtls_rsa_public( ctx, sig, sig ) );
1787 }
1788
1789 /* Private key operation
1790 *
1791 * In order to prevent Lenstra's attack, make the signature in a
1792 * temporary buffer and check it before returning it.
1793 */
1794
1795 sig_try = mbedtls_calloc( 1, ctx->len );
1796 if( sig_try == NULL )
1797 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1798
1799 verif = mbedtls_calloc( 1, ctx->len );
1800 if( verif == NULL )
1801 {
1802 mbedtls_free( sig_try );
1803 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1804 }
1805
1806 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1807 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
1808
1809 if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
1810 {
1811 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1812 goto cleanup;
1813 }
1814
1815 memcpy( sig, sig_try, ctx->len );
1816
1817cleanup:
1818 mbedtls_free( sig_try );
1819 mbedtls_free( verif );
1820
1821 return( ret );
1822}
1823#endif /* MBEDTLS_PKCS1_V15 */
1824
1825/*
1826 * Do an RSA operation to sign the message digest
1827 */
1828int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
1829 int (*f_rng)(void *, unsigned char *, size_t),
1830 void *p_rng,
1831 int mode,
1832 mbedtls_md_type_t md_alg,
1833 unsigned int hashlen,
1834 const unsigned char *hash,
1835 unsigned char *sig )
1836{
1837 switch( ctx->padding )
1838 {
1839#if defined(MBEDTLS_PKCS1_V15)
1840 case MBEDTLS_RSA_PKCS_V15:
1841 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
1842 hashlen, hash, sig );
1843#endif
1844
1845#if defined(MBEDTLS_PKCS1_V21)
1846 case MBEDTLS_RSA_PKCS_V21:
1847 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1848 hashlen, hash, sig );
1849#endif
1850
1851 default:
1852 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1853 }
1854}
1855
1856#if defined(MBEDTLS_PKCS1_V21)
1857/*
1858 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1859 */
1860int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
1861 int (*f_rng)(void *, unsigned char *, size_t),
1862 void *p_rng,
1863 int mode,
1864 mbedtls_md_type_t md_alg,
1865 unsigned int hashlen,
1866 const unsigned char *hash,
1867 mbedtls_md_type_t mgf1_hash_id,
1868 int expected_salt_len,
1869 const unsigned char *sig )
1870{
1871 int ret;
1872 size_t siglen;
1873 unsigned char *p;
1874 unsigned char *hash_start;
1875 unsigned char result[MBEDTLS_MD_MAX_SIZE];
1876 unsigned char zeros[8];
1877 unsigned int hlen;
1878 size_t observed_salt_len, msb;
1879 const mbedtls_md_info_t *md_info;
1880 mbedtls_md_context_t md_ctx;
1881 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1882
1883 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1884 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1885
1886 siglen = ctx->len;
1887
1888 if( siglen < 16 || siglen > sizeof( buf ) )
1889 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1890
1891 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1892 ? mbedtls_rsa_public( ctx, sig, buf )
1893 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
1894
1895 if( ret != 0 )
1896 return( ret );
1897
1898 p = buf;
1899
1900 if( buf[siglen - 1] != 0xBC )
1901 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1902
1903 if( md_alg != MBEDTLS_MD_NONE )
1904 {
1905 /* Gather length of hash to sign */
1906 md_info = mbedtls_md_info_from_type( md_alg );
1907 if( md_info == NULL )
1908 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1909
1910 hashlen = mbedtls_md_get_size( md_info );
1911 }
1912
1913 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
1914 if( md_info == NULL )
1915 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1916
1917 hlen = mbedtls_md_get_size( md_info );
1918
1919 memset( zeros, 0, 8 );
1920
1921 /*
1922 * Note: EMSA-PSS verification is over the length of N - 1 bits
1923 */
1924 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1925
1926 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1927 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1928
1929 /* Compensate for boundary condition when applying mask */
1930 if( msb % 8 == 0 )
1931 {
1932 p++;
1933 siglen -= 1;
1934 }
1935
1936 if( siglen < hlen + 2 )
1937 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1938 hash_start = p + siglen - hlen - 1;
1939
1940 mbedtls_md_init( &md_ctx );
1941 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1942 goto exit;
1943
1944 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
1945 if( ret != 0 )
1946 goto exit;
1947
1948 buf[0] &= 0xFF >> ( siglen * 8 - msb );
1949
1950 while( p < hash_start - 1 && *p == 0 )
1951 p++;
1952
1953 if( *p++ != 0x01 )
1954 {
1955 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1956 goto exit;
1957 }
1958
1959 observed_salt_len = hash_start - p;
1960
1961 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
1962 observed_salt_len != (size_t) expected_salt_len )
1963 {
1964 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1965 goto exit;
1966 }
1967
1968 /*
1969 * Generate H = Hash( M' )
1970 */
1971 ret = mbedtls_md_starts( &md_ctx );
1972 if ( ret != 0 )
1973 goto exit;
1974 ret = mbedtls_md_update( &md_ctx, zeros, 8 );
1975 if ( ret != 0 )
1976 goto exit;
1977 ret = mbedtls_md_update( &md_ctx, hash, hashlen );
1978 if ( ret != 0 )
1979 goto exit;
1980 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
1981 if ( ret != 0 )
1982 goto exit;
1983 ret = mbedtls_md_finish( &md_ctx, result );
1984 if ( ret != 0 )
1985 goto exit;
1986
1987 if( memcmp( hash_start, result, hlen ) != 0 )
1988 {
1989 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1990 goto exit;
1991 }
1992
1993exit:
1994 mbedtls_md_free( &md_ctx );
1995
1996 return( ret );
1997}
1998
1999/*
2000 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2001 */
2002int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
2003 int (*f_rng)(void *, unsigned char *, size_t),
2004 void *p_rng,
2005 int mode,
2006 mbedtls_md_type_t md_alg,
2007 unsigned int hashlen,
2008 const unsigned char *hash,
2009 const unsigned char *sig )
2010{
2011 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
2012 ? (mbedtls_md_type_t) ctx->hash_id
2013 : md_alg;
2014
2015 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
2016 md_alg, hashlen, hash,
2017 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
2018 sig ) );
2019
2020}
2021#endif /* MBEDTLS_PKCS1_V21 */
2022
2023#if defined(MBEDTLS_PKCS1_V15)
2024/*
2025 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2026 */
2027int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
2028 int (*f_rng)(void *, unsigned char *, size_t),
2029 void *p_rng,
2030 int mode,
2031 mbedtls_md_type_t md_alg,
2032 unsigned int hashlen,
2033 const unsigned char *hash,
2034 const unsigned char *sig )
2035{
2036 int ret = 0;
2037 const size_t sig_len = ctx->len;
2038 unsigned char *encoded = NULL, *encoded_expected = NULL;
2039
2040 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
2041 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2042
2043 /*
2044 * Prepare expected PKCS1 v1.5 encoding of hash.
2045 */
2046
2047 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL ||
2048 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
2049 {
2050 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2051 goto cleanup;
2052 }
2053
2054 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
2055 encoded_expected ) ) != 0 )
2056 goto cleanup;
2057
2058 /*
2059 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2060 */
2061
2062 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2063 ? mbedtls_rsa_public( ctx, sig, encoded )
2064 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
2065 if( ret != 0 )
2066 goto cleanup;
2067
2068 /*
2069 * Compare
2070 */
2071
2072 if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
2073 sig_len ) ) != 0 )
2074 {
2075 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2076 goto cleanup;
2077 }
2078
2079cleanup:
2080
2081 if( encoded != NULL )
2082 {
2083 mbedtls_platform_zeroize( encoded, sig_len );
2084 mbedtls_free( encoded );
2085 }
2086
2087 if( encoded_expected != NULL )
2088 {
2089 mbedtls_platform_zeroize( encoded_expected, sig_len );
2090 mbedtls_free( encoded_expected );
2091 }
2092
2093 return( ret );
2094}
2095#endif /* MBEDTLS_PKCS1_V15 */
2096
2097/*
2098 * Do an RSA operation and check the message digest
2099 */
2100int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
2101 int (*f_rng)(void *, unsigned char *, size_t),
2102 void *p_rng,
2103 int mode,
2104 mbedtls_md_type_t md_alg,
2105 unsigned int hashlen,
2106 const unsigned char *hash,
2107 const unsigned char *sig )
2108{
2109 switch( ctx->padding )
2110 {
2111#if defined(MBEDTLS_PKCS1_V15)
2112 case MBEDTLS_RSA_PKCS_V15:
2113 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
2114 hashlen, hash, sig );
2115#endif
2116
2117#if defined(MBEDTLS_PKCS1_V21)
2118 case MBEDTLS_RSA_PKCS_V21:
2119 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
2120 hashlen, hash, sig );
2121#endif
2122
2123 default:
2124 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2125 }
2126}
2127
2128/*
2129 * Copy the components of an RSA key
2130 */
2131int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
2132{
2133 int ret;
2134
2135 dst->ver = src->ver;
2136 dst->len = src->len;
2137
2138 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
2139 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
2140
2141 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
2142 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
2143 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
2144
2145#if !defined(MBEDTLS_RSA_NO_CRT)
2146 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
2147 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
2148 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
2149 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
2150 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
2151#endif
2152
2153 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
2154
2155 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
2156 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
2157
2158 dst->padding = src->padding;
2159 dst->hash_id = src->hash_id;
2160
2161cleanup:
2162 if( ret != 0 )
2163 mbedtls_rsa_free( dst );
2164
2165 return( ret );
2166}
2167
2168/*
2169 * Free the components of an RSA key
2170 */
2171void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
2172{
2173 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
2174 mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D );
2175 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P );
2176 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
2177
2178#if !defined(MBEDTLS_RSA_NO_CRT)
2179 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );
2180 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );
2181 mbedtls_mpi_free( &ctx->DP );
2182#endif /* MBEDTLS_RSA_NO_CRT */
2183
2184#if defined(MBEDTLS_THREADING_C)
2185 mbedtls_mutex_free( &ctx->mutex );
2186#endif
2187}
2188
2189#endif /* !MBEDTLS_RSA_ALT */
2190
2191#if defined(MBEDTLS_SELF_TEST)
2192
2193#include "mbedtls/sha1.h"
2194
2195/*
2196 * Example RSA-1024 keypair, for test purposes
2197 */
2198#define KEY_LEN 128
2199
2200#define RSA_N "9292758453063D803DD603D5E777D788" \
2201 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2202 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2203 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2204 "93A89813FBF3C4F8066D2D800F7C38A8" \
2205 "1AE31942917403FF4946B0A83D3D3E05" \
2206 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2207 "5E94BB77B07507233A0BC7BAC8F90F79"
2208
2209#define RSA_E "10001"
2210
2211#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2212 "66CA472BC44D253102F8B4A9D3BFA750" \
2213 "91386C0077937FE33FA3252D28855837" \
2214 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2215 "DF79C5CE07EE72C7F123142198164234" \
2216 "CABB724CF78B8173B9F880FC86322407" \
2217 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2218 "071513A1E85B5DFA031F21ECAE91A34D"
2219
2220#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2221 "2C01CAD19EA484A87EA4377637E75500" \
2222 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2223 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2224
2225#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2226 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2227 "910E4168387E3C30AA1E00C339A79508" \
2228 "8452DD96A9A5EA5D9DCA68DA636032AF"
2229
2230#define PT_LEN 24
2231#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2232 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2233
2234#if defined(MBEDTLS_PKCS1_V15)
2235static int myrand( void *rng_state, unsigned char *output, size_t len )
2236{
2237#if !defined(__OpenBSD__)
2238 size_t i;
2239
2240 if( rng_state != NULL )
2241 rng_state = NULL;
2242
2243 for( i = 0; i < len; ++i )
2244 output[i] = rand();
2245#else
2246 if( rng_state != NULL )
2247 rng_state = NULL;
2248
2249 arc4random_buf( output, len );
2250#endif /* !OpenBSD */
2251
2252 return( 0 );
2253}
2254#endif /* MBEDTLS_PKCS1_V15 */
2255
2256/*
2257 * Checkup routine
2258 */
2259int mbedtls_rsa_self_test( int verbose )
2260{
2261 int ret = 0;
2262#if defined(MBEDTLS_PKCS1_V15)
2263 size_t len;
2264 mbedtls_rsa_context rsa;
2265 unsigned char rsa_plaintext[PT_LEN];
2266 unsigned char rsa_decrypted[PT_LEN];
2267 unsigned char rsa_ciphertext[KEY_LEN];
2268#if defined(MBEDTLS_SHA1_C)
2269 unsigned char sha1sum[20];
2270#endif
2271
2272 mbedtls_mpi K;
2273
2274 mbedtls_mpi_init( &K );
2275 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
2276
2277 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
2278 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
2279 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
2280 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
2281 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
2282 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
2283 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
2284 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
2285 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
2286 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
2287
2288 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
2289
2290 if( verbose != 0 )
2291 mbedtls_printf( " RSA key validation: " );
2292
2293 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
2294 mbedtls_rsa_check_privkey( &rsa ) != 0 )
2295 {
2296 if( verbose != 0 )
2297 mbedtls_printf( "failed\n" );
2298
2299 ret = 1;
2300 goto cleanup;
2301 }
2302
2303 if( verbose != 0 )
2304 mbedtls_printf( "passed\n PKCS#1 encryption : " );
2305
2306 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
2307
2308 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
2309 PT_LEN, rsa_plaintext,
2310 rsa_ciphertext ) != 0 )
2311 {
2312 if( verbose != 0 )
2313 mbedtls_printf( "failed\n" );
2314
2315 ret = 1;
2316 goto cleanup;
2317 }
2318
2319 if( verbose != 0 )
2320 mbedtls_printf( "passed\n PKCS#1 decryption : " );
2321
2322 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
2323 &len, rsa_ciphertext, rsa_decrypted,
2324 sizeof(rsa_decrypted) ) != 0 )
2325 {
2326 if( verbose != 0 )
2327 mbedtls_printf( "failed\n" );
2328
2329 ret = 1;
2330 goto cleanup;
2331 }
2332
2333 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
2334 {
2335 if( verbose != 0 )
2336 mbedtls_printf( "failed\n" );
2337
2338 ret = 1;
2339 goto cleanup;
2340 }
2341
2342 if( verbose != 0 )
2343 mbedtls_printf( "passed\n" );
2344
2345#if defined(MBEDTLS_SHA1_C)
2346 if( verbose != 0 )
2347 mbedtls_printf( " PKCS#1 data sign : " );
2348
2349 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
2350 {
2351 if( verbose != 0 )
2352 mbedtls_printf( "failed\n" );
2353
2354 return( 1 );
2355 }
2356
2357 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
2358 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
2359 sha1sum, rsa_ciphertext ) != 0 )
2360 {
2361 if( verbose != 0 )
2362 mbedtls_printf( "failed\n" );
2363
2364 ret = 1;
2365 goto cleanup;
2366 }
2367
2368 if( verbose != 0 )
2369 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
2370
2371 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
2372 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
2373 sha1sum, rsa_ciphertext ) != 0 )
2374 {
2375 if( verbose != 0 )
2376 mbedtls_printf( "failed\n" );
2377
2378 ret = 1;
2379 goto cleanup;
2380 }
2381
2382 if( verbose != 0 )
2383 mbedtls_printf( "passed\n" );
2384#endif /* MBEDTLS_SHA1_C */
2385
2386 if( verbose != 0 )
2387 mbedtls_printf( "\n" );
2388
2389cleanup:
2390 mbedtls_mpi_free( &K );
2391 mbedtls_rsa_free( &rsa );
2392#else /* MBEDTLS_PKCS1_V15 */
2393 ((void) verbose);
2394#endif /* MBEDTLS_PKCS1_V15 */
2395 return( ret );
2396}
2397
2398#endif /* MBEDTLS_SELF_TEST */
2399
2400#endif /* MBEDTLS_RSA_C */
Impressum, Datenschutz