rsa.c 50 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740
  1. /*
  2. * The RSA public-key cryptosystem
  3. *
  4. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. *
  19. * This file is part of mbed TLS (https://tls.mbed.org)
  20. */
  21. /*
  22. * The following sources were referenced in the design of this implementation
  23. * of the RSA algorithm:
  24. *
  25. * [1] A method for obtaining digital signatures and public-key cryptosystems
  26. * R Rivest, A Shamir, and L Adleman
  27. * http://people.csail.mit.edu/rivest/pubs.html#RSA78
  28. *
  29. * [2] Handbook of Applied Cryptography - 1997, Chapter 8
  30. * Menezes, van Oorschot and Vanstone
  31. *
  32. */
  33. #if !defined(MBEDTLS_CONFIG_FILE)
  34. #include "mbedtls/config.h"
  35. #else
  36. #include MBEDTLS_CONFIG_FILE
  37. #endif
  38. #if defined(MBEDTLS_RSA_C)
  39. #include "mbedtls/rsa.h"
  40. #ifdef MBEDTLS_PKCS1_V15
  41. #include "mbedtls/oid.h"
  42. #endif
  43. #if defined(MBEDTLS_PKCS1_V21)
  44. #include "mbedtls/md.h"
  45. #endif
  46. #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
  47. #include <stdlib.h>
  48. #endif
  49. #if defined(MBEDTLS_PLATFORM_C)
  50. #include "mbedtls/platform.h"
  51. #else
  52. #include <stdio.h>
  53. #include <string.h>
  54. #define mbedtls_printf printf
  55. #define mbedtls_calloc calloc
  56. #define mbedtls_free free
  57. #endif
  58. /*
  59. * Initialize an RSA context
  60. */
  61. void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
  62. int padding,
  63. int hash_id )
  64. {
  65. memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
  66. mbedtls_rsa_set_padding( ctx, padding, hash_id );
  67. #if defined(MBEDTLS_THREADING_C)
  68. mbedtls_mutex_init( &ctx->mutex );
  69. #endif
  70. }
  71. /*
  72. * Set padding for an existing RSA context
  73. */
  74. void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
  75. {
  76. ctx->padding = padding;
  77. ctx->hash_id = hash_id;
  78. }
  79. #if defined(MBEDTLS_GENPRIME)
  80. /*
  81. * Generate an RSA keypair
  82. */
  83. int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
  84. int (*f_rng)(void *, unsigned char *, size_t),
  85. void *p_rng,
  86. unsigned int nbits, int exponent )
  87. {
  88. int ret;
  89. mbedtls_mpi P1, Q1, H, G;
  90. if( f_rng == NULL || nbits < 128 || exponent < 3 )
  91. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  92. if( nbits % 2 )
  93. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  94. mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
  95. mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
  96. /*
  97. * find primes P and Q with Q < P so that:
  98. * GCD( E, (P-1)*(Q-1) ) == 1
  99. */
  100. MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
  101. do
  102. {
  103. MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
  104. f_rng, p_rng ) );
  105. MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
  106. f_rng, p_rng ) );
  107. if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
  108. continue;
  109. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
  110. if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
  111. continue;
  112. if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
  113. mbedtls_mpi_swap( &ctx->P, &ctx->Q );
  114. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
  115. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
  116. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
  117. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
  118. }
  119. while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
  120. /*
  121. * D = E^-1 mod ((P-1)*(Q-1))
  122. * DP = D mod (P - 1)
  123. * DQ = D mod (Q - 1)
  124. * QP = Q^-1 mod P
  125. */
  126. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
  127. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
  128. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
  129. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
  130. ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
  131. cleanup:
  132. mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
  133. if( ret != 0 )
  134. {
  135. mbedtls_rsa_free( ctx );
  136. return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
  137. }
  138. return( 0 );
  139. }
  140. #endif /* MBEDTLS_GENPRIME */
  141. /*
  142. * Check a public RSA key
  143. */
  144. int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
  145. {
  146. if( !ctx->N.p || !ctx->E.p )
  147. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  148. if( ( ctx->N.p[0] & 1 ) == 0 ||
  149. ( ctx->E.p[0] & 1 ) == 0 )
  150. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  151. if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
  152. mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
  153. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  154. if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
  155. mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
  156. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  157. return( 0 );
  158. }
  159. /*
  160. * Check a private RSA key
  161. */
  162. int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
  163. {
  164. int ret;
  165. mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
  166. if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
  167. return( ret );
  168. if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
  169. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  170. mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
  171. mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
  172. mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
  173. mbedtls_mpi_init( &QP );
  174. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
  175. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
  176. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
  177. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
  178. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
  179. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
  180. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
  181. MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
  182. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
  183. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
  184. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
  185. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
  186. /*
  187. * Check for a valid PKCS1v2 private key
  188. */
  189. if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
  190. mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
  191. mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
  192. mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
  193. mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||
  194. mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||
  195. mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
  196. {
  197. ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
  198. }
  199. cleanup:
  200. mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
  201. mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
  202. mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
  203. mbedtls_mpi_free( &QP );
  204. if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
  205. return( ret );
  206. if( ret != 0 )
  207. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
  208. return( 0 );
  209. }
  210. /*
  211. * Check if contexts holding a public and private key match
  212. */
  213. int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )
  214. {
  215. if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
  216. mbedtls_rsa_check_privkey( prv ) != 0 )
  217. {
  218. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  219. }
  220. if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
  221. mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
  222. {
  223. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  224. }
  225. return( 0 );
  226. }
  227. /*
  228. * Do an RSA public key operation
  229. */
  230. int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
  231. const unsigned char *input,
  232. unsigned char *output )
  233. {
  234. int ret;
  235. size_t olen;
  236. mbedtls_mpi T;
  237. mbedtls_mpi_init( &T );
  238. #if defined(MBEDTLS_THREADING_C)
  239. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  240. return( ret );
  241. #endif
  242. MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
  243. if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
  244. {
  245. ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
  246. goto cleanup;
  247. }
  248. olen = ctx->len;
  249. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
  250. MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
  251. cleanup:
  252. #if defined(MBEDTLS_THREADING_C)
  253. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  254. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  255. #endif
  256. mbedtls_mpi_free( &T );
  257. if( ret != 0 )
  258. return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
  259. return( 0 );
  260. }
  261. /*
  262. * Generate or update blinding values, see section 10 of:
  263. * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
  264. * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
  265. * Berlin Heidelberg, 1996. p. 104-113.
  266. */
  267. static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
  268. int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
  269. {
  270. int ret, count = 0;
  271. if( ctx->Vf.p != NULL )
  272. {
  273. /* We already have blinding values, just update them by squaring */
  274. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
  275. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
  276. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
  277. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
  278. goto cleanup;
  279. }
  280. /* Unblinding value: Vf = random number, invertible mod N */
  281. do {
  282. if( count++ > 10 )
  283. return( MBEDTLS_ERR_RSA_RNG_FAILED );
  284. MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
  285. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
  286. } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
  287. /* Blinding value: Vi = Vf^(-e) mod N */
  288. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
  289. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
  290. cleanup:
  291. return( ret );
  292. }
  293. /*
  294. * Do an RSA private key operation
  295. */
  296. int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
  297. int (*f_rng)(void *, unsigned char *, size_t),
  298. void *p_rng,
  299. const unsigned char *input,
  300. unsigned char *output )
  301. {
  302. int ret;
  303. size_t olen;
  304. mbedtls_mpi T, T1, T2;
  305. /* Make sure we have private key info, prevent possible misuse */
  306. if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
  307. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  308. mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
  309. #if defined(MBEDTLS_THREADING_C)
  310. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  311. return( ret );
  312. #endif
  313. MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
  314. if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
  315. {
  316. ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
  317. goto cleanup;
  318. }
  319. if( f_rng != NULL )
  320. {
  321. /*
  322. * Blinding
  323. * T = T * Vi mod N
  324. */
  325. MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
  326. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
  327. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
  328. }
  329. #if defined(MBEDTLS_RSA_NO_CRT)
  330. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
  331. #else
  332. /*
  333. * faster decryption using the CRT
  334. *
  335. * T1 = input ^ dP mod P
  336. * T2 = input ^ dQ mod Q
  337. */
  338. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
  339. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
  340. /*
  341. * T = (T1 - T2) * (Q^-1 mod P) mod P
  342. */
  343. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
  344. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
  345. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
  346. /*
  347. * T = T2 + T * Q
  348. */
  349. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
  350. MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
  351. #endif /* MBEDTLS_RSA_NO_CRT */
  352. if( f_rng != NULL )
  353. {
  354. /*
  355. * Unblind
  356. * T = T * Vf mod N
  357. */
  358. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
  359. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
  360. }
  361. olen = ctx->len;
  362. MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
  363. cleanup:
  364. #if defined(MBEDTLS_THREADING_C)
  365. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  366. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  367. #endif
  368. mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
  369. if( ret != 0 )
  370. return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
  371. return( 0 );
  372. }
  373. #if defined(MBEDTLS_PKCS1_V21) || defined(MBEDTLS_PKCS1_V15)
  374. /**
  375. * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
  376. *
  377. * \param dst buffer to mask
  378. * \param dlen length of destination buffer
  379. * \param src source of the mask generation
  380. * \param slen length of the source buffer
  381. * \param md_ctx message digest context to use
  382. */
  383. static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
  384. size_t slen, mbedtls_md_context_t *md_ctx )
  385. {
  386. unsigned char mask[MBEDTLS_MD_MAX_SIZE];
  387. unsigned char counter[4];
  388. unsigned char *p;
  389. unsigned int hlen;
  390. size_t i, use_len;
  391. memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
  392. memset( counter, 0, 4 );
  393. hlen = mbedtls_md_get_size( md_ctx->md_info );
  394. /* Generate and apply dbMask */
  395. p = dst;
  396. while( dlen > 0 )
  397. {
  398. use_len = hlen;
  399. if( dlen < hlen )
  400. use_len = dlen;
  401. mbedtls_md_starts( md_ctx );
  402. mbedtls_md_update( md_ctx, src, slen );
  403. mbedtls_md_update( md_ctx, counter, 4 );
  404. mbedtls_md_finish( md_ctx, mask );
  405. for( i = 0; i < use_len; ++i )
  406. *p++ ^= mask[i];
  407. counter[3]++;
  408. dlen -= use_len;
  409. }
  410. }
  411. #endif /* MBEDTLS_PKCS1_V21 */
  412. #if defined(MBEDTLS_PKCS1_V21)
  413. /*
  414. * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
  415. */
  416. int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
  417. int (*f_rng)(void *, unsigned char *, size_t),
  418. void *p_rng,
  419. int mode,
  420. const unsigned char *label, size_t label_len,
  421. size_t ilen,
  422. const unsigned char *input,
  423. unsigned char *output )
  424. {
  425. size_t olen;
  426. int ret;
  427. unsigned char *p = output;
  428. unsigned int hlen;
  429. const mbedtls_md_info_t *md_info;
  430. mbedtls_md_context_t md_ctx;
  431. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  432. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  433. if( f_rng == NULL )
  434. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  435. md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
  436. if( md_info == NULL )
  437. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  438. olen = ctx->len;
  439. hlen = mbedtls_md_get_size( md_info );
  440. /* first comparison checks for overflow */
  441. if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
  442. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  443. memset( output, 0, olen );
  444. *p++ = 0;
  445. /* Generate a random octet string seed */
  446. if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
  447. return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
  448. p += hlen;
  449. /* Construct DB */
  450. mbedtls_md( md_info, label, label_len, p );
  451. p += hlen;
  452. p += olen - 2 * hlen - 2 - ilen;
  453. *p++ = 1;
  454. memcpy( p, input, ilen );
  455. mbedtls_md_init( &md_ctx );
  456. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  457. {
  458. mbedtls_md_free( &md_ctx );
  459. return( ret );
  460. }
  461. /* maskedDB: Apply dbMask to DB */
  462. mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
  463. &md_ctx );
  464. /* maskedSeed: Apply seedMask to seed */
  465. mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
  466. &md_ctx );
  467. mbedtls_md_free( &md_ctx );
  468. return( ( mode == MBEDTLS_RSA_PUBLIC )
  469. ? mbedtls_rsa_public( ctx, output, output )
  470. : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
  471. }
  472. #endif /* MBEDTLS_PKCS1_V21 */
  473. #if defined(MBEDTLS_PKCS1_V15)
  474. /*
  475. * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
  476. */
  477. int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
  478. int (*f_rng)(void *, unsigned char *, size_t),
  479. void *p_rng,
  480. int mode, size_t ilen,
  481. const unsigned char *input,
  482. unsigned char *output )
  483. {
  484. size_t nb_pad, olen;
  485. int ret;
  486. unsigned char *p = output;
  487. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  488. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  489. // We don't check p_rng because it won't be dereferenced here
  490. if( f_rng == NULL || input == NULL || output == NULL )
  491. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  492. olen = ctx->len;
  493. /* first comparison checks for overflow */
  494. if( ilen + 11 < ilen || olen < ilen + 11 )
  495. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  496. nb_pad = olen - 3 - ilen;
  497. *p++ = 0;
  498. if( mode == MBEDTLS_RSA_PUBLIC )
  499. {
  500. *p++ = MBEDTLS_RSA_CRYPT;
  501. while( nb_pad-- > 0 )
  502. {
  503. int rng_dl = 100;
  504. do {
  505. ret = f_rng( p_rng, p, 1 );
  506. } while( *p == 0 && --rng_dl && ret == 0 );
  507. /* Check if RNG failed to generate data */
  508. if( rng_dl == 0 || ret != 0 )
  509. return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
  510. p++;
  511. }
  512. }
  513. else
  514. {
  515. *p++ = MBEDTLS_RSA_SIGN;
  516. while( nb_pad-- > 0 )
  517. *p++ = 0xFF;
  518. }
  519. *p++ = 0;
  520. memcpy( p, input, ilen );
  521. return( ( mode == MBEDTLS_RSA_PUBLIC )
  522. ? mbedtls_rsa_public( ctx, output, output )
  523. : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
  524. }
  525. #endif /* MBEDTLS_PKCS1_V15 */
  526. #ifdef MBEDTLS_PKCS1
  527. /*
  528. * Add the message padding, then do an RSA operation
  529. */
  530. int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
  531. int (*f_rng)(void *, unsigned char *, size_t),
  532. void *p_rng,
  533. int mode, size_t ilen,
  534. const unsigned char *input,
  535. unsigned char *output )
  536. {
  537. switch( ctx->padding )
  538. {
  539. #if defined(MBEDTLS_PKCS1_V15)
  540. case MBEDTLS_RSA_PKCS_V15:
  541. return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
  542. input, output );
  543. #endif
  544. #if defined(MBEDTLS_PKCS1_V21)
  545. case MBEDTLS_RSA_PKCS_V21:
  546. return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
  547. ilen, input, output );
  548. #endif
  549. default:
  550. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  551. }
  552. }
  553. #endif /* MBEDTLS_PKCS1 */
  554. #if defined(MBEDTLS_PKCS1_V21)
  555. /*
  556. * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
  557. */
  558. int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  559. int (*f_rng)(void *, unsigned char *, size_t),
  560. void *p_rng,
  561. int mode,
  562. const unsigned char *label, size_t label_len,
  563. size_t *olen,
  564. const unsigned char *input,
  565. unsigned char *output,
  566. size_t output_max_len )
  567. {
  568. int ret;
  569. size_t ilen, i, pad_len;
  570. unsigned char *p, bad, pad_done;
  571. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  572. unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
  573. unsigned int hlen;
  574. const mbedtls_md_info_t *md_info;
  575. mbedtls_md_context_t md_ctx;
  576. /*
  577. * Parameters sanity checks
  578. */
  579. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  580. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  581. ilen = ctx->len;
  582. if( ilen < 16 || ilen > sizeof( buf ) )
  583. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  584. md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
  585. if( md_info == NULL )
  586. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  587. hlen = mbedtls_md_get_size( md_info );
  588. // checking for integer underflow
  589. if( 2 * hlen + 2 > ilen )
  590. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  591. /*
  592. * RSA operation
  593. */
  594. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  595. ? mbedtls_rsa_public( ctx, input, buf )
  596. : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
  597. if( ret != 0 )
  598. return( ret );
  599. /*
  600. * Unmask data and generate lHash
  601. */
  602. mbedtls_md_init( &md_ctx );
  603. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  604. {
  605. mbedtls_md_free( &md_ctx );
  606. return( ret );
  607. }
  608. /* Generate lHash */
  609. mbedtls_md( md_info, label, label_len, lhash );
  610. /* seed: Apply seedMask to maskedSeed */
  611. mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
  612. &md_ctx );
  613. /* DB: Apply dbMask to maskedDB */
  614. mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
  615. &md_ctx );
  616. mbedtls_md_free( &md_ctx );
  617. /*
  618. * Check contents, in "constant-time"
  619. */
  620. p = buf;
  621. bad = 0;
  622. bad |= *p++; /* First byte must be 0 */
  623. p += hlen; /* Skip seed */
  624. /* Check lHash */
  625. for( i = 0; i < hlen; i++ )
  626. bad |= lhash[i] ^ *p++;
  627. /* Get zero-padding len, but always read till end of buffer
  628. * (minus one, for the 01 byte) */
  629. pad_len = 0;
  630. pad_done = 0;
  631. for( i = 0; i < ilen - 2 * hlen - 2; i++ )
  632. {
  633. pad_done |= p[i];
  634. pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
  635. }
  636. p += pad_len;
  637. bad |= *p++ ^ 0x01;
  638. /*
  639. * The only information "leaked" is whether the padding was correct or not
  640. * (eg, no data is copied if it was not correct). This meets the
  641. * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
  642. * the different error conditions.
  643. */
  644. if( bad != 0 )
  645. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  646. if( ilen - ( p - buf ) > output_max_len )
  647. return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
  648. *olen = ilen - (p - buf);
  649. memcpy( output, p, *olen );
  650. return( 0 );
  651. }
  652. #endif /* MBEDTLS_PKCS1_V21 */
  653. #if defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V15_BASIC)
  654. /*
  655. * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
  656. */
  657. int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
  658. int (*f_rng)(void *, unsigned char *, size_t),
  659. void *p_rng,
  660. int mode, size_t *olen,
  661. const unsigned char *input,
  662. unsigned char *output,
  663. size_t output_max_len)
  664. {
  665. int ret;
  666. size_t ilen, pad_count = 0, i;
  667. unsigned char *p, bad, pad_done = 0;
  668. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  669. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  670. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  671. ilen = ctx->len;
  672. if( ilen < 16 || ilen > sizeof( buf ) )
  673. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  674. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  675. ? mbedtls_rsa_public( ctx, input, buf )
  676. : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
  677. if( ret != 0 )
  678. return( ret );
  679. p = buf;
  680. bad = 0;
  681. /*
  682. * Check and get padding len in "constant-time"
  683. */
  684. bad |= *p++; /* First byte must be 0 */
  685. /* This test does not depend on secret data */
  686. if( mode == MBEDTLS_RSA_PRIVATE )
  687. {
  688. bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
  689. /* Get padding len, but always read till end of buffer
  690. * (minus one, for the 00 byte) */
  691. for( i = 0; i < ilen - 3; i++ )
  692. {
  693. pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
  694. pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
  695. }
  696. p += pad_count;
  697. bad |= *p++; /* Must be zero */
  698. }
  699. else
  700. {
  701. bad |= *p++ ^ MBEDTLS_RSA_SIGN;
  702. /* Get padding len, but always read till end of buffer
  703. * (minus one, for the 00 byte) */
  704. for( i = 0; i < ilen - 3; i++ )
  705. {
  706. pad_done |= ( p[i] != 0xFF );
  707. pad_count += ( pad_done == 0 );
  708. }
  709. p += pad_count;
  710. bad |= *p++; /* Must be zero */
  711. }
  712. bad |= ( pad_count < 8 );
  713. if( bad )
  714. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  715. if( ilen - ( p - buf ) > output_max_len )
  716. return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
  717. *olen = ilen - (p - buf);
  718. memcpy( output, p, *olen );
  719. return( 0 );
  720. }
  721. #endif /* MBEDTLS_PKCS1_V15 */
  722. #ifdef MBEDTLS_PKCS1
  723. /*
  724. * Do an RSA operation, then remove the message padding
  725. */
  726. int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
  727. int (*f_rng)(void *, unsigned char *, size_t),
  728. void *p_rng,
  729. int mode, size_t *olen,
  730. const unsigned char *input,
  731. unsigned char *output,
  732. size_t output_max_len)
  733. {
  734. switch( ctx->padding )
  735. {
  736. #if defined(MBEDTLS_PKCS1_V15)
  737. case MBEDTLS_RSA_PKCS_V15:
  738. return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
  739. input, output, output_max_len );
  740. #endif
  741. #if defined(MBEDTLS_PKCS1_V21)
  742. case MBEDTLS_RSA_PKCS_V21:
  743. return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
  744. olen, input, output,
  745. output_max_len );
  746. #endif
  747. default:
  748. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  749. }
  750. }
  751. #endif /* MBEDTLS_PKCS1 */
  752. #if defined(MBEDTLS_PKCS1_V21)
  753. /*
  754. * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
  755. */
  756. int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  757. int (*f_rng)(void *, unsigned char *, size_t),
  758. void *p_rng,
  759. int mode,
  760. mbedtls_md_type_t md_alg,
  761. unsigned int hashlen,
  762. const unsigned char *hash,
  763. unsigned char *sig )
  764. {
  765. size_t olen;
  766. unsigned char *p = sig;
  767. unsigned char salt[MBEDTLS_MD_MAX_SIZE];
  768. unsigned int slen, hlen, offset = 0;
  769. int ret;
  770. size_t msb;
  771. const mbedtls_md_info_t *md_info;
  772. mbedtls_md_context_t md_ctx;
  773. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  774. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  775. if( f_rng == NULL )
  776. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  777. olen = ctx->len;
  778. if( md_alg != MBEDTLS_MD_NONE )
  779. {
  780. /* Gather length of hash to sign */
  781. md_info = mbedtls_md_info_from_type( md_alg );
  782. if( md_info == NULL )
  783. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  784. hashlen = mbedtls_md_get_size( md_info );
  785. }
  786. md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
  787. if( md_info == NULL )
  788. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  789. hlen = mbedtls_md_get_size( md_info );
  790. slen = hlen;
  791. if( olen < hlen + slen + 2 )
  792. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  793. memset( sig, 0, olen );
  794. /* Generate salt of length slen */
  795. if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
  796. return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
  797. /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
  798. msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
  799. p += olen - hlen * 2 - 2;
  800. *p++ = 0x01;
  801. memcpy( p, salt, slen );
  802. p += slen;
  803. mbedtls_md_init( &md_ctx );
  804. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  805. {
  806. mbedtls_md_free( &md_ctx );
  807. return( ret );
  808. }
  809. /* Generate H = Hash( M' ) */
  810. mbedtls_md_starts( &md_ctx );
  811. mbedtls_md_update( &md_ctx, p, 8 );
  812. mbedtls_md_update( &md_ctx, hash, hashlen );
  813. mbedtls_md_update( &md_ctx, salt, slen );
  814. mbedtls_md_finish( &md_ctx, p );
  815. /* Compensate for boundary condition when applying mask */
  816. if( msb % 8 == 0 )
  817. offset = 1;
  818. /* maskedDB: Apply dbMask to DB */
  819. mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
  820. mbedtls_md_free( &md_ctx );
  821. msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
  822. sig[0] &= 0xFF >> ( olen * 8 - msb );
  823. p += hlen;
  824. *p++ = 0xBC;
  825. return( ( mode == MBEDTLS_RSA_PUBLIC )
  826. ? mbedtls_rsa_public( ctx, sig, sig )
  827. : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
  828. }
  829. #endif /* MBEDTLS_PKCS1_V21 */
  830. #if defined(MBEDTLS_PKCS1_V15)
  831. /*
  832. * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
  833. */
  834. /*
  835. * Do an RSA operation to sign the message digest
  836. */
  837. int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  838. int (*f_rng)(void *, unsigned char *, size_t),
  839. void *p_rng,
  840. int mode,
  841. mbedtls_md_type_t md_alg,
  842. unsigned int hashlen,
  843. const unsigned char *hash,
  844. unsigned char *sig )
  845. {
  846. size_t nb_pad, olen, oid_size = 0;
  847. unsigned char *p = sig;
  848. const char *oid = NULL;
  849. unsigned char *sig_try = NULL, *verif = NULL;
  850. size_t i;
  851. unsigned char diff;
  852. volatile unsigned char diff_no_optimize;
  853. int ret;
  854. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  855. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  856. olen = ctx->len;
  857. nb_pad = olen - 3;
  858. if( md_alg != MBEDTLS_MD_NONE )
  859. {
  860. const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
  861. if( md_info == NULL )
  862. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  863. if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
  864. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  865. nb_pad -= 10 + oid_size;
  866. hashlen = mbedtls_md_get_size( md_info );
  867. }
  868. nb_pad -= hashlen;
  869. if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
  870. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  871. *p++ = 0;
  872. *p++ = MBEDTLS_RSA_SIGN;
  873. memset( p, 0xFF, nb_pad );
  874. p += nb_pad;
  875. *p++ = 0;
  876. if( md_alg == MBEDTLS_MD_NONE )
  877. {
  878. memcpy( p, hash, hashlen );
  879. }
  880. else
  881. {
  882. /*
  883. * DigestInfo ::= SEQUENCE {
  884. * digestAlgorithm DigestAlgorithmIdentifier,
  885. * digest Digest }
  886. *
  887. * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
  888. *
  889. * Digest ::= OCTET STRING
  890. */
  891. *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
  892. *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
  893. *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
  894. *p++ = (unsigned char) ( 0x04 + oid_size );
  895. *p++ = MBEDTLS_ASN1_OID;
  896. *p++ = oid_size & 0xFF;
  897. memcpy( p, oid, oid_size );
  898. p += oid_size;
  899. *p++ = MBEDTLS_ASN1_NULL;
  900. *p++ = 0x00;
  901. *p++ = MBEDTLS_ASN1_OCTET_STRING;
  902. *p++ = hashlen;
  903. memcpy( p, hash, hashlen );
  904. }
  905. if( mode == MBEDTLS_RSA_PUBLIC )
  906. return( mbedtls_rsa_public( ctx, sig, sig ) );
  907. /*
  908. * In order to prevent Lenstra's attack, make the signature in a
  909. * temporary buffer and check it before returning it.
  910. */
  911. sig_try = mbedtls_calloc( 1, ctx->len );
  912. if( sig_try == NULL )
  913. return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
  914. verif = mbedtls_calloc( 1, ctx->len );
  915. if( verif == NULL )
  916. {
  917. mbedtls_free( sig_try );
  918. return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
  919. }
  920. MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
  921. MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
  922. /* Compare in constant time just in case */
  923. for( diff = 0, i = 0; i < ctx->len; i++ )
  924. diff |= verif[i] ^ sig[i];
  925. diff_no_optimize = diff;
  926. if( diff_no_optimize != 0 )
  927. {
  928. ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
  929. goto cleanup;
  930. }
  931. memcpy( sig, sig_try, ctx->len );
  932. cleanup:
  933. mbedtls_free( sig_try );
  934. mbedtls_free( verif );
  935. return( ret );
  936. }
  937. #endif /* MBEDTLS_PKCS1_V15 */
  938. #ifdef MBEDTLS_PKCS1
  939. /*
  940. * Do an RSA operation to sign the message digest
  941. */
  942. int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  943. int (*f_rng)(void *, unsigned char *, size_t),
  944. void *p_rng,
  945. int mode,
  946. mbedtls_md_type_t md_alg,
  947. unsigned int hashlen,
  948. const unsigned char *hash,
  949. unsigned char *sig )
  950. {
  951. switch( ctx->padding )
  952. {
  953. #if defined(MBEDTLS_PKCS1_V15)
  954. case MBEDTLS_RSA_PKCS_V15:
  955. return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
  956. hashlen, hash, sig );
  957. #endif
  958. #if defined(MBEDTLS_PKCS1_V21)
  959. case MBEDTLS_RSA_PKCS_V21:
  960. return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
  961. hashlen, hash, sig );
  962. #endif
  963. default:
  964. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  965. }
  966. }
  967. /*
  968. * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
  969. */
  970. int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
  971. int (*f_rng)(void *, unsigned char *, size_t),
  972. void *p_rng,
  973. int mode,
  974. mbedtls_md_type_t md_alg,
  975. unsigned int hashlen,
  976. const unsigned char *hash,
  977. mbedtls_md_type_t mgf1_hash_id,
  978. int expected_salt_len,
  979. const unsigned char *sig )
  980. {
  981. int ret;
  982. size_t siglen;
  983. unsigned char *p;
  984. unsigned char result[MBEDTLS_MD_MAX_SIZE];
  985. unsigned char zeros[8];
  986. unsigned int hlen;
  987. size_t slen, msb;
  988. const mbedtls_md_info_t *md_info;
  989. mbedtls_md_context_t md_ctx;
  990. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  991. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  992. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  993. siglen = ctx->len;
  994. if( siglen < 16 || siglen > sizeof( buf ) )
  995. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  996. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  997. ? mbedtls_rsa_public( ctx, sig, buf )
  998. : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
  999. if( ret != 0 )
  1000. return( ret );
  1001. p = buf;
  1002. if( buf[siglen - 1] != 0xBC )
  1003. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1004. if( md_alg != MBEDTLS_MD_NONE )
  1005. {
  1006. /* Gather length of hash to sign */
  1007. md_info = mbedtls_md_info_from_type( md_alg );
  1008. if( md_info == NULL )
  1009. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1010. hashlen = mbedtls_md_get_size( md_info );
  1011. }
  1012. md_info = mbedtls_md_info_from_type( mgf1_hash_id );
  1013. if( md_info == NULL )
  1014. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1015. hlen = mbedtls_md_get_size( md_info );
  1016. slen = siglen - hlen - 1; /* Currently length of salt + padding */
  1017. memset( zeros, 0, 8 );
  1018. /*
  1019. * Note: EMSA-PSS verification is over the length of N - 1 bits
  1020. */
  1021. msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
  1022. /* Compensate for boundary condition when applying mask */
  1023. if( msb % 8 == 0 )
  1024. {
  1025. p++;
  1026. siglen -= 1;
  1027. }
  1028. if( buf[0] >> ( 8 - siglen * 8 + msb ) )
  1029. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1030. mbedtls_md_init( &md_ctx );
  1031. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  1032. {
  1033. mbedtls_md_free( &md_ctx );
  1034. return( ret );
  1035. }
  1036. mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
  1037. buf[0] &= 0xFF >> ( siglen * 8 - msb );
  1038. while( p < buf + siglen && *p == 0 )
  1039. p++;
  1040. if( p == buf + siglen ||
  1041. *p++ != 0x01 )
  1042. {
  1043. mbedtls_md_free( &md_ctx );
  1044. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1045. }
  1046. /* Actual salt len */
  1047. slen -= p - buf;
  1048. if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
  1049. slen != (size_t) expected_salt_len )
  1050. {
  1051. mbedtls_md_free( &md_ctx );
  1052. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1053. }
  1054. /*
  1055. * Generate H = Hash( M' )
  1056. */
  1057. mbedtls_md_starts( &md_ctx );
  1058. mbedtls_md_update( &md_ctx, zeros, 8 );
  1059. mbedtls_md_update( &md_ctx, hash, hashlen );
  1060. mbedtls_md_update( &md_ctx, p, slen );
  1061. mbedtls_md_finish( &md_ctx, result );
  1062. mbedtls_md_free( &md_ctx );
  1063. if( memcmp( p + slen, result, hlen ) == 0 )
  1064. return( 0 );
  1065. else
  1066. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1067. }
  1068. /*
  1069. * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
  1070. */
  1071. int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
  1072. int (*f_rng)(void *, unsigned char *, size_t),
  1073. void *p_rng,
  1074. int mode,
  1075. mbedtls_md_type_t md_alg,
  1076. unsigned int hashlen,
  1077. const unsigned char *hash,
  1078. const unsigned char *sig )
  1079. {
  1080. mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
  1081. ? (mbedtls_md_type_t) ctx->hash_id
  1082. : md_alg;
  1083. return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
  1084. md_alg, hashlen, hash,
  1085. mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
  1086. sig ) );
  1087. }
  1088. #endif /* MBEDTLS_PKCS1_V21 */
  1089. #if defined(MBEDTLS_PKCS1_V15)
  1090. /*
  1091. * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
  1092. */
  1093. int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
  1094. int (*f_rng)(void *, unsigned char *, size_t),
  1095. void *p_rng,
  1096. int mode,
  1097. mbedtls_md_type_t md_alg,
  1098. unsigned int hashlen,
  1099. const unsigned char *hash,
  1100. const unsigned char *sig )
  1101. {
  1102. int ret;
  1103. size_t len, siglen, asn1_len;
  1104. unsigned char *p, *end;
  1105. mbedtls_md_type_t msg_md_alg;
  1106. const mbedtls_md_info_t *md_info;
  1107. mbedtls_asn1_buf oid;
  1108. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  1109. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  1110. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1111. siglen = ctx->len;
  1112. if( siglen < 16 || siglen > sizeof( buf ) )
  1113. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1114. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  1115. ? mbedtls_rsa_public( ctx, sig, buf )
  1116. : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
  1117. if( ret != 0 )
  1118. return( ret );
  1119. p = buf;
  1120. if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )
  1121. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1122. while( *p != 0 )
  1123. {
  1124. if( p >= buf + siglen - 1 || *p != 0xFF )
  1125. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1126. p++;
  1127. }
  1128. p++;
  1129. len = siglen - ( p - buf );
  1130. if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
  1131. {
  1132. if( memcmp( p, hash, hashlen ) == 0 )
  1133. return( 0 );
  1134. else
  1135. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1136. }
  1137. md_info = mbedtls_md_info_from_type( md_alg );
  1138. if( md_info == NULL )
  1139. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1140. hashlen = mbedtls_md_get_size( md_info );
  1141. end = p + len;
  1142. /*
  1143. * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
  1144. */
  1145. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
  1146. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  1147. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1148. if( asn1_len + 2 != len )
  1149. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1150. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
  1151. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  1152. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1153. if( asn1_len + 6 + hashlen != len )
  1154. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1155. if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
  1156. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1157. oid.p = p;
  1158. p += oid.len;
  1159. if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
  1160. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1161. if( md_alg != msg_md_alg )
  1162. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1163. /*
  1164. * assume the algorithm parameters must be NULL
  1165. */
  1166. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
  1167. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1168. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
  1169. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1170. if( asn1_len != hashlen )
  1171. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1172. if( memcmp( p, hash, hashlen ) != 0 )
  1173. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1174. p += hashlen;
  1175. if( p != end )
  1176. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1177. return( 0 );
  1178. }
  1179. #endif /* MBEDTLS_PKCS1_V15 */
  1180. #ifdef MBEDTLS_PKCS1
  1181. /*
  1182. * Do an RSA operation and check the message digest
  1183. */
  1184. int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
  1185. int (*f_rng)(void *, unsigned char *, size_t),
  1186. void *p_rng,
  1187. int mode,
  1188. mbedtls_md_type_t md_alg,
  1189. unsigned int hashlen,
  1190. const unsigned char *hash,
  1191. const unsigned char *sig )
  1192. {
  1193. switch( ctx->padding )
  1194. {
  1195. #if defined(MBEDTLS_PKCS1_V15)
  1196. case MBEDTLS_RSA_PKCS_V15:
  1197. return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
  1198. hashlen, hash, sig );
  1199. #endif
  1200. #if defined(MBEDTLS_PKCS1_V21)
  1201. case MBEDTLS_RSA_PKCS_V21:
  1202. return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
  1203. hashlen, hash, sig );
  1204. #endif
  1205. default:
  1206. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1207. }
  1208. }
  1209. #endif /* MBEDTLS_PKCS1 */
  1210. /*
  1211. * Copy the components of an RSA key
  1212. */
  1213. int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
  1214. {
  1215. int ret;
  1216. dst->ver = src->ver;
  1217. dst->len = src->len;
  1218. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
  1219. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
  1220. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
  1221. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
  1222. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
  1223. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
  1224. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
  1225. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
  1226. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
  1227. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
  1228. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
  1229. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
  1230. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
  1231. dst->padding = src->padding;
  1232. dst->hash_id = src->hash_id;
  1233. cleanup:
  1234. if( ret != 0 )
  1235. mbedtls_rsa_free( dst );
  1236. return( ret );
  1237. }
  1238. /*
  1239. * Free the components of an RSA key
  1240. */
  1241. void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
  1242. {
  1243. mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
  1244. mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
  1245. mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
  1246. mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
  1247. mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
  1248. #if defined(MBEDTLS_THREADING_C)
  1249. mbedtls_mutex_free( &ctx->mutex );
  1250. #endif
  1251. }
  1252. #if defined(MBEDTLS_SELF_TEST)
  1253. #include "mbedtls/sha1.h"
  1254. /*
  1255. * Example RSA-1024 keypair, for test purposes
  1256. */
  1257. #define KEY_LEN 128
  1258. #define RSA_N "9292758453063D803DD603D5E777D788" \
  1259. "8ED1D5BF35786190FA2F23EBC0848AEA" \
  1260. "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
  1261. "7130B9CED7ACDF54CFC7555AC14EEBAB" \
  1262. "93A89813FBF3C4F8066D2D800F7C38A8" \
  1263. "1AE31942917403FF4946B0A83D3D3E05" \
  1264. "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
  1265. "5E94BB77B07507233A0BC7BAC8F90F79"
  1266. #define RSA_E "10001"
  1267. #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
  1268. "66CA472BC44D253102F8B4A9D3BFA750" \
  1269. "91386C0077937FE33FA3252D28855837" \
  1270. "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
  1271. "DF79C5CE07EE72C7F123142198164234" \
  1272. "CABB724CF78B8173B9F880FC86322407" \
  1273. "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
  1274. "071513A1E85B5DFA031F21ECAE91A34D"
  1275. #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
  1276. "2C01CAD19EA484A87EA4377637E75500" \
  1277. "FCB2005C5C7DD6EC4AC023CDA285D796" \
  1278. "C3D9E75E1EFC42488BB4F1D13AC30A57"
  1279. #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
  1280. "E211C2B9E5DB1ED0BF61D0D9899620F4" \
  1281. "910E4168387E3C30AA1E00C339A79508" \
  1282. "8452DD96A9A5EA5D9DCA68DA636032AF"
  1283. #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
  1284. "3C94D22288ACD763FD8E5600ED4A702D" \
  1285. "F84198A5F06C2E72236AE490C93F07F8" \
  1286. "3CC559CD27BC2D1CA488811730BB5725"
  1287. #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
  1288. "D8AAEA56749EA28623272E4F7D0592AF" \
  1289. "7C1F1313CAC9471B5C523BFE592F517B" \
  1290. "407A1BD76C164B93DA2D32A383E58357"
  1291. #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
  1292. "F38D18D2B2F0E2DD275AA977E2BF4411" \
  1293. "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
  1294. "A74206CEC169D74BF5A8C50D6F48EA08"
  1295. #define PT_LEN 24
  1296. #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
  1297. "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
  1298. #if defined(MBEDTLS_PKCS1_V15)
  1299. static int myrand( void *rng_state, unsigned char *output, size_t len )
  1300. {
  1301. #if !defined(__OpenBSD__)
  1302. size_t i;
  1303. if( rng_state != NULL )
  1304. rng_state = NULL;
  1305. for( i = 0; i < len; ++i )
  1306. output[i] = rand();
  1307. #else
  1308. if( rng_state != NULL )
  1309. rng_state = NULL;
  1310. arc4random_buf( output, len );
  1311. #endif /* !OpenBSD */
  1312. return( 0 );
  1313. }
  1314. #endif /* MBEDTLS_PKCS1_V15 */
  1315. /*
  1316. * Checkup routine
  1317. */
  1318. int mbedtls_rsa_self_test( int verbose )
  1319. {
  1320. int ret = 0;
  1321. #if defined(MBEDTLS_PKCS1_V15)
  1322. size_t len;
  1323. mbedtls_rsa_context rsa;
  1324. unsigned char rsa_plaintext[PT_LEN];
  1325. unsigned char rsa_decrypted[PT_LEN];
  1326. unsigned char rsa_ciphertext[KEY_LEN];
  1327. #if defined(MBEDTLS_SHA1_C)
  1328. unsigned char sha1sum[20];
  1329. #endif
  1330. mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
  1331. rsa.len = KEY_LEN;
  1332. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
  1333. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
  1334. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
  1335. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
  1336. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
  1337. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
  1338. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
  1339. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
  1340. if( verbose != 0 )
  1341. mbedtls_printf( " RSA key validation: " );
  1342. if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
  1343. mbedtls_rsa_check_privkey( &rsa ) != 0 )
  1344. {
  1345. if( verbose != 0 )
  1346. mbedtls_printf( "failed\n" );
  1347. return( 1 );
  1348. }
  1349. if( verbose != 0 )
  1350. mbedtls_printf( "passed\n PKCS#1 encryption : " );
  1351. memcpy( rsa_plaintext, RSA_PT, PT_LEN );
  1352. if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
  1353. rsa_plaintext, rsa_ciphertext ) != 0 )
  1354. {
  1355. if( verbose != 0 )
  1356. mbedtls_printf( "failed\n" );
  1357. return( 1 );
  1358. }
  1359. if( verbose != 0 )
  1360. mbedtls_printf( "passed\n PKCS#1 decryption : " );
  1361. if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
  1362. rsa_ciphertext, rsa_decrypted,
  1363. sizeof(rsa_decrypted) ) != 0 )
  1364. {
  1365. if( verbose != 0 )
  1366. mbedtls_printf( "failed\n" );
  1367. return( 1 );
  1368. }
  1369. if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
  1370. {
  1371. if( verbose != 0 )
  1372. mbedtls_printf( "failed\n" );
  1373. return( 1 );
  1374. }
  1375. if( verbose != 0 )
  1376. mbedtls_printf( "passed\n" );
  1377. #if defined(MBEDTLS_SHA1_C)
  1378. if( verbose != 0 )
  1379. mbedtls_printf( " PKCS#1 data sign : " );
  1380. mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
  1381. if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
  1382. sha1sum, rsa_ciphertext ) != 0 )
  1383. {
  1384. if( verbose != 0 )
  1385. mbedtls_printf( "failed\n" );
  1386. return( 1 );
  1387. }
  1388. if( verbose != 0 )
  1389. mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
  1390. if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
  1391. sha1sum, rsa_ciphertext ) != 0 )
  1392. {
  1393. if( verbose != 0 )
  1394. mbedtls_printf( "failed\n" );
  1395. return( 1 );
  1396. }
  1397. if( verbose != 0 )
  1398. mbedtls_printf( "passed\n" );
  1399. #endif /* MBEDTLS_SHA1_C */
  1400. if( verbose != 0 )
  1401. mbedtls_printf( "\n" );
  1402. cleanup:
  1403. mbedtls_rsa_free( &rsa );
  1404. #else /* MBEDTLS_PKCS1_V15 */
  1405. ((void) verbose);
  1406. #endif /* MBEDTLS_PKCS1_V15 */
  1407. return( ret );
  1408. }
  1409. #endif /* MBEDTLS_SELF_TEST */
  1410. #endif /* MBEDTLS_RSA_C */