rsa.c 50 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735
  1. /*
  2. * The RSA public-key cryptosystem
  3. *
  4. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. *
  19. * This file is part of mbed TLS (https://tls.mbed.org)
  20. */
  21. /*
  22. * The following sources were referenced in the design of this implementation
  23. * of the RSA algorithm:
  24. *
  25. * [1] A method for obtaining digital signatures and public-key cryptosystems
  26. * R Rivest, A Shamir, and L Adleman
  27. * http://people.csail.mit.edu/rivest/pubs.html#RSA78
  28. *
  29. * [2] Handbook of Applied Cryptography - 1997, Chapter 8
  30. * Menezes, van Oorschot and Vanstone
  31. *
  32. */
  33. #if !defined(MBEDTLS_CONFIG_FILE)
  34. #include "mbedtls/config.h"
  35. #else
  36. #include MBEDTLS_CONFIG_FILE
  37. #endif
  38. #if defined(MBEDTLS_RSA_C)
  39. #include "mbedtls/rsa.h"
  40. #ifdef MBEDTLS_PKCS1_V15
  41. #include "mbedtls/oid.h"
  42. #endif
  43. #if defined(MBEDTLS_PKCS1_V21)
  44. #include "mbedtls/md.h"
  45. #endif
  46. #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
  47. #include <stdlib.h>
  48. #endif
  49. #if defined(MBEDTLS_PLATFORM_C)
  50. #include "mbedtls/platform.h"
  51. #else
  52. #include <stdio.h>
  53. #include <string.h>
  54. #define mbedtls_printf printf
  55. #define mbedtls_calloc calloc
  56. #define mbedtls_free free
  57. #endif
  58. /*
  59. * Initialize an RSA context
  60. */
  61. void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
  62. int padding,
  63. int hash_id )
  64. {
  65. memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
  66. mbedtls_rsa_set_padding( ctx, padding, hash_id );
  67. #if defined(MBEDTLS_THREADING_C)
  68. mbedtls_mutex_init( &ctx->mutex );
  69. #endif
  70. }
  71. /*
  72. * Set padding for an existing RSA context
  73. */
  74. void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
  75. {
  76. ctx->padding = padding;
  77. ctx->hash_id = hash_id;
  78. }
  79. #if defined(MBEDTLS_GENPRIME)
  80. /*
  81. * Generate an RSA keypair
  82. */
  83. int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
  84. int (*f_rng)(void *, unsigned char *, size_t),
  85. void *p_rng,
  86. unsigned int nbits, int exponent )
  87. {
  88. int ret;
  89. mbedtls_mpi P1, Q1, H, G;
  90. if( f_rng == NULL || nbits < 128 || exponent < 3 )
  91. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  92. if( nbits % 2 )
  93. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  94. mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
  95. mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
  96. /*
  97. * find primes P and Q with Q < P so that:
  98. * GCD( E, (P-1)*(Q-1) ) == 1
  99. */
  100. MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
  101. do
  102. {
  103. MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
  104. f_rng, p_rng ) );
  105. MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
  106. f_rng, p_rng ) );
  107. if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
  108. continue;
  109. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
  110. if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
  111. continue;
  112. if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
  113. mbedtls_mpi_swap( &ctx->P, &ctx->Q );
  114. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
  115. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
  116. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
  117. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
  118. }
  119. while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
  120. /*
  121. * D = E^-1 mod ((P-1)*(Q-1))
  122. * DP = D mod (P - 1)
  123. * DQ = D mod (Q - 1)
  124. * QP = Q^-1 mod P
  125. */
  126. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
  127. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
  128. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
  129. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
  130. ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
  131. cleanup:
  132. mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
  133. if( ret != 0 )
  134. {
  135. mbedtls_rsa_free( ctx );
  136. return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
  137. }
  138. return( 0 );
  139. }
  140. #endif /* MBEDTLS_GENPRIME */
  141. /*
  142. * Check a public RSA key
  143. */
  144. int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
  145. {
  146. if( !ctx->N.p || !ctx->E.p )
  147. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  148. if( ( ctx->N.p[0] & 1 ) == 0 ||
  149. ( ctx->E.p[0] & 1 ) == 0 )
  150. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  151. if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
  152. mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
  153. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  154. if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
  155. mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
  156. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  157. return( 0 );
  158. }
  159. /*
  160. * Check a private RSA key
  161. */
  162. int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
  163. {
  164. int ret;
  165. mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
  166. if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
  167. return( ret );
  168. if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
  169. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  170. mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
  171. mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
  172. mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
  173. mbedtls_mpi_init( &QP );
  174. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
  175. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
  176. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
  177. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
  178. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
  179. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
  180. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
  181. MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
  182. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
  183. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
  184. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
  185. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
  186. /*
  187. * Check for a valid PKCS1v2 private key
  188. */
  189. if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
  190. mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
  191. mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
  192. mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
  193. mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||
  194. mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||
  195. mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
  196. {
  197. ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
  198. }
  199. cleanup:
  200. mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
  201. mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
  202. mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
  203. mbedtls_mpi_free( &QP );
  204. if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
  205. return( ret );
  206. if( ret != 0 )
  207. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
  208. return( 0 );
  209. }
  210. /*
  211. * Check if contexts holding a public and private key match
  212. */
  213. int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )
  214. {
  215. if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
  216. mbedtls_rsa_check_privkey( prv ) != 0 )
  217. {
  218. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  219. }
  220. if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
  221. mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
  222. {
  223. return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
  224. }
  225. return( 0 );
  226. }
  227. /*
  228. * Do an RSA public key operation
  229. */
  230. int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
  231. const unsigned char *input,
  232. unsigned char *output )
  233. {
  234. int ret;
  235. size_t olen;
  236. mbedtls_mpi T;
  237. mbedtls_mpi_init( &T );
  238. #if defined(MBEDTLS_THREADING_C)
  239. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  240. return( ret );
  241. #endif
  242. MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
  243. if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
  244. {
  245. ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
  246. goto cleanup;
  247. }
  248. olen = ctx->len;
  249. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
  250. MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
  251. cleanup:
  252. #if defined(MBEDTLS_THREADING_C)
  253. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  254. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  255. #endif
  256. mbedtls_mpi_free( &T );
  257. if( ret != 0 )
  258. return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
  259. return( 0 );
  260. }
  261. /*
  262. * Generate or update blinding values, see section 10 of:
  263. * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
  264. * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
  265. * Berlin Heidelberg, 1996. p. 104-113.
  266. */
  267. static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
  268. int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
  269. {
  270. int ret, count = 0;
  271. if( ctx->Vf.p != NULL )
  272. {
  273. /* We already have blinding values, just update them by squaring */
  274. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
  275. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
  276. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
  277. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
  278. goto cleanup;
  279. }
  280. /* Unblinding value: Vf = random number, invertible mod N */
  281. do {
  282. if( count++ > 10 )
  283. return( MBEDTLS_ERR_RSA_RNG_FAILED );
  284. MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
  285. MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
  286. } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
  287. /* Blinding value: Vi = Vf^(-e) mod N */
  288. MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
  289. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
  290. cleanup:
  291. return( ret );
  292. }
  293. /*
  294. * Do an RSA private key operation
  295. */
  296. int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
  297. int (*f_rng)(void *, unsigned char *, size_t),
  298. void *p_rng,
  299. const unsigned char *input,
  300. unsigned char *output )
  301. {
  302. int ret;
  303. size_t olen;
  304. mbedtls_mpi T, T1, T2;
  305. /* Make sure we have private key info, prevent possible misuse */
  306. if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
  307. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  308. mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
  309. #if defined(MBEDTLS_THREADING_C)
  310. if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
  311. return( ret );
  312. #endif
  313. MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
  314. if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
  315. {
  316. ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
  317. goto cleanup;
  318. }
  319. if( f_rng != NULL )
  320. {
  321. /*
  322. * Blinding
  323. * T = T * Vi mod N
  324. */
  325. MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
  326. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
  327. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
  328. }
  329. #if defined(MBEDTLS_RSA_NO_CRT)
  330. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
  331. #else
  332. /*
  333. * faster decryption using the CRT
  334. *
  335. * T1 = input ^ dP mod P
  336. * T2 = input ^ dQ mod Q
  337. */
  338. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
  339. MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
  340. /*
  341. * T = (T1 - T2) * (Q^-1 mod P) mod P
  342. */
  343. MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
  344. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
  345. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
  346. /*
  347. * T = T2 + T * Q
  348. */
  349. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
  350. MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
  351. #endif /* MBEDTLS_RSA_NO_CRT */
  352. if( f_rng != NULL )
  353. {
  354. /*
  355. * Unblind
  356. * T = T * Vf mod N
  357. */
  358. MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
  359. MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
  360. }
  361. olen = ctx->len;
  362. MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
  363. cleanup:
  364. #if defined(MBEDTLS_THREADING_C)
  365. if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
  366. return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
  367. #endif
  368. mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
  369. if( ret != 0 )
  370. return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
  371. return( 0 );
  372. }
  373. #if defined(MBEDTLS_PKCS1_V21)
  374. /**
  375. * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
  376. *
  377. * \param dst buffer to mask
  378. * \param dlen length of destination buffer
  379. * \param src source of the mask generation
  380. * \param slen length of the source buffer
  381. * \param md_ctx message digest context to use
  382. */
  383. static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
  384. size_t slen, mbedtls_md_context_t *md_ctx )
  385. {
  386. unsigned char mask[MBEDTLS_MD_MAX_SIZE];
  387. unsigned char counter[4];
  388. unsigned char *p;
  389. unsigned int hlen;
  390. size_t i, use_len;
  391. memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
  392. memset( counter, 0, 4 );
  393. hlen = mbedtls_md_get_size( md_ctx->md_info );
  394. /* Generate and apply dbMask */
  395. p = dst;
  396. while( dlen > 0 )
  397. {
  398. use_len = hlen;
  399. if( dlen < hlen )
  400. use_len = dlen;
  401. mbedtls_md_starts( md_ctx );
  402. mbedtls_md_update( md_ctx, src, slen );
  403. mbedtls_md_update( md_ctx, counter, 4 );
  404. mbedtls_md_finish( md_ctx, mask );
  405. for( i = 0; i < use_len; ++i )
  406. *p++ ^= mask[i];
  407. counter[3]++;
  408. dlen -= use_len;
  409. }
  410. }
  411. #endif /* MBEDTLS_PKCS1_V21 */
  412. #if defined(MBEDTLS_PKCS1_V21)
  413. /*
  414. * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
  415. */
  416. int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
  417. int (*f_rng)(void *, unsigned char *, size_t),
  418. void *p_rng,
  419. int mode,
  420. const unsigned char *label, size_t label_len,
  421. size_t ilen,
  422. const unsigned char *input,
  423. unsigned char *output )
  424. {
  425. size_t olen;
  426. int ret;
  427. unsigned char *p = output;
  428. unsigned int hlen;
  429. const mbedtls_md_info_t *md_info;
  430. mbedtls_md_context_t md_ctx;
  431. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  432. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  433. if( f_rng == NULL )
  434. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  435. md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
  436. if( md_info == NULL )
  437. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  438. olen = ctx->len;
  439. hlen = mbedtls_md_get_size( md_info );
  440. /* first comparison checks for overflow */
  441. if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
  442. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  443. memset( output, 0, olen );
  444. *p++ = 0;
  445. /* Generate a random octet string seed */
  446. if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
  447. return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
  448. p += hlen;
  449. /* Construct DB */
  450. mbedtls_md( md_info, label, label_len, p );
  451. p += hlen;
  452. p += olen - 2 * hlen - 2 - ilen;
  453. *p++ = 1;
  454. memcpy( p, input, ilen );
  455. mbedtls_md_init( &md_ctx );
  456. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  457. {
  458. mbedtls_md_free( &md_ctx );
  459. return( ret );
  460. }
  461. /* maskedDB: Apply dbMask to DB */
  462. mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
  463. &md_ctx );
  464. /* maskedSeed: Apply seedMask to seed */
  465. mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
  466. &md_ctx );
  467. mbedtls_md_free( &md_ctx );
  468. return( ( mode == MBEDTLS_RSA_PUBLIC )
  469. ? mbedtls_rsa_public( ctx, output, output )
  470. : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
  471. }
  472. #endif /* MBEDTLS_PKCS1_V21 */
  473. #if defined(MBEDTLS_PKCS1_V15)
  474. /*
  475. * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
  476. */
  477. int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
  478. int (*f_rng)(void *, unsigned char *, size_t),
  479. void *p_rng,
  480. int mode, size_t ilen,
  481. const unsigned char *input,
  482. unsigned char *output )
  483. {
  484. size_t nb_pad, olen;
  485. int ret;
  486. unsigned char *p = output;
  487. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  488. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  489. // We don't check p_rng because it won't be dereferenced here
  490. if( f_rng == NULL || input == NULL || output == NULL )
  491. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  492. olen = ctx->len;
  493. /* first comparison checks for overflow */
  494. if( ilen + 11 < ilen || olen < ilen + 11 )
  495. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  496. nb_pad = olen - 3 - ilen;
  497. *p++ = 0;
  498. if( mode == MBEDTLS_RSA_PUBLIC )
  499. {
  500. *p++ = MBEDTLS_RSA_CRYPT;
  501. while( nb_pad-- > 0 )
  502. {
  503. int rng_dl = 100;
  504. do {
  505. ret = f_rng( p_rng, p, 1 );
  506. } while( *p == 0 && --rng_dl && ret == 0 );
  507. /* Check if RNG failed to generate data */
  508. if( rng_dl == 0 || ret != 0 )
  509. return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
  510. p++;
  511. }
  512. }
  513. else
  514. {
  515. *p++ = MBEDTLS_RSA_SIGN;
  516. while( nb_pad-- > 0 )
  517. *p++ = 0xFF;
  518. }
  519. *p++ = 0;
  520. memcpy( p, input, ilen );
  521. return( ( mode == MBEDTLS_RSA_PUBLIC )
  522. ? mbedtls_rsa_public( ctx, output, output )
  523. : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
  524. }
  525. #endif /* MBEDTLS_PKCS1_V15 */
  526. /*
  527. * Add the message padding, then do an RSA operation
  528. */
  529. int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
  530. int (*f_rng)(void *, unsigned char *, size_t),
  531. void *p_rng,
  532. int mode, size_t ilen,
  533. const unsigned char *input,
  534. unsigned char *output )
  535. {
  536. switch( ctx->padding )
  537. {
  538. #if defined(MBEDTLS_PKCS1_V15)
  539. case MBEDTLS_RSA_PKCS_V15:
  540. return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
  541. input, output );
  542. #endif
  543. #if defined(MBEDTLS_PKCS1_V21)
  544. case MBEDTLS_RSA_PKCS_V21:
  545. return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
  546. ilen, input, output );
  547. #endif
  548. default:
  549. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  550. }
  551. }
  552. #if defined(MBEDTLS_PKCS1_V21)
  553. /*
  554. * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
  555. */
  556. int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  557. int (*f_rng)(void *, unsigned char *, size_t),
  558. void *p_rng,
  559. int mode,
  560. const unsigned char *label, size_t label_len,
  561. size_t *olen,
  562. const unsigned char *input,
  563. unsigned char *output,
  564. size_t output_max_len )
  565. {
  566. int ret;
  567. size_t ilen, i, pad_len;
  568. unsigned char *p, bad, pad_done;
  569. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  570. unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
  571. unsigned int hlen;
  572. const mbedtls_md_info_t *md_info;
  573. mbedtls_md_context_t md_ctx;
  574. /*
  575. * Parameters sanity checks
  576. */
  577. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  578. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  579. ilen = ctx->len;
  580. if( ilen < 16 || ilen > sizeof( buf ) )
  581. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  582. md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
  583. if( md_info == NULL )
  584. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  585. hlen = mbedtls_md_get_size( md_info );
  586. // checking for integer underflow
  587. if( 2 * hlen + 2 > ilen )
  588. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  589. /*
  590. * RSA operation
  591. */
  592. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  593. ? mbedtls_rsa_public( ctx, input, buf )
  594. : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
  595. if( ret != 0 )
  596. return( ret );
  597. /*
  598. * Unmask data and generate lHash
  599. */
  600. mbedtls_md_init( &md_ctx );
  601. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  602. {
  603. mbedtls_md_free( &md_ctx );
  604. return( ret );
  605. }
  606. /* Generate lHash */
  607. mbedtls_md( md_info, label, label_len, lhash );
  608. /* seed: Apply seedMask to maskedSeed */
  609. mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
  610. &md_ctx );
  611. /* DB: Apply dbMask to maskedDB */
  612. mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
  613. &md_ctx );
  614. mbedtls_md_free( &md_ctx );
  615. /*
  616. * Check contents, in "constant-time"
  617. */
  618. p = buf;
  619. bad = 0;
  620. bad |= *p++; /* First byte must be 0 */
  621. p += hlen; /* Skip seed */
  622. /* Check lHash */
  623. for( i = 0; i < hlen; i++ )
  624. bad |= lhash[i] ^ *p++;
  625. /* Get zero-padding len, but always read till end of buffer
  626. * (minus one, for the 01 byte) */
  627. pad_len = 0;
  628. pad_done = 0;
  629. for( i = 0; i < ilen - 2 * hlen - 2; i++ )
  630. {
  631. pad_done |= p[i];
  632. pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
  633. }
  634. p += pad_len;
  635. bad |= *p++ ^ 0x01;
  636. /*
  637. * The only information "leaked" is whether the padding was correct or not
  638. * (eg, no data is copied if it was not correct). This meets the
  639. * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
  640. * the different error conditions.
  641. */
  642. if( bad != 0 )
  643. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  644. if( ilen - ( p - buf ) > output_max_len )
  645. return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
  646. *olen = ilen - (p - buf);
  647. memcpy( output, p, *olen );
  648. return( 0 );
  649. }
  650. #endif /* MBEDTLS_PKCS1_V21 */
  651. #if defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V15_BASIC)
  652. /*
  653. * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
  654. */
  655. int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
  656. int (*f_rng)(void *, unsigned char *, size_t),
  657. void *p_rng,
  658. int mode, size_t *olen,
  659. const unsigned char *input,
  660. unsigned char *output,
  661. size_t output_max_len)
  662. {
  663. int ret;
  664. size_t ilen, pad_count = 0, i;
  665. unsigned char *p, bad, pad_done = 0;
  666. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  667. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  668. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  669. ilen = ctx->len;
  670. if( ilen < 16 || ilen > sizeof( buf ) )
  671. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  672. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  673. ? mbedtls_rsa_public( ctx, input, buf )
  674. : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
  675. if( ret != 0 )
  676. return( ret );
  677. p = buf;
  678. bad = 0;
  679. /*
  680. * Check and get padding len in "constant-time"
  681. */
  682. bad |= *p++; /* First byte must be 0 */
  683. /* This test does not depend on secret data */
  684. if( mode == MBEDTLS_RSA_PRIVATE )
  685. {
  686. bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
  687. /* Get padding len, but always read till end of buffer
  688. * (minus one, for the 00 byte) */
  689. for( i = 0; i < ilen - 3; i++ )
  690. {
  691. pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
  692. pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
  693. }
  694. p += pad_count;
  695. bad |= *p++; /* Must be zero */
  696. }
  697. else
  698. {
  699. bad |= *p++ ^ MBEDTLS_RSA_SIGN;
  700. /* Get padding len, but always read till end of buffer
  701. * (minus one, for the 00 byte) */
  702. for( i = 0; i < ilen - 3; i++ )
  703. {
  704. pad_done |= ( p[i] != 0xFF );
  705. pad_count += ( pad_done == 0 );
  706. }
  707. p += pad_count;
  708. bad |= *p++; /* Must be zero */
  709. }
  710. bad |= ( pad_count < 8 );
  711. if( bad )
  712. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  713. if( ilen - ( p - buf ) > output_max_len )
  714. return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
  715. *olen = ilen - (p - buf);
  716. memcpy( output, p, *olen );
  717. return( 0 );
  718. }
  719. #endif /* MBEDTLS_PKCS1_V15 */
  720. /*
  721. * Do an RSA operation, then remove the message padding
  722. */
  723. int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
  724. int (*f_rng)(void *, unsigned char *, size_t),
  725. void *p_rng,
  726. int mode, size_t *olen,
  727. const unsigned char *input,
  728. unsigned char *output,
  729. size_t output_max_len)
  730. {
  731. switch( ctx->padding )
  732. {
  733. #if defined(MBEDTLS_PKCS1_V15)
  734. case MBEDTLS_RSA_PKCS_V15:
  735. return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
  736. input, output, output_max_len );
  737. #endif
  738. #if defined(MBEDTLS_PKCS1_V21)
  739. case MBEDTLS_RSA_PKCS_V21:
  740. return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
  741. olen, input, output,
  742. output_max_len );
  743. #endif
  744. default:
  745. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  746. }
  747. }
  748. #if defined(MBEDTLS_PKCS1_V21)
  749. /*
  750. * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
  751. */
  752. int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  753. int (*f_rng)(void *, unsigned char *, size_t),
  754. void *p_rng,
  755. int mode,
  756. mbedtls_md_type_t md_alg,
  757. unsigned int hashlen,
  758. const unsigned char *hash,
  759. unsigned char *sig )
  760. {
  761. size_t olen;
  762. unsigned char *p = sig;
  763. unsigned char salt[MBEDTLS_MD_MAX_SIZE];
  764. unsigned int slen, hlen, offset = 0;
  765. int ret;
  766. size_t msb;
  767. const mbedtls_md_info_t *md_info;
  768. mbedtls_md_context_t md_ctx;
  769. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  770. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  771. if( f_rng == NULL )
  772. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  773. olen = ctx->len;
  774. if( md_alg != MBEDTLS_MD_NONE )
  775. {
  776. /* Gather length of hash to sign */
  777. md_info = mbedtls_md_info_from_type( md_alg );
  778. if( md_info == NULL )
  779. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  780. hashlen = mbedtls_md_get_size( md_info );
  781. }
  782. md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
  783. if( md_info == NULL )
  784. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  785. hlen = mbedtls_md_get_size( md_info );
  786. slen = hlen;
  787. if( olen < hlen + slen + 2 )
  788. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  789. memset( sig, 0, olen );
  790. /* Generate salt of length slen */
  791. if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
  792. return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
  793. /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
  794. msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
  795. p += olen - hlen * 2 - 2;
  796. *p++ = 0x01;
  797. memcpy( p, salt, slen );
  798. p += slen;
  799. mbedtls_md_init( &md_ctx );
  800. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  801. {
  802. mbedtls_md_free( &md_ctx );
  803. return( ret );
  804. }
  805. /* Generate H = Hash( M' ) */
  806. mbedtls_md_starts( &md_ctx );
  807. mbedtls_md_update( &md_ctx, p, 8 );
  808. mbedtls_md_update( &md_ctx, hash, hashlen );
  809. mbedtls_md_update( &md_ctx, salt, slen );
  810. mbedtls_md_finish( &md_ctx, p );
  811. /* Compensate for boundary condition when applying mask */
  812. if( msb % 8 == 0 )
  813. offset = 1;
  814. /* maskedDB: Apply dbMask to DB */
  815. mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
  816. mbedtls_md_free( &md_ctx );
  817. msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
  818. sig[0] &= 0xFF >> ( olen * 8 - msb );
  819. p += hlen;
  820. *p++ = 0xBC;
  821. return( ( mode == MBEDTLS_RSA_PUBLIC )
  822. ? mbedtls_rsa_public( ctx, sig, sig )
  823. : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
  824. }
  825. #endif /* MBEDTLS_PKCS1_V21 */
  826. #if defined(MBEDTLS_PKCS1_V15)
  827. /*
  828. * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
  829. */
  830. /*
  831. * Do an RSA operation to sign the message digest
  832. */
  833. int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  834. int (*f_rng)(void *, unsigned char *, size_t),
  835. void *p_rng,
  836. int mode,
  837. mbedtls_md_type_t md_alg,
  838. unsigned int hashlen,
  839. const unsigned char *hash,
  840. unsigned char *sig )
  841. {
  842. size_t nb_pad, olen, oid_size = 0;
  843. unsigned char *p = sig;
  844. const char *oid = NULL;
  845. unsigned char *sig_try = NULL, *verif = NULL;
  846. size_t i;
  847. unsigned char diff;
  848. volatile unsigned char diff_no_optimize;
  849. int ret;
  850. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  851. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  852. olen = ctx->len;
  853. nb_pad = olen - 3;
  854. if( md_alg != MBEDTLS_MD_NONE )
  855. {
  856. const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
  857. if( md_info == NULL )
  858. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  859. if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
  860. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  861. nb_pad -= 10 + oid_size;
  862. hashlen = mbedtls_md_get_size( md_info );
  863. }
  864. nb_pad -= hashlen;
  865. if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
  866. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  867. *p++ = 0;
  868. *p++ = MBEDTLS_RSA_SIGN;
  869. memset( p, 0xFF, nb_pad );
  870. p += nb_pad;
  871. *p++ = 0;
  872. if( md_alg == MBEDTLS_MD_NONE )
  873. {
  874. memcpy( p, hash, hashlen );
  875. }
  876. else
  877. {
  878. /*
  879. * DigestInfo ::= SEQUENCE {
  880. * digestAlgorithm DigestAlgorithmIdentifier,
  881. * digest Digest }
  882. *
  883. * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
  884. *
  885. * Digest ::= OCTET STRING
  886. */
  887. *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
  888. *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
  889. *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
  890. *p++ = (unsigned char) ( 0x04 + oid_size );
  891. *p++ = MBEDTLS_ASN1_OID;
  892. *p++ = oid_size & 0xFF;
  893. memcpy( p, oid, oid_size );
  894. p += oid_size;
  895. *p++ = MBEDTLS_ASN1_NULL;
  896. *p++ = 0x00;
  897. *p++ = MBEDTLS_ASN1_OCTET_STRING;
  898. *p++ = hashlen;
  899. memcpy( p, hash, hashlen );
  900. }
  901. if( mode == MBEDTLS_RSA_PUBLIC )
  902. return( mbedtls_rsa_public( ctx, sig, sig ) );
  903. /*
  904. * In order to prevent Lenstra's attack, make the signature in a
  905. * temporary buffer and check it before returning it.
  906. */
  907. sig_try = mbedtls_calloc( 1, ctx->len );
  908. if( sig_try == NULL )
  909. return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
  910. verif = mbedtls_calloc( 1, ctx->len );
  911. if( verif == NULL )
  912. {
  913. mbedtls_free( sig_try );
  914. return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
  915. }
  916. MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
  917. MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
  918. /* Compare in constant time just in case */
  919. for( diff = 0, i = 0; i < ctx->len; i++ )
  920. diff |= verif[i] ^ sig[i];
  921. diff_no_optimize = diff;
  922. if( diff_no_optimize != 0 )
  923. {
  924. ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
  925. goto cleanup;
  926. }
  927. memcpy( sig, sig_try, ctx->len );
  928. cleanup:
  929. mbedtls_free( sig_try );
  930. mbedtls_free( verif );
  931. return( ret );
  932. }
  933. #endif /* MBEDTLS_PKCS1_V15 */
  934. #ifdef MBEDTLS_PKCS1
  935. /*
  936. * Do an RSA operation to sign the message digest
  937. */
  938. int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  939. int (*f_rng)(void *, unsigned char *, size_t),
  940. void *p_rng,
  941. int mode,
  942. mbedtls_md_type_t md_alg,
  943. unsigned int hashlen,
  944. const unsigned char *hash,
  945. unsigned char *sig )
  946. {
  947. switch( ctx->padding )
  948. {
  949. #if defined(MBEDTLS_PKCS1_V15)
  950. case MBEDTLS_RSA_PKCS_V15:
  951. return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
  952. hashlen, hash, sig );
  953. #endif
  954. #if defined(MBEDTLS_PKCS1_V21)
  955. case MBEDTLS_RSA_PKCS_V21:
  956. return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
  957. hashlen, hash, sig );
  958. #endif
  959. default:
  960. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  961. }
  962. }
  963. /*
  964. * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
  965. */
  966. int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
  967. int (*f_rng)(void *, unsigned char *, size_t),
  968. void *p_rng,
  969. int mode,
  970. mbedtls_md_type_t md_alg,
  971. unsigned int hashlen,
  972. const unsigned char *hash,
  973. mbedtls_md_type_t mgf1_hash_id,
  974. int expected_salt_len,
  975. const unsigned char *sig )
  976. {
  977. int ret;
  978. size_t siglen;
  979. unsigned char *p;
  980. unsigned char result[MBEDTLS_MD_MAX_SIZE];
  981. unsigned char zeros[8];
  982. unsigned int hlen;
  983. size_t slen, msb;
  984. const mbedtls_md_info_t *md_info;
  985. mbedtls_md_context_t md_ctx;
  986. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  987. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
  988. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  989. siglen = ctx->len;
  990. if( siglen < 16 || siglen > sizeof( buf ) )
  991. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  992. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  993. ? mbedtls_rsa_public( ctx, sig, buf )
  994. : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
  995. if( ret != 0 )
  996. return( ret );
  997. p = buf;
  998. if( buf[siglen - 1] != 0xBC )
  999. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1000. if( md_alg != MBEDTLS_MD_NONE )
  1001. {
  1002. /* Gather length of hash to sign */
  1003. md_info = mbedtls_md_info_from_type( md_alg );
  1004. if( md_info == NULL )
  1005. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1006. hashlen = mbedtls_md_get_size( md_info );
  1007. }
  1008. md_info = mbedtls_md_info_from_type( mgf1_hash_id );
  1009. if( md_info == NULL )
  1010. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1011. hlen = mbedtls_md_get_size( md_info );
  1012. slen = siglen - hlen - 1; /* Currently length of salt + padding */
  1013. memset( zeros, 0, 8 );
  1014. /*
  1015. * Note: EMSA-PSS verification is over the length of N - 1 bits
  1016. */
  1017. msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
  1018. /* Compensate for boundary condition when applying mask */
  1019. if( msb % 8 == 0 )
  1020. {
  1021. p++;
  1022. siglen -= 1;
  1023. }
  1024. if( buf[0] >> ( 8 - siglen * 8 + msb ) )
  1025. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1026. mbedtls_md_init( &md_ctx );
  1027. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
  1028. {
  1029. mbedtls_md_free( &md_ctx );
  1030. return( ret );
  1031. }
  1032. mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
  1033. buf[0] &= 0xFF >> ( siglen * 8 - msb );
  1034. while( p < buf + siglen && *p == 0 )
  1035. p++;
  1036. if( p == buf + siglen ||
  1037. *p++ != 0x01 )
  1038. {
  1039. mbedtls_md_free( &md_ctx );
  1040. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1041. }
  1042. /* Actual salt len */
  1043. slen -= p - buf;
  1044. if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
  1045. slen != (size_t) expected_salt_len )
  1046. {
  1047. mbedtls_md_free( &md_ctx );
  1048. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1049. }
  1050. /*
  1051. * Generate H = Hash( M' )
  1052. */
  1053. mbedtls_md_starts( &md_ctx );
  1054. mbedtls_md_update( &md_ctx, zeros, 8 );
  1055. mbedtls_md_update( &md_ctx, hash, hashlen );
  1056. mbedtls_md_update( &md_ctx, p, slen );
  1057. mbedtls_md_finish( &md_ctx, result );
  1058. mbedtls_md_free( &md_ctx );
  1059. if( memcmp( p + slen, result, hlen ) == 0 )
  1060. return( 0 );
  1061. else
  1062. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1063. }
  1064. /*
  1065. * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
  1066. */
  1067. int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
  1068. int (*f_rng)(void *, unsigned char *, size_t),
  1069. void *p_rng,
  1070. int mode,
  1071. mbedtls_md_type_t md_alg,
  1072. unsigned int hashlen,
  1073. const unsigned char *hash,
  1074. const unsigned char *sig )
  1075. {
  1076. mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
  1077. ? (mbedtls_md_type_t) ctx->hash_id
  1078. : md_alg;
  1079. return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
  1080. md_alg, hashlen, hash,
  1081. mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
  1082. sig ) );
  1083. }
  1084. #endif /* MBEDTLS_PKCS1_V21 */
  1085. #if defined(MBEDTLS_PKCS1_V15)
  1086. /*
  1087. * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
  1088. */
  1089. int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
  1090. int (*f_rng)(void *, unsigned char *, size_t),
  1091. void *p_rng,
  1092. int mode,
  1093. mbedtls_md_type_t md_alg,
  1094. unsigned int hashlen,
  1095. const unsigned char *hash,
  1096. const unsigned char *sig )
  1097. {
  1098. int ret;
  1099. size_t len, siglen, asn1_len;
  1100. unsigned char *p, *end;
  1101. mbedtls_md_type_t msg_md_alg;
  1102. const mbedtls_md_info_t *md_info;
  1103. mbedtls_asn1_buf oid;
  1104. unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
  1105. if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
  1106. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1107. siglen = ctx->len;
  1108. if( siglen < 16 || siglen > sizeof( buf ) )
  1109. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1110. ret = ( mode == MBEDTLS_RSA_PUBLIC )
  1111. ? mbedtls_rsa_public( ctx, sig, buf )
  1112. : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
  1113. if( ret != 0 )
  1114. return( ret );
  1115. p = buf;
  1116. if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )
  1117. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1118. while( *p != 0 )
  1119. {
  1120. if( p >= buf + siglen - 1 || *p != 0xFF )
  1121. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1122. p++;
  1123. }
  1124. p++;
  1125. len = siglen - ( p - buf );
  1126. if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
  1127. {
  1128. if( memcmp( p, hash, hashlen ) == 0 )
  1129. return( 0 );
  1130. else
  1131. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1132. }
  1133. md_info = mbedtls_md_info_from_type( md_alg );
  1134. if( md_info == NULL )
  1135. return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
  1136. hashlen = mbedtls_md_get_size( md_info );
  1137. end = p + len;
  1138. /*
  1139. * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
  1140. */
  1141. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
  1142. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  1143. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1144. if( asn1_len + 2 != len )
  1145. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1146. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
  1147. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  1148. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1149. if( asn1_len + 6 + hashlen != len )
  1150. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1151. if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
  1152. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1153. oid.p = p;
  1154. p += oid.len;
  1155. if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
  1156. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1157. if( md_alg != msg_md_alg )
  1158. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1159. /*
  1160. * assume the algorithm parameters must be NULL
  1161. */
  1162. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
  1163. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1164. if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
  1165. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1166. if( asn1_len != hashlen )
  1167. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1168. if( memcmp( p, hash, hashlen ) != 0 )
  1169. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1170. p += hashlen;
  1171. if( p != end )
  1172. return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
  1173. return( 0 );
  1174. }
  1175. #endif /* MBEDTLS_PKCS1_V15 */
  1176. #ifdef MBEDTLS_PKCS1
  1177. /*
  1178. * Do an RSA operation and check the message digest
  1179. */
  1180. int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
  1181. int (*f_rng)(void *, unsigned char *, size_t),
  1182. void *p_rng,
  1183. int mode,
  1184. mbedtls_md_type_t md_alg,
  1185. unsigned int hashlen,
  1186. const unsigned char *hash,
  1187. const unsigned char *sig )
  1188. {
  1189. switch( ctx->padding )
  1190. {
  1191. #if defined(MBEDTLS_PKCS1_V15)
  1192. case MBEDTLS_RSA_PKCS_V15:
  1193. return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
  1194. hashlen, hash, sig );
  1195. #endif
  1196. #if defined(MBEDTLS_PKCS1_V21)
  1197. case MBEDTLS_RSA_PKCS_V21:
  1198. return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
  1199. hashlen, hash, sig );
  1200. #endif
  1201. default:
  1202. return( MBEDTLS_ERR_RSA_INVALID_PADDING );
  1203. }
  1204. }
  1205. #endif /* MBEDTLS_PKCS1 */
  1206. /*
  1207. * Copy the components of an RSA key
  1208. */
  1209. int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
  1210. {
  1211. int ret;
  1212. dst->ver = src->ver;
  1213. dst->len = src->len;
  1214. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
  1215. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
  1216. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
  1217. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
  1218. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
  1219. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
  1220. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
  1221. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
  1222. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
  1223. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
  1224. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
  1225. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
  1226. MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
  1227. dst->padding = src->padding;
  1228. dst->hash_id = src->hash_id;
  1229. cleanup:
  1230. if( ret != 0 )
  1231. mbedtls_rsa_free( dst );
  1232. return( ret );
  1233. }
  1234. /*
  1235. * Free the components of an RSA key
  1236. */
  1237. void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
  1238. {
  1239. mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
  1240. mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
  1241. mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
  1242. mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
  1243. mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
  1244. #if defined(MBEDTLS_THREADING_C)
  1245. mbedtls_mutex_free( &ctx->mutex );
  1246. #endif
  1247. }
  1248. #if defined(MBEDTLS_SELF_TEST)
  1249. #include "mbedtls/sha1.h"
  1250. /*
  1251. * Example RSA-1024 keypair, for test purposes
  1252. */
  1253. #define KEY_LEN 128
  1254. #define RSA_N "9292758453063D803DD603D5E777D788" \
  1255. "8ED1D5BF35786190FA2F23EBC0848AEA" \
  1256. "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
  1257. "7130B9CED7ACDF54CFC7555AC14EEBAB" \
  1258. "93A89813FBF3C4F8066D2D800F7C38A8" \
  1259. "1AE31942917403FF4946B0A83D3D3E05" \
  1260. "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
  1261. "5E94BB77B07507233A0BC7BAC8F90F79"
  1262. #define RSA_E "10001"
  1263. #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
  1264. "66CA472BC44D253102F8B4A9D3BFA750" \
  1265. "91386C0077937FE33FA3252D28855837" \
  1266. "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
  1267. "DF79C5CE07EE72C7F123142198164234" \
  1268. "CABB724CF78B8173B9F880FC86322407" \
  1269. "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
  1270. "071513A1E85B5DFA031F21ECAE91A34D"
  1271. #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
  1272. "2C01CAD19EA484A87EA4377637E75500" \
  1273. "FCB2005C5C7DD6EC4AC023CDA285D796" \
  1274. "C3D9E75E1EFC42488BB4F1D13AC30A57"
  1275. #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
  1276. "E211C2B9E5DB1ED0BF61D0D9899620F4" \
  1277. "910E4168387E3C30AA1E00C339A79508" \
  1278. "8452DD96A9A5EA5D9DCA68DA636032AF"
  1279. #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
  1280. "3C94D22288ACD763FD8E5600ED4A702D" \
  1281. "F84198A5F06C2E72236AE490C93F07F8" \
  1282. "3CC559CD27BC2D1CA488811730BB5725"
  1283. #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
  1284. "D8AAEA56749EA28623272E4F7D0592AF" \
  1285. "7C1F1313CAC9471B5C523BFE592F517B" \
  1286. "407A1BD76C164B93DA2D32A383E58357"
  1287. #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
  1288. "F38D18D2B2F0E2DD275AA977E2BF4411" \
  1289. "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
  1290. "A74206CEC169D74BF5A8C50D6F48EA08"
  1291. #define PT_LEN 24
  1292. #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
  1293. "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
  1294. #if defined(MBEDTLS_PKCS1_V15)
  1295. static int myrand( void *rng_state, unsigned char *output, size_t len )
  1296. {
  1297. #if !defined(__OpenBSD__)
  1298. size_t i;
  1299. if( rng_state != NULL )
  1300. rng_state = NULL;
  1301. for( i = 0; i < len; ++i )
  1302. output[i] = rand();
  1303. #else
  1304. if( rng_state != NULL )
  1305. rng_state = NULL;
  1306. arc4random_buf( output, len );
  1307. #endif /* !OpenBSD */
  1308. return( 0 );
  1309. }
  1310. #endif /* MBEDTLS_PKCS1_V15 */
  1311. /*
  1312. * Checkup routine
  1313. */
  1314. int mbedtls_rsa_self_test( int verbose )
  1315. {
  1316. int ret = 0;
  1317. #if defined(MBEDTLS_PKCS1_V15)
  1318. size_t len;
  1319. mbedtls_rsa_context rsa;
  1320. unsigned char rsa_plaintext[PT_LEN];
  1321. unsigned char rsa_decrypted[PT_LEN];
  1322. unsigned char rsa_ciphertext[KEY_LEN];
  1323. #if defined(MBEDTLS_SHA1_C)
  1324. unsigned char sha1sum[20];
  1325. #endif
  1326. mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
  1327. rsa.len = KEY_LEN;
  1328. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
  1329. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
  1330. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
  1331. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
  1332. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
  1333. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
  1334. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
  1335. MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
  1336. if( verbose != 0 )
  1337. mbedtls_printf( " RSA key validation: " );
  1338. if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
  1339. mbedtls_rsa_check_privkey( &rsa ) != 0 )
  1340. {
  1341. if( verbose != 0 )
  1342. mbedtls_printf( "failed\n" );
  1343. return( 1 );
  1344. }
  1345. if( verbose != 0 )
  1346. mbedtls_printf( "passed\n PKCS#1 encryption : " );
  1347. memcpy( rsa_plaintext, RSA_PT, PT_LEN );
  1348. if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
  1349. rsa_plaintext, rsa_ciphertext ) != 0 )
  1350. {
  1351. if( verbose != 0 )
  1352. mbedtls_printf( "failed\n" );
  1353. return( 1 );
  1354. }
  1355. if( verbose != 0 )
  1356. mbedtls_printf( "passed\n PKCS#1 decryption : " );
  1357. if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
  1358. rsa_ciphertext, rsa_decrypted,
  1359. sizeof(rsa_decrypted) ) != 0 )
  1360. {
  1361. if( verbose != 0 )
  1362. mbedtls_printf( "failed\n" );
  1363. return( 1 );
  1364. }
  1365. if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
  1366. {
  1367. if( verbose != 0 )
  1368. mbedtls_printf( "failed\n" );
  1369. return( 1 );
  1370. }
  1371. if( verbose != 0 )
  1372. mbedtls_printf( "passed\n" );
  1373. #if defined(MBEDTLS_SHA1_C)
  1374. if( verbose != 0 )
  1375. mbedtls_printf( " PKCS#1 data sign : " );
  1376. mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
  1377. if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
  1378. sha1sum, rsa_ciphertext ) != 0 )
  1379. {
  1380. if( verbose != 0 )
  1381. mbedtls_printf( "failed\n" );
  1382. return( 1 );
  1383. }
  1384. if( verbose != 0 )
  1385. mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
  1386. if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
  1387. sha1sum, rsa_ciphertext ) != 0 )
  1388. {
  1389. if( verbose != 0 )
  1390. mbedtls_printf( "failed\n" );
  1391. return( 1 );
  1392. }
  1393. if( verbose != 0 )
  1394. mbedtls_printf( "passed\n" );
  1395. #endif /* MBEDTLS_SHA1_C */
  1396. if( verbose != 0 )
  1397. mbedtls_printf( "\n" );
  1398. cleanup:
  1399. mbedtls_rsa_free( &rsa );
  1400. #else /* MBEDTLS_PKCS1_V15 */
  1401. ((void) verbose);
  1402. #endif /* MBEDTLS_PKCS1_V15 */
  1403. return( ret );
  1404. }
  1405. #endif /* MBEDTLS_SELF_TEST */
  1406. #endif /* MBEDTLS_RSA_C */