projects / reactos.git / blob
? search:


1f907b7645bed8341728688af26497c4d23b10a6
[reactos.git] / reactos / dll / 3rdparty / mbedtls / rsa.c
1 /*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21 /*
22 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
23 *
24 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
25 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
26 */
27
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33
34 #if defined(MBEDTLS_RSA_C)
35
36 #include "mbedtls/rsa.h"
37 #include "mbedtls/oid.h"
38
39 #include <string.h>
40
41 #if defined(MBEDTLS_PKCS1_V21)
42 #include "mbedtls/md.h"
43 #endif
44
45 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
46 #include <stdlib.h>
47 #endif
48
49 #if defined(MBEDTLS_PLATFORM_C)
50 #include "mbedtls/platform.h"
51 #else
52 #include <stdio.h>
53 #define mbedtls_printf printf
54 #define mbedtls_calloc calloc
55 #define mbedtls_free free
56 #endif
57
58 /*
59 * Initialize an RSA context
60 */
61 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
62 int padding,
63 int hash_id )
64 {
65 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
66
67 mbedtls_rsa_set_padding( ctx, padding, hash_id );
68
69 #if defined(MBEDTLS_THREADING_C)
70 mbedtls_mutex_init( &ctx->mutex );
71 #endif
72 }
73
74 /*
75 * Set padding for an existing RSA context
76 */
77 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
78 {
79 ctx->padding = padding;
80 ctx->hash_id = hash_id;
81 }
82
83 #if defined(MBEDTLS_GENPRIME)
84
85 /*
86 * Generate an RSA keypair
87 */
88 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
89 int (*f_rng)(void *, unsigned char *, size_t),
90 void *p_rng,
91 unsigned int nbits, int exponent )
92 {
93 int ret;
94 mbedtls_mpi P1, Q1, H, G;
95
96 if( f_rng == NULL || nbits < 128 || exponent < 3 )
97 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
98
99 mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
100
101 /*
102 * find primes P and Q with Q < P so that:
103 * GCD( E, (P-1)*(Q-1) ) == 1
104 */
105 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
106
107 do
108 {
109 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
110 f_rng, p_rng ) );
111
112 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
113 f_rng, p_rng ) );
114
115 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
116 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
117
118 if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
119 continue;
120
121 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
122 if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
123 continue;
124
125 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
126 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
127 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
128 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
129 }
130 while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
131
132 /*
133 * D = E^-1 mod ((P-1)*(Q-1))
134 * DP = D mod (P - 1)
135 * DQ = D mod (Q - 1)
136 * QP = Q^-1 mod P
137 */
138 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
139 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
140 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
141 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
142
143 ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
144
145 cleanup:
146
147 mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
148
149 if( ret != 0 )
150 {
151 mbedtls_rsa_free( ctx );
152 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
153 }
154
155 return( 0 );
156 }
157
158 #endif /* MBEDTLS_GENPRIME */
159
160 /*
161 * Check a public RSA key
162 */
163 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
164 {
165 if( !ctx->N.p || !ctx->E.p )
166 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
167
168 if( ( ctx->N.p[0] & 1 ) == 0 ||
169 ( ctx->E.p[0] & 1 ) == 0 )
170 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
171
172 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ||
173 mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
174 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
175
176 if( mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
177 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
178 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
179
180 return( 0 );
181 }
182
183 /*
184 * Check a private RSA key
185 */
186 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
187 {
188 int ret;
189 mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
190
191 if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
192 return( ret );
193
194 if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
195 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
196
197 mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
198 mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
199 mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
200 mbedtls_mpi_init( &QP );
201
202 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
203 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
204 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
205 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
206 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
207 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
208
209 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
210 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
211 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
212
213 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
214 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
215 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
216 /*
217 * Check for a valid PKCS1v2 private key
218 */
219 if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
220 mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
221 mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
222 mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
223 mbedtls_mpi_cmp_int( &L2, 0 ) != 0 ||
224 mbedtls_mpi_cmp_int( &I, 1 ) != 0 ||
225 mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
226 {
227 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
228 }
229
230 cleanup:
231 mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
232 mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
233 mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
234 mbedtls_mpi_free( &QP );
235
236 if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
237 return( ret );
238
239 if( ret != 0 )
240 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
241
242 return( 0 );
243 }
244
245 /*
246 * Check if contexts holding a public and private key match
247 */
248 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv )
249 {
250 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
251 mbedtls_rsa_check_privkey( prv ) != 0 )
252 {
253 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
254 }
255
256 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
257 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
258 {
259 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
260 }
261
262 return( 0 );
263 }
264
265 /*
266 * Do an RSA public key operation
267 */
268 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
269 const unsigned char *input,
270 unsigned char *output )
271 {
272 int ret;
273 size_t olen;
274 mbedtls_mpi T;
275
276 mbedtls_mpi_init( &T );
277
278 #if defined(MBEDTLS_THREADING_C)
279 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
280 return( ret );
281 #endif
282
283 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
284
285 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
286 {
287 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
288 goto cleanup;
289 }
290
291 olen = ctx->len;
292 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
293 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
294
295 cleanup:
296 #if defined(MBEDTLS_THREADING_C)
297 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
298 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
299 #endif
300
301 mbedtls_mpi_free( &T );
302
303 if( ret != 0 )
304 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
305
306 return( 0 );
307 }
308
309 /*
310 * Generate or update blinding values, see section 10 of:
311 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
312 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
313 * Berlin Heidelberg, 1996. p. 104-113.
314 */
315 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
316 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
317 {
318 int ret, count = 0;
319
320 if( ctx->Vf.p != NULL )
321 {
322 /* We already have blinding values, just update them by squaring */
323 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
324 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
325 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
326 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
327
328 goto cleanup;
329 }
330
331 /* Unblinding value: Vf = random number, invertible mod N */
332 do {
333 if( count++ > 10 )
334 return( MBEDTLS_ERR_RSA_RNG_FAILED );
335
336 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
337 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
338 } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
339
340 /* Blinding value: Vi = Vf^(-e) mod N */
341 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
342 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
343
344
345 cleanup:
346 return( ret );
347 }
348
349 /*
350 * Do an RSA private key operation
351 */
352 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
353 int (*f_rng)(void *, unsigned char *, size_t),
354 void *p_rng,
355 const unsigned char *input,
356 unsigned char *output )
357 {
358 int ret;
359 size_t olen;
360 mbedtls_mpi T, T1, T2;
361
362 /* Make sure we have private key info, prevent possible misuse */
363 if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
364 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
365
366 mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
367
368 #if defined(MBEDTLS_THREADING_C)
369 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
370 return( ret );
371 #endif
372
373 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
374 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
375 {
376 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
377 goto cleanup;
378 }
379
380 if( f_rng != NULL )
381 {
382 /*
383 * Blinding
384 * T = T * Vi mod N
385 */
386 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
387 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
388 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
389 }
390
391 #if defined(MBEDTLS_RSA_NO_CRT)
392 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
393 #else
394 /*
395 * faster decryption using the CRT
396 *
397 * T1 = input ^ dP mod P
398 * T2 = input ^ dQ mod Q
399 */
400 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
401 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
402
403 /*
404 * T = (T1 - T2) * (Q^-1 mod P) mod P
405 */
406 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
407 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
408 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
409
410 /*
411 * T = T2 + T * Q
412 */
413 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
414 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
415 #endif /* MBEDTLS_RSA_NO_CRT */
416
417 if( f_rng != NULL )
418 {
419 /*
420 * Unblind
421 * T = T * Vf mod N
422 */
423 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
424 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
425 }
426
427 olen = ctx->len;
428 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
429
430 cleanup:
431 #if defined(MBEDTLS_THREADING_C)
432 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
433 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
434 #endif
435
436 mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
437
438 if( ret != 0 )
439 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
440
441 return( 0 );
442 }
443
444 #if defined(MBEDTLS_PKCS1_V21)
445 /**
446 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
447 *
448 * \param dst buffer to mask
449 * \param dlen length of destination buffer
450 * \param src source of the mask generation
451 * \param slen length of the source buffer
452 * \param md_ctx message digest context to use
453 */
454 static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
455 size_t slen, mbedtls_md_context_t *md_ctx )
456 {
457 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
458 unsigned char counter[4];
459 unsigned char *p;
460 unsigned int hlen;
461 size_t i, use_len;
462
463 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
464 memset( counter, 0, 4 );
465
466 hlen = mbedtls_md_get_size( md_ctx->md_info );
467
468 // Generate and apply dbMask
469 //
470 p = dst;
471
472 while( dlen > 0 )
473 {
474 use_len = hlen;
475 if( dlen < hlen )
476 use_len = dlen;
477
478 mbedtls_md_starts( md_ctx );
479 mbedtls_md_update( md_ctx, src, slen );
480 mbedtls_md_update( md_ctx, counter, 4 );
481 mbedtls_md_finish( md_ctx, mask );
482
483 for( i = 0; i < use_len; ++i )
484 *p++ ^= mask[i];
485
486 counter[3]++;
487
488 dlen -= use_len;
489 }
490 }
491 #endif /* MBEDTLS_PKCS1_V21 */
492
493 #if defined(MBEDTLS_PKCS1_V21)
494 /*
495 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
496 */
497 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
498 int (*f_rng)(void *, unsigned char *, size_t),
499 void *p_rng,
500 int mode,
501 const unsigned char *label, size_t label_len,
502 size_t ilen,
503 const unsigned char *input,
504 unsigned char *output )
505 {
506 size_t olen;
507 int ret;
508 unsigned char *p = output;
509 unsigned int hlen;
510 const mbedtls_md_info_t *md_info;
511 mbedtls_md_context_t md_ctx;
512
513 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
514 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
515
516 if( f_rng == NULL )
517 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
518
519 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
520 if( md_info == NULL )
521 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
522
523 olen = ctx->len;
524 hlen = mbedtls_md_get_size( md_info );
525
526 if( olen < ilen + 2 * hlen + 2 )
527 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
528
529 memset( output, 0, olen );
530
531 *p++ = 0;
532
533 // Generate a random octet string seed
534 //
535 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
536 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
537
538 p += hlen;
539
540 // Construct DB
541 //
542 mbedtls_md( md_info, label, label_len, p );
543 p += hlen;
544 p += olen - 2 * hlen - 2 - ilen;
545 *p++ = 1;
546 memcpy( p, input, ilen );
547
548 mbedtls_md_init( &md_ctx );
549 mbedtls_md_setup( &md_ctx, md_info, 0 );
550
551 // maskedDB: Apply dbMask to DB
552 //
553 mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
554 &md_ctx );
555
556 // maskedSeed: Apply seedMask to seed
557 //
558 mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
559 &md_ctx );
560
561 mbedtls_md_free( &md_ctx );
562
563 return( ( mode == MBEDTLS_RSA_PUBLIC )
564 ? mbedtls_rsa_public( ctx, output, output )
565 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
566 }
567 #endif /* MBEDTLS_PKCS1_V21 */
568
569 #if defined(MBEDTLS_PKCS1_V15)
570 /*
571 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
572 */
573 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
574 int (*f_rng)(void *, unsigned char *, size_t),
575 void *p_rng,
576 int mode, size_t ilen,
577 const unsigned char *input,
578 unsigned char *output )
579 {
580 size_t nb_pad, olen;
581 int ret;
582 unsigned char *p = output;
583
584 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
585 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
586
587 if( f_rng == NULL )
588 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
589
590 olen = ctx->len;
591
592 if( olen < ilen + 11 )
593 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
594
595 nb_pad = olen - 3 - ilen;
596
597 *p++ = 0;
598 if( mode == MBEDTLS_RSA_PUBLIC )
599 {
600 *p++ = MBEDTLS_RSA_CRYPT;
601
602 while( nb_pad-- > 0 )
603 {
604 int rng_dl = 100;
605
606 do {
607 ret = f_rng( p_rng, p, 1 );
608 } while( *p == 0 && --rng_dl && ret == 0 );
609
610 // Check if RNG failed to generate data
611 //
612 if( rng_dl == 0 || ret != 0 )
613 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
614
615 p++;
616 }
617 }
618 else
619 {
620 *p++ = MBEDTLS_RSA_SIGN;
621
622 while( nb_pad-- > 0 )
623 *p++ = 0xFF;
624 }
625
626 *p++ = 0;
627 memcpy( p, input, ilen );
628
629 return( ( mode == MBEDTLS_RSA_PUBLIC )
630 ? mbedtls_rsa_public( ctx, output, output )
631 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
632 }
633 #endif /* MBEDTLS_PKCS1_V15 */
634
635 /*
636 * Add the message padding, then do an RSA operation
637 */
638 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
639 int (*f_rng)(void *, unsigned char *, size_t),
640 void *p_rng,
641 int mode, size_t ilen,
642 const unsigned char *input,
643 unsigned char *output )
644 {
645 switch( ctx->padding )
646 {
647 #if defined(MBEDTLS_PKCS1_V15)
648 case MBEDTLS_RSA_PKCS_V15:
649 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
650 input, output );
651 #endif
652
653 #if defined(MBEDTLS_PKCS1_V21)
654 case MBEDTLS_RSA_PKCS_V21:
655 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
656 ilen, input, output );
657 #endif
658
659 default:
660 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
661 }
662 }
663
664 #if defined(MBEDTLS_PKCS1_V21)
665 /*
666 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
667 */
668 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
669 int (*f_rng)(void *, unsigned char *, size_t),
670 void *p_rng,
671 int mode,
672 const unsigned char *label, size_t label_len,
673 size_t *olen,
674 const unsigned char *input,
675 unsigned char *output,
676 size_t output_max_len )
677 {
678 int ret;
679 size_t ilen, i, pad_len;
680 unsigned char *p, bad, pad_done;
681 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
682 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
683 unsigned int hlen;
684 const mbedtls_md_info_t *md_info;
685 mbedtls_md_context_t md_ctx;
686
687 /*
688 * Parameters sanity checks
689 */
690 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
691 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
692
693 ilen = ctx->len;
694
695 if( ilen < 16 || ilen > sizeof( buf ) )
696 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
697
698 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
699 if( md_info == NULL )
700 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
701
702 /*
703 * RSA operation
704 */
705 ret = ( mode == MBEDTLS_RSA_PUBLIC )
706 ? mbedtls_rsa_public( ctx, input, buf )
707 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
708
709 if( ret != 0 )
710 return( ret );
711
712 /*
713 * Unmask data and generate lHash
714 */
715 hlen = mbedtls_md_get_size( md_info );
716
717 mbedtls_md_init( &md_ctx );
718 mbedtls_md_setup( &md_ctx, md_info, 0 );
719
720 /* Generate lHash */
721 mbedtls_md( md_info, label, label_len, lhash );
722
723 /* seed: Apply seedMask to maskedSeed */
724 mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
725 &md_ctx );
726
727 /* DB: Apply dbMask to maskedDB */
728 mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
729 &md_ctx );
730
731 mbedtls_md_free( &md_ctx );
732
733 /*
734 * Check contents, in "constant-time"
735 */
736 p = buf;
737 bad = 0;
738
739 bad |= *p++; /* First byte must be 0 */
740
741 p += hlen; /* Skip seed */
742
743 /* Check lHash */
744 for( i = 0; i < hlen; i++ )
745 bad |= lhash[i] ^ *p++;
746
747 /* Get zero-padding len, but always read till end of buffer
748 * (minus one, for the 01 byte) */
749 pad_len = 0;
750 pad_done = 0;
751 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
752 {
753 pad_done |= p[i];
754 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
755 }
756
757 p += pad_len;
758 bad |= *p++ ^ 0x01;
759
760 /*
761 * The only information "leaked" is whether the padding was correct or not
762 * (eg, no data is copied if it was not correct). This meets the
763 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
764 * the different error conditions.
765 */
766 if( bad != 0 )
767 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
768
769 if( ilen - ( p - buf ) > output_max_len )
770 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
771
772 *olen = ilen - (p - buf);
773 memcpy( output, p, *olen );
774
775 return( 0 );
776 }
777 #endif /* MBEDTLS_PKCS1_V21 */
778
779 #if defined(MBEDTLS_PKCS1_V15)
780 /*
781 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
782 */
783 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
784 int (*f_rng)(void *, unsigned char *, size_t),
785 void *p_rng,
786 int mode, size_t *olen,
787 const unsigned char *input,
788 unsigned char *output,
789 size_t output_max_len)
790 {
791 int ret;
792 size_t ilen, pad_count = 0, i;
793 unsigned char *p, bad, pad_done = 0;
794 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
795
796 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
797 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
798
799 ilen = ctx->len;
800
801 if( ilen < 16 || ilen > sizeof( buf ) )
802 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
803
804 ret = ( mode == MBEDTLS_RSA_PUBLIC )
805 ? mbedtls_rsa_public( ctx, input, buf )
806 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
807
808 if( ret != 0 )
809 return( ret );
810
811 p = buf;
812 bad = 0;
813
814 /*
815 * Check and get padding len in "constant-time"
816 */
817 bad |= *p++; /* First byte must be 0 */
818
819 /* This test does not depend on secret data */
820 if( mode == MBEDTLS_RSA_PRIVATE )
821 {
822 bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
823
824 /* Get padding len, but always read till end of buffer
825 * (minus one, for the 00 byte) */
826 for( i = 0; i < ilen - 3; i++ )
827 {
828 pad_done |= ((p[i] | (unsigned char)-p[i]) >> 7) ^ 1;
829 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
830 }
831
832 p += pad_count;
833 bad |= *p++; /* Must be zero */
834 }
835 else
836 {
837 bad |= *p++ ^ MBEDTLS_RSA_SIGN;
838
839 /* Get padding len, but always read till end of buffer
840 * (minus one, for the 00 byte) */
841 for( i = 0; i < ilen - 3; i++ )
842 {
843 pad_done |= ( p[i] != 0xFF );
844 pad_count += ( pad_done == 0 );
845 }
846
847 p += pad_count;
848 bad |= *p++; /* Must be zero */
849 }
850
851 if( bad )
852 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
853
854 if( ilen - ( p - buf ) > output_max_len )
855 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
856
857 *olen = ilen - (p - buf);
858 memcpy( output, p, *olen );
859
860 return( 0 );
861 }
862 #endif /* MBEDTLS_PKCS1_V15 */
863
864 /*
865 * Do an RSA operation, then remove the message padding
866 */
867 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
868 int (*f_rng)(void *, unsigned char *, size_t),
869 void *p_rng,
870 int mode, size_t *olen,
871 const unsigned char *input,
872 unsigned char *output,
873 size_t output_max_len)
874 {
875 switch( ctx->padding )
876 {
877 #if defined(MBEDTLS_PKCS1_V15)
878 case MBEDTLS_RSA_PKCS_V15:
879 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
880 input, output, output_max_len );
881 #endif
882
883 #if defined(MBEDTLS_PKCS1_V21)
884 case MBEDTLS_RSA_PKCS_V21:
885 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
886 olen, input, output,
887 output_max_len );
888 #endif
889
890 default:
891 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
892 }
893 }
894
895 #if defined(MBEDTLS_PKCS1_V21)
896 /*
897 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
898 */
899 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
900 int (*f_rng)(void *, unsigned char *, size_t),
901 void *p_rng,
902 int mode,
903 mbedtls_md_type_t md_alg,
904 unsigned int hashlen,
905 const unsigned char *hash,
906 unsigned char *sig )
907 {
908 size_t olen;
909 unsigned char *p = sig;
910 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
911 unsigned int slen, hlen, offset = 0;
912 int ret;
913 size_t msb;
914 const mbedtls_md_info_t *md_info;
915 mbedtls_md_context_t md_ctx;
916
917 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
918 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
919
920 if( f_rng == NULL )
921 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
922
923 olen = ctx->len;
924
925 if( md_alg != MBEDTLS_MD_NONE )
926 {
927 // Gather length of hash to sign
928 //
929 md_info = mbedtls_md_info_from_type( md_alg );
930 if( md_info == NULL )
931 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
932
933 hashlen = mbedtls_md_get_size( md_info );
934 }
935
936 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
937 if( md_info == NULL )
938 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
939
940 hlen = mbedtls_md_get_size( md_info );
941 slen = hlen;
942
943 if( olen < hlen + slen + 2 )
944 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
945
946 memset( sig, 0, olen );
947
948 // Generate salt of length slen
949 //
950 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
951 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
952
953 // Note: EMSA-PSS encoding is over the length of N - 1 bits
954 //
955 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
956 p += olen - hlen * 2 - 2;
957 *p++ = 0x01;
958 memcpy( p, salt, slen );
959 p += slen;
960
961 mbedtls_md_init( &md_ctx );
962 mbedtls_md_setup( &md_ctx, md_info, 0 );
963
964 // Generate H = Hash( M' )
965 //
966 mbedtls_md_starts( &md_ctx );
967 mbedtls_md_update( &md_ctx, p, 8 );
968 mbedtls_md_update( &md_ctx, hash, hashlen );
969 mbedtls_md_update( &md_ctx, salt, slen );
970 mbedtls_md_finish( &md_ctx, p );
971
972 // Compensate for boundary condition when applying mask
973 //
974 if( msb % 8 == 0 )
975 offset = 1;
976
977 // maskedDB: Apply dbMask to DB
978 //
979 mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
980
981 mbedtls_md_free( &md_ctx );
982
983 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
984 sig[0] &= 0xFF >> ( olen * 8 - msb );
985
986 p += hlen;
987 *p++ = 0xBC;
988
989 return( ( mode == MBEDTLS_RSA_PUBLIC )
990 ? mbedtls_rsa_public( ctx, sig, sig )
991 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
992 }
993 #endif /* MBEDTLS_PKCS1_V21 */
994
995 #if defined(MBEDTLS_PKCS1_V15)
996 /*
997 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
998 */
999 /*
1000 * Do an RSA operation to sign the message digest
1001 */
1002 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
1003 int (*f_rng)(void *, unsigned char *, size_t),
1004 void *p_rng,
1005 int mode,
1006 mbedtls_md_type_t md_alg,
1007 unsigned int hashlen,
1008 const unsigned char *hash,
1009 unsigned char *sig )
1010 {
1011 size_t nb_pad, olen, oid_size = 0;
1012 unsigned char *p = sig;
1013 const char *oid = NULL;
1014 unsigned char *sig_try = NULL, *verif = NULL;
1015 size_t i;
1016 unsigned char diff;
1017 volatile unsigned char diff_no_optimize;
1018 int ret;
1019
1020 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1021 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1022
1023 olen = ctx->len;
1024 nb_pad = olen - 3;
1025
1026 if( md_alg != MBEDTLS_MD_NONE )
1027 {
1028 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1029 if( md_info == NULL )
1030 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1031
1032 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1033 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1034
1035 nb_pad -= 10 + oid_size;
1036
1037 hashlen = mbedtls_md_get_size( md_info );
1038 }
1039
1040 nb_pad -= hashlen;
1041
1042 if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
1043 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1044
1045 *p++ = 0;
1046 *p++ = MBEDTLS_RSA_SIGN;
1047 memset( p, 0xFF, nb_pad );
1048 p += nb_pad;
1049 *p++ = 0;
1050
1051 if( md_alg == MBEDTLS_MD_NONE )
1052 {
1053 memcpy( p, hash, hashlen );
1054 }
1055 else
1056 {
1057 /*
1058 * DigestInfo ::= SEQUENCE {
1059 * digestAlgorithm DigestAlgorithmIdentifier,
1060 * digest Digest }
1061 *
1062 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1063 *
1064 * Digest ::= OCTET STRING
1065 */
1066 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1067 *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
1068 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1069 *p++ = (unsigned char) ( 0x04 + oid_size );
1070 *p++ = MBEDTLS_ASN1_OID;
1071 *p++ = oid_size & 0xFF;
1072 memcpy( p, oid, oid_size );
1073 p += oid_size;
1074 *p++ = MBEDTLS_ASN1_NULL;
1075 *p++ = 0x00;
1076 *p++ = MBEDTLS_ASN1_OCTET_STRING;
1077 *p++ = hashlen;
1078 memcpy( p, hash, hashlen );
1079 }
1080
1081 if( mode == MBEDTLS_RSA_PUBLIC )
1082 return( mbedtls_rsa_public( ctx, sig, sig ) );
1083
1084 /*
1085 * In order to prevent Lenstra's attack, make the signature in a
1086 * temporary buffer and check it before returning it.
1087 */
1088 sig_try = mbedtls_calloc( 1, ctx->len );
1089 verif = mbedtls_calloc( 1, ctx->len );
1090 if( sig_try == NULL || verif == NULL )
1091 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1092
1093 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1094 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
1095
1096 /* Compare in constant time just in case */
1097 for( diff = 0, i = 0; i < ctx->len; i++ )
1098 diff |= verif[i] ^ sig[i];
1099 diff_no_optimize = diff;
1100
1101 if( diff_no_optimize != 0 )
1102 {
1103 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1104 goto cleanup;
1105 }
1106
1107 memcpy( sig, sig_try, ctx->len );
1108
1109 cleanup:
1110 mbedtls_free( sig_try );
1111 mbedtls_free( verif );
1112
1113 return( ret );
1114 }
1115 #endif /* MBEDTLS_PKCS1_V15 */
1116
1117 /*
1118 * Do an RSA operation to sign the message digest
1119 */
1120 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
1121 int (*f_rng)(void *, unsigned char *, size_t),
1122 void *p_rng,
1123 int mode,
1124 mbedtls_md_type_t md_alg,
1125 unsigned int hashlen,
1126 const unsigned char *hash,
1127 unsigned char *sig )
1128 {
1129 switch( ctx->padding )
1130 {
1131 #if defined(MBEDTLS_PKCS1_V15)
1132 case MBEDTLS_RSA_PKCS_V15:
1133 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
1134 hashlen, hash, sig );
1135 #endif
1136
1137 #if defined(MBEDTLS_PKCS1_V21)
1138 case MBEDTLS_RSA_PKCS_V21:
1139 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1140 hashlen, hash, sig );
1141 #endif
1142
1143 default:
1144 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1145 }
1146 }
1147
1148 #if defined(MBEDTLS_PKCS1_V21)
1149 /*
1150 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1151 */
1152 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
1153 int (*f_rng)(void *, unsigned char *, size_t),
1154 void *p_rng,
1155 int mode,
1156 mbedtls_md_type_t md_alg,
1157 unsigned int hashlen,
1158 const unsigned char *hash,
1159 mbedtls_md_type_t mgf1_hash_id,
1160 int expected_salt_len,
1161 const unsigned char *sig )
1162 {
1163 int ret;
1164 size_t siglen;
1165 unsigned char *p;
1166 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1167 unsigned char result[MBEDTLS_MD_MAX_SIZE];
1168 unsigned char zeros[8];
1169 unsigned int hlen;
1170 size_t slen, msb;
1171 const mbedtls_md_info_t *md_info;
1172 mbedtls_md_context_t md_ctx;
1173
1174 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1175 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1176
1177 siglen = ctx->len;
1178
1179 if( siglen < 16 || siglen > sizeof( buf ) )
1180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1181
1182 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1183 ? mbedtls_rsa_public( ctx, sig, buf )
1184 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
1185
1186 if( ret != 0 )
1187 return( ret );
1188
1189 p = buf;
1190
1191 if( buf[siglen - 1] != 0xBC )
1192 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1193
1194 if( md_alg != MBEDTLS_MD_NONE )
1195 {
1196 // Gather length of hash to sign
1197 //
1198 md_info = mbedtls_md_info_from_type( md_alg );
1199 if( md_info == NULL )
1200 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1201
1202 hashlen = mbedtls_md_get_size( md_info );
1203 }
1204
1205 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
1206 if( md_info == NULL )
1207 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1208
1209 hlen = mbedtls_md_get_size( md_info );
1210 slen = siglen - hlen - 1; /* Currently length of salt + padding */
1211
1212 memset( zeros, 0, 8 );
1213
1214 // Note: EMSA-PSS verification is over the length of N - 1 bits
1215 //
1216 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1217
1218 // Compensate for boundary condition when applying mask
1219 //
1220 if( msb % 8 == 0 )
1221 {
1222 p++;
1223 siglen -= 1;
1224 }
1225 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1226 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1227
1228 mbedtls_md_init( &md_ctx );
1229 mbedtls_md_setup( &md_ctx, md_info, 0 );
1230
1231 mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1232
1233 buf[0] &= 0xFF >> ( siglen * 8 - msb );
1234
1235 while( p < buf + siglen && *p == 0 )
1236 p++;
1237
1238 if( p == buf + siglen ||
1239 *p++ != 0x01 )
1240 {
1241 mbedtls_md_free( &md_ctx );
1242 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1243 }
1244
1245 /* Actual salt len */
1246 slen -= p - buf;
1247
1248 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
1249 slen != (size_t) expected_salt_len )
1250 {
1251 mbedtls_md_free( &md_ctx );
1252 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1253 }
1254
1255 // Generate H = Hash( M' )
1256 //
1257 mbedtls_md_starts( &md_ctx );
1258 mbedtls_md_update( &md_ctx, zeros, 8 );
1259 mbedtls_md_update( &md_ctx, hash, hashlen );
1260 mbedtls_md_update( &md_ctx, p, slen );
1261 mbedtls_md_finish( &md_ctx, result );
1262
1263 mbedtls_md_free( &md_ctx );
1264
1265 if( memcmp( p + slen, result, hlen ) == 0 )
1266 return( 0 );
1267 else
1268 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1269 }
1270
1271 /*
1272 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1273 */
1274 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
1275 int (*f_rng)(void *, unsigned char *, size_t),
1276 void *p_rng,
1277 int mode,
1278 mbedtls_md_type_t md_alg,
1279 unsigned int hashlen,
1280 const unsigned char *hash,
1281 const unsigned char *sig )
1282 {
1283 mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
1284 ? (mbedtls_md_type_t) ctx->hash_id
1285 : md_alg;
1286
1287 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
1288 md_alg, hashlen, hash,
1289 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
1290 sig ) );
1291
1292 }
1293 #endif /* MBEDTLS_PKCS1_V21 */
1294
1295 #if defined(MBEDTLS_PKCS1_V15)
1296 /*
1297 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1298 */
1299 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
1300 int (*f_rng)(void *, unsigned char *, size_t),
1301 void *p_rng,
1302 int mode,
1303 mbedtls_md_type_t md_alg,
1304 unsigned int hashlen,
1305 const unsigned char *hash,
1306 const unsigned char *sig )
1307 {
1308 int ret;
1309 size_t len, siglen, asn1_len;
1310 unsigned char *p, *end;
1311 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1312 mbedtls_md_type_t msg_md_alg;
1313 const mbedtls_md_info_t *md_info;
1314 mbedtls_asn1_buf oid;
1315
1316 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1317 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1318
1319 siglen = ctx->len;
1320
1321 if( siglen < 16 || siglen > sizeof( buf ) )
1322 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1323
1324 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1325 ? mbedtls_rsa_public( ctx, sig, buf )
1326 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
1327
1328 if( ret != 0 )
1329 return( ret );
1330
1331 p = buf;
1332
1333 if( *p++ != 0 || *p++ != MBEDTLS_RSA_SIGN )
1334 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1335
1336 while( *p != 0 )
1337 {
1338 if( p >= buf + siglen - 1 || *p != 0xFF )
1339 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1340 p++;
1341 }
1342 p++;
1343
1344 len = siglen - ( p - buf );
1345
1346 if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
1347 {
1348 if( memcmp( p, hash, hashlen ) == 0 )
1349 return( 0 );
1350 else
1351 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1352 }
1353
1354 md_info = mbedtls_md_info_from_type( md_alg );
1355 if( md_info == NULL )
1356 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1357 hashlen = mbedtls_md_get_size( md_info );
1358
1359 end = p + len;
1360
1361 // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
1362 //
1363 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
1364 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1365 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1366
1367 if( asn1_len + 2 != len )
1368 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1369
1370 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
1371 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1372 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1373
1374 if( asn1_len + 6 + hashlen != len )
1375 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1376
1377 if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
1378 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1379
1380 oid.p = p;
1381 p += oid.len;
1382
1383 if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
1384 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1385
1386 if( md_alg != msg_md_alg )
1387 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1388
1389 /*
1390 * assume the algorithm parameters must be NULL
1391 */
1392 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
1393 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1394
1395 if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1396 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1397
1398 if( asn1_len != hashlen )
1399 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1400
1401 if( memcmp( p, hash, hashlen ) != 0 )
1402 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1403
1404 p += hashlen;
1405
1406 if( p != end )
1407 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1408
1409 return( 0 );
1410 }
1411 #endif /* MBEDTLS_PKCS1_V15 */
1412
1413 /*
1414 * Do an RSA operation and check the message digest
1415 */
1416 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
1417 int (*f_rng)(void *, unsigned char *, size_t),
1418 void *p_rng,
1419 int mode,
1420 mbedtls_md_type_t md_alg,
1421 unsigned int hashlen,
1422 const unsigned char *hash,
1423 const unsigned char *sig )
1424 {
1425 switch( ctx->padding )
1426 {
1427 #if defined(MBEDTLS_PKCS1_V15)
1428 case MBEDTLS_RSA_PKCS_V15:
1429 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
1430 hashlen, hash, sig );
1431 #endif
1432
1433 #if defined(MBEDTLS_PKCS1_V21)
1434 case MBEDTLS_RSA_PKCS_V21:
1435 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
1436 hashlen, hash, sig );
1437 #endif
1438
1439 default:
1440 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1441 }
1442 }
1443
1444 /*
1445 * Copy the components of an RSA key
1446 */
1447 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
1448 {
1449 int ret;
1450
1451 dst->ver = src->ver;
1452 dst->len = src->len;
1453
1454 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
1455 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
1456
1457 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
1458 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
1459 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
1460 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
1461 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
1462 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
1463
1464 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
1465 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
1466 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
1467
1468 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
1469 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
1470
1471 dst->padding = src->padding;
1472 dst->hash_id = src->hash_id;
1473
1474 cleanup:
1475 if( ret != 0 )
1476 mbedtls_rsa_free( dst );
1477
1478 return( ret );
1479 }
1480
1481 /*
1482 * Free the components of an RSA key
1483 */
1484 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
1485 {
1486 mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
1487 mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
1488 mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
1489 mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
1490 mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
1491
1492 #if defined(MBEDTLS_THREADING_C)
1493 mbedtls_mutex_free( &ctx->mutex );
1494 #endif
1495 }
1496
1497 #if defined(MBEDTLS_SELF_TEST)
1498
1499 #include "mbedtls/sha1.h"
1500
1501 /*
1502 * Example RSA-1024 keypair, for test purposes
1503 */
1504 #define KEY_LEN 128
1505
1506 #define RSA_N "9292758453063D803DD603D5E777D788" \
1507 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1508 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1509 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1510 "93A89813FBF3C4F8066D2D800F7C38A8" \
1511 "1AE31942917403FF4946B0A83D3D3E05" \
1512 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1513 "5E94BB77B07507233A0BC7BAC8F90F79"
1514
1515 #define RSA_E "10001"
1516
1517 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1518 "66CA472BC44D253102F8B4A9D3BFA750" \
1519 "91386C0077937FE33FA3252D28855837" \
1520 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1521 "DF79C5CE07EE72C7F123142198164234" \
1522 "CABB724CF78B8173B9F880FC86322407" \
1523 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1524 "071513A1E85B5DFA031F21ECAE91A34D"
1525
1526 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1527 "2C01CAD19EA484A87EA4377637E75500" \
1528 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1529 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1530
1531 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1532 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1533 "910E4168387E3C30AA1E00C339A79508" \
1534 "8452DD96A9A5EA5D9DCA68DA636032AF"
1535
1536 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1537 "3C94D22288ACD763FD8E5600ED4A702D" \
1538 "F84198A5F06C2E72236AE490C93F07F8" \
1539 "3CC559CD27BC2D1CA488811730BB5725"
1540
1541 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1542 "D8AAEA56749EA28623272E4F7D0592AF" \
1543 "7C1F1313CAC9471B5C523BFE592F517B" \
1544 "407A1BD76C164B93DA2D32A383E58357"
1545
1546 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1547 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1548 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1549 "A74206CEC169D74BF5A8C50D6F48EA08"
1550
1551 #define PT_LEN 24
1552 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1553 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1554
1555 #if defined(MBEDTLS_PKCS1_V15)
1556 static int myrand( void *rng_state, unsigned char *output, size_t len )
1557 {
1558 #if !defined(__OpenBSD__)
1559 size_t i;
1560
1561 if( rng_state != NULL )
1562 rng_state = NULL;
1563
1564 for( i = 0; i < len; ++i )
1565 output[i] = rand();
1566 #else
1567 if( rng_state != NULL )
1568 rng_state = NULL;
1569
1570 arc4random_buf( output, len );
1571 #endif /* !OpenBSD */
1572
1573 return( 0 );
1574 }
1575 #endif /* MBEDTLS_PKCS1_V15 */
1576
1577 /*
1578 * Checkup routine
1579 */
1580 int mbedtls_rsa_self_test( int verbose )
1581 {
1582 int ret = 0;
1583 #if defined(MBEDTLS_PKCS1_V15)
1584 size_t len;
1585 mbedtls_rsa_context rsa;
1586 unsigned char rsa_plaintext[PT_LEN];
1587 unsigned char rsa_decrypted[PT_LEN];
1588 unsigned char rsa_ciphertext[KEY_LEN];
1589 #if defined(MBEDTLS_SHA1_C)
1590 unsigned char sha1sum[20];
1591 #endif
1592
1593 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
1594
1595 rsa.len = KEY_LEN;
1596 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
1597 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
1598 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
1599 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
1600 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
1601 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
1602 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
1603 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
1604
1605 if( verbose != 0 )
1606 mbedtls_printf( " RSA key validation: " );
1607
1608 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
1609 mbedtls_rsa_check_privkey( &rsa ) != 0 )
1610 {
1611 if( verbose != 0 )
1612 mbedtls_printf( "failed\n" );
1613
1614 return( 1 );
1615 }
1616
1617 if( verbose != 0 )
1618 mbedtls_printf( "passed\n PKCS#1 encryption : " );
1619
1620 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1621
1622 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
1623 rsa_plaintext, rsa_ciphertext ) != 0 )
1624 {
1625 if( verbose != 0 )
1626 mbedtls_printf( "failed\n" );
1627
1628 return( 1 );
1629 }
1630
1631 if( verbose != 0 )
1632 mbedtls_printf( "passed\n PKCS#1 decryption : " );
1633
1634 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
1635 rsa_ciphertext, rsa_decrypted,
1636 sizeof(rsa_decrypted) ) != 0 )
1637 {
1638 if( verbose != 0 )
1639 mbedtls_printf( "failed\n" );
1640
1641 return( 1 );
1642 }
1643
1644 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1645 {
1646 if( verbose != 0 )
1647 mbedtls_printf( "failed\n" );
1648
1649 return( 1 );
1650 }
1651
1652 if( verbose != 0 )
1653 mbedtls_printf( "passed\n" );
1654
1655 #if defined(MBEDTLS_SHA1_C)
1656 if( verbose != 0 )
1657 mbedtls_printf( "PKCS#1 data sign : " );
1658
1659 mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
1660
1661 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
1662 sha1sum, rsa_ciphertext ) != 0 )
1663 {
1664 if( verbose != 0 )
1665 mbedtls_printf( "failed\n" );
1666
1667 return( 1 );
1668 }
1669
1670 if( verbose != 0 )
1671 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
1672
1673 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
1674 sha1sum, rsa_ciphertext ) != 0 )
1675 {
1676 if( verbose != 0 )
1677 mbedtls_printf( "failed\n" );
1678
1679 return( 1 );
1680 }
1681
1682 if( verbose != 0 )
1683 mbedtls_printf( "passed\n" );
1684 #endif /* MBEDTLS_SHA1_C */
1685
1686 if( verbose != 0 )
1687 mbedtls_printf( "\n" );
1688
1689 cleanup:
1690 mbedtls_rsa_free( &rsa );
1691 #else /* MBEDTLS_PKCS1_V15 */
1692 ((void) verbose);
1693 #endif /* MBEDTLS_PKCS1_V15 */
1694 return( ret );
1695 }
1696
1697 #endif /* MBEDTLS_SELF_TEST */
1698
1699 #endif /* MBEDTLS_RSA_C */
A free Windows-compatible Operating System