2 * The RSA public-key cryptosystem
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
24 * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
25 * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_RSA_C)
36 #include "mbedtls/rsa.h"
37 #include "mbedtls/oid.h"
41 #if defined(MBEDTLS_PKCS1_V21)
42 #include "mbedtls/md.h"
45 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
49 #if defined(MBEDTLS_PLATFORM_C)
50 #include "mbedtls/platform.h"
53 #define mbedtls_printf printf
54 #define mbedtls_calloc calloc
55 #define mbedtls_free free
59 * Initialize an RSA context
61 void mbedtls_rsa_init( mbedtls_rsa_context
*ctx
,
65 memset( ctx
, 0, sizeof( mbedtls_rsa_context
) );
67 mbedtls_rsa_set_padding( ctx
, padding
, hash_id
);
69 #if defined(MBEDTLS_THREADING_C)
70 mbedtls_mutex_init( &ctx
->mutex
);
75 * Set padding for an existing RSA context
77 void mbedtls_rsa_set_padding( mbedtls_rsa_context
*ctx
, int padding
, int hash_id
)
79 ctx
->padding
= padding
;
80 ctx
->hash_id
= hash_id
;
83 #if defined(MBEDTLS_GENPRIME)
86 * Generate an RSA keypair
88 int mbedtls_rsa_gen_key( mbedtls_rsa_context
*ctx
,
89 int (*f_rng
)(void *, unsigned char *, size_t),
91 unsigned int nbits
, int exponent
)
94 mbedtls_mpi P1
, Q1
, H
, G
;
96 if( f_rng
== NULL
|| nbits
< 128 || exponent
< 3 )
97 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
99 mbedtls_mpi_init( &P1
); mbedtls_mpi_init( &Q1
); mbedtls_mpi_init( &H
); mbedtls_mpi_init( &G
);
102 * find primes P and Q with Q < P so that:
103 * GCD( E, (P-1)*(Q-1) ) == 1
105 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx
->E
, exponent
) );
109 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx
->P
, ( nbits
+ 1 ) >> 1, 0,
112 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx
->Q
, ( nbits
+ 1 ) >> 1, 0,
115 if( mbedtls_mpi_cmp_mpi( &ctx
->P
, &ctx
->Q
) < 0 )
116 mbedtls_mpi_swap( &ctx
->P
, &ctx
->Q
);
118 if( mbedtls_mpi_cmp_mpi( &ctx
->P
, &ctx
->Q
) == 0 )
121 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->N
, &ctx
->P
, &ctx
->Q
) );
122 if( mbedtls_mpi_bitlen( &ctx
->N
) != nbits
)
125 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1
, &ctx
->P
, 1 ) );
126 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1
, &ctx
->Q
, 1 ) );
127 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H
, &P1
, &Q1
) );
128 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G
, &ctx
->E
, &H
) );
130 while( mbedtls_mpi_cmp_int( &G
, 1 ) != 0 );
133 * D = E^-1 mod ((P-1)*(Q-1))
138 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->D
, &ctx
->E
, &H
) );
139 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->DP
, &ctx
->D
, &P1
) );
140 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->DQ
, &ctx
->D
, &Q1
) );
141 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->QP
, &ctx
->Q
, &ctx
->P
) );
143 ctx
->len
= ( mbedtls_mpi_bitlen( &ctx
->N
) + 7 ) >> 3;
147 mbedtls_mpi_free( &P1
); mbedtls_mpi_free( &Q1
); mbedtls_mpi_free( &H
); mbedtls_mpi_free( &G
);
151 mbedtls_rsa_free( ctx
);
152 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED
+ ret
);
158 #endif /* MBEDTLS_GENPRIME */
161 * Check a public RSA key
163 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context
*ctx
)
165 if( !ctx
->N
.p
|| !ctx
->E
.p
)
166 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
168 if( ( ctx
->N
.p
[0] & 1 ) == 0 ||
169 ( ctx
->E
.p
[0] & 1 ) == 0 )
170 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
172 if( mbedtls_mpi_bitlen( &ctx
->N
) < 128 ||
173 mbedtls_mpi_bitlen( &ctx
->N
) > MBEDTLS_MPI_MAX_BITS
)
174 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
176 if( mbedtls_mpi_bitlen( &ctx
->E
) < 2 ||
177 mbedtls_mpi_cmp_mpi( &ctx
->E
, &ctx
->N
) >= 0 )
178 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
184 * Check a private RSA key
186 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context
*ctx
)
189 mbedtls_mpi PQ
, DE
, P1
, Q1
, H
, I
, G
, G2
, L1
, L2
, DP
, DQ
, QP
;
191 if( ( ret
= mbedtls_rsa_check_pubkey( ctx
) ) != 0 )
194 if( !ctx
->P
.p
|| !ctx
->Q
.p
|| !ctx
->D
.p
)
195 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
197 mbedtls_mpi_init( &PQ
); mbedtls_mpi_init( &DE
); mbedtls_mpi_init( &P1
); mbedtls_mpi_init( &Q1
);
198 mbedtls_mpi_init( &H
); mbedtls_mpi_init( &I
); mbedtls_mpi_init( &G
); mbedtls_mpi_init( &G2
);
199 mbedtls_mpi_init( &L1
); mbedtls_mpi_init( &L2
); mbedtls_mpi_init( &DP
); mbedtls_mpi_init( &DQ
);
200 mbedtls_mpi_init( &QP
);
202 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ
, &ctx
->P
, &ctx
->Q
) );
203 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE
, &ctx
->D
, &ctx
->E
) );
204 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1
, &ctx
->P
, 1 ) );
205 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1
, &ctx
->Q
, 1 ) );
206 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H
, &P1
, &Q1
) );
207 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G
, &ctx
->E
, &H
) );
209 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2
, &P1
, &Q1
) );
210 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1
, &L2
, &H
, &G2
) );
211 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I
, &DE
, &L1
) );
213 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP
, &ctx
->D
, &P1
) );
214 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ
, &ctx
->D
, &Q1
) );
215 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP
, &ctx
->Q
, &ctx
->P
) );
217 * Check for a valid PKCS1v2 private key
219 if( mbedtls_mpi_cmp_mpi( &PQ
, &ctx
->N
) != 0 ||
220 mbedtls_mpi_cmp_mpi( &DP
, &ctx
->DP
) != 0 ||
221 mbedtls_mpi_cmp_mpi( &DQ
, &ctx
->DQ
) != 0 ||
222 mbedtls_mpi_cmp_mpi( &QP
, &ctx
->QP
) != 0 ||
223 mbedtls_mpi_cmp_int( &L2
, 0 ) != 0 ||
224 mbedtls_mpi_cmp_int( &I
, 1 ) != 0 ||
225 mbedtls_mpi_cmp_int( &G
, 1 ) != 0 )
227 ret
= MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
;
231 mbedtls_mpi_free( &PQ
); mbedtls_mpi_free( &DE
); mbedtls_mpi_free( &P1
); mbedtls_mpi_free( &Q1
);
232 mbedtls_mpi_free( &H
); mbedtls_mpi_free( &I
); mbedtls_mpi_free( &G
); mbedtls_mpi_free( &G2
);
233 mbedtls_mpi_free( &L1
); mbedtls_mpi_free( &L2
); mbedtls_mpi_free( &DP
); mbedtls_mpi_free( &DQ
);
234 mbedtls_mpi_free( &QP
);
236 if( ret
== MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
)
240 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+ ret
);
246 * Check if contexts holding a public and private key match
248 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context
*pub
, const mbedtls_rsa_context
*prv
)
250 if( mbedtls_rsa_check_pubkey( pub
) != 0 ||
251 mbedtls_rsa_check_privkey( prv
) != 0 )
253 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
256 if( mbedtls_mpi_cmp_mpi( &pub
->N
, &prv
->N
) != 0 ||
257 mbedtls_mpi_cmp_mpi( &pub
->E
, &prv
->E
) != 0 )
259 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
266 * Do an RSA public key operation
268 int mbedtls_rsa_public( mbedtls_rsa_context
*ctx
,
269 const unsigned char *input
,
270 unsigned char *output
)
276 mbedtls_mpi_init( &T
);
278 #if defined(MBEDTLS_THREADING_C)
279 if( ( ret
= mbedtls_mutex_lock( &ctx
->mutex
) ) != 0 )
283 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T
, input
, ctx
->len
) );
285 if( mbedtls_mpi_cmp_mpi( &T
, &ctx
->N
) >= 0 )
287 ret
= MBEDTLS_ERR_MPI_BAD_INPUT_DATA
;
292 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T
, &T
, &ctx
->E
, &ctx
->N
, &ctx
->RN
) );
293 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T
, output
, olen
) );
296 #if defined(MBEDTLS_THREADING_C)
297 if( mbedtls_mutex_unlock( &ctx
->mutex
) != 0 )
298 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
301 mbedtls_mpi_free( &T
);
304 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED
+ ret
);
310 * Generate or update blinding values, see section 10 of:
311 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
312 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
313 * Berlin Heidelberg, 1996. p. 104-113.
315 static int rsa_prepare_blinding( mbedtls_rsa_context
*ctx
,
316 int (*f_rng
)(void *, unsigned char *, size_t), void *p_rng
)
320 if( ctx
->Vf
.p
!= NULL
)
322 /* We already have blinding values, just update them by squaring */
323 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->Vi
, &ctx
->Vi
, &ctx
->Vi
) );
324 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->Vi
, &ctx
->Vi
, &ctx
->N
) );
325 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->Vf
, &ctx
->Vf
, &ctx
->Vf
) );
326 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->Vf
, &ctx
->Vf
, &ctx
->N
) );
331 /* Unblinding value: Vf = random number, invertible mod N */
334 return( MBEDTLS_ERR_RSA_RNG_FAILED
);
336 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx
->Vf
, ctx
->len
- 1, f_rng
, p_rng
) );
337 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx
->Vi
, &ctx
->Vf
, &ctx
->N
) );
338 } while( mbedtls_mpi_cmp_int( &ctx
->Vi
, 1 ) != 0 );
340 /* Blinding value: Vi = Vf^(-e) mod N */
341 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->Vi
, &ctx
->Vf
, &ctx
->N
) );
342 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx
->Vi
, &ctx
->Vi
, &ctx
->E
, &ctx
->N
, &ctx
->RN
) );
350 * Do an RSA private key operation
352 int mbedtls_rsa_private( mbedtls_rsa_context
*ctx
,
353 int (*f_rng
)(void *, unsigned char *, size_t),
355 const unsigned char *input
,
356 unsigned char *output
)
360 mbedtls_mpi T
, T1
, T2
;
362 /* Make sure we have private key info, prevent possible misuse */
363 if( ctx
->P
.p
== NULL
|| ctx
->Q
.p
== NULL
|| ctx
->D
.p
== NULL
)
364 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
366 mbedtls_mpi_init( &T
); mbedtls_mpi_init( &T1
); mbedtls_mpi_init( &T2
);
368 #if defined(MBEDTLS_THREADING_C)
369 if( ( ret
= mbedtls_mutex_lock( &ctx
->mutex
) ) != 0 )
373 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T
, input
, ctx
->len
) );
374 if( mbedtls_mpi_cmp_mpi( &T
, &ctx
->N
) >= 0 )
376 ret
= MBEDTLS_ERR_MPI_BAD_INPUT_DATA
;
386 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx
, f_rng
, p_rng
) );
387 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T
, &T
, &ctx
->Vi
) );
388 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T
, &ctx
->N
) );
391 #if defined(MBEDTLS_RSA_NO_CRT)
392 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T
, &T
, &ctx
->D
, &ctx
->N
, &ctx
->RN
) );
395 * faster decryption using the CRT
397 * T1 = input ^ dP mod P
398 * T2 = input ^ dQ mod Q
400 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1
, &T
, &ctx
->DP
, &ctx
->P
, &ctx
->RP
) );
401 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2
, &T
, &ctx
->DQ
, &ctx
->Q
, &ctx
->RQ
) );
404 * T = (T1 - T2) * (Q^-1 mod P) mod P
406 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T
, &T1
, &T2
) );
407 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1
, &T
, &ctx
->QP
) );
408 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T1
, &ctx
->P
) );
413 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1
, &T
, &ctx
->Q
) );
414 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T
, &T2
, &T1
) );
415 #endif /* MBEDTLS_RSA_NO_CRT */
423 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T
, &T
, &ctx
->Vf
) );
424 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T
, &ctx
->N
) );
428 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T
, output
, olen
) );
431 #if defined(MBEDTLS_THREADING_C)
432 if( mbedtls_mutex_unlock( &ctx
->mutex
) != 0 )
433 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
436 mbedtls_mpi_free( &T
); mbedtls_mpi_free( &T1
); mbedtls_mpi_free( &T2
);
439 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED
+ ret
);
444 #if defined(MBEDTLS_PKCS1_V21)
446 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
448 * \param dst buffer to mask
449 * \param dlen length of destination buffer
450 * \param src source of the mask generation
451 * \param slen length of the source buffer
452 * \param md_ctx message digest context to use
454 static void mgf_mask( unsigned char *dst
, size_t dlen
, unsigned char *src
,
455 size_t slen
, mbedtls_md_context_t
*md_ctx
)
457 unsigned char mask
[MBEDTLS_MD_MAX_SIZE
];
458 unsigned char counter
[4];
463 memset( mask
, 0, MBEDTLS_MD_MAX_SIZE
);
464 memset( counter
, 0, 4 );
466 hlen
= mbedtls_md_get_size( md_ctx
->md_info
);
468 // Generate and apply dbMask
478 mbedtls_md_starts( md_ctx
);
479 mbedtls_md_update( md_ctx
, src
, slen
);
480 mbedtls_md_update( md_ctx
, counter
, 4 );
481 mbedtls_md_finish( md_ctx
, mask
);
483 for( i
= 0; i
< use_len
; ++i
)
491 #endif /* MBEDTLS_PKCS1_V21 */
493 #if defined(MBEDTLS_PKCS1_V21)
495 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
497 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context
*ctx
,
498 int (*f_rng
)(void *, unsigned char *, size_t),
501 const unsigned char *label
, size_t label_len
,
503 const unsigned char *input
,
504 unsigned char *output
)
508 unsigned char *p
= output
;
510 const mbedtls_md_info_t
*md_info
;
511 mbedtls_md_context_t md_ctx
;
513 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
514 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
517 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
519 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
520 if( md_info
== NULL
)
521 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
524 hlen
= mbedtls_md_get_size( md_info
);
526 if( olen
< ilen
+ 2 * hlen
+ 2 )
527 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
529 memset( output
, 0, olen
);
533 // Generate a random octet string seed
535 if( ( ret
= f_rng( p_rng
, p
, hlen
) ) != 0 )
536 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
542 mbedtls_md( md_info
, label
, label_len
, p
);
544 p
+= olen
- 2 * hlen
- 2 - ilen
;
546 memcpy( p
, input
, ilen
);
548 mbedtls_md_init( &md_ctx
);
549 mbedtls_md_setup( &md_ctx
, md_info
, 0 );
551 // maskedDB: Apply dbMask to DB
553 mgf_mask( output
+ hlen
+ 1, olen
- hlen
- 1, output
+ 1, hlen
,
556 // maskedSeed: Apply seedMask to seed
558 mgf_mask( output
+ 1, hlen
, output
+ hlen
+ 1, olen
- hlen
- 1,
561 mbedtls_md_free( &md_ctx
);
563 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
564 ? mbedtls_rsa_public( ctx
, output
, output
)
565 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, output
, output
) );
567 #endif /* MBEDTLS_PKCS1_V21 */
569 #if defined(MBEDTLS_PKCS1_V15)
571 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
573 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context
*ctx
,
574 int (*f_rng
)(void *, unsigned char *, size_t),
576 int mode
, size_t ilen
,
577 const unsigned char *input
,
578 unsigned char *output
)
582 unsigned char *p
= output
;
584 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
585 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
588 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
592 if( olen
< ilen
+ 11 )
593 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
595 nb_pad
= olen
- 3 - ilen
;
598 if( mode
== MBEDTLS_RSA_PUBLIC
)
600 *p
++ = MBEDTLS_RSA_CRYPT
;
602 while( nb_pad
-- > 0 )
607 ret
= f_rng( p_rng
, p
, 1 );
608 } while( *p
== 0 && --rng_dl
&& ret
== 0 );
610 // Check if RNG failed to generate data
612 if( rng_dl
== 0 || ret
!= 0 )
613 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
620 *p
++ = MBEDTLS_RSA_SIGN
;
622 while( nb_pad
-- > 0 )
627 memcpy( p
, input
, ilen
);
629 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
630 ? mbedtls_rsa_public( ctx
, output
, output
)
631 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, output
, output
) );
633 #endif /* MBEDTLS_PKCS1_V15 */
636 * Add the message padding, then do an RSA operation
638 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context
*ctx
,
639 int (*f_rng
)(void *, unsigned char *, size_t),
641 int mode
, size_t ilen
,
642 const unsigned char *input
,
643 unsigned char *output
)
645 switch( ctx
->padding
)
647 #if defined(MBEDTLS_PKCS1_V15)
648 case MBEDTLS_RSA_PKCS_V15
:
649 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx
, f_rng
, p_rng
, mode
, ilen
,
653 #if defined(MBEDTLS_PKCS1_V21)
654 case MBEDTLS_RSA_PKCS_V21
:
655 return mbedtls_rsa_rsaes_oaep_encrypt( ctx
, f_rng
, p_rng
, mode
, NULL
, 0,
656 ilen
, input
, output
);
660 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
664 #if defined(MBEDTLS_PKCS1_V21)
666 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
668 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context
*ctx
,
669 int (*f_rng
)(void *, unsigned char *, size_t),
672 const unsigned char *label
, size_t label_len
,
674 const unsigned char *input
,
675 unsigned char *output
,
676 size_t output_max_len
)
679 size_t ilen
, i
, pad_len
;
680 unsigned char *p
, bad
, pad_done
;
681 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
682 unsigned char lhash
[MBEDTLS_MD_MAX_SIZE
];
684 const mbedtls_md_info_t
*md_info
;
685 mbedtls_md_context_t md_ctx
;
688 * Parameters sanity checks
690 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
691 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
695 if( ilen
< 16 || ilen
> sizeof( buf
) )
696 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
698 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
699 if( md_info
== NULL
)
700 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
705 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
706 ? mbedtls_rsa_public( ctx
, input
, buf
)
707 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, input
, buf
);
713 * Unmask data and generate lHash
715 hlen
= mbedtls_md_get_size( md_info
);
717 mbedtls_md_init( &md_ctx
);
718 mbedtls_md_setup( &md_ctx
, md_info
, 0 );
721 mbedtls_md( md_info
, label
, label_len
, lhash
);
723 /* seed: Apply seedMask to maskedSeed */
724 mgf_mask( buf
+ 1, hlen
, buf
+ hlen
+ 1, ilen
- hlen
- 1,
727 /* DB: Apply dbMask to maskedDB */
728 mgf_mask( buf
+ hlen
+ 1, ilen
- hlen
- 1, buf
+ 1, hlen
,
731 mbedtls_md_free( &md_ctx
);
734 * Check contents, in "constant-time"
739 bad
|= *p
++; /* First byte must be 0 */
741 p
+= hlen
; /* Skip seed */
744 for( i
= 0; i
< hlen
; i
++ )
745 bad
|= lhash
[i
] ^ *p
++;
747 /* Get zero-padding len, but always read till end of buffer
748 * (minus one, for the 01 byte) */
751 for( i
= 0; i
< ilen
- 2 * hlen
- 2; i
++ )
754 pad_len
+= ((pad_done
| (unsigned char)-pad_done
) >> 7) ^ 1;
761 * The only information "leaked" is whether the padding was correct or not
762 * (eg, no data is copied if it was not correct). This meets the
763 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
764 * the different error conditions.
767 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
769 if( ilen
- ( p
- buf
) > output_max_len
)
770 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
);
772 *olen
= ilen
- (p
- buf
);
773 memcpy( output
, p
, *olen
);
777 #endif /* MBEDTLS_PKCS1_V21 */
779 #if defined(MBEDTLS_PKCS1_V15)
781 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
783 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context
*ctx
,
784 int (*f_rng
)(void *, unsigned char *, size_t),
786 int mode
, size_t *olen
,
787 const unsigned char *input
,
788 unsigned char *output
,
789 size_t output_max_len
)
792 size_t ilen
, pad_count
= 0, i
;
793 unsigned char *p
, bad
, pad_done
= 0;
794 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
796 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
797 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
801 if( ilen
< 16 || ilen
> sizeof( buf
) )
802 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
804 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
805 ? mbedtls_rsa_public( ctx
, input
, buf
)
806 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, input
, buf
);
815 * Check and get padding len in "constant-time"
817 bad
|= *p
++; /* First byte must be 0 */
819 /* This test does not depend on secret data */
820 if( mode
== MBEDTLS_RSA_PRIVATE
)
822 bad
|= *p
++ ^ MBEDTLS_RSA_CRYPT
;
824 /* Get padding len, but always read till end of buffer
825 * (minus one, for the 00 byte) */
826 for( i
= 0; i
< ilen
- 3; i
++ )
828 pad_done
|= ((p
[i
] | (unsigned char)-p
[i
]) >> 7) ^ 1;
829 pad_count
+= ((pad_done
| (unsigned char)-pad_done
) >> 7) ^ 1;
833 bad
|= *p
++; /* Must be zero */
837 bad
|= *p
++ ^ MBEDTLS_RSA_SIGN
;
839 /* Get padding len, but always read till end of buffer
840 * (minus one, for the 00 byte) */
841 for( i
= 0; i
< ilen
- 3; i
++ )
843 pad_done
|= ( p
[i
] != 0xFF );
844 pad_count
+= ( pad_done
== 0 );
848 bad
|= *p
++; /* Must be zero */
852 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
854 if( ilen
- ( p
- buf
) > output_max_len
)
855 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
);
857 *olen
= ilen
- (p
- buf
);
858 memcpy( output
, p
, *olen
);
862 #endif /* MBEDTLS_PKCS1_V15 */
865 * Do an RSA operation, then remove the message padding
867 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context
*ctx
,
868 int (*f_rng
)(void *, unsigned char *, size_t),
870 int mode
, size_t *olen
,
871 const unsigned char *input
,
872 unsigned char *output
,
873 size_t output_max_len
)
875 switch( ctx
->padding
)
877 #if defined(MBEDTLS_PKCS1_V15)
878 case MBEDTLS_RSA_PKCS_V15
:
879 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx
, f_rng
, p_rng
, mode
, olen
,
880 input
, output
, output_max_len
);
883 #if defined(MBEDTLS_PKCS1_V21)
884 case MBEDTLS_RSA_PKCS_V21
:
885 return mbedtls_rsa_rsaes_oaep_decrypt( ctx
, f_rng
, p_rng
, mode
, NULL
, 0,
891 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
895 #if defined(MBEDTLS_PKCS1_V21)
897 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
899 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context
*ctx
,
900 int (*f_rng
)(void *, unsigned char *, size_t),
903 mbedtls_md_type_t md_alg
,
904 unsigned int hashlen
,
905 const unsigned char *hash
,
909 unsigned char *p
= sig
;
910 unsigned char salt
[MBEDTLS_MD_MAX_SIZE
];
911 unsigned int slen
, hlen
, offset
= 0;
914 const mbedtls_md_info_t
*md_info
;
915 mbedtls_md_context_t md_ctx
;
917 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
918 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
921 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
925 if( md_alg
!= MBEDTLS_MD_NONE
)
927 // Gather length of hash to sign
929 md_info
= mbedtls_md_info_from_type( md_alg
);
930 if( md_info
== NULL
)
931 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
933 hashlen
= mbedtls_md_get_size( md_info
);
936 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
937 if( md_info
== NULL
)
938 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
940 hlen
= mbedtls_md_get_size( md_info
);
943 if( olen
< hlen
+ slen
+ 2 )
944 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
946 memset( sig
, 0, olen
);
948 // Generate salt of length slen
950 if( ( ret
= f_rng( p_rng
, salt
, slen
) ) != 0 )
951 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
953 // Note: EMSA-PSS encoding is over the length of N - 1 bits
955 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
956 p
+= olen
- hlen
* 2 - 2;
958 memcpy( p
, salt
, slen
);
961 mbedtls_md_init( &md_ctx
);
962 mbedtls_md_setup( &md_ctx
, md_info
, 0 );
964 // Generate H = Hash( M' )
966 mbedtls_md_starts( &md_ctx
);
967 mbedtls_md_update( &md_ctx
, p
, 8 );
968 mbedtls_md_update( &md_ctx
, hash
, hashlen
);
969 mbedtls_md_update( &md_ctx
, salt
, slen
);
970 mbedtls_md_finish( &md_ctx
, p
);
972 // Compensate for boundary condition when applying mask
977 // maskedDB: Apply dbMask to DB
979 mgf_mask( sig
+ offset
, olen
- hlen
- 1 - offset
, p
, hlen
, &md_ctx
);
981 mbedtls_md_free( &md_ctx
);
983 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
984 sig
[0] &= 0xFF >> ( olen
* 8 - msb
);
989 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
990 ? mbedtls_rsa_public( ctx
, sig
, sig
)
991 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, sig
) );
993 #endif /* MBEDTLS_PKCS1_V21 */
995 #if defined(MBEDTLS_PKCS1_V15)
997 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1000 * Do an RSA operation to sign the message digest
1002 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context
*ctx
,
1003 int (*f_rng
)(void *, unsigned char *, size_t),
1006 mbedtls_md_type_t md_alg
,
1007 unsigned int hashlen
,
1008 const unsigned char *hash
,
1009 unsigned char *sig
)
1011 size_t nb_pad
, olen
, oid_size
= 0;
1012 unsigned char *p
= sig
;
1013 const char *oid
= NULL
;
1014 unsigned char *sig_try
= NULL
, *verif
= NULL
;
1017 volatile unsigned char diff_no_optimize
;
1020 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
1021 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1026 if( md_alg
!= MBEDTLS_MD_NONE
)
1028 const mbedtls_md_info_t
*md_info
= mbedtls_md_info_from_type( md_alg
);
1029 if( md_info
== NULL
)
1030 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1032 if( mbedtls_oid_get_oid_by_md( md_alg
, &oid
, &oid_size
) != 0 )
1033 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1035 nb_pad
-= 10 + oid_size
;
1037 hashlen
= mbedtls_md_get_size( md_info
);
1042 if( ( nb_pad
< 8 ) || ( nb_pad
> olen
) )
1043 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1046 *p
++ = MBEDTLS_RSA_SIGN
;
1047 memset( p
, 0xFF, nb_pad
);
1051 if( md_alg
== MBEDTLS_MD_NONE
)
1053 memcpy( p
, hash
, hashlen
);
1058 * DigestInfo ::= SEQUENCE {
1059 * digestAlgorithm DigestAlgorithmIdentifier,
1062 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1064 * Digest ::= OCTET STRING
1066 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
1067 *p
++ = (unsigned char) ( 0x08 + oid_size
+ hashlen
);
1068 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
1069 *p
++ = (unsigned char) ( 0x04 + oid_size
);
1070 *p
++ = MBEDTLS_ASN1_OID
;
1071 *p
++ = oid_size
& 0xFF;
1072 memcpy( p
, oid
, oid_size
);
1074 *p
++ = MBEDTLS_ASN1_NULL
;
1076 *p
++ = MBEDTLS_ASN1_OCTET_STRING
;
1078 memcpy( p
, hash
, hashlen
);
1081 if( mode
== MBEDTLS_RSA_PUBLIC
)
1082 return( mbedtls_rsa_public( ctx
, sig
, sig
) );
1085 * In order to prevent Lenstra's attack, make the signature in a
1086 * temporary buffer and check it before returning it.
1088 sig_try
= mbedtls_calloc( 1, ctx
->len
);
1089 verif
= mbedtls_calloc( 1, ctx
->len
);
1090 if( sig_try
== NULL
|| verif
== NULL
)
1091 return( MBEDTLS_ERR_MPI_ALLOC_FAILED
);
1093 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, sig_try
) );
1094 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx
, sig_try
, verif
) );
1096 /* Compare in constant time just in case */
1097 for( diff
= 0, i
= 0; i
< ctx
->len
; i
++ )
1098 diff
|= verif
[i
] ^ sig
[i
];
1099 diff_no_optimize
= diff
;
1101 if( diff_no_optimize
!= 0 )
1103 ret
= MBEDTLS_ERR_RSA_PRIVATE_FAILED
;
1107 memcpy( sig
, sig_try
, ctx
->len
);
1110 mbedtls_free( sig_try
);
1111 mbedtls_free( verif
);
1115 #endif /* MBEDTLS_PKCS1_V15 */
1118 * Do an RSA operation to sign the message digest
1120 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context
*ctx
,
1121 int (*f_rng
)(void *, unsigned char *, size_t),
1124 mbedtls_md_type_t md_alg
,
1125 unsigned int hashlen
,
1126 const unsigned char *hash
,
1127 unsigned char *sig
)
1129 switch( ctx
->padding
)
1131 #if defined(MBEDTLS_PKCS1_V15)
1132 case MBEDTLS_RSA_PKCS_V15
:
1133 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1134 hashlen
, hash
, sig
);
1137 #if defined(MBEDTLS_PKCS1_V21)
1138 case MBEDTLS_RSA_PKCS_V21
:
1139 return mbedtls_rsa_rsassa_pss_sign( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1140 hashlen
, hash
, sig
);
1144 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1148 #if defined(MBEDTLS_PKCS1_V21)
1150 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1152 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context
*ctx
,
1153 int (*f_rng
)(void *, unsigned char *, size_t),
1156 mbedtls_md_type_t md_alg
,
1157 unsigned int hashlen
,
1158 const unsigned char *hash
,
1159 mbedtls_md_type_t mgf1_hash_id
,
1160 int expected_salt_len
,
1161 const unsigned char *sig
)
1166 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
1167 unsigned char result
[MBEDTLS_MD_MAX_SIZE
];
1168 unsigned char zeros
[8];
1171 const mbedtls_md_info_t
*md_info
;
1172 mbedtls_md_context_t md_ctx
;
1174 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
1175 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1179 if( siglen
< 16 || siglen
> sizeof( buf
) )
1180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1182 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
1183 ? mbedtls_rsa_public( ctx
, sig
, buf
)
1184 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, buf
);
1191 if( buf
[siglen
- 1] != 0xBC )
1192 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1194 if( md_alg
!= MBEDTLS_MD_NONE
)
1196 // Gather length of hash to sign
1198 md_info
= mbedtls_md_info_from_type( md_alg
);
1199 if( md_info
== NULL
)
1200 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1202 hashlen
= mbedtls_md_get_size( md_info
);
1205 md_info
= mbedtls_md_info_from_type( mgf1_hash_id
);
1206 if( md_info
== NULL
)
1207 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1209 hlen
= mbedtls_md_get_size( md_info
);
1210 slen
= siglen
- hlen
- 1; /* Currently length of salt + padding */
1212 memset( zeros
, 0, 8 );
1214 // Note: EMSA-PSS verification is over the length of N - 1 bits
1216 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
1218 // Compensate for boundary condition when applying mask
1225 if( buf
[0] >> ( 8 - siglen
* 8 + msb
) )
1226 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1228 mbedtls_md_init( &md_ctx
);
1229 mbedtls_md_setup( &md_ctx
, md_info
, 0 );
1231 mgf_mask( p
, siglen
- hlen
- 1, p
+ siglen
- hlen
- 1, hlen
, &md_ctx
);
1233 buf
[0] &= 0xFF >> ( siglen
* 8 - msb
);
1235 while( p
< buf
+ siglen
&& *p
== 0 )
1238 if( p
== buf
+ siglen
||
1241 mbedtls_md_free( &md_ctx
);
1242 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1245 /* Actual salt len */
1248 if( expected_salt_len
!= MBEDTLS_RSA_SALT_LEN_ANY
&&
1249 slen
!= (size_t) expected_salt_len
)
1251 mbedtls_md_free( &md_ctx
);
1252 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1255 // Generate H = Hash( M' )
1257 mbedtls_md_starts( &md_ctx
);
1258 mbedtls_md_update( &md_ctx
, zeros
, 8 );
1259 mbedtls_md_update( &md_ctx
, hash
, hashlen
);
1260 mbedtls_md_update( &md_ctx
, p
, slen
);
1261 mbedtls_md_finish( &md_ctx
, result
);
1263 mbedtls_md_free( &md_ctx
);
1265 if( memcmp( p
+ slen
, result
, hlen
) == 0 )
1268 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1272 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1274 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context
*ctx
,
1275 int (*f_rng
)(void *, unsigned char *, size_t),
1278 mbedtls_md_type_t md_alg
,
1279 unsigned int hashlen
,
1280 const unsigned char *hash
,
1281 const unsigned char *sig
)
1283 mbedtls_md_type_t mgf1_hash_id
= ( ctx
->hash_id
!= MBEDTLS_MD_NONE
)
1284 ? (mbedtls_md_type_t
) ctx
->hash_id
1287 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx
, f_rng
, p_rng
, mode
,
1288 md_alg
, hashlen
, hash
,
1289 mgf1_hash_id
, MBEDTLS_RSA_SALT_LEN_ANY
,
1293 #endif /* MBEDTLS_PKCS1_V21 */
1295 #if defined(MBEDTLS_PKCS1_V15)
1297 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1299 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context
*ctx
,
1300 int (*f_rng
)(void *, unsigned char *, size_t),
1303 mbedtls_md_type_t md_alg
,
1304 unsigned int hashlen
,
1305 const unsigned char *hash
,
1306 const unsigned char *sig
)
1309 size_t len
, siglen
, asn1_len
;
1310 unsigned char *p
, *end
;
1311 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
1312 mbedtls_md_type_t msg_md_alg
;
1313 const mbedtls_md_info_t
*md_info
;
1314 mbedtls_asn1_buf oid
;
1316 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
1317 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1321 if( siglen
< 16 || siglen
> sizeof( buf
) )
1322 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1324 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
1325 ? mbedtls_rsa_public( ctx
, sig
, buf
)
1326 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, buf
);
1333 if( *p
++ != 0 || *p
++ != MBEDTLS_RSA_SIGN
)
1334 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1338 if( p
>= buf
+ siglen
- 1 || *p
!= 0xFF )
1339 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1344 len
= siglen
- ( p
- buf
);
1346 if( len
== hashlen
&& md_alg
== MBEDTLS_MD_NONE
)
1348 if( memcmp( p
, hash
, hashlen
) == 0 )
1351 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1354 md_info
= mbedtls_md_info_from_type( md_alg
);
1355 if( md_info
== NULL
)
1356 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1357 hashlen
= mbedtls_md_get_size( md_info
);
1361 // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
1363 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
,
1364 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
1365 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1367 if( asn1_len
+ 2 != len
)
1368 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1370 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
,
1371 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
1372 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1374 if( asn1_len
+ 6 + hashlen
!= len
)
1375 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1377 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &oid
.len
, MBEDTLS_ASN1_OID
) ) != 0 )
1378 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1383 if( mbedtls_oid_get_md_alg( &oid
, &msg_md_alg
) != 0 )
1384 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1386 if( md_alg
!= msg_md_alg
)
1387 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1390 * assume the algorithm parameters must be NULL
1392 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
, MBEDTLS_ASN1_NULL
) ) != 0 )
1393 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1395 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 )
1396 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1398 if( asn1_len
!= hashlen
)
1399 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1401 if( memcmp( p
, hash
, hashlen
) != 0 )
1402 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1407 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1411 #endif /* MBEDTLS_PKCS1_V15 */
1414 * Do an RSA operation and check the message digest
1416 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context
*ctx
,
1417 int (*f_rng
)(void *, unsigned char *, size_t),
1420 mbedtls_md_type_t md_alg
,
1421 unsigned int hashlen
,
1422 const unsigned char *hash
,
1423 const unsigned char *sig
)
1425 switch( ctx
->padding
)
1427 #if defined(MBEDTLS_PKCS1_V15)
1428 case MBEDTLS_RSA_PKCS_V15
:
1429 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1430 hashlen
, hash
, sig
);
1433 #if defined(MBEDTLS_PKCS1_V21)
1434 case MBEDTLS_RSA_PKCS_V21
:
1435 return mbedtls_rsa_rsassa_pss_verify( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1436 hashlen
, hash
, sig
);
1440 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1445 * Copy the components of an RSA key
1447 int mbedtls_rsa_copy( mbedtls_rsa_context
*dst
, const mbedtls_rsa_context
*src
)
1451 dst
->ver
= src
->ver
;
1452 dst
->len
= src
->len
;
1454 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->N
, &src
->N
) );
1455 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->E
, &src
->E
) );
1457 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->D
, &src
->D
) );
1458 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->P
, &src
->P
) );
1459 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Q
, &src
->Q
) );
1460 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->DP
, &src
->DP
) );
1461 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->DQ
, &src
->DQ
) );
1462 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->QP
, &src
->QP
) );
1464 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RN
, &src
->RN
) );
1465 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RP
, &src
->RP
) );
1466 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RQ
, &src
->RQ
) );
1468 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Vi
, &src
->Vi
) );
1469 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Vf
, &src
->Vf
) );
1471 dst
->padding
= src
->padding
;
1472 dst
->hash_id
= src
->hash_id
;
1476 mbedtls_rsa_free( dst
);
1482 * Free the components of an RSA key
1484 void mbedtls_rsa_free( mbedtls_rsa_context
*ctx
)
1486 mbedtls_mpi_free( &ctx
->Vi
); mbedtls_mpi_free( &ctx
->Vf
);
1487 mbedtls_mpi_free( &ctx
->RQ
); mbedtls_mpi_free( &ctx
->RP
); mbedtls_mpi_free( &ctx
->RN
);
1488 mbedtls_mpi_free( &ctx
->QP
); mbedtls_mpi_free( &ctx
->DQ
); mbedtls_mpi_free( &ctx
->DP
);
1489 mbedtls_mpi_free( &ctx
->Q
); mbedtls_mpi_free( &ctx
->P
); mbedtls_mpi_free( &ctx
->D
);
1490 mbedtls_mpi_free( &ctx
->E
); mbedtls_mpi_free( &ctx
->N
);
1492 #if defined(MBEDTLS_THREADING_C)
1493 mbedtls_mutex_free( &ctx
->mutex
);
1497 #if defined(MBEDTLS_SELF_TEST)
1499 #include "mbedtls/sha1.h"
1502 * Example RSA-1024 keypair, for test purposes
1506 #define RSA_N "9292758453063D803DD603D5E777D788" \
1507 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1508 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1509 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1510 "93A89813FBF3C4F8066D2D800F7C38A8" \
1511 "1AE31942917403FF4946B0A83D3D3E05" \
1512 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1513 "5E94BB77B07507233A0BC7BAC8F90F79"
1515 #define RSA_E "10001"
1517 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1518 "66CA472BC44D253102F8B4A9D3BFA750" \
1519 "91386C0077937FE33FA3252D28855837" \
1520 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1521 "DF79C5CE07EE72C7F123142198164234" \
1522 "CABB724CF78B8173B9F880FC86322407" \
1523 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1524 "071513A1E85B5DFA031F21ECAE91A34D"
1526 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1527 "2C01CAD19EA484A87EA4377637E75500" \
1528 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1529 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1531 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1532 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1533 "910E4168387E3C30AA1E00C339A79508" \
1534 "8452DD96A9A5EA5D9DCA68DA636032AF"
1536 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1537 "3C94D22288ACD763FD8E5600ED4A702D" \
1538 "F84198A5F06C2E72236AE490C93F07F8" \
1539 "3CC559CD27BC2D1CA488811730BB5725"
1541 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1542 "D8AAEA56749EA28623272E4F7D0592AF" \
1543 "7C1F1313CAC9471B5C523BFE592F517B" \
1544 "407A1BD76C164B93DA2D32A383E58357"
1546 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1547 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1548 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1549 "A74206CEC169D74BF5A8C50D6F48EA08"
1552 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1553 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1555 #if defined(MBEDTLS_PKCS1_V15)
1556 static int myrand( void *rng_state
, unsigned char *output
, size_t len
)
1558 #if !defined(__OpenBSD__)
1561 if( rng_state
!= NULL
)
1564 for( i
= 0; i
< len
; ++i
)
1567 if( rng_state
!= NULL
)
1570 arc4random_buf( output
, len
);
1571 #endif /* !OpenBSD */
1575 #endif /* MBEDTLS_PKCS1_V15 */
1580 int mbedtls_rsa_self_test( int verbose
)
1583 #if defined(MBEDTLS_PKCS1_V15)
1585 mbedtls_rsa_context rsa
;
1586 unsigned char rsa_plaintext
[PT_LEN
];
1587 unsigned char rsa_decrypted
[PT_LEN
];
1588 unsigned char rsa_ciphertext
[KEY_LEN
];
1589 #if defined(MBEDTLS_SHA1_C)
1590 unsigned char sha1sum
[20];
1593 mbedtls_rsa_init( &rsa
, MBEDTLS_RSA_PKCS_V15
, 0 );
1596 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.N
, 16, RSA_N
) );
1597 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.E
, 16, RSA_E
) );
1598 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.D
, 16, RSA_D
) );
1599 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.P
, 16, RSA_P
) );
1600 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.Q
, 16, RSA_Q
) );
1601 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.DP
, 16, RSA_DP
) );
1602 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.DQ
, 16, RSA_DQ
) );
1603 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.QP
, 16, RSA_QP
) );
1606 mbedtls_printf( " RSA key validation: " );
1608 if( mbedtls_rsa_check_pubkey( &rsa
) != 0 ||
1609 mbedtls_rsa_check_privkey( &rsa
) != 0 )
1612 mbedtls_printf( "failed\n" );
1618 mbedtls_printf( "passed\n PKCS#1 encryption : " );
1620 memcpy( rsa_plaintext
, RSA_PT
, PT_LEN
);
1622 if( mbedtls_rsa_pkcs1_encrypt( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PUBLIC
, PT_LEN
,
1623 rsa_plaintext
, rsa_ciphertext
) != 0 )
1626 mbedtls_printf( "failed\n" );
1632 mbedtls_printf( "passed\n PKCS#1 decryption : " );
1634 if( mbedtls_rsa_pkcs1_decrypt( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PRIVATE
, &len
,
1635 rsa_ciphertext
, rsa_decrypted
,
1636 sizeof(rsa_decrypted
) ) != 0 )
1639 mbedtls_printf( "failed\n" );
1644 if( memcmp( rsa_decrypted
, rsa_plaintext
, len
) != 0 )
1647 mbedtls_printf( "failed\n" );
1653 mbedtls_printf( "passed\n" );
1655 #if defined(MBEDTLS_SHA1_C)
1657 mbedtls_printf( "PKCS#1 data sign : " );
1659 mbedtls_sha1( rsa_plaintext
, PT_LEN
, sha1sum
);
1661 if( mbedtls_rsa_pkcs1_sign( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PRIVATE
, MBEDTLS_MD_SHA1
, 0,
1662 sha1sum
, rsa_ciphertext
) != 0 )
1665 mbedtls_printf( "failed\n" );
1671 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
1673 if( mbedtls_rsa_pkcs1_verify( &rsa
, NULL
, NULL
, MBEDTLS_RSA_PUBLIC
, MBEDTLS_MD_SHA1
, 0,
1674 sha1sum
, rsa_ciphertext
) != 0 )
1677 mbedtls_printf( "failed\n" );
1683 mbedtls_printf( "passed\n" );
1684 #endif /* MBEDTLS_SHA1_C */
1687 mbedtls_printf( "\n" );
1690 mbedtls_rsa_free( &rsa
);
1691 #else /* MBEDTLS_PKCS1_V15 */
1693 #endif /* MBEDTLS_PKCS1_V15 */
1697 #endif /* MBEDTLS_SELF_TEST */
1699 #endif /* MBEDTLS_RSA_C */