1 /*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following sources were referenced in the design of this implementation
22 * of the RSA algorithm:
23 *
24 * [1] A method for obtaining digital signatures and public-key cryptosystems
25 * R Rivest, A Shamir, and L Adleman
26 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
27 *
28 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
29 * Menezes, van Oorschot and Vanstone
30 *
31 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
32 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
33 * Stefan Mangard
34 * https://arxiv.org/abs/1702.08719v2
35 *
36 */
37
38 #include "common.h"
39
40 #if defined(MBEDTLS_RSA_C)
41
42 #include "mbedtls/rsa.h"
43 #include "mbedtls/rsa_internal.h"
44 #include "mbedtls/oid.h"
45 #include "mbedtls/platform_util.h"
46 #include "mbedtls/error.h"
47 #include "constant_time_internal.h"
48 #include "mbedtls/constant_time.h"
49
50 #include <string.h>
51
52 #if defined(MBEDTLS_PKCS1_V21)
53 #include "mbedtls/md.h"
54 #endif
55
56 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
57 #include <stdlib.h>
58 #endif
59
60 #if defined(MBEDTLS_PLATFORM_C)
61 #include "mbedtls/platform.h"
62 #else
63 #include <stdio.h>
64 #define mbedtls_printf printf
65 #define mbedtls_calloc calloc
66 #define mbedtls_free free
67 #endif
68
69 #include <fault_mitigation.h>
70
71 #if !defined(MBEDTLS_RSA_ALT)
72
73 /* Parameter validation macros */
74 #define RSA_VALIDATE_RET( cond ) \
75 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
76 #define RSA_VALIDATE( cond ) \
77 MBEDTLS_INTERNAL_VALIDATE( cond )
78
mbedtls_rsa_import(mbedtls_rsa_context * ctx,const mbedtls_mpi * N,const mbedtls_mpi * P,const mbedtls_mpi * Q,const mbedtls_mpi * D,const mbedtls_mpi * E)79 int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
80 const mbedtls_mpi *N,
81 const mbedtls_mpi *P, const mbedtls_mpi *Q,
82 const mbedtls_mpi *D, const mbedtls_mpi *E )
83 {
84 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
85 RSA_VALIDATE_RET( ctx != NULL );
86
87 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
88 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
89 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
90 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
91 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
92 {
93 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
94 }
95
96 if( N != NULL )
97 ctx->len = mbedtls_mpi_size( &ctx->N );
98
99 return( 0 );
100 }
101
mbedtls_rsa_import_raw(mbedtls_rsa_context * ctx,unsigned char const * N,size_t N_len,unsigned char const * P,size_t P_len,unsigned char const * Q,size_t Q_len,unsigned char const * D,size_t D_len,unsigned char const * E,size_t E_len)102 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
103 unsigned char const *N, size_t N_len,
104 unsigned char const *P, size_t P_len,
105 unsigned char const *Q, size_t Q_len,
106 unsigned char const *D, size_t D_len,
107 unsigned char const *E, size_t E_len )
108 {
109 int ret = 0;
110 RSA_VALIDATE_RET( ctx != NULL );
111
112 if( N != NULL )
113 {
114 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
115 ctx->len = mbedtls_mpi_size( &ctx->N );
116 }
117
118 if( P != NULL )
119 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
120
121 if( Q != NULL )
122 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
123
124 if( D != NULL )
125 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
126
127 if( E != NULL )
128 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
129
130 cleanup:
131
132 if( ret != 0 )
133 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
134
135 return( 0 );
136 }
137
138 /*
139 * Checks whether the context fields are set in such a way
140 * that the RSA primitives will be able to execute without error.
141 * It does *not* make guarantees for consistency of the parameters.
142 */
rsa_check_context(mbedtls_rsa_context const * ctx,int is_priv,int blinding_needed)143 static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
144 int blinding_needed )
145 {
146 #if !defined(MBEDTLS_RSA_NO_CRT)
147 /* blinding_needed is only used for NO_CRT to decide whether
148 * P,Q need to be present or not. */
149 ((void) blinding_needed);
150 #endif
151
152 if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
153 ctx->len > MBEDTLS_MPI_MAX_SIZE )
154 {
155 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
156 }
157
158 /*
159 * 1. Modular exponentiation needs positive, odd moduli.
160 */
161
162 /* Modular exponentiation wrt. N is always used for
163 * RSA public key operations. */
164 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
165 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
166 {
167 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
168 }
169
170 #if !defined(MBEDTLS_RSA_NO_CRT)
171 /* Modular exponentiation for P and Q is only
172 * used for private key operations and if CRT
173 * is used. */
174 if( is_priv &&
175 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
176 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
177 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
178 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
179 {
180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
181 }
182 #endif /* !MBEDTLS_RSA_NO_CRT */
183
184 /*
185 * 2. Exponents must be positive
186 */
187
188 /* Always need E for public key operations */
189 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
190 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
191
192 #if defined(MBEDTLS_RSA_NO_CRT)
193 /* For private key operations, use D or DP & DQ
194 * as (unblinded) exponents. */
195 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
196 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
197 #else
198 if( is_priv &&
199 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
200 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
201 {
202 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
203 }
204 #endif /* MBEDTLS_RSA_NO_CRT */
205
206 /* Blinding shouldn't make exponents negative either,
207 * so check that P, Q >= 1 if that hasn't yet been
208 * done as part of 1. */
209 #if defined(MBEDTLS_RSA_NO_CRT)
210 if( is_priv && blinding_needed &&
211 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
212 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
213 {
214 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
215 }
216 #endif
217
218 /* It wouldn't lead to an error if it wasn't satisfied,
219 * but check for QP >= 1 nonetheless. */
220 #if !defined(MBEDTLS_RSA_NO_CRT)
221 if( is_priv &&
222 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
223 {
224 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
225 }
226 #endif
227
228 return( 0 );
229 }
230
mbedtls_rsa_complete(mbedtls_rsa_context * ctx)231 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
232 {
233 int ret = 0;
234 int have_N, have_P, have_Q, have_D, have_E;
235 #if !defined(MBEDTLS_RSA_NO_CRT)
236 int have_DP, have_DQ, have_QP;
237 #endif
238 int n_missing, pq_missing, d_missing, is_pub, is_priv;
239
240 RSA_VALIDATE_RET( ctx != NULL );
241
242 have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
243 have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
244 have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
245 have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
246 have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
247
248 #if !defined(MBEDTLS_RSA_NO_CRT)
249 have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
250 have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
251 have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
252 #endif
253
254 /*
255 * Check whether provided parameters are enough
256 * to deduce all others. The following incomplete
257 * parameter sets for private keys are supported:
258 *
259 * (1) P, Q missing.
260 * (2) D and potentially N missing.
261 *
262 */
263
264 n_missing = have_P && have_Q && have_D && have_E;
265 pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
266 d_missing = have_P && have_Q && !have_D && have_E;
267 is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
268
269 /* These three alternatives are mutually exclusive */
270 is_priv = n_missing || pq_missing || d_missing;
271
272 if( !is_priv && !is_pub )
273 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
274
275 /*
276 * Step 1: Deduce N if P, Q are provided.
277 */
278
279 if( !have_N && have_P && have_Q )
280 {
281 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
282 &ctx->Q ) ) != 0 )
283 {
284 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
285 }
286
287 ctx->len = mbedtls_mpi_size( &ctx->N );
288 }
289
290 /*
291 * Step 2: Deduce and verify all remaining core parameters.
292 */
293
294 if( pq_missing )
295 {
296 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
297 &ctx->P, &ctx->Q );
298 if( ret != 0 )
299 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
300
301 }
302 else if( d_missing )
303 {
304 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
305 &ctx->Q,
306 &ctx->E,
307 &ctx->D ) ) != 0 )
308 {
309 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
310 }
311 }
312
313 /*
314 * Step 3: Deduce all additional parameters specific
315 * to our current RSA implementation.
316 */
317
318 #if !defined(MBEDTLS_RSA_NO_CRT)
319 if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
320 {
321 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
322 &ctx->DP, &ctx->DQ, &ctx->QP );
323 if( ret != 0 )
324 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
325 }
326 #endif /* MBEDTLS_RSA_NO_CRT */
327
328 /*
329 * Step 3: Basic sanity checks
330 */
331
332 return( rsa_check_context( ctx, is_priv, 1 ) );
333 }
334
mbedtls_rsa_export_raw(const mbedtls_rsa_context * ctx,unsigned char * N,size_t N_len,unsigned char * P,size_t P_len,unsigned char * Q,size_t Q_len,unsigned char * D,size_t D_len,unsigned char * E,size_t E_len)335 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
336 unsigned char *N, size_t N_len,
337 unsigned char *P, size_t P_len,
338 unsigned char *Q, size_t Q_len,
339 unsigned char *D, size_t D_len,
340 unsigned char *E, size_t E_len )
341 {
342 int ret = 0;
343 int is_priv;
344 RSA_VALIDATE_RET( ctx != NULL );
345
346 /* Check if key is private or public */
347 is_priv =
348 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
349 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
350 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
351 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
352 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
353
354 if( !is_priv )
355 {
356 /* If we're trying to export private parameters for a public key,
357 * something must be wrong. */
358 if( P != NULL || Q != NULL || D != NULL )
359 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
360
361 }
362
363 if( N != NULL )
364 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
365
366 if( P != NULL )
367 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
368
369 if( Q != NULL )
370 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
371
372 if( D != NULL )
373 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
374
375 if( E != NULL )
376 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
377
378 cleanup:
379
380 return( ret );
381 }
382
mbedtls_rsa_export(const mbedtls_rsa_context * ctx,mbedtls_mpi * N,mbedtls_mpi * P,mbedtls_mpi * Q,mbedtls_mpi * D,mbedtls_mpi * E)383 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
384 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
385 mbedtls_mpi *D, mbedtls_mpi *E )
386 {
387 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
388 int is_priv;
389 RSA_VALIDATE_RET( ctx != NULL );
390
391 /* Check if key is private or public */
392 is_priv =
393 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
394 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
395 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
396 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
397 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
398
399 if( !is_priv )
400 {
401 /* If we're trying to export private parameters for a public key,
402 * something must be wrong. */
403 if( P != NULL || Q != NULL || D != NULL )
404 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
405
406 }
407
408 /* Export all requested core parameters. */
409
410 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
411 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
412 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
413 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
414 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
415 {
416 return( ret );
417 }
418
419 return( 0 );
420 }
421
422 /*
423 * Export CRT parameters
424 * This must also be implemented if CRT is not used, for being able to
425 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
426 * can be used in this case.
427 */
mbedtls_rsa_export_crt(const mbedtls_rsa_context * ctx,mbedtls_mpi * DP,mbedtls_mpi * DQ,mbedtls_mpi * QP)428 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
429 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
430 {
431 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
432 int is_priv;
433 RSA_VALIDATE_RET( ctx != NULL );
434
435 /* Check if key is private or public */
436 is_priv =
437 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
438 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
439 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
440 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
441 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
442
443 if( !is_priv )
444 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
445
446 #if !defined(MBEDTLS_RSA_NO_CRT)
447 /* Export all requested blinding parameters. */
448 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
449 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
450 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
451 {
452 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
453 }
454 #else
455 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
456 DP, DQ, QP ) ) != 0 )
457 {
458 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
459 }
460 #endif
461
462 return( 0 );
463 }
464
465 /*
466 * Initialize an RSA context
467 */
mbedtls_rsa_init(mbedtls_rsa_context * ctx,int padding,int hash_id)468 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
469 int padding,
470 int hash_id )
471 {
472 RSA_VALIDATE( ctx != NULL );
473 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
474 padding == MBEDTLS_RSA_PKCS_V21 );
475
476 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
477
478 mbedtls_rsa_set_padding( ctx, padding, hash_id );
479
480 #if defined(MBEDTLS_THREADING_C)
481 /* Set ctx->ver to nonzero to indicate that the mutex has been
482 * initialized and will need to be freed. */
483 ctx->ver = 1;
484 mbedtls_mutex_init( &ctx->mutex );
485 #endif
486 }
487
488 /*
489 * Set padding for an existing RSA context
490 */
mbedtls_rsa_set_padding(mbedtls_rsa_context * ctx,int padding,int hash_id)491 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
492 int hash_id )
493 {
494 RSA_VALIDATE( ctx != NULL );
495 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
496 padding == MBEDTLS_RSA_PKCS_V21 );
497
498 ctx->padding = padding;
499 ctx->hash_id = hash_id;
500 }
501
502 /*
503 * Get length in bytes of RSA modulus
504 */
505
mbedtls_rsa_get_len(const mbedtls_rsa_context * ctx)506 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
507 {
508 return( ctx->len );
509 }
510
511
512 #if defined(MBEDTLS_GENPRIME)
513
514 /*
515 * Generate an RSA keypair
516 *
517 * This generation method follows the RSA key pair generation procedure of
518 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
519 */
mbedtls_rsa_gen_key(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,unsigned int nbits,int exponent)520 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
521 int (*f_rng)(void *, unsigned char *, size_t),
522 void *p_rng,
523 unsigned int nbits, int exponent )
524 {
525 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
526 mbedtls_mpi H, G, L;
527 int prime_quality = 0;
528 RSA_VALIDATE_RET( ctx != NULL );
529 RSA_VALIDATE_RET( f_rng != NULL );
530
531 /*
532 * If the modulus is 1024 bit long or shorter, then the security strength of
533 * the RSA algorithm is less than or equal to 80 bits and therefore an error
534 * rate of 2^-80 is sufficient.
535 */
536 if( nbits > 1024 )
537 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
538
539 mbedtls_mpi_init( &H );
540 mbedtls_mpi_init( &G );
541 mbedtls_mpi_init( &L );
542
543 if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
544 {
545 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
546 goto cleanup;
547 }
548
549 /*
550 * find primes P and Q with Q < P so that:
551 * 1. |P-Q| > 2^( nbits / 2 - 100 )
552 * 2. GCD( E, (P-1)*(Q-1) ) == 1
553 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
554 */
555 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
556
557 do
558 {
559 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
560 prime_quality, f_rng, p_rng ) );
561
562 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
563 prime_quality, f_rng, p_rng ) );
564
565 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
566 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
567 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
568 continue;
569
570 /* not required by any standards, but some users rely on the fact that P > Q */
571 if( H.s < 0 )
572 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
573
574 /* Temporarily replace P,Q by P-1, Q-1 */
575 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
576 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
577 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
578
579 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
580 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
581 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
582 continue;
583
584 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
585 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
586 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
587 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
588
589 if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
590 continue;
591
592 break;
593 }
594 while( 1 );
595
596 /* Restore P,Q */
597 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
598 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
599
600 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
601
602 ctx->len = mbedtls_mpi_size( &ctx->N );
603
604 #if !defined(MBEDTLS_RSA_NO_CRT)
605 /*
606 * DP = D mod (P - 1)
607 * DQ = D mod (Q - 1)
608 * QP = Q^-1 mod P
609 */
610 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
611 &ctx->DP, &ctx->DQ, &ctx->QP ) );
612 #endif /* MBEDTLS_RSA_NO_CRT */
613
614 /* Double-check */
615 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
616
617 cleanup:
618
619 mbedtls_mpi_free( &H );
620 mbedtls_mpi_free( &G );
621 mbedtls_mpi_free( &L );
622
623 if( ret != 0 )
624 {
625 mbedtls_rsa_free( ctx );
626
627 if( ( -ret & ~0x7f ) == 0 )
628 ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret );
629 return( ret );
630 }
631
632 return( 0 );
633 }
634
635 #endif /* MBEDTLS_GENPRIME */
636
637 /*
638 * Check a public RSA key
639 */
mbedtls_rsa_check_pubkey(const mbedtls_rsa_context * ctx)640 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
641 {
642 RSA_VALIDATE_RET( ctx != NULL );
643
644 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
645 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
646
647 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
648 {
649 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
650 }
651
652 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
653 mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
654 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
655 {
656 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
657 }
658
659 return( 0 );
660 }
661
662 /*
663 * Check for the consistency of all fields in an RSA private key context
664 */
mbedtls_rsa_check_privkey(const mbedtls_rsa_context * ctx)665 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
666 {
667 RSA_VALIDATE_RET( ctx != NULL );
668
669 if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
670 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
671 {
672 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
673 }
674
675 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
676 &ctx->D, &ctx->E, NULL, NULL ) != 0 )
677 {
678 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
679 }
680
681 #if !defined(MBEDTLS_RSA_NO_CRT)
682 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
683 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
684 {
685 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
686 }
687 #endif
688
689 return( 0 );
690 }
691
692 /*
693 * Check if contexts holding a public and private key match
694 */
mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context * pub,const mbedtls_rsa_context * prv)695 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
696 const mbedtls_rsa_context *prv )
697 {
698 RSA_VALIDATE_RET( pub != NULL );
699 RSA_VALIDATE_RET( prv != NULL );
700
701 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
702 mbedtls_rsa_check_privkey( prv ) != 0 )
703 {
704 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
705 }
706
707 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
708 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
709 {
710 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
711 }
712
713 return( 0 );
714 }
715
716 /*
717 * Do an RSA public key operation
718 */
mbedtls_rsa_public(mbedtls_rsa_context * ctx,const unsigned char * input,unsigned char * output)719 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
720 const unsigned char *input,
721 unsigned char *output )
722 {
723 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
724 size_t olen;
725 mbedtls_mpi T;
726 RSA_VALIDATE_RET( ctx != NULL );
727 RSA_VALIDATE_RET( input != NULL );
728 RSA_VALIDATE_RET( output != NULL );
729
730 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
731 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
732
733 mbedtls_mpi_init( &T );
734
735 #if defined(MBEDTLS_THREADING_C)
736 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
737 return( ret );
738 #endif
739
740 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
741
742 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
743 {
744 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
745 goto cleanup;
746 }
747
748 olen = ctx->len;
749 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
750 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
751
752 cleanup:
753 #if defined(MBEDTLS_THREADING_C)
754 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
755 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
756 #endif
757
758 mbedtls_mpi_free( &T );
759
760 if( ret != 0 )
761 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret ) );
762
763 return( 0 );
764 }
765
766 /*
767 * Generate or update blinding values, see section 10 of:
768 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
769 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
770 * Berlin Heidelberg, 1996. p. 104-113.
771 */
rsa_prepare_blinding(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)772 static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
773 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
774 {
775 int ret, count = 0;
776 mbedtls_mpi R;
777
778 mbedtls_mpi_init( &R );
779
780 if( ctx->Vf.p != NULL )
781 {
782 /* We already have blinding values, just update them by squaring */
783 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
784 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
785 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
786 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
787
788 goto cleanup;
789 }
790
791 /* Unblinding value: Vf = random number, invertible mod N */
792 do {
793 if( count++ > 10 )
794 {
795 ret = MBEDTLS_ERR_RSA_RNG_FAILED;
796 goto cleanup;
797 }
798
799 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
800
801 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
802 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
803 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
804 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
805
806 /* At this point, Vi is invertible mod N if and only if both Vf and R
807 * are invertible mod N. If one of them isn't, we don't need to know
808 * which one, we just loop and choose new values for both of them.
809 * (Each iteration succeeds with overwhelming probability.) */
810 ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
811 if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
812 goto cleanup;
813
814 } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
815
816 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
817 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
818 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
819
820 /* Blinding value: Vi = Vf^(-e) mod N
821 * (Vi already contains Vf^-1 at this point) */
822 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
823
824
825 cleanup:
826 mbedtls_mpi_free( &R );
827
828 return( ret );
829 }
830
831 /*
832 * Exponent blinding supposed to prevent side-channel attacks using multiple
833 * traces of measurements to recover the RSA key. The more collisions are there,
834 * the more bits of the key can be recovered. See [3].
835 *
836 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
837 * observations on average.
838 *
839 * For example with 28 byte blinding to achieve 2 collisions the adversary has
840 * to make 2^112 observations on average.
841 *
842 * (With the currently (as of 2017 April) known best algorithms breaking 2048
843 * bit RSA requires approximately as much time as trying out 2^112 random keys.
844 * Thus in this sense with 28 byte blinding the security is not reduced by
845 * side-channel attacks like the one in [3])
846 *
847 * This countermeasure does not help if the key recovery is possible with a
848 * single trace.
849 */
850 #define RSA_EXPONENT_BLINDING 28
851
852 /*
853 * Do an RSA private key operation
854 */
mbedtls_rsa_private(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * input,unsigned char * output)855 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
856 int (*f_rng)(void *, unsigned char *, size_t),
857 void *p_rng,
858 const unsigned char *input,
859 unsigned char *output )
860 {
861 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
862 size_t olen;
863
864 /* Temporary holding the result */
865 mbedtls_mpi T;
866
867 /* Temporaries holding P-1, Q-1 and the
868 * exponent blinding factor, respectively. */
869 mbedtls_mpi P1, Q1, R;
870
871 #if !defined(MBEDTLS_RSA_NO_CRT)
872 /* Temporaries holding the results mod p resp. mod q. */
873 mbedtls_mpi TP, TQ;
874
875 /* Temporaries holding the blinded exponents for
876 * the mod p resp. mod q computation (if used). */
877 mbedtls_mpi DP_blind, DQ_blind;
878
879 /* Pointers to actual exponents to be used - either the unblinded
880 * or the blinded ones, depending on the presence of a PRNG. */
881 mbedtls_mpi *DP = &ctx->DP;
882 mbedtls_mpi *DQ = &ctx->DQ;
883 #else
884 /* Temporary holding the blinded exponent (if used). */
885 mbedtls_mpi D_blind;
886
887 /* Pointer to actual exponent to be used - either the unblinded
888 * or the blinded one, depending on the presence of a PRNG. */
889 mbedtls_mpi *D = &ctx->D;
890 #endif /* MBEDTLS_RSA_NO_CRT */
891
892 /* Temporaries holding the initial input and the double
893 * checked result; should be the same in the end. */
894 mbedtls_mpi I, C;
895
896 RSA_VALIDATE_RET( ctx != NULL );
897 RSA_VALIDATE_RET( input != NULL );
898 RSA_VALIDATE_RET( output != NULL );
899
900 if( rsa_check_context( ctx, 1 /* private key checks */,
901 f_rng != NULL /* blinding y/n */ ) != 0 )
902 {
903 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
904 }
905
906 #if defined(MBEDTLS_THREADING_C)
907 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
908 return( ret );
909 #endif
910
911 /* MPI Initialization */
912 mbedtls_mpi_init( &T );
913
914 mbedtls_mpi_init( &P1 );
915 mbedtls_mpi_init( &Q1 );
916 mbedtls_mpi_init( &R );
917
918 if( f_rng != NULL )
919 {
920 #if defined(MBEDTLS_RSA_NO_CRT)
921 mbedtls_mpi_init( &D_blind );
922 #else
923 mbedtls_mpi_init( &DP_blind );
924 mbedtls_mpi_init( &DQ_blind );
925 #endif
926 }
927
928 #if !defined(MBEDTLS_RSA_NO_CRT)
929 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
930 #endif
931
932 mbedtls_mpi_init( &I );
933 mbedtls_mpi_init( &C );
934
935 /* End of MPI initialization */
936
937 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
938 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
939 {
940 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
941 goto cleanup;
942 }
943
944 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
945
946 if( f_rng != NULL )
947 {
948 /*
949 * Blinding
950 * T = T * Vi mod N
951 */
952 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
953 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
954 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
955
956 /*
957 * Exponent blinding
958 */
959 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
960 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
961
962 #if defined(MBEDTLS_RSA_NO_CRT)
963 /*
964 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
965 */
966 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
967 f_rng, p_rng ) );
968 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
969 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
970 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
971
972 D = &D_blind;
973 #else
974 /*
975 * DP_blind = ( P - 1 ) * R + DP
976 */
977 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
978 f_rng, p_rng ) );
979 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
980 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
981 &ctx->DP ) );
982
983 DP = &DP_blind;
984
985 /*
986 * DQ_blind = ( Q - 1 ) * R + DQ
987 */
988 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
989 f_rng, p_rng ) );
990 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
991 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
992 &ctx->DQ ) );
993
994 DQ = &DQ_blind;
995 #endif /* MBEDTLS_RSA_NO_CRT */
996 }
997
998 #if defined(MBEDTLS_RSA_NO_CRT)
999 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
1000 #else
1001 /*
1002 * Faster decryption using the CRT
1003 *
1004 * TP = input ^ dP mod P
1005 * TQ = input ^ dQ mod Q
1006 */
1007
1008 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
1009 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
1010
1011 /*
1012 * T = (TP - TQ) * (Q^-1 mod P) mod P
1013 */
1014 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
1015 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
1016 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
1017
1018 /*
1019 * T = TQ + T * Q
1020 */
1021 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
1022 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
1023 #endif /* MBEDTLS_RSA_NO_CRT */
1024
1025 if( f_rng != NULL )
1026 {
1027 /*
1028 * Unblind
1029 * T = T * Vf mod N
1030 */
1031 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
1032 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
1033 }
1034
1035 /* Verify the result to prevent glitching attacks. */
1036 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
1037 &ctx->N, &ctx->RN ) );
1038 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
1039 {
1040 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1041 goto cleanup;
1042 }
1043
1044 olen = ctx->len;
1045 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
1046
1047 cleanup:
1048 #if defined(MBEDTLS_THREADING_C)
1049 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
1050 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
1051 #endif
1052
1053 mbedtls_mpi_free( &P1 );
1054 mbedtls_mpi_free( &Q1 );
1055 mbedtls_mpi_free( &R );
1056
1057 if( f_rng != NULL )
1058 {
1059 #if defined(MBEDTLS_RSA_NO_CRT)
1060 mbedtls_mpi_free( &D_blind );
1061 #else
1062 mbedtls_mpi_free( &DP_blind );
1063 mbedtls_mpi_free( &DQ_blind );
1064 #endif
1065 }
1066
1067 mbedtls_mpi_free( &T );
1068
1069 #if !defined(MBEDTLS_RSA_NO_CRT)
1070 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
1071 #endif
1072
1073 mbedtls_mpi_free( &C );
1074 mbedtls_mpi_free( &I );
1075
1076 if( ret != 0 && ret >= -0x007f )
1077 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret ) );
1078
1079 return( ret );
1080 }
1081
1082 #if defined(MBEDTLS_PKCS1_V21)
1083 /**
1084 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1085 *
1086 * \param dst buffer to mask
1087 * \param dlen length of destination buffer
1088 * \param src source of the mask generation
1089 * \param slen length of the source buffer
1090 * \param md_ctx message digest context to use
1091 */
mgf_mask(unsigned char * dst,size_t dlen,unsigned char * src,size_t slen,mbedtls_md_context_t * md_ctx)1092 static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
1093 size_t slen, mbedtls_md_context_t *md_ctx )
1094 {
1095 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
1096 unsigned char counter[4];
1097 unsigned char *p;
1098 unsigned int hlen;
1099 size_t i, use_len;
1100 int ret = 0;
1101
1102 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
1103 memset( counter, 0, 4 );
1104
1105 hlen = mbedtls_md_get_size( md_ctx->md_info );
1106
1107 /* Generate and apply dbMask */
1108 p = dst;
1109
1110 while( dlen > 0 )
1111 {
1112 use_len = hlen;
1113 if( dlen < hlen )
1114 use_len = dlen;
1115
1116 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
1117 goto exit;
1118 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
1119 goto exit;
1120 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
1121 goto exit;
1122 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
1123 goto exit;
1124
1125 for( i = 0; i < use_len; ++i )
1126 *p++ ^= mask[i];
1127
1128 counter[3]++;
1129
1130 dlen -= use_len;
1131 }
1132
1133 exit:
1134 mbedtls_platform_zeroize( mask, sizeof( mask ) );
1135
1136 return( ret );
1137 }
1138 #endif /* MBEDTLS_PKCS1_V21 */
1139
1140 #if defined(MBEDTLS_PKCS1_V21)
1141 /*
1142 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1143 */
mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,const unsigned char * label,size_t label_len,size_t ilen,const unsigned char * input,unsigned char * output)1144 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
1145 int (*f_rng)(void *, unsigned char *, size_t),
1146 void *p_rng,
1147 int mode,
1148 const unsigned char *label, size_t label_len,
1149 size_t ilen,
1150 const unsigned char *input,
1151 unsigned char *output )
1152 {
1153 size_t olen;
1154 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1155 unsigned char *p = output;
1156 unsigned int hlen;
1157 const mbedtls_md_info_t *md_info;
1158 mbedtls_md_context_t md_ctx;
1159
1160 RSA_VALIDATE_RET( ctx != NULL );
1161 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1162 mode == MBEDTLS_RSA_PUBLIC );
1163 RSA_VALIDATE_RET( output != NULL );
1164 RSA_VALIDATE_RET( ilen == 0 || input != NULL );
1165 RSA_VALIDATE_RET( label_len == 0 || label != NULL );
1166
1167 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1168 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1169
1170 if( f_rng == NULL )
1171 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1172
1173 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1174 if( md_info == NULL )
1175 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1176
1177 olen = ctx->len;
1178 hlen = mbedtls_md_get_size( md_info );
1179
1180 /* first comparison checks for overflow */
1181 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
1182 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1183
1184 memset( output, 0, olen );
1185
1186 *p++ = 0;
1187
1188 /* Generate a random octet string seed */
1189 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
1190 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
1191
1192 p += hlen;
1193
1194 /* Construct DB */
1195 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
1196 return( ret );
1197 p += hlen;
1198 p += olen - 2 * hlen - 2 - ilen;
1199 *p++ = 1;
1200 if( ilen != 0 )
1201 memcpy( p, input, ilen );
1202
1203 mbedtls_md_init( &md_ctx );
1204 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1205 goto exit;
1206
1207 /* maskedDB: Apply dbMask to DB */
1208 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1209 &md_ctx ) ) != 0 )
1210 goto exit;
1211
1212 /* maskedSeed: Apply seedMask to seed */
1213 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1214 &md_ctx ) ) != 0 )
1215 goto exit;
1216
1217 exit:
1218 mbedtls_md_free( &md_ctx );
1219
1220 if( ret != 0 )
1221 return( ret );
1222
1223 return( ( mode == MBEDTLS_RSA_PUBLIC )
1224 ? mbedtls_rsa_public( ctx, output, output )
1225 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1226 }
1227 #endif /* MBEDTLS_PKCS1_V21 */
1228
1229 #if defined(MBEDTLS_PKCS1_V15)
1230 /*
1231 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1232 */
mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t ilen,const unsigned char * input,unsigned char * output)1233 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
1234 int (*f_rng)(void *, unsigned char *, size_t),
1235 void *p_rng,
1236 int mode, size_t ilen,
1237 const unsigned char *input,
1238 unsigned char *output )
1239 {
1240 size_t nb_pad, olen;
1241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1242 unsigned char *p = output;
1243
1244 RSA_VALIDATE_RET( ctx != NULL );
1245 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1246 mode == MBEDTLS_RSA_PUBLIC );
1247 RSA_VALIDATE_RET( output != NULL );
1248 RSA_VALIDATE_RET( ilen == 0 || input != NULL );
1249
1250 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1251 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1252
1253 olen = ctx->len;
1254
1255 /* first comparison checks for overflow */
1256 if( ilen + 11 < ilen || olen < ilen + 11 )
1257 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1258
1259 nb_pad = olen - 3 - ilen;
1260
1261 *p++ = 0;
1262 if( mode == MBEDTLS_RSA_PUBLIC )
1263 {
1264 if( f_rng == NULL )
1265 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1266
1267 *p++ = MBEDTLS_RSA_CRYPT;
1268
1269 while( nb_pad-- > 0 )
1270 {
1271 int rng_dl = 100;
1272
1273 do {
1274 ret = f_rng( p_rng, p, 1 );
1275 } while( *p == 0 && --rng_dl && ret == 0 );
1276
1277 /* Check if RNG failed to generate data */
1278 if( rng_dl == 0 || ret != 0 )
1279 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
1280
1281 p++;
1282 }
1283 }
1284 else
1285 {
1286 *p++ = MBEDTLS_RSA_SIGN;
1287
1288 while( nb_pad-- > 0 )
1289 *p++ = 0xFF;
1290 }
1291
1292 *p++ = 0;
1293 if( ilen != 0 )
1294 memcpy( p, input, ilen );
1295
1296 return( ( mode == MBEDTLS_RSA_PUBLIC )
1297 ? mbedtls_rsa_public( ctx, output, output )
1298 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1299 }
1300 #endif /* MBEDTLS_PKCS1_V15 */
1301
1302 /*
1303 * Add the message padding, then do an RSA operation
1304 */
mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t ilen,const unsigned char * input,unsigned char * output)1305 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
1306 int (*f_rng)(void *, unsigned char *, size_t),
1307 void *p_rng,
1308 int mode, size_t ilen,
1309 const unsigned char *input,
1310 unsigned char *output )
1311 {
1312 RSA_VALIDATE_RET( ctx != NULL );
1313 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1314 mode == MBEDTLS_RSA_PUBLIC );
1315 RSA_VALIDATE_RET( output != NULL );
1316 RSA_VALIDATE_RET( ilen == 0 || input != NULL );
1317
1318 switch( ctx->padding )
1319 {
1320 #if defined(MBEDTLS_PKCS1_V15)
1321 case MBEDTLS_RSA_PKCS_V15:
1322 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
1323 input, output );
1324 #endif
1325
1326 #if defined(MBEDTLS_PKCS1_V21)
1327 case MBEDTLS_RSA_PKCS_V21:
1328 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1329 ilen, input, output );
1330 #endif
1331
1332 default:
1333 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1334 }
1335 }
1336
1337 #if defined(MBEDTLS_PKCS1_V21)
1338 /*
1339 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1340 */
mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,const unsigned char * label,size_t label_len,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1341 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
1342 int (*f_rng)(void *, unsigned char *, size_t),
1343 void *p_rng,
1344 int mode,
1345 const unsigned char *label, size_t label_len,
1346 size_t *olen,
1347 const unsigned char *input,
1348 unsigned char *output,
1349 size_t output_max_len )
1350 {
1351 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1352 size_t ilen, i, pad_len;
1353 unsigned char *p, bad, pad_done;
1354 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1355 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
1356 unsigned int hlen;
1357 const mbedtls_md_info_t *md_info;
1358 mbedtls_md_context_t md_ctx;
1359
1360 RSA_VALIDATE_RET( ctx != NULL );
1361 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1362 mode == MBEDTLS_RSA_PUBLIC );
1363 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1364 RSA_VALIDATE_RET( label_len == 0 || label != NULL );
1365 RSA_VALIDATE_RET( input != NULL );
1366 RSA_VALIDATE_RET( olen != NULL );
1367
1368 /*
1369 * Parameters sanity checks
1370 */
1371 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1372 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1373
1374 ilen = ctx->len;
1375
1376 if( ilen < 16 || ilen > sizeof( buf ) )
1377 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1378
1379 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1380 if( md_info == NULL )
1381 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1382
1383 hlen = mbedtls_md_get_size( md_info );
1384
1385 // checking for integer underflow
1386 if( 2 * hlen + 2 > ilen )
1387 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1388
1389 /*
1390 * RSA operation
1391 */
1392 if( ctx->P.n == 0 )
1393 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1394 ? mbedtls_rsa_public( ctx, input, buf )
1395 : mbedtls_rsa_private( ctx, NULL, NULL, input, buf );
1396 else
1397 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1398 ? mbedtls_rsa_public( ctx, input, buf )
1399 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1400
1401 if( ret != 0 )
1402 goto cleanup;
1403
1404 /*
1405 * Unmask data and generate lHash
1406 */
1407 mbedtls_md_init( &md_ctx );
1408 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1409 {
1410 mbedtls_md_free( &md_ctx );
1411 goto cleanup;
1412 }
1413
1414 /* seed: Apply seedMask to maskedSeed */
1415 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1416 &md_ctx ) ) != 0 ||
1417 /* DB: Apply dbMask to maskedDB */
1418 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1419 &md_ctx ) ) != 0 )
1420 {
1421 mbedtls_md_free( &md_ctx );
1422 goto cleanup;
1423 }
1424
1425 mbedtls_md_free( &md_ctx );
1426
1427 /* Generate lHash */
1428 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
1429 goto cleanup;
1430
1431 /*
1432 * Check contents, in "constant-time"
1433 */
1434 p = buf;
1435 bad = 0;
1436
1437 bad |= *p++; /* First byte must be 0 */
1438
1439 p += hlen; /* Skip seed */
1440
1441 /* Check lHash */
1442 for( i = 0; i < hlen; i++ )
1443 bad |= lhash[i] ^ *p++;
1444
1445 /* Get zero-padding len, but always read till end of buffer
1446 * (minus one, for the 01 byte) */
1447 pad_len = 0;
1448 pad_done = 0;
1449 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
1450 {
1451 pad_done |= p[i];
1452 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1453 }
1454
1455 p += pad_len;
1456 bad |= *p++ ^ 0x01;
1457
1458 /*
1459 * The only information "leaked" is whether the padding was correct or not
1460 * (eg, no data is copied if it was not correct). This meets the
1461 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1462 * the different error conditions.
1463 */
1464 if( bad != 0 )
1465 {
1466 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1467 goto cleanup;
1468 }
1469
1470 if( ilen - ( p - buf ) > output_max_len )
1471 {
1472 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1473 goto cleanup;
1474 }
1475
1476 *olen = ilen - (p - buf);
1477 if( *olen != 0 )
1478 memcpy( output, p, *olen );
1479 ret = 0;
1480
1481 cleanup:
1482 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1483 mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
1484
1485 return( ret );
1486 }
1487 #endif /* MBEDTLS_PKCS1_V21 */
1488
1489 #if defined(MBEDTLS_PKCS1_V15)
1490 /*
1491 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1492 */
mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1493 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
1494 int (*f_rng)(void *, unsigned char *, size_t),
1495 void *p_rng,
1496 int mode,
1497 size_t *olen,
1498 const unsigned char *input,
1499 unsigned char *output,
1500 size_t output_max_len )
1501 {
1502 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1503 size_t ilen;
1504 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1505
1506 RSA_VALIDATE_RET( ctx != NULL );
1507 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1508 mode == MBEDTLS_RSA_PUBLIC );
1509 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1510 RSA_VALIDATE_RET( input != NULL );
1511 RSA_VALIDATE_RET( olen != NULL );
1512
1513 ilen = ctx->len;
1514
1515 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1516 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1517
1518 if( ilen < 16 || ilen > sizeof( buf ) )
1519 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1520
1521 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1522 ? mbedtls_rsa_public( ctx, input, buf )
1523 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1524
1525 if( ret != 0 )
1526 goto cleanup;
1527
1528 ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( mode, buf, ilen,
1529 output, output_max_len, olen );
1530
1531 cleanup:
1532 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1533
1534 return( ret );
1535 }
1536 #endif /* MBEDTLS_PKCS1_V15 */
1537
1538 /*
1539 * Do an RSA operation, then remove the message padding
1540 */
mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1541 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
1542 int (*f_rng)(void *, unsigned char *, size_t),
1543 void *p_rng,
1544 int mode, size_t *olen,
1545 const unsigned char *input,
1546 unsigned char *output,
1547 size_t output_max_len)
1548 {
1549 RSA_VALIDATE_RET( ctx != NULL );
1550 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1551 mode == MBEDTLS_RSA_PUBLIC );
1552 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1553 RSA_VALIDATE_RET( input != NULL );
1554 RSA_VALIDATE_RET( olen != NULL );
1555
1556 switch( ctx->padding )
1557 {
1558 #if defined(MBEDTLS_PKCS1_V15)
1559 case MBEDTLS_RSA_PKCS_V15:
1560 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
1561 input, output, output_max_len );
1562 #endif
1563
1564 #if defined(MBEDTLS_PKCS1_V21)
1565 case MBEDTLS_RSA_PKCS_V21:
1566 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1567 olen, input, output,
1568 output_max_len );
1569 #endif
1570
1571 default:
1572 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1573 }
1574 }
1575
1576 #if defined(MBEDTLS_PKCS1_V21)
rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)1577 static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
1578 int (*f_rng)(void *, unsigned char *, size_t),
1579 void *p_rng,
1580 int mode,
1581 mbedtls_md_type_t md_alg,
1582 unsigned int hashlen,
1583 const unsigned char *hash,
1584 int saltlen,
1585 unsigned char *sig )
1586 {
1587 size_t olen;
1588 unsigned char *p = sig;
1589 unsigned char *salt = NULL;
1590 size_t slen, min_slen, hlen, offset = 0;
1591 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1592 size_t msb;
1593 const mbedtls_md_info_t *md_info;
1594 mbedtls_md_context_t md_ctx;
1595 RSA_VALIDATE_RET( ctx != NULL );
1596 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1597 mode == MBEDTLS_RSA_PUBLIC );
1598 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
1599 hashlen == 0 ) ||
1600 hash != NULL );
1601 RSA_VALIDATE_RET( sig != NULL );
1602
1603 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1604 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1605
1606 if( f_rng == NULL )
1607 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1608
1609 olen = ctx->len;
1610
1611 if( md_alg != MBEDTLS_MD_NONE )
1612 {
1613 /* Gather length of hash to sign */
1614 md_info = mbedtls_md_info_from_type( md_alg );
1615 if( md_info == NULL )
1616 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1617
1618 hashlen = mbedtls_md_get_size( md_info );
1619 }
1620
1621 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1622 if( md_info == NULL )
1623 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1624
1625 hlen = mbedtls_md_get_size( md_info );
1626
1627 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY)
1628 {
1629 /* Calculate the largest possible salt length, up to the hash size.
1630 * Normally this is the hash length, which is the maximum salt length
1631 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
1632 * enough room, use the maximum salt length that fits. The constraint is
1633 * that the hash length plus the salt length plus 2 bytes must be at most
1634 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
1635 * (PKCS#1 v2.2) §9.1.1 step 3. */
1636 min_slen = hlen - 2;
1637 if( olen < hlen + min_slen + 2 )
1638 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1639 else if( olen >= hlen + hlen + 2 )
1640 slen = hlen;
1641 else
1642 slen = olen - hlen - 2;
1643 }
1644 else if ( (saltlen < 0) || (saltlen + hlen + 2 > olen) )
1645 {
1646 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1647 }
1648 else
1649 {
1650 slen = (size_t) saltlen;
1651 }
1652
1653 memset( sig, 0, olen );
1654
1655 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1656 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1657 p += olen - hlen - slen - 2;
1658 *p++ = 0x01;
1659
1660 /* Generate salt of length slen in place in the encoded message */
1661 salt = p;
1662 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
1663 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
1664
1665 p += slen;
1666
1667 mbedtls_md_init( &md_ctx );
1668 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1669 goto exit;
1670
1671 /* Generate H = Hash( M' ) */
1672 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
1673 goto exit;
1674 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
1675 goto exit;
1676 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
1677 goto exit;
1678 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
1679 goto exit;
1680 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
1681 goto exit;
1682
1683 /* Compensate for boundary condition when applying mask */
1684 if( msb % 8 == 0 )
1685 offset = 1;
1686
1687 /* maskedDB: Apply dbMask to DB */
1688 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
1689 &md_ctx ) ) != 0 )
1690 goto exit;
1691
1692 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1693 sig[0] &= 0xFF >> ( olen * 8 - msb );
1694
1695 p += hlen;
1696 *p++ = 0xBC;
1697
1698 exit:
1699 mbedtls_md_free( &md_ctx );
1700
1701 if( ret != 0 )
1702 return( ret );
1703
1704 if( ctx->P.n == 0)
1705 return( ( mode == MBEDTLS_RSA_PUBLIC )
1706 ? mbedtls_rsa_public( ctx, sig, sig )
1707 : mbedtls_rsa_private( ctx, NULL, NULL, sig, sig ) );
1708 else
1709 return( ( mode == MBEDTLS_RSA_PUBLIC )
1710 ? mbedtls_rsa_public( ctx, sig, sig )
1711 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1712 }
1713
1714 /*
1715 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
1716 * the option to pass in the salt length.
1717 */
mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)1718 int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
1719 int (*f_rng)(void *, unsigned char *, size_t),
1720 void *p_rng,
1721 mbedtls_md_type_t md_alg,
1722 unsigned int hashlen,
1723 const unsigned char *hash,
1724 int saltlen,
1725 unsigned char *sig )
1726 {
1727 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg,
1728 hashlen, hash, saltlen, sig );
1729 }
1730
1731
1732 /*
1733 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1734 */
mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1735 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
1736 int (*f_rng)(void *, unsigned char *, size_t),
1737 void *p_rng,
1738 int mode,
1739 mbedtls_md_type_t md_alg,
1740 unsigned int hashlen,
1741 const unsigned char *hash,
1742 unsigned char *sig )
1743 {
1744 return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1745 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig );
1746 }
1747 #endif /* MBEDTLS_PKCS1_V21 */
1748
1749 #if defined(MBEDTLS_PKCS1_V15)
1750 /*
1751 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1752 */
1753
1754 /* Construct a PKCS v1.5 encoding of a hashed message
1755 *
1756 * This is used both for signature generation and verification.
1757 *
1758 * Parameters:
1759 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1760 * MBEDTLS_MD_NONE if raw data is signed.
1761 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
1762 * - hash: Buffer containing the hashed message or the raw data.
1763 * - dst_len: Length of the encoded message.
1764 * - dst: Buffer to hold the encoded message.
1765 *
1766 * Assumptions:
1767 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
1768 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
1769 * - dst points to a buffer of size at least dst_len.
1770 *
1771 */
rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,size_t dst_len,unsigned char * dst)1772 static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
1773 unsigned int hashlen,
1774 const unsigned char *hash,
1775 size_t dst_len,
1776 unsigned char *dst )
1777 {
1778 size_t oid_size = 0;
1779 size_t nb_pad = dst_len;
1780 unsigned char *p = dst;
1781 const char *oid = NULL;
1782
1783 /* Are we signing hashed or raw data? */
1784 if( md_alg != MBEDTLS_MD_NONE )
1785 {
1786 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1787 if( md_info == NULL )
1788 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1789
1790 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1791 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1792
1793 hashlen = mbedtls_md_get_size( md_info );
1794
1795 /* Double-check that 8 + hashlen + oid_size can be used as a
1796 * 1-byte ASN.1 length encoding and that there's no overflow. */
1797 if( 8 + hashlen + oid_size >= 0x80 ||
1798 10 + hashlen < hashlen ||
1799 10 + hashlen + oid_size < 10 + hashlen )
1800 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1801
1802 /*
1803 * Static bounds check:
1804 * - Need 10 bytes for five tag-length pairs.
1805 * (Insist on 1-byte length encodings to protect against variants of
1806 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1807 * - Need hashlen bytes for hash
1808 * - Need oid_size bytes for hash alg OID.
1809 */
1810 if( nb_pad < 10 + hashlen + oid_size )
1811 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1812 nb_pad -= 10 + hashlen + oid_size;
1813 }
1814 else
1815 {
1816 if( nb_pad < hashlen )
1817 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1818
1819 nb_pad -= hashlen;
1820 }
1821
1822 /* Need space for signature header and padding delimiter (3 bytes),
1823 * and 8 bytes for the minimal padding */
1824 if( nb_pad < 3 + 8 )
1825 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1826 nb_pad -= 3;
1827
1828 /* Now nb_pad is the amount of memory to be filled
1829 * with padding, and at least 8 bytes long. */
1830
1831 /* Write signature header and padding */
1832 *p++ = 0;
1833 *p++ = MBEDTLS_RSA_SIGN;
1834 memset( p, 0xFF, nb_pad );
1835 p += nb_pad;
1836 *p++ = 0;
1837
1838 /* Are we signing raw data? */
1839 if( md_alg == MBEDTLS_MD_NONE )
1840 {
1841 memcpy( p, hash, hashlen );
1842 return( 0 );
1843 }
1844
1845 /* Signing hashed data, add corresponding ASN.1 structure
1846 *
1847 * DigestInfo ::= SEQUENCE {
1848 * digestAlgorithm DigestAlgorithmIdentifier,
1849 * digest Digest }
1850 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1851 * Digest ::= OCTET STRING
1852 *
1853 * Schematic:
1854 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1855 * TAG-NULL + LEN [ NULL ] ]
1856 * TAG-OCTET + LEN [ HASH ] ]
1857 */
1858 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1859 *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
1860 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1861 *p++ = (unsigned char)( 0x04 + oid_size );
1862 *p++ = MBEDTLS_ASN1_OID;
1863 *p++ = (unsigned char) oid_size;
1864 memcpy( p, oid, oid_size );
1865 p += oid_size;
1866 *p++ = MBEDTLS_ASN1_NULL;
1867 *p++ = 0x00;
1868 *p++ = MBEDTLS_ASN1_OCTET_STRING;
1869 *p++ = (unsigned char) hashlen;
1870 memcpy( p, hash, hashlen );
1871 p += hashlen;
1872
1873 /* Just a sanity-check, should be automatic
1874 * after the initial bounds check. */
1875 if( p != dst + dst_len )
1876 {
1877 mbedtls_platform_zeroize( dst, dst_len );
1878 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1879 }
1880
1881 return( 0 );
1882 }
1883
1884 /*
1885 * Do an RSA operation to sign the message digest
1886 */
mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1887 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
1888 int (*f_rng)(void *, unsigned char *, size_t),
1889 void *p_rng,
1890 int mode,
1891 mbedtls_md_type_t md_alg,
1892 unsigned int hashlen,
1893 const unsigned char *hash,
1894 unsigned char *sig )
1895 {
1896 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1897 unsigned char *sig_try = NULL, *verif = NULL;
1898
1899 RSA_VALIDATE_RET( ctx != NULL );
1900 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1901 mode == MBEDTLS_RSA_PUBLIC );
1902 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
1903 hashlen == 0 ) ||
1904 hash != NULL );
1905 RSA_VALIDATE_RET( sig != NULL );
1906
1907 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1908 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1909
1910 /*
1911 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1912 */
1913
1914 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
1915 ctx->len, sig ) ) != 0 )
1916 return( ret );
1917
1918 /*
1919 * Call respective RSA primitive
1920 */
1921
1922 if( mode == MBEDTLS_RSA_PUBLIC )
1923 {
1924 /* Skip verification on a public key operation */
1925 return( mbedtls_rsa_public( ctx, sig, sig ) );
1926 }
1927
1928 /* Private key operation
1929 *
1930 * In order to prevent Lenstra's attack, make the signature in a
1931 * temporary buffer and check it before returning it.
1932 */
1933
1934 sig_try = mbedtls_calloc( 1, ctx->len );
1935 if( sig_try == NULL )
1936 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1937
1938 verif = mbedtls_calloc( 1, ctx->len );
1939 if( verif == NULL )
1940 {
1941 mbedtls_free( sig_try );
1942 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1943 }
1944
1945 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1946 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
1947
1948 if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 )
1949 {
1950 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1951 goto cleanup;
1952 }
1953
1954 memcpy( sig, sig_try, ctx->len );
1955
1956 cleanup:
1957 mbedtls_platform_zeroize( sig_try, ctx->len );
1958 mbedtls_platform_zeroize( verif, ctx->len );
1959 mbedtls_free( sig_try );
1960 mbedtls_free( verif );
1961
1962 if( ret != 0 )
1963 memset( sig, '!', ctx->len );
1964 return( ret );
1965 }
1966 #endif /* MBEDTLS_PKCS1_V15 */
1967
1968 /*
1969 * Do an RSA operation to sign the message digest
1970 */
mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1971 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
1972 int (*f_rng)(void *, unsigned char *, size_t),
1973 void *p_rng,
1974 int mode,
1975 mbedtls_md_type_t md_alg,
1976 unsigned int hashlen,
1977 const unsigned char *hash,
1978 unsigned char *sig )
1979 {
1980 RSA_VALIDATE_RET( ctx != NULL );
1981 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1982 mode == MBEDTLS_RSA_PUBLIC );
1983 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
1984 hashlen == 0 ) ||
1985 hash != NULL );
1986 RSA_VALIDATE_RET( sig != NULL );
1987
1988 switch( ctx->padding )
1989 {
1990 #if defined(MBEDTLS_PKCS1_V15)
1991 case MBEDTLS_RSA_PKCS_V15:
1992 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
1993 hashlen, hash, sig );
1994 #endif
1995
1996 #if defined(MBEDTLS_PKCS1_V21)
1997 case MBEDTLS_RSA_PKCS_V21:
1998 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1999 hashlen, hash, sig );
2000 #endif
2001
2002 default:
2003 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2004 }
2005 }
2006
2007 #if defined(MBEDTLS_PKCS1_V21)
2008 /*
2009 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2010 */
mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,mbedtls_md_type_t mgf1_hash_id,int expected_salt_len,const unsigned char * sig)2011 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
2012 int (*f_rng)(void *, unsigned char *, size_t),
2013 void *p_rng,
2014 int mode,
2015 mbedtls_md_type_t md_alg,
2016 unsigned int hashlen,
2017 const unsigned char *hash,
2018 mbedtls_md_type_t mgf1_hash_id,
2019 int expected_salt_len,
2020 const unsigned char *sig )
2021 {
2022 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2023 size_t siglen;
2024 unsigned char *p;
2025 unsigned char *hash_start;
2026 unsigned char result[MBEDTLS_MD_MAX_SIZE];
2027 unsigned char zeros[8];
2028 unsigned int hlen;
2029 size_t observed_salt_len, msb;
2030 const mbedtls_md_info_t *md_info;
2031 mbedtls_md_context_t md_ctx;
2032 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
2033
2034 RSA_VALIDATE_RET( ctx != NULL );
2035 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2036 mode == MBEDTLS_RSA_PUBLIC );
2037 RSA_VALIDATE_RET( sig != NULL );
2038 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2039 hashlen == 0 ) ||
2040 hash != NULL );
2041
2042 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
2043 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2044
2045 siglen = ctx->len;
2046
2047 if( siglen < 16 || siglen > sizeof( buf ) )
2048 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2049
2050 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2051 ? mbedtls_rsa_public( ctx, sig, buf )
2052 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
2053
2054 if( ret != 0 )
2055 return( ret );
2056
2057 p = buf;
2058
2059 if( buf[siglen - 1] != 0xBC )
2060 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2061
2062 if( md_alg != MBEDTLS_MD_NONE )
2063 {
2064 /* Gather length of hash to sign */
2065 md_info = mbedtls_md_info_from_type( md_alg );
2066 if( md_info == NULL )
2067 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2068
2069 hashlen = mbedtls_md_get_size( md_info );
2070 }
2071
2072 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
2073 if( md_info == NULL )
2074 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2075
2076 hlen = mbedtls_md_get_size( md_info );
2077
2078 memset( zeros, 0, 8 );
2079
2080 /*
2081 * Note: EMSA-PSS verification is over the length of N - 1 bits
2082 */
2083 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
2084
2085 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
2086 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2087
2088 /* Compensate for boundary condition when applying mask */
2089 if( msb % 8 == 0 )
2090 {
2091 p++;
2092 siglen -= 1;
2093 }
2094
2095 if( siglen < hlen + 2 )
2096 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2097 hash_start = p + siglen - hlen - 1;
2098
2099 mbedtls_md_init( &md_ctx );
2100 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
2101 goto exit;
2102
2103 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
2104 if( ret != 0 )
2105 goto exit;
2106
2107 buf[0] &= 0xFF >> ( siglen * 8 - msb );
2108
2109 while( p < hash_start - 1 && *p == 0 )
2110 p++;
2111
2112 if( *p++ != 0x01 )
2113 {
2114 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2115 goto exit;
2116 }
2117
2118 observed_salt_len = hash_start - p;
2119
2120 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
2121 observed_salt_len != (size_t) expected_salt_len )
2122 {
2123 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2124 goto exit;
2125 }
2126
2127 /*
2128 * Generate H = Hash( M' )
2129 */
2130 ret = mbedtls_md_starts( &md_ctx );
2131 if ( ret != 0 )
2132 goto exit;
2133 ret = mbedtls_md_update( &md_ctx, zeros, 8 );
2134 if ( ret != 0 )
2135 goto exit;
2136 ret = mbedtls_md_update( &md_ctx, hash, hashlen );
2137 if ( ret != 0 )
2138 goto exit;
2139 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
2140 if ( ret != 0 )
2141 goto exit;
2142 ret = mbedtls_md_finish( &md_ctx, result );
2143 if ( ret != 0 )
2144 goto exit;
2145
2146 if( FTMN_CALLEE_DONE_MEMCMP( memcmp, hash_start, result, hlen ) != 0 )
2147 {
2148 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2149 goto exit;
2150 }
2151
2152 exit:
2153 mbedtls_md_free( &md_ctx );
2154
2155 return( ret );
2156 }
2157
2158 /*
2159 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2160 */
mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2161 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
2162 int (*f_rng)(void *, unsigned char *, size_t),
2163 void *p_rng,
2164 int mode,
2165 mbedtls_md_type_t md_alg,
2166 unsigned int hashlen,
2167 const unsigned char *hash,
2168 const unsigned char *sig )
2169 {
2170 mbedtls_md_type_t mgf1_hash_id;
2171 RSA_VALIDATE_RET( ctx != NULL );
2172 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2173 mode == MBEDTLS_RSA_PUBLIC );
2174 RSA_VALIDATE_RET( sig != NULL );
2175 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2176 hashlen == 0 ) ||
2177 hash != NULL );
2178
2179 mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
2180 ? (mbedtls_md_type_t) ctx->hash_id
2181 : md_alg;
2182
2183 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
2184 md_alg, hashlen, hash,
2185 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
2186 sig ) );
2187
2188 }
2189 #endif /* MBEDTLS_PKCS1_V21 */
2190
2191 #if defined(MBEDTLS_PKCS1_V15)
2192 /*
2193 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2194 */
mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2195 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
2196 int (*f_rng)(void *, unsigned char *, size_t),
2197 void *p_rng,
2198 int mode,
2199 mbedtls_md_type_t md_alg,
2200 unsigned int hashlen,
2201 const unsigned char *hash,
2202 const unsigned char *sig )
2203 {
2204 int ret = 0;
2205 size_t sig_len;
2206 unsigned char *encoded = NULL, *encoded_expected = NULL;
2207
2208 RSA_VALIDATE_RET( ctx != NULL );
2209 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2210 mode == MBEDTLS_RSA_PUBLIC );
2211 RSA_VALIDATE_RET( sig != NULL );
2212 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2213 hashlen == 0 ) ||
2214 hash != NULL );
2215
2216 sig_len = ctx->len;
2217
2218 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
2219 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2220
2221 /*
2222 * Prepare expected PKCS1 v1.5 encoding of hash.
2223 */
2224
2225 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL ||
2226 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
2227 {
2228 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2229 goto cleanup;
2230 }
2231
2232 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
2233 encoded_expected ) ) != 0 )
2234 goto cleanup;
2235
2236 /*
2237 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2238 */
2239
2240 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2241 ? mbedtls_rsa_public( ctx, sig, encoded )
2242 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
2243 if( ret != 0 )
2244 goto cleanup;
2245
2246 /*
2247 * Compare
2248 */
2249
2250 if( ( ret = FTMN_CALLEE_DONE_MEMCMP(mbedtls_ct_memcmp, encoded,
2251 encoded_expected, sig_len ) ) != 0 )
2252 {
2253 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2254 goto cleanup;
2255 }
2256
2257 cleanup:
2258
2259 if( encoded != NULL )
2260 {
2261 mbedtls_platform_zeroize( encoded, sig_len );
2262 mbedtls_free( encoded );
2263 }
2264
2265 if( encoded_expected != NULL )
2266 {
2267 mbedtls_platform_zeroize( encoded_expected, sig_len );
2268 mbedtls_free( encoded_expected );
2269 }
2270
2271 return( ret );
2272 }
2273 #endif /* MBEDTLS_PKCS1_V15 */
2274
2275 /*
2276 * Do an RSA operation and check the message digest
2277 */
mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2278 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
2279 int (*f_rng)(void *, unsigned char *, size_t),
2280 void *p_rng,
2281 int mode,
2282 mbedtls_md_type_t md_alg,
2283 unsigned int hashlen,
2284 const unsigned char *hash,
2285 const unsigned char *sig )
2286 {
2287 RSA_VALIDATE_RET( ctx != NULL );
2288 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2289 mode == MBEDTLS_RSA_PUBLIC );
2290 RSA_VALIDATE_RET( sig != NULL );
2291 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2292 hashlen == 0 ) ||
2293 hash != NULL );
2294
2295 switch( ctx->padding )
2296 {
2297 #if defined(MBEDTLS_PKCS1_V15)
2298 case MBEDTLS_RSA_PKCS_V15:
2299 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
2300 hashlen, hash, sig );
2301 #endif
2302
2303 #if defined(MBEDTLS_PKCS1_V21)
2304 case MBEDTLS_RSA_PKCS_V21:
2305 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
2306 hashlen, hash, sig );
2307 #endif
2308
2309 default:
2310 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2311 }
2312 }
2313
2314 /*
2315 * Copy the components of an RSA key
2316 */
mbedtls_rsa_copy(mbedtls_rsa_context * dst,const mbedtls_rsa_context * src)2317 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
2318 {
2319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2320 RSA_VALIDATE_RET( dst != NULL );
2321 RSA_VALIDATE_RET( src != NULL );
2322
2323 dst->len = src->len;
2324
2325 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
2326 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
2327
2328 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
2329 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
2330 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
2331
2332 #if !defined(MBEDTLS_RSA_NO_CRT)
2333 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
2334 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
2335 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
2336 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
2337 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
2338 #endif
2339
2340 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
2341
2342 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
2343 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
2344
2345 dst->padding = src->padding;
2346 dst->hash_id = src->hash_id;
2347
2348 cleanup:
2349 if( ret != 0 )
2350 mbedtls_rsa_free( dst );
2351
2352 return( ret );
2353 }
2354
2355 /*
2356 * Free the components of an RSA key
2357 */
mbedtls_rsa_free(mbedtls_rsa_context * ctx)2358 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
2359 {
2360 if( ctx == NULL )
2361 return;
2362
2363 mbedtls_mpi_free( &ctx->Vi );
2364 mbedtls_mpi_free( &ctx->Vf );
2365 mbedtls_mpi_free( &ctx->RN );
2366 mbedtls_mpi_free( &ctx->D );
2367 mbedtls_mpi_free( &ctx->Q );
2368 mbedtls_mpi_free( &ctx->P );
2369 mbedtls_mpi_free( &ctx->E );
2370 mbedtls_mpi_free( &ctx->N );
2371
2372 #if !defined(MBEDTLS_RSA_NO_CRT)
2373 mbedtls_mpi_free( &ctx->RQ );
2374 mbedtls_mpi_free( &ctx->RP );
2375 mbedtls_mpi_free( &ctx->QP );
2376 mbedtls_mpi_free( &ctx->DQ );
2377 mbedtls_mpi_free( &ctx->DP );
2378 #endif /* MBEDTLS_RSA_NO_CRT */
2379
2380 #if defined(MBEDTLS_THREADING_C)
2381 /* Free the mutex, but only if it hasn't been freed already. */
2382 if( ctx->ver != 0 )
2383 {
2384 mbedtls_mutex_free( &ctx->mutex );
2385 ctx->ver = 0;
2386 }
2387 #endif
2388 }
2389
2390 #endif /* !MBEDTLS_RSA_ALT */
2391
2392 #if defined(MBEDTLS_SELF_TEST)
2393
2394 #include "mbedtls/sha1.h"
2395
2396 /*
2397 * Example RSA-1024 keypair, for test purposes
2398 */
2399 #define KEY_LEN 128
2400
2401 #define RSA_N "9292758453063D803DD603D5E777D788" \
2402 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2403 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2404 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2405 "93A89813FBF3C4F8066D2D800F7C38A8" \
2406 "1AE31942917403FF4946B0A83D3D3E05" \
2407 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2408 "5E94BB77B07507233A0BC7BAC8F90F79"
2409
2410 #define RSA_E "10001"
2411
2412 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2413 "66CA472BC44D253102F8B4A9D3BFA750" \
2414 "91386C0077937FE33FA3252D28855837" \
2415 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2416 "DF79C5CE07EE72C7F123142198164234" \
2417 "CABB724CF78B8173B9F880FC86322407" \
2418 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2419 "071513A1E85B5DFA031F21ECAE91A34D"
2420
2421 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2422 "2C01CAD19EA484A87EA4377637E75500" \
2423 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2424 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2425
2426 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2427 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2428 "910E4168387E3C30AA1E00C339A79508" \
2429 "8452DD96A9A5EA5D9DCA68DA636032AF"
2430
2431 #define PT_LEN 24
2432 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2433 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2434
2435 #if defined(MBEDTLS_PKCS1_V15)
myrand(void * rng_state,unsigned char * output,size_t len)2436 static int myrand( void *rng_state, unsigned char *output, size_t len )
2437 {
2438 #if !defined(__OpenBSD__) && !defined(__NetBSD__)
2439 size_t i;
2440
2441 if( rng_state != NULL )
2442 rng_state = NULL;
2443
2444 for( i = 0; i < len; ++i )
2445 output[i] = rand();
2446 #else
2447 if( rng_state != NULL )
2448 rng_state = NULL;
2449
2450 arc4random_buf( output, len );
2451 #endif /* !OpenBSD && !NetBSD */
2452
2453 return( 0 );
2454 }
2455 #endif /* MBEDTLS_PKCS1_V15 */
2456
2457 /*
2458 * Checkup routine
2459 */
mbedtls_rsa_self_test(int verbose)2460 int mbedtls_rsa_self_test( int verbose )
2461 {
2462 int ret = 0;
2463 #if defined(MBEDTLS_PKCS1_V15)
2464 size_t len;
2465 mbedtls_rsa_context rsa;
2466 unsigned char rsa_plaintext[PT_LEN];
2467 unsigned char rsa_decrypted[PT_LEN];
2468 unsigned char rsa_ciphertext[KEY_LEN];
2469 #if defined(MBEDTLS_SHA1_C)
2470 unsigned char sha1sum[20];
2471 #endif
2472
2473 mbedtls_mpi K;
2474
2475 mbedtls_mpi_init( &K );
2476 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
2477
2478 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
2479 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
2480 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
2481 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
2482 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
2483 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
2484 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
2485 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
2486 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
2487 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
2488
2489 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
2490
2491 if( verbose != 0 )
2492 mbedtls_printf( " RSA key validation: " );
2493
2494 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
2495 mbedtls_rsa_check_privkey( &rsa ) != 0 )
2496 {
2497 if( verbose != 0 )
2498 mbedtls_printf( "failed\n" );
2499
2500 ret = 1;
2501 goto cleanup;
2502 }
2503
2504 if( verbose != 0 )
2505 mbedtls_printf( "passed\n PKCS#1 encryption : " );
2506
2507 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
2508
2509 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
2510 PT_LEN, rsa_plaintext,
2511 rsa_ciphertext ) != 0 )
2512 {
2513 if( verbose != 0 )
2514 mbedtls_printf( "failed\n" );
2515
2516 ret = 1;
2517 goto cleanup;
2518 }
2519
2520 if( verbose != 0 )
2521 mbedtls_printf( "passed\n PKCS#1 decryption : " );
2522
2523 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
2524 &len, rsa_ciphertext, rsa_decrypted,
2525 sizeof(rsa_decrypted) ) != 0 )
2526 {
2527 if( verbose != 0 )
2528 mbedtls_printf( "failed\n" );
2529
2530 ret = 1;
2531 goto cleanup;
2532 }
2533
2534 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
2535 {
2536 if( verbose != 0 )
2537 mbedtls_printf( "failed\n" );
2538
2539 ret = 1;
2540 goto cleanup;
2541 }
2542
2543 if( verbose != 0 )
2544 mbedtls_printf( "passed\n" );
2545
2546 #if defined(MBEDTLS_SHA1_C)
2547 if( verbose != 0 )
2548 mbedtls_printf( " PKCS#1 data sign : " );
2549
2550 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
2551 {
2552 if( verbose != 0 )
2553 mbedtls_printf( "failed\n" );
2554
2555 return( 1 );
2556 }
2557
2558 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
2559 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
2560 sha1sum, rsa_ciphertext ) != 0 )
2561 {
2562 if( verbose != 0 )
2563 mbedtls_printf( "failed\n" );
2564
2565 ret = 1;
2566 goto cleanup;
2567 }
2568
2569 if( verbose != 0 )
2570 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
2571
2572 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
2573 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
2574 sha1sum, rsa_ciphertext ) != 0 )
2575 {
2576 if( verbose != 0 )
2577 mbedtls_printf( "failed\n" );
2578
2579 ret = 1;
2580 goto cleanup;
2581 }
2582
2583 if( verbose != 0 )
2584 mbedtls_printf( "passed\n" );
2585 #endif /* MBEDTLS_SHA1_C */
2586
2587 if( verbose != 0 )
2588 mbedtls_printf( "\n" );
2589
2590 cleanup:
2591 mbedtls_mpi_free( &K );
2592 mbedtls_rsa_free( &rsa );
2593 #else /* MBEDTLS_PKCS1_V15 */
2594 ((void) verbose);
2595 #endif /* MBEDTLS_PKCS1_V15 */
2596 return( ret );
2597 }
2598
2599 #endif /* MBEDTLS_SELF_TEST */
2600
2601 #endif /* MBEDTLS_RSA_C */
2602