Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
8774 | rgimad | 1 | /* |
2 | * The RSA public-key cryptosystem |
||
3 | * |
||
4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved |
||
5 | * SPDX-License-Identifier: GPL-2.0 |
||
6 | * |
||
7 | * This program is free software; you can redistribute it and/or modify |
||
8 | * it under the terms of the GNU General Public License as published by |
||
9 | * the Free Software Foundation; either version 2 of the License, or |
||
10 | * (at your option) any later version. |
||
11 | * |
||
12 | * This program is distributed in the hope that it will be useful, |
||
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
15 | * GNU General Public License for more details. |
||
16 | * |
||
17 | * You should have received a copy of the GNU General Public License along |
||
18 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
20 | * |
||
21 | * This file is part of mbed TLS (https://tls.mbed.org) |
||
22 | */ |
||
23 | |||
24 | /* |
||
25 | * The following sources were referenced in the design of this implementation |
||
26 | * of the RSA algorithm: |
||
27 | * |
||
28 | * [1] A method for obtaining digital signatures and public-key cryptosystems |
||
29 | * R Rivest, A Shamir, and L Adleman |
||
30 | * http://people.csail.mit.edu/rivest/pubs.html#RSA78 |
||
31 | * |
||
32 | * [2] Handbook of Applied Cryptography - 1997, Chapter 8 |
||
33 | * Menezes, van Oorschot and Vanstone |
||
34 | * |
||
35 | * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks |
||
36 | * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and |
||
37 | * Stefan Mangard |
||
38 | * https://arxiv.org/abs/1702.08719v2 |
||
39 | * |
||
40 | */ |
||
41 | |||
42 | #if !defined(MBEDTLS_CONFIG_FILE) |
||
43 | #include "mbedtls/config.h" |
||
44 | #else |
||
45 | #include MBEDTLS_CONFIG_FILE |
||
46 | #endif |
||
47 | |||
48 | #if defined(MBEDTLS_RSA_C) |
||
49 | |||
50 | #include "mbedtls/rsa.h" |
||
51 | #include "mbedtls/rsa_internal.h" |
||
52 | #include "mbedtls/oid.h" |
||
53 | #include "mbedtls/platform_util.h" |
||
54 | |||
55 | #include |
||
56 | |||
57 | #if defined(MBEDTLS_PKCS1_V21) |
||
58 | #include "mbedtls/md.h" |
||
59 | #endif |
||
60 | |||
61 | #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) |
||
62 | #include |
||
63 | #endif |
||
64 | |||
65 | #if defined(MBEDTLS_PLATFORM_C) |
||
66 | #include "mbedtls/platform.h" |
||
67 | #else |
||
68 | #include |
||
69 | #define mbedtls_printf printf |
||
70 | #define mbedtls_calloc calloc |
||
71 | #define mbedtls_free free |
||
72 | #endif |
||
73 | |||
74 | #if !defined(MBEDTLS_RSA_ALT) |
||
75 | |||
76 | /* Parameter validation macros */ |
||
77 | #define RSA_VALIDATE_RET( cond ) \ |
||
78 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) |
||
79 | #define RSA_VALIDATE( cond ) \ |
||
80 | MBEDTLS_INTERNAL_VALIDATE( cond ) |
||
81 | |||
82 | #if defined(MBEDTLS_PKCS1_V15) |
||
83 | /* constant-time buffer comparison */ |
||
84 | static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n ) |
||
85 | { |
||
86 | size_t i; |
||
87 | const unsigned char *A = (const unsigned char *) a; |
||
88 | const unsigned char *B = (const unsigned char *) b; |
||
89 | unsigned char diff = 0; |
||
90 | |||
91 | for( i = 0; i < n; i++ ) |
||
92 | diff |= A[i] ^ B[i]; |
||
93 | |||
94 | return( diff ); |
||
95 | } |
||
96 | #endif /* MBEDTLS_PKCS1_V15 */ |
||
97 | |||
98 | int mbedtls_rsa_import( mbedtls_rsa_context *ctx, |
||
99 | const mbedtls_mpi *N, |
||
100 | const mbedtls_mpi *P, const mbedtls_mpi *Q, |
||
101 | const mbedtls_mpi *D, const mbedtls_mpi *E ) |
||
102 | { |
||
103 | int ret; |
||
104 | RSA_VALIDATE_RET( ctx != NULL ); |
||
105 | |||
106 | if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) || |
||
107 | ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) || |
||
108 | ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) || |
||
109 | ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) || |
||
110 | ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) ) |
||
111 | { |
||
112 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
113 | } |
||
114 | |||
115 | if( N != NULL ) |
||
116 | ctx->len = mbedtls_mpi_size( &ctx->N ); |
||
117 | |||
118 | return( 0 ); |
||
119 | } |
||
120 | |||
121 | int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, |
||
122 | unsigned char const *N, size_t N_len, |
||
123 | unsigned char const *P, size_t P_len, |
||
124 | unsigned char const *Q, size_t Q_len, |
||
125 | unsigned char const *D, size_t D_len, |
||
126 | unsigned char const *E, size_t E_len ) |
||
127 | { |
||
128 | int ret = 0; |
||
129 | RSA_VALIDATE_RET( ctx != NULL ); |
||
130 | |||
131 | if( N != NULL ) |
||
132 | { |
||
133 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) ); |
||
134 | ctx->len = mbedtls_mpi_size( &ctx->N ); |
||
135 | } |
||
136 | |||
137 | if( P != NULL ) |
||
138 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) ); |
||
139 | |||
140 | if( Q != NULL ) |
||
141 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) ); |
||
142 | |||
143 | if( D != NULL ) |
||
144 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) ); |
||
145 | |||
146 | if( E != NULL ) |
||
147 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) ); |
||
148 | |||
149 | cleanup: |
||
150 | |||
151 | if( ret != 0 ) |
||
152 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
153 | |||
154 | return( 0 ); |
||
155 | } |
||
156 | |||
157 | /* |
||
158 | * Checks whether the context fields are set in such a way |
||
159 | * that the RSA primitives will be able to execute without error. |
||
160 | * It does *not* make guarantees for consistency of the parameters. |
||
161 | */ |
||
162 | static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv, |
||
163 | int blinding_needed ) |
||
164 | { |
||
165 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
166 | /* blinding_needed is only used for NO_CRT to decide whether |
||
167 | * P,Q need to be present or not. */ |
||
168 | ((void) blinding_needed); |
||
169 | #endif |
||
170 | |||
171 | if( ctx->len != mbedtls_mpi_size( &ctx->N ) || |
||
172 | ctx->len > MBEDTLS_MPI_MAX_SIZE ) |
||
173 | { |
||
174 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
175 | } |
||
176 | |||
177 | /* |
||
178 | * 1. Modular exponentiation needs positive, odd moduli. |
||
179 | */ |
||
180 | |||
181 | /* Modular exponentiation wrt. N is always used for |
||
182 | * RSA public key operations. */ |
||
183 | if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 || |
||
184 | mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 ) |
||
185 | { |
||
186 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
187 | } |
||
188 | |||
189 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
190 | /* Modular exponentiation for P and Q is only |
||
191 | * used for private key operations and if CRT |
||
192 | * is used. */ |
||
193 | if( is_priv && |
||
194 | ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || |
||
195 | mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 || |
||
196 | mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 || |
||
197 | mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) ) |
||
198 | { |
||
199 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
200 | } |
||
201 | #endif /* !MBEDTLS_RSA_NO_CRT */ |
||
202 | |||
203 | /* |
||
204 | * 2. Exponents must be positive |
||
205 | */ |
||
206 | |||
207 | /* Always need E for public key operations */ |
||
208 | if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 ) |
||
209 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
210 | |||
211 | #if defined(MBEDTLS_RSA_NO_CRT) |
||
212 | /* For private key operations, use D or DP & DQ |
||
213 | * as (unblinded) exponents. */ |
||
214 | if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 ) |
||
215 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
216 | #else |
||
217 | if( is_priv && |
||
218 | ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 || |
||
219 | mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) ) |
||
220 | { |
||
221 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
222 | } |
||
223 | #endif /* MBEDTLS_RSA_NO_CRT */ |
||
224 | |||
225 | /* Blinding shouldn't make exponents negative either, |
||
226 | * so check that P, Q >= 1 if that hasn't yet been |
||
227 | * done as part of 1. */ |
||
228 | #if defined(MBEDTLS_RSA_NO_CRT) |
||
229 | if( is_priv && blinding_needed && |
||
230 | ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || |
||
231 | mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) ) |
||
232 | { |
||
233 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
234 | } |
||
235 | #endif |
||
236 | |||
237 | /* It wouldn't lead to an error if it wasn't satisfied, |
||
238 | * but check for QP >= 1 nonetheless. */ |
||
239 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
240 | if( is_priv && |
||
241 | mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 ) |
||
242 | { |
||
243 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
244 | } |
||
245 | #endif |
||
246 | |||
247 | return( 0 ); |
||
248 | } |
||
249 | |||
250 | int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ) |
||
251 | { |
||
252 | int ret = 0; |
||
253 | int have_N, have_P, have_Q, have_D, have_E; |
||
254 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
255 | int have_DP, have_DQ, have_QP; |
||
256 | #endif |
||
257 | int n_missing, pq_missing, d_missing, is_pub, is_priv; |
||
258 | |||
259 | RSA_VALIDATE_RET( ctx != NULL ); |
||
260 | |||
261 | have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 ); |
||
262 | have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 ); |
||
263 | have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 ); |
||
264 | have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 ); |
||
265 | have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 ); |
||
266 | |||
267 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
268 | have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 ); |
||
269 | have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 ); |
||
270 | have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 ); |
||
271 | #endif |
||
272 | |||
273 | /* |
||
274 | * Check whether provided parameters are enough |
||
275 | * to deduce all others. The following incomplete |
||
276 | * parameter sets for private keys are supported: |
||
277 | * |
||
278 | * (1) P, Q missing. |
||
279 | * (2) D and potentially N missing. |
||
280 | * |
||
281 | */ |
||
282 | |||
283 | n_missing = have_P && have_Q && have_D && have_E; |
||
284 | pq_missing = have_N && !have_P && !have_Q && have_D && have_E; |
||
285 | d_missing = have_P && have_Q && !have_D && have_E; |
||
286 | is_pub = have_N && !have_P && !have_Q && !have_D && have_E; |
||
287 | |||
288 | /* These three alternatives are mutually exclusive */ |
||
289 | is_priv = n_missing || pq_missing || d_missing; |
||
290 | |||
291 | if( !is_priv && !is_pub ) |
||
292 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
293 | |||
294 | /* |
||
295 | * Step 1: Deduce N if P, Q are provided. |
||
296 | */ |
||
297 | |||
298 | if( !have_N && have_P && have_Q ) |
||
299 | { |
||
300 | if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, |
||
301 | &ctx->Q ) ) != 0 ) |
||
302 | { |
||
303 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
304 | } |
||
305 | |||
306 | ctx->len = mbedtls_mpi_size( &ctx->N ); |
||
307 | } |
||
308 | |||
309 | /* |
||
310 | * Step 2: Deduce and verify all remaining core parameters. |
||
311 | */ |
||
312 | |||
313 | if( pq_missing ) |
||
314 | { |
||
315 | ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D, |
||
316 | &ctx->P, &ctx->Q ); |
||
317 | if( ret != 0 ) |
||
318 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
319 | |||
320 | } |
||
321 | else if( d_missing ) |
||
322 | { |
||
323 | if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P, |
||
324 | &ctx->Q, |
||
325 | &ctx->E, |
||
326 | &ctx->D ) ) != 0 ) |
||
327 | { |
||
328 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
329 | } |
||
330 | } |
||
331 | |||
332 | /* |
||
333 | * Step 3: Deduce all additional parameters specific |
||
334 | * to our current RSA implementation. |
||
335 | */ |
||
336 | |||
337 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
338 | if( is_priv && ! ( have_DP && have_DQ && have_QP ) ) |
||
339 | { |
||
340 | ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, |
||
341 | &ctx->DP, &ctx->DQ, &ctx->QP ); |
||
342 | if( ret != 0 ) |
||
343 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
344 | } |
||
345 | #endif /* MBEDTLS_RSA_NO_CRT */ |
||
346 | |||
347 | /* |
||
348 | * Step 3: Basic sanity checks |
||
349 | */ |
||
350 | |||
351 | return( rsa_check_context( ctx, is_priv, 1 ) ); |
||
352 | } |
||
353 | |||
354 | int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, |
||
355 | unsigned char *N, size_t N_len, |
||
356 | unsigned char *P, size_t P_len, |
||
357 | unsigned char *Q, size_t Q_len, |
||
358 | unsigned char *D, size_t D_len, |
||
359 | unsigned char *E, size_t E_len ) |
||
360 | { |
||
361 | int ret = 0; |
||
362 | int is_priv; |
||
363 | RSA_VALIDATE_RET( ctx != NULL ); |
||
364 | |||
365 | /* Check if key is private or public */ |
||
366 | is_priv = |
||
367 | mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && |
||
368 | mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && |
||
369 | mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && |
||
370 | mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && |
||
371 | mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; |
||
372 | |||
373 | if( !is_priv ) |
||
374 | { |
||
375 | /* If we're trying to export private parameters for a public key, |
||
376 | * something must be wrong. */ |
||
377 | if( P != NULL || Q != NULL || D != NULL ) |
||
378 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
379 | |||
380 | } |
||
381 | |||
382 | if( N != NULL ) |
||
383 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) ); |
||
384 | |||
385 | if( P != NULL ) |
||
386 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) ); |
||
387 | |||
388 | if( Q != NULL ) |
||
389 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) ); |
||
390 | |||
391 | if( D != NULL ) |
||
392 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) ); |
||
393 | |||
394 | if( E != NULL ) |
||
395 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) ); |
||
396 | |||
397 | cleanup: |
||
398 | |||
399 | return( ret ); |
||
400 | } |
||
401 | |||
402 | int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, |
||
403 | mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, |
||
404 | mbedtls_mpi *D, mbedtls_mpi *E ) |
||
405 | { |
||
406 | int ret; |
||
407 | int is_priv; |
||
408 | RSA_VALIDATE_RET( ctx != NULL ); |
||
409 | |||
410 | /* Check if key is private or public */ |
||
411 | is_priv = |
||
412 | mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && |
||
413 | mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && |
||
414 | mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && |
||
415 | mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && |
||
416 | mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; |
||
417 | |||
418 | if( !is_priv ) |
||
419 | { |
||
420 | /* If we're trying to export private parameters for a public key, |
||
421 | * something must be wrong. */ |
||
422 | if( P != NULL || Q != NULL || D != NULL ) |
||
423 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
424 | |||
425 | } |
||
426 | |||
427 | /* Export all requested core parameters. */ |
||
428 | |||
429 | if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) || |
||
430 | ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) || |
||
431 | ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) || |
||
432 | ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) || |
||
433 | ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) ) |
||
434 | { |
||
435 | return( ret ); |
||
436 | } |
||
437 | |||
438 | return( 0 ); |
||
439 | } |
||
440 | |||
441 | /* |
||
442 | * Export CRT parameters |
||
443 | * This must also be implemented if CRT is not used, for being able to |
||
444 | * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt |
||
445 | * can be used in this case. |
||
446 | */ |
||
447 | int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, |
||
448 | mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP ) |
||
449 | { |
||
450 | int ret; |
||
451 | int is_priv; |
||
452 | RSA_VALIDATE_RET( ctx != NULL ); |
||
453 | |||
454 | /* Check if key is private or public */ |
||
455 | is_priv = |
||
456 | mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && |
||
457 | mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && |
||
458 | mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && |
||
459 | mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && |
||
460 | mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; |
||
461 | |||
462 | if( !is_priv ) |
||
463 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
464 | |||
465 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
466 | /* Export all requested blinding parameters. */ |
||
467 | if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) || |
||
468 | ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) || |
||
469 | ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) ) |
||
470 | { |
||
471 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
472 | } |
||
473 | #else |
||
474 | if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, |
||
475 | DP, DQ, QP ) ) != 0 ) |
||
476 | { |
||
477 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret ); |
||
478 | } |
||
479 | #endif |
||
480 | |||
481 | return( 0 ); |
||
482 | } |
||
483 | |||
484 | /* |
||
485 | * Initialize an RSA context |
||
486 | */ |
||
487 | void mbedtls_rsa_init( mbedtls_rsa_context *ctx, |
||
488 | int padding, |
||
489 | int hash_id ) |
||
490 | { |
||
491 | RSA_VALIDATE( ctx != NULL ); |
||
492 | RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || |
||
493 | padding == MBEDTLS_RSA_PKCS_V21 ); |
||
494 | |||
495 | memset( ctx, 0, sizeof( mbedtls_rsa_context ) ); |
||
496 | |||
497 | mbedtls_rsa_set_padding( ctx, padding, hash_id ); |
||
498 | |||
499 | #if defined(MBEDTLS_THREADING_C) |
||
500 | mbedtls_mutex_init( &ctx->mutex ); |
||
501 | #endif |
||
502 | } |
||
503 | |||
504 | /* |
||
505 | * Set padding for an existing RSA context |
||
506 | */ |
||
507 | void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, |
||
508 | int hash_id ) |
||
509 | { |
||
510 | RSA_VALIDATE( ctx != NULL ); |
||
511 | RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 || |
||
512 | padding == MBEDTLS_RSA_PKCS_V21 ); |
||
513 | |||
514 | ctx->padding = padding; |
||
515 | ctx->hash_id = hash_id; |
||
516 | } |
||
517 | |||
518 | /* |
||
519 | * Get length in bytes of RSA modulus |
||
520 | */ |
||
521 | |||
522 | size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx ) |
||
523 | { |
||
524 | return( ctx->len ); |
||
525 | } |
||
526 | |||
527 | |||
528 | #if defined(MBEDTLS_GENPRIME) |
||
529 | |||
530 | /* |
||
531 | * Generate an RSA keypair |
||
532 | * |
||
533 | * This generation method follows the RSA key pair generation procedure of |
||
534 | * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072. |
||
535 | */ |
||
536 | int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, |
||
537 | int (*f_rng)(void *, unsigned char *, size_t), |
||
538 | void *p_rng, |
||
539 | unsigned int nbits, int exponent ) |
||
540 | { |
||
541 | int ret; |
||
542 | mbedtls_mpi H, G, L; |
||
543 | int prime_quality = 0; |
||
544 | RSA_VALIDATE_RET( ctx != NULL ); |
||
545 | RSA_VALIDATE_RET( f_rng != NULL ); |
||
546 | |||
547 | if( nbits < 128 || exponent < 3 || nbits % 2 != 0 ) |
||
548 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
549 | |||
550 | /* |
||
551 | * If the modulus is 1024 bit long or shorter, then the security strength of |
||
552 | * the RSA algorithm is less than or equal to 80 bits and therefore an error |
||
553 | * rate of 2^-80 is sufficient. |
||
554 | */ |
||
555 | if( nbits > 1024 ) |
||
556 | prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR; |
||
557 | |||
558 | mbedtls_mpi_init( &H ); |
||
559 | mbedtls_mpi_init( &G ); |
||
560 | mbedtls_mpi_init( &L ); |
||
561 | |||
562 | /* |
||
563 | * find primes P and Q with Q < P so that: |
||
564 | * 1. |P-Q| > 2^( nbits / 2 - 100 ) |
||
565 | * 2. GCD( E, (P-1)*(Q-1) ) == 1 |
||
566 | * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 ) |
||
567 | */ |
||
568 | MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) ); |
||
569 | |||
570 | do |
||
571 | { |
||
572 | MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, |
||
573 | prime_quality, f_rng, p_rng ) ); |
||
574 | |||
575 | MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, |
||
576 | prime_quality, f_rng, p_rng ) ); |
||
577 | |||
578 | /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */ |
||
579 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) ); |
||
580 | if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) ) |
||
581 | continue; |
||
582 | |||
583 | /* not required by any standards, but some users rely on the fact that P > Q */ |
||
584 | if( H.s < 0 ) |
||
585 | mbedtls_mpi_swap( &ctx->P, &ctx->Q ); |
||
586 | |||
587 | /* Temporarily replace P,Q by P-1, Q-1 */ |
||
588 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) ); |
||
589 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) ); |
||
590 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) ); |
||
591 | |||
592 | /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */ |
||
593 | MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) ); |
||
594 | if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 ) |
||
595 | continue; |
||
596 | |||
597 | /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */ |
||
598 | MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) ); |
||
599 | MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) ); |
||
600 | MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) ); |
||
601 | |||
602 | if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a)) |
||
603 | continue; |
||
604 | |||
605 | break; |
||
606 | } |
||
607 | while( 1 ); |
||
608 | |||
609 | /* Restore P,Q */ |
||
610 | MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) ); |
||
611 | MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) ); |
||
612 | |||
613 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) ); |
||
614 | |||
615 | ctx->len = mbedtls_mpi_size( &ctx->N ); |
||
616 | |||
617 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
618 | /* |
||
619 | * DP = D mod (P - 1) |
||
620 | * DQ = D mod (Q - 1) |
||
621 | * QP = Q^-1 mod P |
||
622 | */ |
||
623 | MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, |
||
624 | &ctx->DP, &ctx->DQ, &ctx->QP ) ); |
||
625 | #endif /* MBEDTLS_RSA_NO_CRT */ |
||
626 | |||
627 | /* Double-check */ |
||
628 | MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) ); |
||
629 | |||
630 | cleanup: |
||
631 | |||
632 | mbedtls_mpi_free( &H ); |
||
633 | mbedtls_mpi_free( &G ); |
||
634 | mbedtls_mpi_free( &L ); |
||
635 | |||
636 | if( ret != 0 ) |
||
637 | { |
||
638 | mbedtls_rsa_free( ctx ); |
||
639 | return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret ); |
||
640 | } |
||
641 | |||
642 | return( 0 ); |
||
643 | } |
||
644 | |||
645 | #endif /* MBEDTLS_GENPRIME */ |
||
646 | |||
647 | /* |
||
648 | * Check a public RSA key |
||
649 | */ |
||
650 | int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ) |
||
651 | { |
||
652 | RSA_VALIDATE_RET( ctx != NULL ); |
||
653 | |||
654 | if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 ) |
||
655 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
656 | |||
657 | if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ) |
||
658 | { |
||
659 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
660 | } |
||
661 | |||
662 | if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 || |
||
663 | mbedtls_mpi_bitlen( &ctx->E ) < 2 || |
||
664 | mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 ) |
||
665 | { |
||
666 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
667 | } |
||
668 | |||
669 | return( 0 ); |
||
670 | } |
||
671 | |||
672 | /* |
||
673 | * Check for the consistency of all fields in an RSA private key context |
||
674 | */ |
||
675 | int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ) |
||
676 | { |
||
677 | RSA_VALIDATE_RET( ctx != NULL ); |
||
678 | |||
679 | if( mbedtls_rsa_check_pubkey( ctx ) != 0 || |
||
680 | rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 ) |
||
681 | { |
||
682 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
683 | } |
||
684 | |||
685 | if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q, |
||
686 | &ctx->D, &ctx->E, NULL, NULL ) != 0 ) |
||
687 | { |
||
688 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
689 | } |
||
690 | |||
691 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
692 | else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D, |
||
693 | &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 ) |
||
694 | { |
||
695 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
696 | } |
||
697 | #endif |
||
698 | |||
699 | return( 0 ); |
||
700 | } |
||
701 | |||
702 | /* |
||
703 | * Check if contexts holding a public and private key match |
||
704 | */ |
||
705 | int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, |
||
706 | const mbedtls_rsa_context *prv ) |
||
707 | { |
||
708 | RSA_VALIDATE_RET( pub != NULL ); |
||
709 | RSA_VALIDATE_RET( prv != NULL ); |
||
710 | |||
711 | if( mbedtls_rsa_check_pubkey( pub ) != 0 || |
||
712 | mbedtls_rsa_check_privkey( prv ) != 0 ) |
||
713 | { |
||
714 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
715 | } |
||
716 | |||
717 | if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 || |
||
718 | mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 ) |
||
719 | { |
||
720 | return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); |
||
721 | } |
||
722 | |||
723 | return( 0 ); |
||
724 | } |
||
725 | |||
726 | /* |
||
727 | * Do an RSA public key operation |
||
728 | */ |
||
729 | int mbedtls_rsa_public( mbedtls_rsa_context *ctx, |
||
730 | const unsigned char *input, |
||
731 | unsigned char *output ) |
||
732 | { |
||
733 | int ret; |
||
734 | size_t olen; |
||
735 | mbedtls_mpi T; |
||
736 | RSA_VALIDATE_RET( ctx != NULL ); |
||
737 | RSA_VALIDATE_RET( input != NULL ); |
||
738 | RSA_VALIDATE_RET( output != NULL ); |
||
739 | |||
740 | if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) ) |
||
741 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
742 | |||
743 | mbedtls_mpi_init( &T ); |
||
744 | |||
745 | #if defined(MBEDTLS_THREADING_C) |
||
746 | if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) |
||
747 | return( ret ); |
||
748 | #endif |
||
749 | |||
750 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); |
||
751 | |||
752 | if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) |
||
753 | { |
||
754 | ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; |
||
755 | goto cleanup; |
||
756 | } |
||
757 | |||
758 | olen = ctx->len; |
||
759 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); |
||
760 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); |
||
761 | |||
762 | cleanup: |
||
763 | #if defined(MBEDTLS_THREADING_C) |
||
764 | if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) |
||
765 | return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); |
||
766 | #endif |
||
767 | |||
768 | mbedtls_mpi_free( &T ); |
||
769 | |||
770 | if( ret != 0 ) |
||
771 | return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret ); |
||
772 | |||
773 | return( 0 ); |
||
774 | } |
||
775 | |||
776 | /* |
||
777 | * Generate or update blinding values, see section 10 of: |
||
778 | * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA, |
||
779 | * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer |
||
780 | * Berlin Heidelberg, 1996. p. 104-113. |
||
781 | */ |
||
782 | static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, |
||
783 | int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) |
||
784 | { |
||
785 | int ret, count = 0; |
||
786 | |||
787 | if( ctx->Vf.p != NULL ) |
||
788 | { |
||
789 | /* We already have blinding values, just update them by squaring */ |
||
790 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) ); |
||
791 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); |
||
792 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); |
||
793 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) ); |
||
794 | |||
795 | goto cleanup; |
||
796 | } |
||
797 | |||
798 | /* Unblinding value: Vf = random number, invertible mod N */ |
||
799 | do { |
||
800 | if( count++ > 10 ) |
||
801 | return( MBEDTLS_ERR_RSA_RNG_FAILED ); |
||
802 | |||
803 | MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); |
||
804 | MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) ); |
||
805 | } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 ); |
||
806 | |||
807 | /* Blinding value: Vi = Vf^(-e) mod N */ |
||
808 | MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) ); |
||
809 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); |
||
810 | |||
811 | |||
812 | cleanup: |
||
813 | return( ret ); |
||
814 | } |
||
815 | |||
816 | /* |
||
817 | * Exponent blinding supposed to prevent side-channel attacks using multiple |
||
818 | * traces of measurements to recover the RSA key. The more collisions are there, |
||
819 | * the more bits of the key can be recovered. See [3]. |
||
820 | * |
||
821 | * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) |
||
822 | * observations on avarage. |
||
823 | * |
||
824 | * For example with 28 byte blinding to achieve 2 collisions the adversary has |
||
825 | * to make 2^112 observations on avarage. |
||
826 | * |
||
827 | * (With the currently (as of 2017 April) known best algorithms breaking 2048 |
||
828 | * bit RSA requires approximately as much time as trying out 2^112 random keys. |
||
829 | * Thus in this sense with 28 byte blinding the security is not reduced by |
||
830 | * side-channel attacks like the one in [3]) |
||
831 | * |
||
832 | * This countermeasure does not help if the key recovery is possible with a |
||
833 | * single trace. |
||
834 | */ |
||
835 | #define RSA_EXPONENT_BLINDING 28 |
||
836 | |||
837 | /* |
||
838 | * Do an RSA private key operation |
||
839 | */ |
||
840 | int mbedtls_rsa_private( mbedtls_rsa_context *ctx, |
||
841 | int (*f_rng)(void *, unsigned char *, size_t), |
||
842 | void *p_rng, |
||
843 | const unsigned char *input, |
||
844 | unsigned char *output ) |
||
845 | { |
||
846 | int ret; |
||
847 | size_t olen; |
||
848 | |||
849 | /* Temporary holding the result */ |
||
850 | mbedtls_mpi T; |
||
851 | |||
852 | /* Temporaries holding P-1, Q-1 and the |
||
853 | * exponent blinding factor, respectively. */ |
||
854 | mbedtls_mpi P1, Q1, R; |
||
855 | |||
856 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
857 | /* Temporaries holding the results mod p resp. mod q. */ |
||
858 | mbedtls_mpi TP, TQ; |
||
859 | |||
860 | /* Temporaries holding the blinded exponents for |
||
861 | * the mod p resp. mod q computation (if used). */ |
||
862 | mbedtls_mpi DP_blind, DQ_blind; |
||
863 | |||
864 | /* Pointers to actual exponents to be used - either the unblinded |
||
865 | * or the blinded ones, depending on the presence of a PRNG. */ |
||
866 | mbedtls_mpi *DP = &ctx->DP; |
||
867 | mbedtls_mpi *DQ = &ctx->DQ; |
||
868 | #else |
||
869 | /* Temporary holding the blinded exponent (if used). */ |
||
870 | mbedtls_mpi D_blind; |
||
871 | |||
872 | /* Pointer to actual exponent to be used - either the unblinded |
||
873 | * or the blinded one, depending on the presence of a PRNG. */ |
||
874 | mbedtls_mpi *D = &ctx->D; |
||
875 | #endif /* MBEDTLS_RSA_NO_CRT */ |
||
876 | |||
877 | /* Temporaries holding the initial input and the double |
||
878 | * checked result; should be the same in the end. */ |
||
879 | mbedtls_mpi I, C; |
||
880 | |||
881 | RSA_VALIDATE_RET( ctx != NULL ); |
||
882 | RSA_VALIDATE_RET( input != NULL ); |
||
883 | RSA_VALIDATE_RET( output != NULL ); |
||
884 | |||
885 | if( rsa_check_context( ctx, 1 /* private key checks */, |
||
886 | f_rng != NULL /* blinding y/n */ ) != 0 ) |
||
887 | { |
||
888 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
889 | } |
||
890 | |||
891 | #if defined(MBEDTLS_THREADING_C) |
||
892 | if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) |
||
893 | return( ret ); |
||
894 | #endif |
||
895 | |||
896 | /* MPI Initialization */ |
||
897 | mbedtls_mpi_init( &T ); |
||
898 | |||
899 | mbedtls_mpi_init( &P1 ); |
||
900 | mbedtls_mpi_init( &Q1 ); |
||
901 | mbedtls_mpi_init( &R ); |
||
902 | |||
903 | if( f_rng != NULL ) |
||
904 | { |
||
905 | #if defined(MBEDTLS_RSA_NO_CRT) |
||
906 | mbedtls_mpi_init( &D_blind ); |
||
907 | #else |
||
908 | mbedtls_mpi_init( &DP_blind ); |
||
909 | mbedtls_mpi_init( &DQ_blind ); |
||
910 | #endif |
||
911 | } |
||
912 | |||
913 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
914 | mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ ); |
||
915 | #endif |
||
916 | |||
917 | mbedtls_mpi_init( &I ); |
||
918 | mbedtls_mpi_init( &C ); |
||
919 | |||
920 | /* End of MPI initialization */ |
||
921 | |||
922 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); |
||
923 | if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) |
||
924 | { |
||
925 | ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; |
||
926 | goto cleanup; |
||
927 | } |
||
928 | |||
929 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) ); |
||
930 | |||
931 | if( f_rng != NULL ) |
||
932 | { |
||
933 | /* |
||
934 | * Blinding |
||
935 | * T = T * Vi mod N |
||
936 | */ |
||
937 | MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); |
||
938 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); |
||
939 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); |
||
940 | |||
941 | /* |
||
942 | * Exponent blinding |
||
943 | */ |
||
944 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); |
||
945 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); |
||
946 | |||
947 | #if defined(MBEDTLS_RSA_NO_CRT) |
||
948 | /* |
||
949 | * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D |
||
950 | */ |
||
951 | MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, |
||
952 | f_rng, p_rng ) ); |
||
953 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) ); |
||
954 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) ); |
||
955 | MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); |
||
956 | |||
957 | D = &D_blind; |
||
958 | #else |
||
959 | /* |
||
960 | * DP_blind = ( P - 1 ) * R + DP |
||
961 | */ |
||
962 | MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, |
||
963 | f_rng, p_rng ) ); |
||
964 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) ); |
||
965 | MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind, |
||
966 | &ctx->DP ) ); |
||
967 | |||
968 | DP = &DP_blind; |
||
969 | |||
970 | /* |
||
971 | * DQ_blind = ( Q - 1 ) * R + DQ |
||
972 | */ |
||
973 | MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, |
||
974 | f_rng, p_rng ) ); |
||
975 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) ); |
||
976 | MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind, |
||
977 | &ctx->DQ ) ); |
||
978 | |||
979 | DQ = &DQ_blind; |
||
980 | #endif /* MBEDTLS_RSA_NO_CRT */ |
||
981 | } |
||
982 | |||
983 | #if defined(MBEDTLS_RSA_NO_CRT) |
||
984 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) ); |
||
985 | #else |
||
986 | /* |
||
987 | * Faster decryption using the CRT |
||
988 | * |
||
989 | * TP = input ^ dP mod P |
||
990 | * TQ = input ^ dQ mod Q |
||
991 | */ |
||
992 | |||
993 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) ); |
||
994 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) ); |
||
995 | |||
996 | /* |
||
997 | * T = (TP - TQ) * (Q^-1 mod P) mod P |
||
998 | */ |
||
999 | MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) ); |
||
1000 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) ); |
||
1001 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) ); |
||
1002 | |||
1003 | /* |
||
1004 | * T = TQ + T * Q |
||
1005 | */ |
||
1006 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) ); |
||
1007 | MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) ); |
||
1008 | #endif /* MBEDTLS_RSA_NO_CRT */ |
||
1009 | |||
1010 | if( f_rng != NULL ) |
||
1011 | { |
||
1012 | /* |
||
1013 | * Unblind |
||
1014 | * T = T * Vf mod N |
||
1015 | */ |
||
1016 | MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); |
||
1017 | MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); |
||
1018 | } |
||
1019 | |||
1020 | /* Verify the result to prevent glitching attacks. */ |
||
1021 | MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, |
||
1022 | &ctx->N, &ctx->RN ) ); |
||
1023 | if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 ) |
||
1024 | { |
||
1025 | ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; |
||
1026 | goto cleanup; |
||
1027 | } |
||
1028 | |||
1029 | olen = ctx->len; |
||
1030 | MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); |
||
1031 | |||
1032 | cleanup: |
||
1033 | #if defined(MBEDTLS_THREADING_C) |
||
1034 | if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) |
||
1035 | return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); |
||
1036 | #endif |
||
1037 | |||
1038 | mbedtls_mpi_free( &P1 ); |
||
1039 | mbedtls_mpi_free( &Q1 ); |
||
1040 | mbedtls_mpi_free( &R ); |
||
1041 | |||
1042 | if( f_rng != NULL ) |
||
1043 | { |
||
1044 | #if defined(MBEDTLS_RSA_NO_CRT) |
||
1045 | mbedtls_mpi_free( &D_blind ); |
||
1046 | #else |
||
1047 | mbedtls_mpi_free( &DP_blind ); |
||
1048 | mbedtls_mpi_free( &DQ_blind ); |
||
1049 | #endif |
||
1050 | } |
||
1051 | |||
1052 | mbedtls_mpi_free( &T ); |
||
1053 | |||
1054 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
1055 | mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ ); |
||
1056 | #endif |
||
1057 | |||
1058 | mbedtls_mpi_free( &C ); |
||
1059 | mbedtls_mpi_free( &I ); |
||
1060 | |||
1061 | if( ret != 0 ) |
||
1062 | return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); |
||
1063 | |||
1064 | return( 0 ); |
||
1065 | } |
||
1066 | |||
1067 | #if defined(MBEDTLS_PKCS1_V21) |
||
1068 | /** |
||
1069 | * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer. |
||
1070 | * |
||
1071 | * \param dst buffer to mask |
||
1072 | * \param dlen length of destination buffer |
||
1073 | * \param src source of the mask generation |
||
1074 | * \param slen length of the source buffer |
||
1075 | * \param md_ctx message digest context to use |
||
1076 | */ |
||
1077 | static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, |
||
1078 | size_t slen, mbedtls_md_context_t *md_ctx ) |
||
1079 | { |
||
1080 | unsigned char mask[MBEDTLS_MD_MAX_SIZE]; |
||
1081 | unsigned char counter[4]; |
||
1082 | unsigned char *p; |
||
1083 | unsigned int hlen; |
||
1084 | size_t i, use_len; |
||
1085 | int ret = 0; |
||
1086 | |||
1087 | memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); |
||
1088 | memset( counter, 0, 4 ); |
||
1089 | |||
1090 | hlen = mbedtls_md_get_size( md_ctx->md_info ); |
||
1091 | |||
1092 | /* Generate and apply dbMask */ |
||
1093 | p = dst; |
||
1094 | |||
1095 | while( dlen > 0 ) |
||
1096 | { |
||
1097 | use_len = hlen; |
||
1098 | if( dlen < hlen ) |
||
1099 | use_len = dlen; |
||
1100 | |||
1101 | if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 ) |
||
1102 | goto exit; |
||
1103 | if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 ) |
||
1104 | goto exit; |
||
1105 | if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 ) |
||
1106 | goto exit; |
||
1107 | if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 ) |
||
1108 | goto exit; |
||
1109 | |||
1110 | for( i = 0; i < use_len; ++i ) |
||
1111 | *p++ ^= mask[i]; |
||
1112 | |||
1113 | counter[3]++; |
||
1114 | |||
1115 | dlen -= use_len; |
||
1116 | } |
||
1117 | |||
1118 | exit: |
||
1119 | mbedtls_platform_zeroize( mask, sizeof( mask ) ); |
||
1120 | |||
1121 | return( ret ); |
||
1122 | } |
||
1123 | #endif /* MBEDTLS_PKCS1_V21 */ |
||
1124 | |||
1125 | #if defined(MBEDTLS_PKCS1_V21) |
||
1126 | /* |
||
1127 | * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function |
||
1128 | */ |
||
1129 | int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, |
||
1130 | int (*f_rng)(void *, unsigned char *, size_t), |
||
1131 | void *p_rng, |
||
1132 | int mode, |
||
1133 | const unsigned char *label, size_t label_len, |
||
1134 | size_t ilen, |
||
1135 | const unsigned char *input, |
||
1136 | unsigned char *output ) |
||
1137 | { |
||
1138 | size_t olen; |
||
1139 | int ret; |
||
1140 | unsigned char *p = output; |
||
1141 | unsigned int hlen; |
||
1142 | const mbedtls_md_info_t *md_info; |
||
1143 | mbedtls_md_context_t md_ctx; |
||
1144 | |||
1145 | RSA_VALIDATE_RET( ctx != NULL ); |
||
1146 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
1147 | mode == MBEDTLS_RSA_PUBLIC ); |
||
1148 | RSA_VALIDATE_RET( output != NULL ); |
||
1149 | RSA_VALIDATE_RET( input != NULL ); |
||
1150 | RSA_VALIDATE_RET( label_len == 0 || label != NULL ); |
||
1151 | |||
1152 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) |
||
1153 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1154 | |||
1155 | if( f_rng == NULL ) |
||
1156 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1157 | |||
1158 | md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); |
||
1159 | if( md_info == NULL ) |
||
1160 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1161 | |||
1162 | olen = ctx->len; |
||
1163 | hlen = mbedtls_md_get_size( md_info ); |
||
1164 | |||
1165 | /* first comparison checks for overflow */ |
||
1166 | if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 ) |
||
1167 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1168 | |||
1169 | memset( output, 0, olen ); |
||
1170 | |||
1171 | *p++ = 0; |
||
1172 | |||
1173 | /* Generate a random octet string seed */ |
||
1174 | if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 ) |
||
1175 | return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); |
||
1176 | |||
1177 | p += hlen; |
||
1178 | |||
1179 | /* Construct DB */ |
||
1180 | if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 ) |
||
1181 | return( ret ); |
||
1182 | p += hlen; |
||
1183 | p += olen - 2 * hlen - 2 - ilen; |
||
1184 | *p++ = 1; |
||
1185 | memcpy( p, input, ilen ); |
||
1186 | |||
1187 | mbedtls_md_init( &md_ctx ); |
||
1188 | if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) |
||
1189 | goto exit; |
||
1190 | |||
1191 | /* maskedDB: Apply dbMask to DB */ |
||
1192 | if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, |
||
1193 | &md_ctx ) ) != 0 ) |
||
1194 | goto exit; |
||
1195 | |||
1196 | /* maskedSeed: Apply seedMask to seed */ |
||
1197 | if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, |
||
1198 | &md_ctx ) ) != 0 ) |
||
1199 | goto exit; |
||
1200 | |||
1201 | exit: |
||
1202 | mbedtls_md_free( &md_ctx ); |
||
1203 | |||
1204 | if( ret != 0 ) |
||
1205 | return( ret ); |
||
1206 | |||
1207 | return( ( mode == MBEDTLS_RSA_PUBLIC ) |
||
1208 | ? mbedtls_rsa_public( ctx, output, output ) |
||
1209 | : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); |
||
1210 | } |
||
1211 | #endif /* MBEDTLS_PKCS1_V21 */ |
||
1212 | |||
1213 | #if defined(MBEDTLS_PKCS1_V15) |
||
1214 | /* |
||
1215 | * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function |
||
1216 | */ |
||
1217 | int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, |
||
1218 | int (*f_rng)(void *, unsigned char *, size_t), |
||
1219 | void *p_rng, |
||
1220 | int mode, size_t ilen, |
||
1221 | const unsigned char *input, |
||
1222 | unsigned char *output ) |
||
1223 | { |
||
1224 | size_t nb_pad, olen; |
||
1225 | int ret; |
||
1226 | unsigned char *p = output; |
||
1227 | |||
1228 | RSA_VALIDATE_RET( ctx != NULL ); |
||
1229 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
1230 | mode == MBEDTLS_RSA_PUBLIC ); |
||
1231 | RSA_VALIDATE_RET( output != NULL ); |
||
1232 | RSA_VALIDATE_RET( input != NULL ); |
||
1233 | |||
1234 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) |
||
1235 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1236 | |||
1237 | olen = ctx->len; |
||
1238 | |||
1239 | /* first comparison checks for overflow */ |
||
1240 | if( ilen + 11 < ilen || olen < ilen + 11 ) |
||
1241 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1242 | |||
1243 | nb_pad = olen - 3 - ilen; |
||
1244 | |||
1245 | *p++ = 0; |
||
1246 | if( mode == MBEDTLS_RSA_PUBLIC ) |
||
1247 | { |
||
1248 | if( f_rng == NULL ) |
||
1249 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1250 | |||
1251 | *p++ = MBEDTLS_RSA_CRYPT; |
||
1252 | |||
1253 | while( nb_pad-- > 0 ) |
||
1254 | { |
||
1255 | int rng_dl = 100; |
||
1256 | |||
1257 | do { |
||
1258 | ret = f_rng( p_rng, p, 1 ); |
||
1259 | } while( *p == 0 && --rng_dl && ret == 0 ); |
||
1260 | |||
1261 | /* Check if RNG failed to generate data */ |
||
1262 | if( rng_dl == 0 || ret != 0 ) |
||
1263 | return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); |
||
1264 | |||
1265 | p++; |
||
1266 | } |
||
1267 | } |
||
1268 | else |
||
1269 | { |
||
1270 | *p++ = MBEDTLS_RSA_SIGN; |
||
1271 | |||
1272 | while( nb_pad-- > 0 ) |
||
1273 | *p++ = 0xFF; |
||
1274 | } |
||
1275 | |||
1276 | *p++ = 0; |
||
1277 | memcpy( p, input, ilen ); |
||
1278 | |||
1279 | return( ( mode == MBEDTLS_RSA_PUBLIC ) |
||
1280 | ? mbedtls_rsa_public( ctx, output, output ) |
||
1281 | : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); |
||
1282 | } |
||
1283 | #endif /* MBEDTLS_PKCS1_V15 */ |
||
1284 | |||
1285 | /* |
||
1286 | * Add the message padding, then do an RSA operation |
||
1287 | */ |
||
1288 | int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, |
||
1289 | int (*f_rng)(void *, unsigned char *, size_t), |
||
1290 | void *p_rng, |
||
1291 | int mode, size_t ilen, |
||
1292 | const unsigned char *input, |
||
1293 | unsigned char *output ) |
||
1294 | { |
||
1295 | RSA_VALIDATE_RET( ctx != NULL ); |
||
1296 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
1297 | mode == MBEDTLS_RSA_PUBLIC ); |
||
1298 | RSA_VALIDATE_RET( output != NULL ); |
||
1299 | RSA_VALIDATE_RET( input != NULL ); |
||
1300 | |||
1301 | switch( ctx->padding ) |
||
1302 | { |
||
1303 | #if defined(MBEDTLS_PKCS1_V15) |
||
1304 | case MBEDTLS_RSA_PKCS_V15: |
||
1305 | return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, |
||
1306 | input, output ); |
||
1307 | #endif |
||
1308 | |||
1309 | #if defined(MBEDTLS_PKCS1_V21) |
||
1310 | case MBEDTLS_RSA_PKCS_V21: |
||
1311 | return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, |
||
1312 | ilen, input, output ); |
||
1313 | #endif |
||
1314 | |||
1315 | default: |
||
1316 | return( MBEDTLS_ERR_RSA_INVALID_PADDING ); |
||
1317 | } |
||
1318 | } |
||
1319 | |||
1320 | #if defined(MBEDTLS_PKCS1_V21) |
||
1321 | /* |
||
1322 | * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function |
||
1323 | */ |
||
1324 | int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, |
||
1325 | int (*f_rng)(void *, unsigned char *, size_t), |
||
1326 | void *p_rng, |
||
1327 | int mode, |
||
1328 | const unsigned char *label, size_t label_len, |
||
1329 | size_t *olen, |
||
1330 | const unsigned char *input, |
||
1331 | unsigned char *output, |
||
1332 | size_t output_max_len ) |
||
1333 | { |
||
1334 | int ret; |
||
1335 | size_t ilen, i, pad_len; |
||
1336 | unsigned char *p, bad, pad_done; |
||
1337 | unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; |
||
1338 | unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; |
||
1339 | unsigned int hlen; |
||
1340 | const mbedtls_md_info_t *md_info; |
||
1341 | mbedtls_md_context_t md_ctx; |
||
1342 | |||
1343 | RSA_VALIDATE_RET( ctx != NULL ); |
||
1344 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
1345 | mode == MBEDTLS_RSA_PUBLIC ); |
||
1346 | RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); |
||
1347 | RSA_VALIDATE_RET( label_len == 0 || label != NULL ); |
||
1348 | RSA_VALIDATE_RET( input != NULL ); |
||
1349 | RSA_VALIDATE_RET( olen != NULL ); |
||
1350 | |||
1351 | /* |
||
1352 | * Parameters sanity checks |
||
1353 | */ |
||
1354 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) |
||
1355 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1356 | |||
1357 | ilen = ctx->len; |
||
1358 | |||
1359 | if( ilen < 16 || ilen > sizeof( buf ) ) |
||
1360 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1361 | |||
1362 | md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); |
||
1363 | if( md_info == NULL ) |
||
1364 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1365 | |||
1366 | hlen = mbedtls_md_get_size( md_info ); |
||
1367 | |||
1368 | // checking for integer underflow |
||
1369 | if( 2 * hlen + 2 > ilen ) |
||
1370 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1371 | |||
1372 | /* |
||
1373 | * RSA operation |
||
1374 | */ |
||
1375 | ret = ( mode == MBEDTLS_RSA_PUBLIC ) |
||
1376 | ? mbedtls_rsa_public( ctx, input, buf ) |
||
1377 | : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); |
||
1378 | |||
1379 | if( ret != 0 ) |
||
1380 | goto cleanup; |
||
1381 | |||
1382 | /* |
||
1383 | * Unmask data and generate lHash |
||
1384 | */ |
||
1385 | mbedtls_md_init( &md_ctx ); |
||
1386 | if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) |
||
1387 | { |
||
1388 | mbedtls_md_free( &md_ctx ); |
||
1389 | goto cleanup; |
||
1390 | } |
||
1391 | |||
1392 | /* seed: Apply seedMask to maskedSeed */ |
||
1393 | if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, |
||
1394 | &md_ctx ) ) != 0 || |
||
1395 | /* DB: Apply dbMask to maskedDB */ |
||
1396 | ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, |
||
1397 | &md_ctx ) ) != 0 ) |
||
1398 | { |
||
1399 | mbedtls_md_free( &md_ctx ); |
||
1400 | goto cleanup; |
||
1401 | } |
||
1402 | |||
1403 | mbedtls_md_free( &md_ctx ); |
||
1404 | |||
1405 | /* Generate lHash */ |
||
1406 | if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 ) |
||
1407 | goto cleanup; |
||
1408 | |||
1409 | /* |
||
1410 | * Check contents, in "constant-time" |
||
1411 | */ |
||
1412 | p = buf; |
||
1413 | bad = 0; |
||
1414 | |||
1415 | bad |= *p++; /* First byte must be 0 */ |
||
1416 | |||
1417 | p += hlen; /* Skip seed */ |
||
1418 | |||
1419 | /* Check lHash */ |
||
1420 | for( i = 0; i < hlen; i++ ) |
||
1421 | bad |= lhash[i] ^ *p++; |
||
1422 | |||
1423 | /* Get zero-padding len, but always read till end of buffer |
||
1424 | * (minus one, for the 01 byte) */ |
||
1425 | pad_len = 0; |
||
1426 | pad_done = 0; |
||
1427 | for( i = 0; i < ilen - 2 * hlen - 2; i++ ) |
||
1428 | { |
||
1429 | pad_done |= p[i]; |
||
1430 | pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; |
||
1431 | } |
||
1432 | |||
1433 | p += pad_len; |
||
1434 | bad |= *p++ ^ 0x01; |
||
1435 | |||
1436 | /* |
||
1437 | * The only information "leaked" is whether the padding was correct or not |
||
1438 | * (eg, no data is copied if it was not correct). This meets the |
||
1439 | * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between |
||
1440 | * the different error conditions. |
||
1441 | */ |
||
1442 | if( bad != 0 ) |
||
1443 | { |
||
1444 | ret = MBEDTLS_ERR_RSA_INVALID_PADDING; |
||
1445 | goto cleanup; |
||
1446 | } |
||
1447 | |||
1448 | if( ilen - ( p - buf ) > output_max_len ) |
||
1449 | { |
||
1450 | ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; |
||
1451 | goto cleanup; |
||
1452 | } |
||
1453 | |||
1454 | *olen = ilen - (p - buf); |
||
1455 | memcpy( output, p, *olen ); |
||
1456 | ret = 0; |
||
1457 | |||
1458 | cleanup: |
||
1459 | mbedtls_platform_zeroize( buf, sizeof( buf ) ); |
||
1460 | mbedtls_platform_zeroize( lhash, sizeof( lhash ) ); |
||
1461 | |||
1462 | return( ret ); |
||
1463 | } |
||
1464 | #endif /* MBEDTLS_PKCS1_V21 */ |
||
1465 | |||
1466 | #if defined(MBEDTLS_PKCS1_V15) |
||
1467 | /** Turn zero-or-nonzero into zero-or-all-bits-one, without branches. |
||
1468 | * |
||
1469 | * \param value The value to analyze. |
||
1470 | * \return Zero if \p value is zero, otherwise all-bits-one. |
||
1471 | */ |
||
1472 | static unsigned all_or_nothing_int( unsigned value ) |
||
1473 | { |
||
1474 | /* MSVC has a warning about unary minus on unsigned, but this is |
||
1475 | * well-defined and precisely what we want to do here */ |
||
1476 | #if defined(_MSC_VER) |
||
1477 | #pragma warning( push ) |
||
1478 | #pragma warning( disable : 4146 ) |
||
1479 | #endif |
||
1480 | return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); |
||
1481 | #if defined(_MSC_VER) |
||
1482 | #pragma warning( pop ) |
||
1483 | #endif |
||
1484 | } |
||
1485 | |||
1486 | /** Check whether a size is out of bounds, without branches. |
||
1487 | * |
||
1488 | * This is equivalent to `size > max`, but is likely to be compiled to |
||
1489 | * to code using bitwise operation rather than a branch. |
||
1490 | * |
||
1491 | * \param size Size to check. |
||
1492 | * \param max Maximum desired value for \p size. |
||
1493 | * \return \c 0 if `size <= max`. |
||
1494 | * \return \c 1 if `size > max`. |
||
1495 | */ |
||
1496 | static unsigned size_greater_than( size_t size, size_t max ) |
||
1497 | { |
||
1498 | /* Return the sign bit (1 for negative) of (max - size). */ |
||
1499 | return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) ); |
||
1500 | } |
||
1501 | |||
1502 | /** Choose between two integer values, without branches. |
||
1503 | * |
||
1504 | * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled |
||
1505 | * to code using bitwise operation rather than a branch. |
||
1506 | * |
||
1507 | * \param cond Condition to test. |
||
1508 | * \param if1 Value to use if \p cond is nonzero. |
||
1509 | * \param if0 Value to use if \p cond is zero. |
||
1510 | * \return \c if1 if \p cond is nonzero, otherwise \c if0. |
||
1511 | */ |
||
1512 | static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 ) |
||
1513 | { |
||
1514 | unsigned mask = all_or_nothing_int( cond ); |
||
1515 | return( ( mask & if1 ) | (~mask & if0 ) ); |
||
1516 | } |
||
1517 | |||
1518 | /** Shift some data towards the left inside a buffer without leaking |
||
1519 | * the length of the data through side channels. |
||
1520 | * |
||
1521 | * `mem_move_to_left(start, total, offset)` is functionally equivalent to |
||
1522 | * ``` |
||
1523 | * memmove(start, start + offset, total - offset); |
||
1524 | * memset(start + offset, 0, total - offset); |
||
1525 | * ``` |
||
1526 | * but it strives to use a memory access pattern (and thus total timing) |
||
1527 | * that does not depend on \p offset. This timing independence comes at |
||
1528 | * the expense of performance. |
||
1529 | * |
||
1530 | * \param start Pointer to the start of the buffer. |
||
1531 | * \param total Total size of the buffer. |
||
1532 | * \param offset Offset from which to copy \p total - \p offset bytes. |
||
1533 | */ |
||
1534 | static void mem_move_to_left( void *start, |
||
1535 | size_t total, |
||
1536 | size_t offset ) |
||
1537 | { |
||
1538 | volatile unsigned char *buf = start; |
||
1539 | size_t i, n; |
||
1540 | if( total == 0 ) |
||
1541 | return; |
||
1542 | for( i = 0; i < total; i++ ) |
||
1543 | { |
||
1544 | unsigned no_op = size_greater_than( total - offset, i ); |
||
1545 | /* The first `total - offset` passes are a no-op. The last |
||
1546 | * `offset` passes shift the data one byte to the left and |
||
1547 | * zero out the last byte. */ |
||
1548 | for( n = 0; n < total - 1; n++ ) |
||
1549 | { |
||
1550 | unsigned char current = buf[n]; |
||
1551 | unsigned char next = buf[n+1]; |
||
1552 | buf[n] = if_int( no_op, current, next ); |
||
1553 | } |
||
1554 | buf[total-1] = if_int( no_op, buf[total-1], 0 ); |
||
1555 | } |
||
1556 | } |
||
1557 | |||
1558 | /* |
||
1559 | * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function |
||
1560 | */ |
||
1561 | int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, |
||
1562 | int (*f_rng)(void *, unsigned char *, size_t), |
||
1563 | void *p_rng, |
||
1564 | int mode, size_t *olen, |
||
1565 | const unsigned char *input, |
||
1566 | unsigned char *output, |
||
1567 | size_t output_max_len ) |
||
1568 | { |
||
1569 | int ret; |
||
1570 | size_t ilen, i, plaintext_max_size; |
||
1571 | unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; |
||
1572 | /* The following variables take sensitive values: their value must |
||
1573 | * not leak into the observable behavior of the function other than |
||
1574 | * the designated outputs (output, olen, return value). Otherwise |
||
1575 | * this would open the execution of the function to |
||
1576 | * side-channel-based variants of the Bleichenbacher padding oracle |
||
1577 | * attack. Potential side channels include overall timing, memory |
||
1578 | * access patterns (especially visible to an adversary who has access |
||
1579 | * to a shared memory cache), and branches (especially visible to |
||
1580 | * an adversary who has access to a shared code cache or to a shared |
||
1581 | * branch predictor). */ |
||
1582 | size_t pad_count = 0; |
||
1583 | unsigned bad = 0; |
||
1584 | unsigned char pad_done = 0; |
||
1585 | size_t plaintext_size = 0; |
||
1586 | unsigned output_too_large; |
||
1587 | |||
1588 | RSA_VALIDATE_RET( ctx != NULL ); |
||
1589 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
1590 | mode == MBEDTLS_RSA_PUBLIC ); |
||
1591 | RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); |
||
1592 | RSA_VALIDATE_RET( input != NULL ); |
||
1593 | RSA_VALIDATE_RET( olen != NULL ); |
||
1594 | |||
1595 | ilen = ctx->len; |
||
1596 | plaintext_max_size = ( output_max_len > ilen - 11 ? |
||
1597 | ilen - 11 : |
||
1598 | output_max_len ); |
||
1599 | |||
1600 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) |
||
1601 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1602 | |||
1603 | if( ilen < 16 || ilen > sizeof( buf ) ) |
||
1604 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1605 | |||
1606 | ret = ( mode == MBEDTLS_RSA_PUBLIC ) |
||
1607 | ? mbedtls_rsa_public( ctx, input, buf ) |
||
1608 | : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); |
||
1609 | |||
1610 | if( ret != 0 ) |
||
1611 | goto cleanup; |
||
1612 | |||
1613 | /* Check and get padding length in constant time and constant |
||
1614 | * memory trace. The first byte must be 0. */ |
||
1615 | bad |= buf[0]; |
||
1616 | |||
1617 | if( mode == MBEDTLS_RSA_PRIVATE ) |
||
1618 | { |
||
1619 | /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 |
||
1620 | * where PS must be at least 8 nonzero bytes. */ |
||
1621 | bad |= buf[1] ^ MBEDTLS_RSA_CRYPT; |
||
1622 | |||
1623 | /* Read the whole buffer. Set pad_done to nonzero if we find |
||
1624 | * the 0x00 byte and remember the padding length in pad_count. */ |
||
1625 | for( i = 2; i < ilen; i++ ) |
||
1626 | { |
||
1627 | pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1; |
||
1628 | pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; |
||
1629 | } |
||
1630 | } |
||
1631 | else |
||
1632 | { |
||
1633 | /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00 |
||
1634 | * where PS must be at least 8 bytes with the value 0xFF. */ |
||
1635 | bad |= buf[1] ^ MBEDTLS_RSA_SIGN; |
||
1636 | |||
1637 | /* Read the whole buffer. Set pad_done to nonzero if we find |
||
1638 | * the 0x00 byte and remember the padding length in pad_count. |
||
1639 | * If there's a non-0xff byte in the padding, the padding is bad. */ |
||
1640 | for( i = 2; i < ilen; i++ ) |
||
1641 | { |
||
1642 | pad_done |= if_int( buf[i], 0, 1 ); |
||
1643 | pad_count += if_int( pad_done, 0, 1 ); |
||
1644 | bad |= if_int( pad_done, 0, buf[i] ^ 0xFF ); |
||
1645 | } |
||
1646 | } |
||
1647 | |||
1648 | /* If pad_done is still zero, there's no data, only unfinished padding. */ |
||
1649 | bad |= if_int( pad_done, 0, 1 ); |
||
1650 | |||
1651 | /* There must be at least 8 bytes of padding. */ |
||
1652 | bad |= size_greater_than( 8, pad_count ); |
||
1653 | |||
1654 | /* If the padding is valid, set plaintext_size to the number of |
||
1655 | * remaining bytes after stripping the padding. If the padding |
||
1656 | * is invalid, avoid leaking this fact through the size of the |
||
1657 | * output: use the maximum message size that fits in the output |
||
1658 | * buffer. Do it without branches to avoid leaking the padding |
||
1659 | * validity through timing. RSA keys are small enough that all the |
||
1660 | * size_t values involved fit in unsigned int. */ |
||
1661 | plaintext_size = if_int( bad, |
||
1662 | (unsigned) plaintext_max_size, |
||
1663 | (unsigned) ( ilen - pad_count - 3 ) ); |
||
1664 | |||
1665 | /* Set output_too_large to 0 if the plaintext fits in the output |
||
1666 | * buffer and to 1 otherwise. */ |
||
1667 | output_too_large = size_greater_than( plaintext_size, |
||
1668 | plaintext_max_size ); |
||
1669 | |||
1670 | /* Set ret without branches to avoid timing attacks. Return: |
||
1671 | * - INVALID_PADDING if the padding is bad (bad != 0). |
||
1672 | * - OUTPUT_TOO_LARGE if the padding is good but the decrypted |
||
1673 | * plaintext does not fit in the output buffer. |
||
1674 | * - 0 if the padding is correct. */ |
||
1675 | ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, |
||
1676 | if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, |
||
1677 | |||
1678 | |||
1679 | /* If the padding is bad or the plaintext is too large, zero the |
||
1680 | * data that we're about to copy to the output buffer. |
||
1681 | * We need to copy the same amount of data |
||
1682 | * from the same buffer whether the padding is good or not to |
||
1683 | * avoid leaking the padding validity through overall timing or |
||
1684 | * through memory or cache access patterns. */ |
||
1685 | bad = all_or_nothing_int( bad | output_too_large ); |
||
1686 | for( i = 11; i < ilen; i++ ) |
||
1687 | buf[i] &= ~bad; |
||
1688 | |||
1689 | /* If the plaintext is too large, truncate it to the buffer size. |
||
1690 | * Copy anyway to avoid revealing the length through timing, because |
||
1691 | * revealing the length is as bad as revealing the padding validity |
||
1692 | * for a Bleichenbacher attack. */ |
||
1693 | plaintext_size = if_int( output_too_large, |
||
1694 | (unsigned) plaintext_max_size, |
||
1695 | (unsigned) plaintext_size ); |
||
1696 | |||
1697 | /* Move the plaintext to the leftmost position where it can start in |
||
1698 | * the working buffer, i.e. make it start plaintext_max_size from |
||
1699 | * the end of the buffer. Do this with a memory access trace that |
||
1700 | * does not depend on the plaintext size. After this move, the |
||
1701 | * starting location of the plaintext is no longer sensitive |
||
1702 | * information. */ |
||
1703 | mem_move_to_left( buf + ilen - plaintext_max_size, |
||
1704 | plaintext_max_size, |
||
1705 | plaintext_max_size - plaintext_size ); |
||
1706 | |||
1707 | /* Finally copy the decrypted plaintext plus trailing zeros |
||
1708 | * into the output buffer. */ |
||
1709 | memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size ); |
||
1710 | |||
1711 | /* Report the amount of data we copied to the output buffer. In case |
||
1712 | * of errors (bad padding or output too large), the value of *olen |
||
1713 | * when this function returns is not specified. Making it equivalent |
||
1714 | * to the good case limits the risks of leaking the padding validity. */ |
||
1715 | *olen = plaintext_size; |
||
1716 | |||
1717 | cleanup: |
||
1718 | mbedtls_platform_zeroize( buf, sizeof( buf ) ); |
||
1719 | |||
1720 | return( ret ); |
||
1721 | } |
||
1722 | #endif /* MBEDTLS_PKCS1_V15 */ |
||
1723 | |||
1724 | /* |
||
1725 | * Do an RSA operation, then remove the message padding |
||
1726 | */ |
||
1727 | int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, |
||
1728 | int (*f_rng)(void *, unsigned char *, size_t), |
||
1729 | void *p_rng, |
||
1730 | int mode, size_t *olen, |
||
1731 | const unsigned char *input, |
||
1732 | unsigned char *output, |
||
1733 | size_t output_max_len) |
||
1734 | { |
||
1735 | RSA_VALIDATE_RET( ctx != NULL ); |
||
1736 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
1737 | mode == MBEDTLS_RSA_PUBLIC ); |
||
1738 | RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); |
||
1739 | RSA_VALIDATE_RET( input != NULL ); |
||
1740 | RSA_VALIDATE_RET( olen != NULL ); |
||
1741 | |||
1742 | switch( ctx->padding ) |
||
1743 | { |
||
1744 | #if defined(MBEDTLS_PKCS1_V15) |
||
1745 | case MBEDTLS_RSA_PKCS_V15: |
||
1746 | return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen, |
||
1747 | input, output, output_max_len ); |
||
1748 | #endif |
||
1749 | |||
1750 | #if defined(MBEDTLS_PKCS1_V21) |
||
1751 | case MBEDTLS_RSA_PKCS_V21: |
||
1752 | return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0, |
||
1753 | olen, input, output, |
||
1754 | output_max_len ); |
||
1755 | #endif |
||
1756 | |||
1757 | default: |
||
1758 | return( MBEDTLS_ERR_RSA_INVALID_PADDING ); |
||
1759 | } |
||
1760 | } |
||
1761 | |||
1762 | #if defined(MBEDTLS_PKCS1_V21) |
||
1763 | /* |
||
1764 | * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function |
||
1765 | */ |
||
1766 | int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, |
||
1767 | int (*f_rng)(void *, unsigned char *, size_t), |
||
1768 | void *p_rng, |
||
1769 | int mode, |
||
1770 | mbedtls_md_type_t md_alg, |
||
1771 | unsigned int hashlen, |
||
1772 | const unsigned char *hash, |
||
1773 | unsigned char *sig ) |
||
1774 | { |
||
1775 | size_t olen; |
||
1776 | unsigned char *p = sig; |
||
1777 | unsigned char salt[MBEDTLS_MD_MAX_SIZE]; |
||
1778 | size_t slen, min_slen, hlen, offset = 0; |
||
1779 | int ret; |
||
1780 | size_t msb; |
||
1781 | const mbedtls_md_info_t *md_info; |
||
1782 | mbedtls_md_context_t md_ctx; |
||
1783 | RSA_VALIDATE_RET( ctx != NULL ); |
||
1784 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
1785 | mode == MBEDTLS_RSA_PUBLIC ); |
||
1786 | RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && |
||
1787 | hashlen == 0 ) || |
||
1788 | hash != NULL ); |
||
1789 | RSA_VALIDATE_RET( sig != NULL ); |
||
1790 | |||
1791 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) |
||
1792 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1793 | |||
1794 | if( f_rng == NULL ) |
||
1795 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1796 | |||
1797 | olen = ctx->len; |
||
1798 | |||
1799 | if( md_alg != MBEDTLS_MD_NONE ) |
||
1800 | { |
||
1801 | /* Gather length of hash to sign */ |
||
1802 | md_info = mbedtls_md_info_from_type( md_alg ); |
||
1803 | if( md_info == NULL ) |
||
1804 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1805 | |||
1806 | hashlen = mbedtls_md_get_size( md_info ); |
||
1807 | } |
||
1808 | |||
1809 | md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); |
||
1810 | if( md_info == NULL ) |
||
1811 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1812 | |||
1813 | hlen = mbedtls_md_get_size( md_info ); |
||
1814 | |||
1815 | /* Calculate the largest possible salt length. Normally this is the hash |
||
1816 | * length, which is the maximum length the salt can have. If there is not |
||
1817 | * enough room, use the maximum salt length that fits. The constraint is |
||
1818 | * that the hash length plus the salt length plus 2 bytes must be at most |
||
1819 | * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017 |
||
1820 | * (PKCS#1 v2.2) §9.1.1 step 3. */ |
||
1821 | min_slen = hlen - 2; |
||
1822 | if( olen < hlen + min_slen + 2 ) |
||
1823 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1824 | else if( olen >= hlen + hlen + 2 ) |
||
1825 | slen = hlen; |
||
1826 | else |
||
1827 | slen = olen - hlen - 2; |
||
1828 | |||
1829 | memset( sig, 0, olen ); |
||
1830 | |||
1831 | /* Generate salt of length slen */ |
||
1832 | if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 ) |
||
1833 | return( MBEDTLS_ERR_RSA_RNG_FAILED + ret ); |
||
1834 | |||
1835 | /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ |
||
1836 | msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; |
||
1837 | p += olen - hlen - slen - 2; |
||
1838 | *p++ = 0x01; |
||
1839 | memcpy( p, salt, slen ); |
||
1840 | p += slen; |
||
1841 | |||
1842 | mbedtls_md_init( &md_ctx ); |
||
1843 | if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) |
||
1844 | goto exit; |
||
1845 | |||
1846 | /* Generate H = Hash( M' ) */ |
||
1847 | if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) |
||
1848 | goto exit; |
||
1849 | if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 ) |
||
1850 | goto exit; |
||
1851 | if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) |
||
1852 | goto exit; |
||
1853 | if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) |
||
1854 | goto exit; |
||
1855 | if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 ) |
||
1856 | goto exit; |
||
1857 | |||
1858 | /* Compensate for boundary condition when applying mask */ |
||
1859 | if( msb % 8 == 0 ) |
||
1860 | offset = 1; |
||
1861 | |||
1862 | /* maskedDB: Apply dbMask to DB */ |
||
1863 | if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, |
||
1864 | &md_ctx ) ) != 0 ) |
||
1865 | goto exit; |
||
1866 | |||
1867 | msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; |
||
1868 | sig[0] &= 0xFF >> ( olen * 8 - msb ); |
||
1869 | |||
1870 | p += hlen; |
||
1871 | *p++ = 0xBC; |
||
1872 | |||
1873 | mbedtls_platform_zeroize( salt, sizeof( salt ) ); |
||
1874 | |||
1875 | exit: |
||
1876 | mbedtls_md_free( &md_ctx ); |
||
1877 | |||
1878 | if( ret != 0 ) |
||
1879 | return( ret ); |
||
1880 | |||
1881 | return( ( mode == MBEDTLS_RSA_PUBLIC ) |
||
1882 | ? mbedtls_rsa_public( ctx, sig, sig ) |
||
1883 | : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); |
||
1884 | } |
||
1885 | #endif /* MBEDTLS_PKCS1_V21 */ |
||
1886 | |||
1887 | #if defined(MBEDTLS_PKCS1_V15) |
||
1888 | /* |
||
1889 | * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function |
||
1890 | */ |
||
1891 | |||
1892 | /* Construct a PKCS v1.5 encoding of a hashed message |
||
1893 | * |
||
1894 | * This is used both for signature generation and verification. |
||
1895 | * |
||
1896 | * Parameters: |
||
1897 | * - md_alg: Identifies the hash algorithm used to generate the given hash; |
||
1898 | * MBEDTLS_MD_NONE if raw data is signed. |
||
1899 | * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE. |
||
1900 | * - hash: Buffer containing the hashed message or the raw data. |
||
1901 | * - dst_len: Length of the encoded message. |
||
1902 | * - dst: Buffer to hold the encoded message. |
||
1903 | * |
||
1904 | * Assumptions: |
||
1905 | * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE. |
||
1906 | * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE. |
||
1907 | * - dst points to a buffer of size at least dst_len. |
||
1908 | * |
||
1909 | */ |
||
1910 | static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, |
||
1911 | unsigned int hashlen, |
||
1912 | const unsigned char *hash, |
||
1913 | size_t dst_len, |
||
1914 | unsigned char *dst ) |
||
1915 | { |
||
1916 | size_t oid_size = 0; |
||
1917 | size_t nb_pad = dst_len; |
||
1918 | unsigned char *p = dst; |
||
1919 | const char *oid = NULL; |
||
1920 | |||
1921 | /* Are we signing hashed or raw data? */ |
||
1922 | if( md_alg != MBEDTLS_MD_NONE ) |
||
1923 | { |
||
1924 | const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); |
||
1925 | if( md_info == NULL ) |
||
1926 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1927 | |||
1928 | if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) |
||
1929 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1930 | |||
1931 | hashlen = mbedtls_md_get_size( md_info ); |
||
1932 | |||
1933 | /* Double-check that 8 + hashlen + oid_size can be used as a |
||
1934 | * 1-byte ASN.1 length encoding and that there's no overflow. */ |
||
1935 | if( 8 + hashlen + oid_size >= 0x80 || |
||
1936 | 10 + hashlen < hashlen || |
||
1937 | 10 + hashlen + oid_size < 10 + hashlen ) |
||
1938 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1939 | |||
1940 | /* |
||
1941 | * Static bounds check: |
||
1942 | * - Need 10 bytes for five tag-length pairs. |
||
1943 | * (Insist on 1-byte length encodings to protect against variants of |
||
1944 | * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification) |
||
1945 | * - Need hashlen bytes for hash |
||
1946 | * - Need oid_size bytes for hash alg OID. |
||
1947 | */ |
||
1948 | if( nb_pad < 10 + hashlen + oid_size ) |
||
1949 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1950 | nb_pad -= 10 + hashlen + oid_size; |
||
1951 | } |
||
1952 | else |
||
1953 | { |
||
1954 | if( nb_pad < hashlen ) |
||
1955 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1956 | |||
1957 | nb_pad -= hashlen; |
||
1958 | } |
||
1959 | |||
1960 | /* Need space for signature header and padding delimiter (3 bytes), |
||
1961 | * and 8 bytes for the minimal padding */ |
||
1962 | if( nb_pad < 3 + 8 ) |
||
1963 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
1964 | nb_pad -= 3; |
||
1965 | |||
1966 | /* Now nb_pad is the amount of memory to be filled |
||
1967 | * with padding, and at least 8 bytes long. */ |
||
1968 | |||
1969 | /* Write signature header and padding */ |
||
1970 | *p++ = 0; |
||
1971 | *p++ = MBEDTLS_RSA_SIGN; |
||
1972 | memset( p, 0xFF, nb_pad ); |
||
1973 | p += nb_pad; |
||
1974 | *p++ = 0; |
||
1975 | |||
1976 | /* Are we signing raw data? */ |
||
1977 | if( md_alg == MBEDTLS_MD_NONE ) |
||
1978 | { |
||
1979 | memcpy( p, hash, hashlen ); |
||
1980 | return( 0 ); |
||
1981 | } |
||
1982 | |||
1983 | /* Signing hashed data, add corresponding ASN.1 structure |
||
1984 | * |
||
1985 | * DigestInfo ::= SEQUENCE { |
||
1986 | * digestAlgorithm DigestAlgorithmIdentifier, |
||
1987 | * digest Digest } |
||
1988 | * DigestAlgorithmIdentifier ::= AlgorithmIdentifier |
||
1989 | * Digest ::= OCTET STRING |
||
1990 | * |
||
1991 | * Schematic: |
||
1992 | * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] |
||
1993 | * TAG-NULL + LEN [ NULL ] ] |
||
1994 | * TAG-OCTET + LEN [ HASH ] ] |
||
1995 | */ |
||
1996 | *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; |
||
1997 | *p++ = (unsigned char)( 0x08 + oid_size + hashlen ); |
||
1998 | *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; |
||
1999 | *p++ = (unsigned char)( 0x04 + oid_size ); |
||
2000 | *p++ = MBEDTLS_ASN1_OID; |
||
2001 | *p++ = (unsigned char) oid_size; |
||
2002 | memcpy( p, oid, oid_size ); |
||
2003 | p += oid_size; |
||
2004 | *p++ = MBEDTLS_ASN1_NULL; |
||
2005 | *p++ = 0x00; |
||
2006 | *p++ = MBEDTLS_ASN1_OCTET_STRING; |
||
2007 | *p++ = (unsigned char) hashlen; |
||
2008 | memcpy( p, hash, hashlen ); |
||
2009 | p += hashlen; |
||
2010 | |||
2011 | /* Just a sanity-check, should be automatic |
||
2012 | * after the initial bounds check. */ |
||
2013 | if( p != dst + dst_len ) |
||
2014 | { |
||
2015 | mbedtls_platform_zeroize( dst, dst_len ); |
||
2016 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2017 | } |
||
2018 | |||
2019 | return( 0 ); |
||
2020 | } |
||
2021 | |||
2022 | /* |
||
2023 | * Do an RSA operation to sign the message digest |
||
2024 | */ |
||
2025 | int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, |
||
2026 | int (*f_rng)(void *, unsigned char *, size_t), |
||
2027 | void *p_rng, |
||
2028 | int mode, |
||
2029 | mbedtls_md_type_t md_alg, |
||
2030 | unsigned int hashlen, |
||
2031 | const unsigned char *hash, |
||
2032 | unsigned char *sig ) |
||
2033 | { |
||
2034 | int ret; |
||
2035 | unsigned char *sig_try = NULL, *verif = NULL; |
||
2036 | |||
2037 | RSA_VALIDATE_RET( ctx != NULL ); |
||
2038 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
2039 | mode == MBEDTLS_RSA_PUBLIC ); |
||
2040 | RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && |
||
2041 | hashlen == 0 ) || |
||
2042 | hash != NULL ); |
||
2043 | RSA_VALIDATE_RET( sig != NULL ); |
||
2044 | |||
2045 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) |
||
2046 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2047 | |||
2048 | /* |
||
2049 | * Prepare PKCS1-v1.5 encoding (padding and hash identifier) |
||
2050 | */ |
||
2051 | |||
2052 | if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, |
||
2053 | ctx->len, sig ) ) != 0 ) |
||
2054 | return( ret ); |
||
2055 | |||
2056 | /* |
||
2057 | * Call respective RSA primitive |
||
2058 | */ |
||
2059 | |||
2060 | if( mode == MBEDTLS_RSA_PUBLIC ) |
||
2061 | { |
||
2062 | /* Skip verification on a public key operation */ |
||
2063 | return( mbedtls_rsa_public( ctx, sig, sig ) ); |
||
2064 | } |
||
2065 | |||
2066 | /* Private key operation |
||
2067 | * |
||
2068 | * In order to prevent Lenstra's attack, make the signature in a |
||
2069 | * temporary buffer and check it before returning it. |
||
2070 | */ |
||
2071 | |||
2072 | sig_try = mbedtls_calloc( 1, ctx->len ); |
||
2073 | if( sig_try == NULL ) |
||
2074 | return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); |
||
2075 | |||
2076 | verif = mbedtls_calloc( 1, ctx->len ); |
||
2077 | if( verif == NULL ) |
||
2078 | { |
||
2079 | mbedtls_free( sig_try ); |
||
2080 | return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); |
||
2081 | } |
||
2082 | |||
2083 | MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); |
||
2084 | MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); |
||
2085 | |||
2086 | if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 ) |
||
2087 | { |
||
2088 | ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; |
||
2089 | goto cleanup; |
||
2090 | } |
||
2091 | |||
2092 | memcpy( sig, sig_try, ctx->len ); |
||
2093 | |||
2094 | cleanup: |
||
2095 | mbedtls_free( sig_try ); |
||
2096 | mbedtls_free( verif ); |
||
2097 | |||
2098 | return( ret ); |
||
2099 | } |
||
2100 | #endif /* MBEDTLS_PKCS1_V15 */ |
||
2101 | |||
2102 | /* |
||
2103 | * Do an RSA operation to sign the message digest |
||
2104 | */ |
||
2105 | int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, |
||
2106 | int (*f_rng)(void *, unsigned char *, size_t), |
||
2107 | void *p_rng, |
||
2108 | int mode, |
||
2109 | mbedtls_md_type_t md_alg, |
||
2110 | unsigned int hashlen, |
||
2111 | const unsigned char *hash, |
||
2112 | unsigned char *sig ) |
||
2113 | { |
||
2114 | RSA_VALIDATE_RET( ctx != NULL ); |
||
2115 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
2116 | mode == MBEDTLS_RSA_PUBLIC ); |
||
2117 | RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && |
||
2118 | hashlen == 0 ) || |
||
2119 | hash != NULL ); |
||
2120 | RSA_VALIDATE_RET( sig != NULL ); |
||
2121 | |||
2122 | switch( ctx->padding ) |
||
2123 | { |
||
2124 | #if defined(MBEDTLS_PKCS1_V15) |
||
2125 | case MBEDTLS_RSA_PKCS_V15: |
||
2126 | return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, |
||
2127 | hashlen, hash, sig ); |
||
2128 | #endif |
||
2129 | |||
2130 | #if defined(MBEDTLS_PKCS1_V21) |
||
2131 | case MBEDTLS_RSA_PKCS_V21: |
||
2132 | return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, |
||
2133 | hashlen, hash, sig ); |
||
2134 | #endif |
||
2135 | |||
2136 | default: |
||
2137 | return( MBEDTLS_ERR_RSA_INVALID_PADDING ); |
||
2138 | } |
||
2139 | } |
||
2140 | |||
2141 | #if defined(MBEDTLS_PKCS1_V21) |
||
2142 | /* |
||
2143 | * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function |
||
2144 | */ |
||
2145 | int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, |
||
2146 | int (*f_rng)(void *, unsigned char *, size_t), |
||
2147 | void *p_rng, |
||
2148 | int mode, |
||
2149 | mbedtls_md_type_t md_alg, |
||
2150 | unsigned int hashlen, |
||
2151 | const unsigned char *hash, |
||
2152 | mbedtls_md_type_t mgf1_hash_id, |
||
2153 | int expected_salt_len, |
||
2154 | const unsigned char *sig ) |
||
2155 | { |
||
2156 | int ret; |
||
2157 | size_t siglen; |
||
2158 | unsigned char *p; |
||
2159 | unsigned char *hash_start; |
||
2160 | unsigned char result[MBEDTLS_MD_MAX_SIZE]; |
||
2161 | unsigned char zeros[8]; |
||
2162 | unsigned int hlen; |
||
2163 | size_t observed_salt_len, msb; |
||
2164 | const mbedtls_md_info_t *md_info; |
||
2165 | mbedtls_md_context_t md_ctx; |
||
2166 | unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; |
||
2167 | |||
2168 | RSA_VALIDATE_RET( ctx != NULL ); |
||
2169 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
2170 | mode == MBEDTLS_RSA_PUBLIC ); |
||
2171 | RSA_VALIDATE_RET( sig != NULL ); |
||
2172 | RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && |
||
2173 | hashlen == 0 ) || |
||
2174 | hash != NULL ); |
||
2175 | |||
2176 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) |
||
2177 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2178 | |||
2179 | siglen = ctx->len; |
||
2180 | |||
2181 | if( siglen < 16 || siglen > sizeof( buf ) ) |
||
2182 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2183 | |||
2184 | ret = ( mode == MBEDTLS_RSA_PUBLIC ) |
||
2185 | ? mbedtls_rsa_public( ctx, sig, buf ) |
||
2186 | : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); |
||
2187 | |||
2188 | if( ret != 0 ) |
||
2189 | return( ret ); |
||
2190 | |||
2191 | p = buf; |
||
2192 | |||
2193 | if( buf[siglen - 1] != 0xBC ) |
||
2194 | return( MBEDTLS_ERR_RSA_INVALID_PADDING ); |
||
2195 | |||
2196 | if( md_alg != MBEDTLS_MD_NONE ) |
||
2197 | { |
||
2198 | /* Gather length of hash to sign */ |
||
2199 | md_info = mbedtls_md_info_from_type( md_alg ); |
||
2200 | if( md_info == NULL ) |
||
2201 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2202 | |||
2203 | hashlen = mbedtls_md_get_size( md_info ); |
||
2204 | } |
||
2205 | |||
2206 | md_info = mbedtls_md_info_from_type( mgf1_hash_id ); |
||
2207 | if( md_info == NULL ) |
||
2208 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2209 | |||
2210 | hlen = mbedtls_md_get_size( md_info ); |
||
2211 | |||
2212 | memset( zeros, 0, 8 ); |
||
2213 | |||
2214 | /* |
||
2215 | * Note: EMSA-PSS verification is over the length of N - 1 bits |
||
2216 | */ |
||
2217 | msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; |
||
2218 | |||
2219 | if( buf[0] >> ( 8 - siglen * 8 + msb ) ) |
||
2220 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2221 | |||
2222 | /* Compensate for boundary condition when applying mask */ |
||
2223 | if( msb % 8 == 0 ) |
||
2224 | { |
||
2225 | p++; |
||
2226 | siglen -= 1; |
||
2227 | } |
||
2228 | |||
2229 | if( siglen < hlen + 2 ) |
||
2230 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2231 | hash_start = p + siglen - hlen - 1; |
||
2232 | |||
2233 | mbedtls_md_init( &md_ctx ); |
||
2234 | if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) |
||
2235 | goto exit; |
||
2236 | |||
2237 | ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); |
||
2238 | if( ret != 0 ) |
||
2239 | goto exit; |
||
2240 | |||
2241 | buf[0] &= 0xFF >> ( siglen * 8 - msb ); |
||
2242 | |||
2243 | while( p < hash_start - 1 && *p == 0 ) |
||
2244 | p++; |
||
2245 | |||
2246 | if( *p++ != 0x01 ) |
||
2247 | { |
||
2248 | ret = MBEDTLS_ERR_RSA_INVALID_PADDING; |
||
2249 | goto exit; |
||
2250 | } |
||
2251 | |||
2252 | observed_salt_len = hash_start - p; |
||
2253 | |||
2254 | if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && |
||
2255 | observed_salt_len != (size_t) expected_salt_len ) |
||
2256 | { |
||
2257 | ret = MBEDTLS_ERR_RSA_INVALID_PADDING; |
||
2258 | goto exit; |
||
2259 | } |
||
2260 | |||
2261 | /* |
||
2262 | * Generate H = Hash( M' ) |
||
2263 | */ |
||
2264 | ret = mbedtls_md_starts( &md_ctx ); |
||
2265 | if ( ret != 0 ) |
||
2266 | goto exit; |
||
2267 | ret = mbedtls_md_update( &md_ctx, zeros, 8 ); |
||
2268 | if ( ret != 0 ) |
||
2269 | goto exit; |
||
2270 | ret = mbedtls_md_update( &md_ctx, hash, hashlen ); |
||
2271 | if ( ret != 0 ) |
||
2272 | goto exit; |
||
2273 | ret = mbedtls_md_update( &md_ctx, p, observed_salt_len ); |
||
2274 | if ( ret != 0 ) |
||
2275 | goto exit; |
||
2276 | ret = mbedtls_md_finish( &md_ctx, result ); |
||
2277 | if ( ret != 0 ) |
||
2278 | goto exit; |
||
2279 | |||
2280 | if( memcmp( hash_start, result, hlen ) != 0 ) |
||
2281 | { |
||
2282 | ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; |
||
2283 | goto exit; |
||
2284 | } |
||
2285 | |||
2286 | exit: |
||
2287 | mbedtls_md_free( &md_ctx ); |
||
2288 | |||
2289 | return( ret ); |
||
2290 | } |
||
2291 | |||
2292 | /* |
||
2293 | * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function |
||
2294 | */ |
||
2295 | int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, |
||
2296 | int (*f_rng)(void *, unsigned char *, size_t), |
||
2297 | void *p_rng, |
||
2298 | int mode, |
||
2299 | mbedtls_md_type_t md_alg, |
||
2300 | unsigned int hashlen, |
||
2301 | const unsigned char *hash, |
||
2302 | const unsigned char *sig ) |
||
2303 | { |
||
2304 | mbedtls_md_type_t mgf1_hash_id; |
||
2305 | RSA_VALIDATE_RET( ctx != NULL ); |
||
2306 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
2307 | mode == MBEDTLS_RSA_PUBLIC ); |
||
2308 | RSA_VALIDATE_RET( sig != NULL ); |
||
2309 | RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && |
||
2310 | hashlen == 0 ) || |
||
2311 | hash != NULL ); |
||
2312 | |||
2313 | mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) |
||
2314 | ? (mbedtls_md_type_t) ctx->hash_id |
||
2315 | : md_alg; |
||
2316 | |||
2317 | return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, |
||
2318 | md_alg, hashlen, hash, |
||
2319 | mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, |
||
2320 | sig ) ); |
||
2321 | |||
2322 | } |
||
2323 | #endif /* MBEDTLS_PKCS1_V21 */ |
||
2324 | |||
2325 | #if defined(MBEDTLS_PKCS1_V15) |
||
2326 | /* |
||
2327 | * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function |
||
2328 | */ |
||
2329 | int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, |
||
2330 | int (*f_rng)(void *, unsigned char *, size_t), |
||
2331 | void *p_rng, |
||
2332 | int mode, |
||
2333 | mbedtls_md_type_t md_alg, |
||
2334 | unsigned int hashlen, |
||
2335 | const unsigned char *hash, |
||
2336 | const unsigned char *sig ) |
||
2337 | { |
||
2338 | int ret = 0; |
||
2339 | size_t sig_len; |
||
2340 | unsigned char *encoded = NULL, *encoded_expected = NULL; |
||
2341 | |||
2342 | RSA_VALIDATE_RET( ctx != NULL ); |
||
2343 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
2344 | mode == MBEDTLS_RSA_PUBLIC ); |
||
2345 | RSA_VALIDATE_RET( sig != NULL ); |
||
2346 | RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && |
||
2347 | hashlen == 0 ) || |
||
2348 | hash != NULL ); |
||
2349 | |||
2350 | sig_len = ctx->len; |
||
2351 | |||
2352 | if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) |
||
2353 | return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
||
2354 | |||
2355 | /* |
||
2356 | * Prepare expected PKCS1 v1.5 encoding of hash. |
||
2357 | */ |
||
2358 | |||
2359 | if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL || |
||
2360 | ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL ) |
||
2361 | { |
||
2362 | ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; |
||
2363 | goto cleanup; |
||
2364 | } |
||
2365 | |||
2366 | if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len, |
||
2367 | encoded_expected ) ) != 0 ) |
||
2368 | goto cleanup; |
||
2369 | |||
2370 | /* |
||
2371 | * Apply RSA primitive to get what should be PKCS1 encoded hash. |
||
2372 | */ |
||
2373 | |||
2374 | ret = ( mode == MBEDTLS_RSA_PUBLIC ) |
||
2375 | ? mbedtls_rsa_public( ctx, sig, encoded ) |
||
2376 | : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded ); |
||
2377 | if( ret != 0 ) |
||
2378 | goto cleanup; |
||
2379 | |||
2380 | /* |
||
2381 | * Compare |
||
2382 | */ |
||
2383 | |||
2384 | if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected, |
||
2385 | sig_len ) ) != 0 ) |
||
2386 | { |
||
2387 | ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; |
||
2388 | goto cleanup; |
||
2389 | } |
||
2390 | |||
2391 | cleanup: |
||
2392 | |||
2393 | if( encoded != NULL ) |
||
2394 | { |
||
2395 | mbedtls_platform_zeroize( encoded, sig_len ); |
||
2396 | mbedtls_free( encoded ); |
||
2397 | } |
||
2398 | |||
2399 | if( encoded_expected != NULL ) |
||
2400 | { |
||
2401 | mbedtls_platform_zeroize( encoded_expected, sig_len ); |
||
2402 | mbedtls_free( encoded_expected ); |
||
2403 | } |
||
2404 | |||
2405 | return( ret ); |
||
2406 | } |
||
2407 | #endif /* MBEDTLS_PKCS1_V15 */ |
||
2408 | |||
2409 | /* |
||
2410 | * Do an RSA operation and check the message digest |
||
2411 | */ |
||
2412 | int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, |
||
2413 | int (*f_rng)(void *, unsigned char *, size_t), |
||
2414 | void *p_rng, |
||
2415 | int mode, |
||
2416 | mbedtls_md_type_t md_alg, |
||
2417 | unsigned int hashlen, |
||
2418 | const unsigned char *hash, |
||
2419 | const unsigned char *sig ) |
||
2420 | { |
||
2421 | RSA_VALIDATE_RET( ctx != NULL ); |
||
2422 | RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || |
||
2423 | mode == MBEDTLS_RSA_PUBLIC ); |
||
2424 | RSA_VALIDATE_RET( sig != NULL ); |
||
2425 | RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && |
||
2426 | hashlen == 0 ) || |
||
2427 | hash != NULL ); |
||
2428 | |||
2429 | switch( ctx->padding ) |
||
2430 | { |
||
2431 | #if defined(MBEDTLS_PKCS1_V15) |
||
2432 | case MBEDTLS_RSA_PKCS_V15: |
||
2433 | return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, |
||
2434 | hashlen, hash, sig ); |
||
2435 | #endif |
||
2436 | |||
2437 | #if defined(MBEDTLS_PKCS1_V21) |
||
2438 | case MBEDTLS_RSA_PKCS_V21: |
||
2439 | return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, |
||
2440 | hashlen, hash, sig ); |
||
2441 | #endif |
||
2442 | |||
2443 | default: |
||
2444 | return( MBEDTLS_ERR_RSA_INVALID_PADDING ); |
||
2445 | } |
||
2446 | } |
||
2447 | |||
2448 | /* |
||
2449 | * Copy the components of an RSA key |
||
2450 | */ |
||
2451 | int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ) |
||
2452 | { |
||
2453 | int ret; |
||
2454 | RSA_VALIDATE_RET( dst != NULL ); |
||
2455 | RSA_VALIDATE_RET( src != NULL ); |
||
2456 | |||
2457 | dst->ver = src->ver; |
||
2458 | dst->len = src->len; |
||
2459 | |||
2460 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) ); |
||
2461 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) ); |
||
2462 | |||
2463 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) ); |
||
2464 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) ); |
||
2465 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) ); |
||
2466 | |||
2467 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
2468 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) ); |
||
2469 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) ); |
||
2470 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) ); |
||
2471 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) ); |
||
2472 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) ); |
||
2473 | #endif |
||
2474 | |||
2475 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) ); |
||
2476 | |||
2477 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) ); |
||
2478 | MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) ); |
||
2479 | |||
2480 | dst->padding = src->padding; |
||
2481 | dst->hash_id = src->hash_id; |
||
2482 | |||
2483 | cleanup: |
||
2484 | if( ret != 0 ) |
||
2485 | mbedtls_rsa_free( dst ); |
||
2486 | |||
2487 | return( ret ); |
||
2488 | } |
||
2489 | |||
2490 | /* |
||
2491 | * Free the components of an RSA key |
||
2492 | */ |
||
2493 | void mbedtls_rsa_free( mbedtls_rsa_context *ctx ) |
||
2494 | { |
||
2495 | if( ctx == NULL ) |
||
2496 | return; |
||
2497 | |||
2498 | mbedtls_mpi_free( &ctx->Vi ); |
||
2499 | mbedtls_mpi_free( &ctx->Vf ); |
||
2500 | mbedtls_mpi_free( &ctx->RN ); |
||
2501 | mbedtls_mpi_free( &ctx->D ); |
||
2502 | mbedtls_mpi_free( &ctx->Q ); |
||
2503 | mbedtls_mpi_free( &ctx->P ); |
||
2504 | mbedtls_mpi_free( &ctx->E ); |
||
2505 | mbedtls_mpi_free( &ctx->N ); |
||
2506 | |||
2507 | #if !defined(MBEDTLS_RSA_NO_CRT) |
||
2508 | mbedtls_mpi_free( &ctx->RQ ); |
||
2509 | mbedtls_mpi_free( &ctx->RP ); |
||
2510 | mbedtls_mpi_free( &ctx->QP ); |
||
2511 | mbedtls_mpi_free( &ctx->DQ ); |
||
2512 | mbedtls_mpi_free( &ctx->DP ); |
||
2513 | #endif /* MBEDTLS_RSA_NO_CRT */ |
||
2514 | |||
2515 | #if defined(MBEDTLS_THREADING_C) |
||
2516 | mbedtls_mutex_free( &ctx->mutex ); |
||
2517 | #endif |
||
2518 | } |
||
2519 | |||
2520 | #endif /* !MBEDTLS_RSA_ALT */ |
||
2521 | |||
2522 | #if defined(MBEDTLS_SELF_TEST) |
||
2523 | |||
2524 | #include "mbedtls/sha1.h" |
||
2525 | |||
2526 | /* |
||
2527 | * Example RSA-1024 keypair, for test purposes |
||
2528 | */ |
||
2529 | #define KEY_LEN 128 |
||
2530 | |||
2531 | #define RSA_N "9292758453063D803DD603D5E777D788" \ |
||
2532 | "8ED1D5BF35786190FA2F23EBC0848AEA" \ |
||
2533 | "DDA92CA6C3D80B32C4D109BE0F36D6AE" \ |
||
2534 | "7130B9CED7ACDF54CFC7555AC14EEBAB" \ |
||
2535 | "93A89813FBF3C4F8066D2D800F7C38A8" \ |
||
2536 | "1AE31942917403FF4946B0A83D3D3E05" \ |
||
2537 | "EE57C6F5F5606FB5D4BC6CD34EE0801A" \ |
||
2538 | "5E94BB77B07507233A0BC7BAC8F90F79" |
||
2539 | |||
2540 | #define RSA_E "10001" |
||
2541 | |||
2542 | #define RSA_D "24BF6185468786FDD303083D25E64EFC" \ |
||
2543 | "66CA472BC44D253102F8B4A9D3BFA750" \ |
||
2544 | "91386C0077937FE33FA3252D28855837" \ |
||
2545 | "AE1B484A8A9A45F7EE8C0C634F99E8CD" \ |
||
2546 | "DF79C5CE07EE72C7F123142198164234" \ |
||
2547 | "CABB724CF78B8173B9F880FC86322407" \ |
||
2548 | "AF1FEDFDDE2BEB674CA15F3E81A1521E" \ |
||
2549 | "071513A1E85B5DFA031F21ECAE91A34D" |
||
2550 | |||
2551 | #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \ |
||
2552 | "2C01CAD19EA484A87EA4377637E75500" \ |
||
2553 | "FCB2005C5C7DD6EC4AC023CDA285D796" \ |
||
2554 | "C3D9E75E1EFC42488BB4F1D13AC30A57" |
||
2555 | |||
2556 | #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \ |
||
2557 | "E211C2B9E5DB1ED0BF61D0D9899620F4" \ |
||
2558 | "910E4168387E3C30AA1E00C339A79508" \ |
||
2559 | "8452DD96A9A5EA5D9DCA68DA636032AF" |
||
2560 | |||
2561 | #define PT_LEN 24 |
||
2562 | #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \ |
||
2563 | "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD" |
||
2564 | |||
2565 | #if defined(MBEDTLS_PKCS1_V15) |
||
2566 | static int myrand( void *rng_state, unsigned char *output, size_t len ) |
||
2567 | { |
||
2568 | #if !defined(__OpenBSD__) |
||
2569 | size_t i; |
||
2570 | |||
2571 | if( rng_state != NULL ) |
||
2572 | rng_state = NULL; |
||
2573 | |||
2574 | for( i = 0; i < len; ++i ) |
||
2575 | output[i] = rand(); |
||
2576 | #else |
||
2577 | if( rng_state != NULL ) |
||
2578 | rng_state = NULL; |
||
2579 | |||
2580 | arc4random_buf( output, len ); |
||
2581 | #endif /* !OpenBSD */ |
||
2582 | |||
2583 | return( 0 ); |
||
2584 | } |
||
2585 | #endif /* MBEDTLS_PKCS1_V15 */ |
||
2586 | |||
2587 | /* |
||
2588 | * Checkup routine |
||
2589 | */ |
||
2590 | int mbedtls_rsa_self_test( int verbose ) |
||
2591 | { |
||
2592 | int ret = 0; |
||
2593 | #if defined(MBEDTLS_PKCS1_V15) |
||
2594 | size_t len; |
||
2595 | mbedtls_rsa_context rsa; |
||
2596 | unsigned char rsa_plaintext[PT_LEN]; |
||
2597 | unsigned char rsa_decrypted[PT_LEN]; |
||
2598 | unsigned char rsa_ciphertext[KEY_LEN]; |
||
2599 | #if defined(MBEDTLS_SHA1_C) |
||
2600 | unsigned char sha1sum[20]; |
||
2601 | #endif |
||
2602 | |||
2603 | mbedtls_mpi K; |
||
2604 | |||
2605 | mbedtls_mpi_init( &K ); |
||
2606 | mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); |
||
2607 | |||
2608 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) ); |
||
2609 | MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) ); |
||
2610 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) ); |
||
2611 | MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) ); |
||
2612 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) ); |
||
2613 | MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) ); |
||
2614 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) ); |
||
2615 | MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) ); |
||
2616 | MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) ); |
||
2617 | MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) ); |
||
2618 | |||
2619 | MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) ); |
||
2620 | |||
2621 | if( verbose != 0 ) |
||
2622 | mbedtls_printf( " RSA key validation: " ); |
||
2623 | |||
2624 | if( mbedtls_rsa_check_pubkey( &rsa ) != 0 || |
||
2625 | mbedtls_rsa_check_privkey( &rsa ) != 0 ) |
||
2626 | { |
||
2627 | if( verbose != 0 ) |
||
2628 | mbedtls_printf( "failed\n" ); |
||
2629 | |||
2630 | ret = 1; |
||
2631 | goto cleanup; |
||
2632 | } |
||
2633 | |||
2634 | if( verbose != 0 ) |
||
2635 | mbedtls_printf( "passed\n PKCS#1 encryption : " ); |
||
2636 | |||
2637 | memcpy( rsa_plaintext, RSA_PT, PT_LEN ); |
||
2638 | |||
2639 | if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, |
||
2640 | PT_LEN, rsa_plaintext, |
||
2641 | rsa_ciphertext ) != 0 ) |
||
2642 | { |
||
2643 | if( verbose != 0 ) |
||
2644 | mbedtls_printf( "failed\n" ); |
||
2645 | |||
2646 | ret = 1; |
||
2647 | goto cleanup; |
||
2648 | } |
||
2649 | |||
2650 | if( verbose != 0 ) |
||
2651 | mbedtls_printf( "passed\n PKCS#1 decryption : " ); |
||
2652 | |||
2653 | if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, |
||
2654 | &len, rsa_ciphertext, rsa_decrypted, |
||
2655 | sizeof(rsa_decrypted) ) != 0 ) |
||
2656 | { |
||
2657 | if( verbose != 0 ) |
||
2658 | mbedtls_printf( "failed\n" ); |
||
2659 | |||
2660 | ret = 1; |
||
2661 | goto cleanup; |
||
2662 | } |
||
2663 | |||
2664 | if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 ) |
||
2665 | { |
||
2666 | if( verbose != 0 ) |
||
2667 | mbedtls_printf( "failed\n" ); |
||
2668 | |||
2669 | ret = 1; |
||
2670 | goto cleanup; |
||
2671 | } |
||
2672 | |||
2673 | if( verbose != 0 ) |
||
2674 | mbedtls_printf( "passed\n" ); |
||
2675 | |||
2676 | #if defined(MBEDTLS_SHA1_C) |
||
2677 | if( verbose != 0 ) |
||
2678 | mbedtls_printf( " PKCS#1 data sign : " ); |
||
2679 | |||
2680 | if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 ) |
||
2681 | { |
||
2682 | if( verbose != 0 ) |
||
2683 | mbedtls_printf( "failed\n" ); |
||
2684 | |||
2685 | return( 1 ); |
||
2686 | } |
||
2687 | |||
2688 | if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, |
||
2689 | MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, |
||
2690 | sha1sum, rsa_ciphertext ) != 0 ) |
||
2691 | { |
||
2692 | if( verbose != 0 ) |
||
2693 | mbedtls_printf( "failed\n" ); |
||
2694 | |||
2695 | ret = 1; |
||
2696 | goto cleanup; |
||
2697 | } |
||
2698 | |||
2699 | if( verbose != 0 ) |
||
2700 | mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); |
||
2701 | |||
2702 | if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, |
||
2703 | MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, |
||
2704 | sha1sum, rsa_ciphertext ) != 0 ) |
||
2705 | { |
||
2706 | if( verbose != 0 ) |
||
2707 | mbedtls_printf( "failed\n" ); |
||
2708 | |||
2709 | ret = 1; |
||
2710 | goto cleanup; |
||
2711 | } |
||
2712 | |||
2713 | if( verbose != 0 ) |
||
2714 | mbedtls_printf( "passed\n" ); |
||
2715 | #endif /* MBEDTLS_SHA1_C */ |
||
2716 | |||
2717 | if( verbose != 0 ) |
||
2718 | mbedtls_printf( "\n" ); |
||
2719 | |||
2720 | cleanup: |
||
2721 | mbedtls_mpi_free( &K ); |
||
2722 | mbedtls_rsa_free( &rsa ); |
||
2723 | #else /* MBEDTLS_PKCS1_V15 */ |
||
2724 | ((void) verbose); |
||
2725 | #endif /* MBEDTLS_PKCS1_V15 */ |
||
2726 | return( ret ); |
||
2727 | } |
||
2728 | |||
2729 | #endif /* MBEDTLS_SELF_TEST */ |
||
2730 | |||
2731 | #endif /* MBEDTLS_RSA_C */>>>>>>>>>>>>>>>>=>>>>>>>>>>>>=>>=>>>>>>=>=>=>=>=>=>=>=>=>=>> |