2 * The RSA public-key cryptosystem
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
25 * The following sources were referenced in the design of this implementation
26 * of the RSA algorithm:
28 * [1] A method for obtaining digital signatures and public-key cryptosystems
29 * R Rivest, A Shamir, and L Adleman
30 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
32 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
33 * Menezes, van Oorschot and Vanstone
35 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
36 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
38 * https://arxiv.org/abs/1702.08719v2
42 #if !defined(MBEDTLS_CONFIG_FILE)
43 #include "mbedtls/config.h"
45 #include MBEDTLS_CONFIG_FILE
48 #if defined(MBEDTLS_RSA_C)
50 #include "mbedtls/rsa.h"
51 #include "mbedtls/rsa_internal.h"
52 #include "mbedtls/oid.h"
53 #include "mbedtls/platform_util.h"
57 #if defined(MBEDTLS_PKCS1_V21)
58 #include "mbedtls/md.h"
61 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
65 #if defined(MBEDTLS_PLATFORM_C)
66 #include "mbedtls/platform.h"
69 #define mbedtls_printf printf
70 #define mbedtls_calloc calloc
71 #define mbedtls_free free
74 #if !defined(MBEDTLS_RSA_ALT)
76 #if defined(MBEDTLS_PKCS1_V15)
77 /* constant-time buffer comparison */
78 static inline int mbedtls_safer_memcmp( const void *a
, const void *b
, size_t n
)
81 const unsigned char *A
= (const unsigned char *) a
;
82 const unsigned char *B
= (const unsigned char *) b
;
83 unsigned char diff
= 0;
85 for( i
= 0; i
< n
; i
++ )
90 #endif /* MBEDTLS_PKCS1_V15 */
92 int mbedtls_rsa_import( mbedtls_rsa_context
*ctx
,
94 const mbedtls_mpi
*P
, const mbedtls_mpi
*Q
,
95 const mbedtls_mpi
*D
, const mbedtls_mpi
*E
)
99 if( ( N
!= NULL
&& ( ret
= mbedtls_mpi_copy( &ctx
->N
, N
) ) != 0 ) ||
100 ( P
!= NULL
&& ( ret
= mbedtls_mpi_copy( &ctx
->P
, P
) ) != 0 ) ||
101 ( Q
!= NULL
&& ( ret
= mbedtls_mpi_copy( &ctx
->Q
, Q
) ) != 0 ) ||
102 ( D
!= NULL
&& ( ret
= mbedtls_mpi_copy( &ctx
->D
, D
) ) != 0 ) ||
103 ( E
!= NULL
&& ( ret
= mbedtls_mpi_copy( &ctx
->E
, E
) ) != 0 ) )
105 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
109 ctx
->len
= mbedtls_mpi_size( &ctx
->N
);
114 int mbedtls_rsa_import_raw( mbedtls_rsa_context
*ctx
,
115 unsigned char const *N
, size_t N_len
,
116 unsigned char const *P
, size_t P_len
,
117 unsigned char const *Q
, size_t Q_len
,
118 unsigned char const *D
, size_t D_len
,
119 unsigned char const *E
, size_t E_len
)
125 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx
->N
, N
, N_len
) );
126 ctx
->len
= mbedtls_mpi_size( &ctx
->N
);
130 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx
->P
, P
, P_len
) );
133 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx
->Q
, Q
, Q_len
) );
136 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx
->D
, D
, D_len
) );
139 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx
->E
, E
, E_len
) );
144 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
150 * Checks whether the context fields are set in such a way
151 * that the RSA primitives will be able to execute without error.
152 * It does *not* make guarantees for consistency of the parameters.
154 static int rsa_check_context( mbedtls_rsa_context
const *ctx
, int is_priv
,
155 int blinding_needed
)
157 #if !defined(MBEDTLS_RSA_NO_CRT)
158 /* blinding_needed is only used for NO_CRT to decide whether
159 * P,Q need to be present or not. */
160 ((void) blinding_needed
);
163 if( ctx
->len
!= mbedtls_mpi_size( &ctx
->N
) ||
164 ctx
->len
> MBEDTLS_MPI_MAX_SIZE
)
166 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
170 * 1. Modular exponentiation needs positive, odd moduli.
173 /* Modular exponentiation wrt. N is always used for
174 * RSA public key operations. */
175 if( mbedtls_mpi_cmp_int( &ctx
->N
, 0 ) <= 0 ||
176 mbedtls_mpi_get_bit( &ctx
->N
, 0 ) == 0 )
178 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
181 #if !defined(MBEDTLS_RSA_NO_CRT)
182 /* Modular exponentiation for P and Q is only
183 * used for private key operations and if CRT
186 ( mbedtls_mpi_cmp_int( &ctx
->P
, 0 ) <= 0 ||
187 mbedtls_mpi_get_bit( &ctx
->P
, 0 ) == 0 ||
188 mbedtls_mpi_cmp_int( &ctx
->Q
, 0 ) <= 0 ||
189 mbedtls_mpi_get_bit( &ctx
->Q
, 0 ) == 0 ) )
191 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
193 #endif /* !MBEDTLS_RSA_NO_CRT */
196 * 2. Exponents must be positive
199 /* Always need E for public key operations */
200 if( mbedtls_mpi_cmp_int( &ctx
->E
, 0 ) <= 0 )
201 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
203 #if defined(MBEDTLS_RSA_NO_CRT)
204 /* For private key operations, use D or DP & DQ
205 * as (unblinded) exponents. */
206 if( is_priv
&& mbedtls_mpi_cmp_int( &ctx
->D
, 0 ) <= 0 )
207 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
210 ( mbedtls_mpi_cmp_int( &ctx
->DP
, 0 ) <= 0 ||
211 mbedtls_mpi_cmp_int( &ctx
->DQ
, 0 ) <= 0 ) )
213 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
215 #endif /* MBEDTLS_RSA_NO_CRT */
217 /* Blinding shouldn't make exponents negative either,
218 * so check that P, Q >= 1 if that hasn't yet been
219 * done as part of 1. */
220 #if defined(MBEDTLS_RSA_NO_CRT)
221 if( is_priv
&& blinding_needed
&&
222 ( mbedtls_mpi_cmp_int( &ctx
->P
, 0 ) <= 0 ||
223 mbedtls_mpi_cmp_int( &ctx
->Q
, 0 ) <= 0 ) )
225 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
229 /* It wouldn't lead to an error if it wasn't satisfied,
230 * but check for QP >= 1 nonetheless. */
231 #if !defined(MBEDTLS_RSA_NO_CRT)
233 mbedtls_mpi_cmp_int( &ctx
->QP
, 0 ) <= 0 )
235 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
242 int mbedtls_rsa_complete( mbedtls_rsa_context
*ctx
)
246 const int have_N
= ( mbedtls_mpi_cmp_int( &ctx
->N
, 0 ) != 0 );
247 const int have_P
= ( mbedtls_mpi_cmp_int( &ctx
->P
, 0 ) != 0 );
248 const int have_Q
= ( mbedtls_mpi_cmp_int( &ctx
->Q
, 0 ) != 0 );
249 const int have_D
= ( mbedtls_mpi_cmp_int( &ctx
->D
, 0 ) != 0 );
250 const int have_E
= ( mbedtls_mpi_cmp_int( &ctx
->E
, 0 ) != 0 );
253 * Check whether provided parameters are enough
254 * to deduce all others. The following incomplete
255 * parameter sets for private keys are supported:
258 * (2) D and potentially N missing.
262 const int n_missing
= have_P
&& have_Q
&& have_D
&& have_E
;
263 const int pq_missing
= have_N
&& !have_P
&& !have_Q
&& have_D
&& have_E
;
264 const int d_missing
= have_P
&& have_Q
&& !have_D
&& have_E
;
265 const int is_pub
= have_N
&& !have_P
&& !have_Q
&& !have_D
&& have_E
;
267 /* These three alternatives are mutually exclusive */
268 const int is_priv
= n_missing
|| pq_missing
|| d_missing
;
270 if( !is_priv
&& !is_pub
)
271 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
274 * Step 1: Deduce N if P, Q are provided.
277 if( !have_N
&& have_P
&& have_Q
)
279 if( ( ret
= mbedtls_mpi_mul_mpi( &ctx
->N
, &ctx
->P
,
282 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
285 ctx
->len
= mbedtls_mpi_size( &ctx
->N
);
289 * Step 2: Deduce and verify all remaining core parameters.
294 ret
= mbedtls_rsa_deduce_primes( &ctx
->N
, &ctx
->E
, &ctx
->D
,
297 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
302 if( ( ret
= mbedtls_rsa_deduce_private_exponent( &ctx
->P
,
307 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
312 * Step 3: Deduce all additional parameters specific
313 * to our current RSA implementation.
316 #if !defined(MBEDTLS_RSA_NO_CRT)
319 ret
= mbedtls_rsa_deduce_crt( &ctx
->P
, &ctx
->Q
, &ctx
->D
,
320 &ctx
->DP
, &ctx
->DQ
, &ctx
->QP
);
322 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
324 #endif /* MBEDTLS_RSA_NO_CRT */
327 * Step 3: Basic sanity checks
330 return( rsa_check_context( ctx
, is_priv
, 1 ) );
333 int mbedtls_rsa_export_raw( const mbedtls_rsa_context
*ctx
,
334 unsigned char *N
, size_t N_len
,
335 unsigned char *P
, size_t P_len
,
336 unsigned char *Q
, size_t Q_len
,
337 unsigned char *D
, size_t D_len
,
338 unsigned char *E
, size_t E_len
)
342 /* Check if key is private or public */
344 mbedtls_mpi_cmp_int( &ctx
->N
, 0 ) != 0 &&
345 mbedtls_mpi_cmp_int( &ctx
->P
, 0 ) != 0 &&
346 mbedtls_mpi_cmp_int( &ctx
->Q
, 0 ) != 0 &&
347 mbedtls_mpi_cmp_int( &ctx
->D
, 0 ) != 0 &&
348 mbedtls_mpi_cmp_int( &ctx
->E
, 0 ) != 0;
352 /* If we're trying to export private parameters for a public key,
353 * something must be wrong. */
354 if( P
!= NULL
|| Q
!= NULL
|| D
!= NULL
)
355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
360 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx
->N
, N
, N_len
) );
363 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx
->P
, P
, P_len
) );
366 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx
->Q
, Q
, Q_len
) );
369 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx
->D
, D
, D_len
) );
372 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx
->E
, E
, E_len
) );
379 int mbedtls_rsa_export( const mbedtls_rsa_context
*ctx
,
380 mbedtls_mpi
*N
, mbedtls_mpi
*P
, mbedtls_mpi
*Q
,
381 mbedtls_mpi
*D
, mbedtls_mpi
*E
)
385 /* Check if key is private or public */
387 mbedtls_mpi_cmp_int( &ctx
->N
, 0 ) != 0 &&
388 mbedtls_mpi_cmp_int( &ctx
->P
, 0 ) != 0 &&
389 mbedtls_mpi_cmp_int( &ctx
->Q
, 0 ) != 0 &&
390 mbedtls_mpi_cmp_int( &ctx
->D
, 0 ) != 0 &&
391 mbedtls_mpi_cmp_int( &ctx
->E
, 0 ) != 0;
395 /* If we're trying to export private parameters for a public key,
396 * something must be wrong. */
397 if( P
!= NULL
|| Q
!= NULL
|| D
!= NULL
)
398 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
402 /* Export all requested core parameters. */
404 if( ( N
!= NULL
&& ( ret
= mbedtls_mpi_copy( N
, &ctx
->N
) ) != 0 ) ||
405 ( P
!= NULL
&& ( ret
= mbedtls_mpi_copy( P
, &ctx
->P
) ) != 0 ) ||
406 ( Q
!= NULL
&& ( ret
= mbedtls_mpi_copy( Q
, &ctx
->Q
) ) != 0 ) ||
407 ( D
!= NULL
&& ( ret
= mbedtls_mpi_copy( D
, &ctx
->D
) ) != 0 ) ||
408 ( E
!= NULL
&& ( ret
= mbedtls_mpi_copy( E
, &ctx
->E
) ) != 0 ) )
417 * Export CRT parameters
418 * This must also be implemented if CRT is not used, for being able to
419 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
420 * can be used in this case.
422 int mbedtls_rsa_export_crt( const mbedtls_rsa_context
*ctx
,
423 mbedtls_mpi
*DP
, mbedtls_mpi
*DQ
, mbedtls_mpi
*QP
)
427 /* Check if key is private or public */
429 mbedtls_mpi_cmp_int( &ctx
->N
, 0 ) != 0 &&
430 mbedtls_mpi_cmp_int( &ctx
->P
, 0 ) != 0 &&
431 mbedtls_mpi_cmp_int( &ctx
->Q
, 0 ) != 0 &&
432 mbedtls_mpi_cmp_int( &ctx
->D
, 0 ) != 0 &&
433 mbedtls_mpi_cmp_int( &ctx
->E
, 0 ) != 0;
436 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
438 #if !defined(MBEDTLS_RSA_NO_CRT)
439 /* Export all requested blinding parameters. */
440 if( ( DP
!= NULL
&& ( ret
= mbedtls_mpi_copy( DP
, &ctx
->DP
) ) != 0 ) ||
441 ( DQ
!= NULL
&& ( ret
= mbedtls_mpi_copy( DQ
, &ctx
->DQ
) ) != 0 ) ||
442 ( QP
!= NULL
&& ( ret
= mbedtls_mpi_copy( QP
, &ctx
->QP
) ) != 0 ) )
444 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
447 if( ( ret
= mbedtls_rsa_deduce_crt( &ctx
->P
, &ctx
->Q
, &ctx
->D
,
448 DP
, DQ
, QP
) ) != 0 )
450 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+ ret
);
458 * Initialize an RSA context
460 void mbedtls_rsa_init( mbedtls_rsa_context
*ctx
,
464 memset( ctx
, 0, sizeof( mbedtls_rsa_context
) );
466 mbedtls_rsa_set_padding( ctx
, padding
, hash_id
);
468 #if defined(MBEDTLS_THREADING_C)
469 mbedtls_mutex_init( &ctx
->mutex
);
474 * Set padding for an existing RSA context
476 void mbedtls_rsa_set_padding( mbedtls_rsa_context
*ctx
, int padding
, int hash_id
)
478 ctx
->padding
= padding
;
479 ctx
->hash_id
= hash_id
;
483 * Get length in bytes of RSA modulus
486 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context
*ctx
)
492 #if defined(MBEDTLS_GENPRIME)
495 * Generate an RSA keypair
497 * This generation method follows the RSA key pair generation procedure of
498 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
500 int mbedtls_rsa_gen_key( mbedtls_rsa_context
*ctx
,
501 int (*f_rng
)(void *, unsigned char *, size_t),
503 unsigned int nbits
, int exponent
)
508 if( f_rng
== NULL
|| nbits
< 128 || exponent
< 3 )
509 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
512 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
514 mbedtls_mpi_init( &H
);
515 mbedtls_mpi_init( &G
);
516 mbedtls_mpi_init( &L
);
519 * find primes P and Q with Q < P so that:
520 * 1. |P-Q| > 2^( nbits / 2 - 100 )
521 * 2. GCD( E, (P-1)*(Q-1) ) == 1
522 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
524 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx
->E
, exponent
) );
528 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx
->P
, nbits
>> 1, 0,
531 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx
->Q
, nbits
>> 1, 0,
534 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
535 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H
, &ctx
->P
, &ctx
->Q
) );
536 if( mbedtls_mpi_bitlen( &H
) <= ( ( nbits
>= 200 ) ? ( ( nbits
>> 1 ) - 99 ) : 0 ) )
539 /* not required by any standards, but some users rely on the fact that P > Q */
541 mbedtls_mpi_swap( &ctx
->P
, &ctx
->Q
);
543 /* Temporarily replace P,Q by P-1, Q-1 */
544 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx
->P
, &ctx
->P
, 1 ) );
545 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx
->Q
, &ctx
->Q
, 1 ) );
546 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H
, &ctx
->P
, &ctx
->Q
) );
548 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
549 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G
, &ctx
->E
, &H
) );
550 if( mbedtls_mpi_cmp_int( &G
, 1 ) != 0 )
553 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
554 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G
, &ctx
->P
, &ctx
->Q
) );
555 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L
, NULL
, &H
, &G
) );
556 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->D
, &ctx
->E
, &L
) );
558 if( mbedtls_mpi_bitlen( &ctx
->D
) <= ( ( nbits
+ 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
566 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx
->P
, &ctx
->P
, 1 ) );
567 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx
->Q
, &ctx
->Q
, 1 ) );
569 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->N
, &ctx
->P
, &ctx
->Q
) );
571 ctx
->len
= mbedtls_mpi_size( &ctx
->N
);
573 #if !defined(MBEDTLS_RSA_NO_CRT)
579 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx
->P
, &ctx
->Q
, &ctx
->D
,
580 &ctx
->DP
, &ctx
->DQ
, &ctx
->QP
) );
581 #endif /* MBEDTLS_RSA_NO_CRT */
584 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx
) );
588 mbedtls_mpi_free( &H
);
589 mbedtls_mpi_free( &G
);
590 mbedtls_mpi_free( &L
);
594 mbedtls_rsa_free( ctx
);
595 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED
+ ret
);
601 #endif /* MBEDTLS_GENPRIME */
604 * Check a public RSA key
606 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context
*ctx
)
608 if( rsa_check_context( ctx
, 0 /* public */, 0 /* no blinding */ ) != 0 )
609 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
611 if( mbedtls_mpi_bitlen( &ctx
->N
) < 128 )
613 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
616 if( mbedtls_mpi_get_bit( &ctx
->E
, 0 ) == 0 ||
617 mbedtls_mpi_bitlen( &ctx
->E
) < 2 ||
618 mbedtls_mpi_cmp_mpi( &ctx
->E
, &ctx
->N
) >= 0 )
620 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
627 * Check for the consistency of all fields in an RSA private key context
629 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context
*ctx
)
631 if( mbedtls_rsa_check_pubkey( ctx
) != 0 ||
632 rsa_check_context( ctx
, 1 /* private */, 1 /* blinding */ ) != 0 )
634 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
637 if( mbedtls_rsa_validate_params( &ctx
->N
, &ctx
->P
, &ctx
->Q
,
638 &ctx
->D
, &ctx
->E
, NULL
, NULL
) != 0 )
640 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
643 #if !defined(MBEDTLS_RSA_NO_CRT)
644 else if( mbedtls_rsa_validate_crt( &ctx
->P
, &ctx
->Q
, &ctx
->D
,
645 &ctx
->DP
, &ctx
->DQ
, &ctx
->QP
) != 0 )
647 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
655 * Check if contexts holding a public and private key match
657 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context
*pub
,
658 const mbedtls_rsa_context
*prv
)
660 if( mbedtls_rsa_check_pubkey( pub
) != 0 ||
661 mbedtls_rsa_check_privkey( prv
) != 0 )
663 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
666 if( mbedtls_mpi_cmp_mpi( &pub
->N
, &prv
->N
) != 0 ||
667 mbedtls_mpi_cmp_mpi( &pub
->E
, &prv
->E
) != 0 )
669 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
676 * Do an RSA public key operation
678 int mbedtls_rsa_public( mbedtls_rsa_context
*ctx
,
679 const unsigned char *input
,
680 unsigned char *output
)
686 if( rsa_check_context( ctx
, 0 /* public */, 0 /* no blinding */ ) )
687 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
689 mbedtls_mpi_init( &T
);
691 #if defined(MBEDTLS_THREADING_C)
692 if( ( ret
= mbedtls_mutex_lock( &ctx
->mutex
) ) != 0 )
696 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T
, input
, ctx
->len
) );
698 if( mbedtls_mpi_cmp_mpi( &T
, &ctx
->N
) >= 0 )
700 ret
= MBEDTLS_ERR_MPI_BAD_INPUT_DATA
;
705 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T
, &T
, &ctx
->E
, &ctx
->N
, &ctx
->RN
) );
706 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T
, output
, olen
) );
709 #if defined(MBEDTLS_THREADING_C)
710 if( mbedtls_mutex_unlock( &ctx
->mutex
) != 0 )
711 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
714 mbedtls_mpi_free( &T
);
717 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED
+ ret
);
723 * Generate or update blinding values, see section 10 of:
724 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
725 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
726 * Berlin Heidelberg, 1996. p. 104-113.
728 static int rsa_prepare_blinding( mbedtls_rsa_context
*ctx
,
729 int (*f_rng
)(void *, unsigned char *, size_t), void *p_rng
)
733 if( ctx
->Vf
.p
!= NULL
)
735 /* We already have blinding values, just update them by squaring */
736 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->Vi
, &ctx
->Vi
, &ctx
->Vi
) );
737 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->Vi
, &ctx
->Vi
, &ctx
->N
) );
738 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->Vf
, &ctx
->Vf
, &ctx
->Vf
) );
739 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->Vf
, &ctx
->Vf
, &ctx
->N
) );
744 /* Unblinding value: Vf = random number, invertible mod N */
747 return( MBEDTLS_ERR_RSA_RNG_FAILED
);
749 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx
->Vf
, ctx
->len
- 1, f_rng
, p_rng
) );
750 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx
->Vi
, &ctx
->Vf
, &ctx
->N
) );
751 } while( mbedtls_mpi_cmp_int( &ctx
->Vi
, 1 ) != 0 );
753 /* Blinding value: Vi = Vf^(-e) mod N */
754 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->Vi
, &ctx
->Vf
, &ctx
->N
) );
755 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx
->Vi
, &ctx
->Vi
, &ctx
->E
, &ctx
->N
, &ctx
->RN
) );
763 * Exponent blinding supposed to prevent side-channel attacks using multiple
764 * traces of measurements to recover the RSA key. The more collisions are there,
765 * the more bits of the key can be recovered. See [3].
767 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
768 * observations on avarage.
770 * For example with 28 byte blinding to achieve 2 collisions the adversary has
771 * to make 2^112 observations on avarage.
773 * (With the currently (as of 2017 April) known best algorithms breaking 2048
774 * bit RSA requires approximately as much time as trying out 2^112 random keys.
775 * Thus in this sense with 28 byte blinding the security is not reduced by
776 * side-channel attacks like the one in [3])
778 * This countermeasure does not help if the key recovery is possible with a
781 #define RSA_EXPONENT_BLINDING 28
784 * Do an RSA private key operation
786 int mbedtls_rsa_private( mbedtls_rsa_context
*ctx
,
787 int (*f_rng
)(void *, unsigned char *, size_t),
789 const unsigned char *input
,
790 unsigned char *output
)
795 /* Temporary holding the result */
798 /* Temporaries holding P-1, Q-1 and the
799 * exponent blinding factor, respectively. */
800 mbedtls_mpi P1
, Q1
, R
;
802 #if !defined(MBEDTLS_RSA_NO_CRT)
803 /* Temporaries holding the results mod p resp. mod q. */
806 /* Temporaries holding the blinded exponents for
807 * the mod p resp. mod q computation (if used). */
808 mbedtls_mpi DP_blind
, DQ_blind
;
810 /* Pointers to actual exponents to be used - either the unblinded
811 * or the blinded ones, depending on the presence of a PRNG. */
812 mbedtls_mpi
*DP
= &ctx
->DP
;
813 mbedtls_mpi
*DQ
= &ctx
->DQ
;
815 /* Temporary holding the blinded exponent (if used). */
818 /* Pointer to actual exponent to be used - either the unblinded
819 * or the blinded one, depending on the presence of a PRNG. */
820 mbedtls_mpi
*D
= &ctx
->D
;
821 #endif /* MBEDTLS_RSA_NO_CRT */
823 /* Temporaries holding the initial input and the double
824 * checked result; should be the same in the end. */
827 if( rsa_check_context( ctx
, 1 /* private key checks */,
828 f_rng
!= NULL
/* blinding y/n */ ) != 0 )
830 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
833 #if defined(MBEDTLS_THREADING_C)
834 if( ( ret
= mbedtls_mutex_lock( &ctx
->mutex
) ) != 0 )
838 /* MPI Initialization */
839 mbedtls_mpi_init( &T
);
841 mbedtls_mpi_init( &P1
);
842 mbedtls_mpi_init( &Q1
);
843 mbedtls_mpi_init( &R
);
847 #if defined(MBEDTLS_RSA_NO_CRT)
848 mbedtls_mpi_init( &D_blind
);
850 mbedtls_mpi_init( &DP_blind
);
851 mbedtls_mpi_init( &DQ_blind
);
855 #if !defined(MBEDTLS_RSA_NO_CRT)
856 mbedtls_mpi_init( &TP
); mbedtls_mpi_init( &TQ
);
859 mbedtls_mpi_init( &I
);
860 mbedtls_mpi_init( &C
);
862 /* End of MPI initialization */
864 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T
, input
, ctx
->len
) );
865 if( mbedtls_mpi_cmp_mpi( &T
, &ctx
->N
) >= 0 )
867 ret
= MBEDTLS_ERR_MPI_BAD_INPUT_DATA
;
871 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I
, &T
) );
879 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx
, f_rng
, p_rng
) );
880 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T
, &T
, &ctx
->Vi
) );
881 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T
, &ctx
->N
) );
886 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1
, &ctx
->P
, 1 ) );
887 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1
, &ctx
->Q
, 1 ) );
889 #if defined(MBEDTLS_RSA_NO_CRT)
891 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
893 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R
, RSA_EXPONENT_BLINDING
,
895 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind
, &P1
, &Q1
) );
896 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind
, &D_blind
, &R
) );
897 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind
, &D_blind
, &ctx
->D
) );
902 * DP_blind = ( P - 1 ) * R + DP
904 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R
, RSA_EXPONENT_BLINDING
,
906 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind
, &P1
, &R
) );
907 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind
, &DP_blind
,
913 * DQ_blind = ( Q - 1 ) * R + DQ
915 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R
, RSA_EXPONENT_BLINDING
,
917 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind
, &Q1
, &R
) );
918 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind
, &DQ_blind
,
922 #endif /* MBEDTLS_RSA_NO_CRT */
925 #if defined(MBEDTLS_RSA_NO_CRT)
926 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T
, &T
, D
, &ctx
->N
, &ctx
->RN
) );
929 * Faster decryption using the CRT
931 * TP = input ^ dP mod P
932 * TQ = input ^ dQ mod Q
935 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP
, &T
, DP
, &ctx
->P
, &ctx
->RP
) );
936 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ
, &T
, DQ
, &ctx
->Q
, &ctx
->RQ
) );
939 * T = (TP - TQ) * (Q^-1 mod P) mod P
941 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T
, &TP
, &TQ
) );
942 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP
, &T
, &ctx
->QP
) );
943 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &TP
, &ctx
->P
) );
948 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP
, &T
, &ctx
->Q
) );
949 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T
, &TQ
, &TP
) );
950 #endif /* MBEDTLS_RSA_NO_CRT */
958 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T
, &T
, &ctx
->Vf
) );
959 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T
, &ctx
->N
) );
962 /* Verify the result to prevent glitching attacks. */
963 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C
, &T
, &ctx
->E
,
964 &ctx
->N
, &ctx
->RN
) );
965 if( mbedtls_mpi_cmp_mpi( &C
, &I
) != 0 )
967 ret
= MBEDTLS_ERR_RSA_VERIFY_FAILED
;
972 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T
, output
, olen
) );
975 #if defined(MBEDTLS_THREADING_C)
976 if( mbedtls_mutex_unlock( &ctx
->mutex
) != 0 )
977 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
980 mbedtls_mpi_free( &P1
);
981 mbedtls_mpi_free( &Q1
);
982 mbedtls_mpi_free( &R
);
986 #if defined(MBEDTLS_RSA_NO_CRT)
987 mbedtls_mpi_free( &D_blind
);
989 mbedtls_mpi_free( &DP_blind
);
990 mbedtls_mpi_free( &DQ_blind
);
994 mbedtls_mpi_free( &T
);
996 #if !defined(MBEDTLS_RSA_NO_CRT)
997 mbedtls_mpi_free( &TP
); mbedtls_mpi_free( &TQ
);
1000 mbedtls_mpi_free( &C
);
1001 mbedtls_mpi_free( &I
);
1004 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED
+ ret
);
1009 #if defined(MBEDTLS_PKCS1_V21)
1011 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1013 * \param dst buffer to mask
1014 * \param dlen length of destination buffer
1015 * \param src source of the mask generation
1016 * \param slen length of the source buffer
1017 * \param md_ctx message digest context to use
1019 static int mgf_mask( unsigned char *dst
, size_t dlen
, unsigned char *src
,
1020 size_t slen
, mbedtls_md_context_t
*md_ctx
)
1022 unsigned char mask
[MBEDTLS_MD_MAX_SIZE
];
1023 unsigned char counter
[4];
1029 memset( mask
, 0, MBEDTLS_MD_MAX_SIZE
);
1030 memset( counter
, 0, 4 );
1032 hlen
= mbedtls_md_get_size( md_ctx
->md_info
);
1034 /* Generate and apply dbMask */
1043 if( ( ret
= mbedtls_md_starts( md_ctx
) ) != 0 )
1045 if( ( ret
= mbedtls_md_update( md_ctx
, src
, slen
) ) != 0 )
1047 if( ( ret
= mbedtls_md_update( md_ctx
, counter
, 4 ) ) != 0 )
1049 if( ( ret
= mbedtls_md_finish( md_ctx
, mask
) ) != 0 )
1052 for( i
= 0; i
< use_len
; ++i
)
1061 mbedtls_platform_zeroize( mask
, sizeof( mask
) );
1065 #endif /* MBEDTLS_PKCS1_V21 */
1067 #if defined(MBEDTLS_PKCS1_V21)
1069 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1071 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context
*ctx
,
1072 int (*f_rng
)(void *, unsigned char *, size_t),
1075 const unsigned char *label
, size_t label_len
,
1077 const unsigned char *input
,
1078 unsigned char *output
)
1082 unsigned char *p
= output
;
1084 const mbedtls_md_info_t
*md_info
;
1085 mbedtls_md_context_t md_ctx
;
1087 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
1088 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1091 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1093 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
1094 if( md_info
== NULL
)
1095 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1098 hlen
= mbedtls_md_get_size( md_info
);
1100 /* first comparison checks for overflow */
1101 if( ilen
+ 2 * hlen
+ 2 < ilen
|| olen
< ilen
+ 2 * hlen
+ 2 )
1102 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1104 memset( output
, 0, olen
);
1108 /* Generate a random octet string seed */
1109 if( ( ret
= f_rng( p_rng
, p
, hlen
) ) != 0 )
1110 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
1115 if( ( ret
= mbedtls_md( md_info
, label
, label_len
, p
) ) != 0 )
1118 p
+= olen
- 2 * hlen
- 2 - ilen
;
1120 memcpy( p
, input
, ilen
);
1122 mbedtls_md_init( &md_ctx
);
1123 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
1126 /* maskedDB: Apply dbMask to DB */
1127 if( ( ret
= mgf_mask( output
+ hlen
+ 1, olen
- hlen
- 1, output
+ 1, hlen
,
1131 /* maskedSeed: Apply seedMask to seed */
1132 if( ( ret
= mgf_mask( output
+ 1, hlen
, output
+ hlen
+ 1, olen
- hlen
- 1,
1137 mbedtls_md_free( &md_ctx
);
1142 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
1143 ? mbedtls_rsa_public( ctx
, output
, output
)
1144 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, output
, output
) );
1146 #endif /* MBEDTLS_PKCS1_V21 */
1148 #if defined(MBEDTLS_PKCS1_V15)
1150 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1152 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context
*ctx
,
1153 int (*f_rng
)(void *, unsigned char *, size_t),
1155 int mode
, size_t ilen
,
1156 const unsigned char *input
,
1157 unsigned char *output
)
1159 size_t nb_pad
, olen
;
1161 unsigned char *p
= output
;
1163 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
1164 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1166 // We don't check p_rng because it won't be dereferenced here
1167 if( f_rng
== NULL
|| input
== NULL
|| output
== NULL
)
1168 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1172 /* first comparison checks for overflow */
1173 if( ilen
+ 11 < ilen
|| olen
< ilen
+ 11 )
1174 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1176 nb_pad
= olen
- 3 - ilen
;
1179 if( mode
== MBEDTLS_RSA_PUBLIC
)
1181 *p
++ = MBEDTLS_RSA_CRYPT
;
1183 while( nb_pad
-- > 0 )
1188 ret
= f_rng( p_rng
, p
, 1 );
1189 } while( *p
== 0 && --rng_dl
&& ret
== 0 );
1191 /* Check if RNG failed to generate data */
1192 if( rng_dl
== 0 || ret
!= 0 )
1193 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
1200 *p
++ = MBEDTLS_RSA_SIGN
;
1202 while( nb_pad
-- > 0 )
1207 memcpy( p
, input
, ilen
);
1209 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
1210 ? mbedtls_rsa_public( ctx
, output
, output
)
1211 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, output
, output
) );
1213 #endif /* MBEDTLS_PKCS1_V15 */
1216 * Add the message padding, then do an RSA operation
1218 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context
*ctx
,
1219 int (*f_rng
)(void *, unsigned char *, size_t),
1221 int mode
, size_t ilen
,
1222 const unsigned char *input
,
1223 unsigned char *output
)
1225 switch( ctx
->padding
)
1227 #if defined(MBEDTLS_PKCS1_V15)
1228 case MBEDTLS_RSA_PKCS_V15
:
1229 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx
, f_rng
, p_rng
, mode
, ilen
,
1233 #if defined(MBEDTLS_PKCS1_V21)
1234 case MBEDTLS_RSA_PKCS_V21
:
1235 return mbedtls_rsa_rsaes_oaep_encrypt( ctx
, f_rng
, p_rng
, mode
, NULL
, 0,
1236 ilen
, input
, output
);
1240 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1244 #if defined(MBEDTLS_PKCS1_V21)
1246 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1248 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context
*ctx
,
1249 int (*f_rng
)(void *, unsigned char *, size_t),
1252 const unsigned char *label
, size_t label_len
,
1254 const unsigned char *input
,
1255 unsigned char *output
,
1256 size_t output_max_len
)
1259 size_t ilen
, i
, pad_len
;
1260 unsigned char *p
, bad
, pad_done
;
1261 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
1262 unsigned char lhash
[MBEDTLS_MD_MAX_SIZE
];
1264 const mbedtls_md_info_t
*md_info
;
1265 mbedtls_md_context_t md_ctx
;
1268 * Parameters sanity checks
1270 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
1271 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1275 if( ilen
< 16 || ilen
> sizeof( buf
) )
1276 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1278 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
1279 if( md_info
== NULL
)
1280 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1282 hlen
= mbedtls_md_get_size( md_info
);
1284 // checking for integer underflow
1285 if( 2 * hlen
+ 2 > ilen
)
1286 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1291 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
1292 ? mbedtls_rsa_public( ctx
, input
, buf
)
1293 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, input
, buf
);
1299 * Unmask data and generate lHash
1301 mbedtls_md_init( &md_ctx
);
1302 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
1304 mbedtls_md_free( &md_ctx
);
1308 /* seed: Apply seedMask to maskedSeed */
1309 if( ( ret
= mgf_mask( buf
+ 1, hlen
, buf
+ hlen
+ 1, ilen
- hlen
- 1,
1311 /* DB: Apply dbMask to maskedDB */
1312 ( ret
= mgf_mask( buf
+ hlen
+ 1, ilen
- hlen
- 1, buf
+ 1, hlen
,
1315 mbedtls_md_free( &md_ctx
);
1319 mbedtls_md_free( &md_ctx
);
1321 /* Generate lHash */
1322 if( ( ret
= mbedtls_md( md_info
, label
, label_len
, lhash
) ) != 0 )
1326 * Check contents, in "constant-time"
1331 bad
|= *p
++; /* First byte must be 0 */
1333 p
+= hlen
; /* Skip seed */
1336 for( i
= 0; i
< hlen
; i
++ )
1337 bad
|= lhash
[i
] ^ *p
++;
1339 /* Get zero-padding len, but always read till end of buffer
1340 * (minus one, for the 01 byte) */
1343 for( i
= 0; i
< ilen
- 2 * hlen
- 2; i
++ )
1346 pad_len
+= ((pad_done
| (unsigned char)-pad_done
) >> 7) ^ 1;
1353 * The only information "leaked" is whether the padding was correct or not
1354 * (eg, no data is copied if it was not correct). This meets the
1355 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1356 * the different error conditions.
1360 ret
= MBEDTLS_ERR_RSA_INVALID_PADDING
;
1364 if( ilen
- ( p
- buf
) > output_max_len
)
1366 ret
= MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
;
1370 *olen
= ilen
- (p
- buf
);
1371 memcpy( output
, p
, *olen
);
1375 mbedtls_platform_zeroize( buf
, sizeof( buf
) );
1376 mbedtls_platform_zeroize( lhash
, sizeof( lhash
) );
1380 #endif /* MBEDTLS_PKCS1_V21 */
1382 #if defined(MBEDTLS_PKCS1_V15)
1384 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1386 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context
*ctx
,
1387 int (*f_rng
)(void *, unsigned char *, size_t),
1389 int mode
, size_t *olen
,
1390 const unsigned char *input
,
1391 unsigned char *output
,
1392 size_t output_max_len
)
1395 size_t ilen
, pad_count
= 0, i
;
1396 unsigned char *p
, bad
, pad_done
= 0;
1397 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
1399 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
1400 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1404 if( ilen
< 16 || ilen
> sizeof( buf
) )
1405 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1407 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
1408 ? mbedtls_rsa_public( ctx
, input
, buf
)
1409 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, input
, buf
);
1418 * Check and get padding len in "constant-time"
1420 bad
|= *p
++; /* First byte must be 0 */
1422 /* This test does not depend on secret data */
1423 if( mode
== MBEDTLS_RSA_PRIVATE
)
1425 bad
|= *p
++ ^ MBEDTLS_RSA_CRYPT
;
1427 /* Get padding len, but always read till end of buffer
1428 * (minus one, for the 00 byte) */
1429 for( i
= 0; i
< ilen
- 3; i
++ )
1431 pad_done
|= ((p
[i
] | (unsigned char)-p
[i
]) >> 7) ^ 1;
1432 pad_count
+= ((pad_done
| (unsigned char)-pad_done
) >> 7) ^ 1;
1436 bad
|= *p
++; /* Must be zero */
1440 bad
|= *p
++ ^ MBEDTLS_RSA_SIGN
;
1442 /* Get padding len, but always read till end of buffer
1443 * (minus one, for the 00 byte) */
1444 for( i
= 0; i
< ilen
- 3; i
++ )
1446 pad_done
|= ( p
[i
] != 0xFF );
1447 pad_count
+= ( pad_done
== 0 );
1451 bad
|= *p
++; /* Must be zero */
1454 bad
|= ( pad_count
< 8 );
1458 ret
= MBEDTLS_ERR_RSA_INVALID_PADDING
;
1462 if( ilen
- ( p
- buf
) > output_max_len
)
1464 ret
= MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
;
1468 *olen
= ilen
- (p
- buf
);
1469 memcpy( output
, p
, *olen
);
1473 mbedtls_platform_zeroize( buf
, sizeof( buf
) );
1477 #endif /* MBEDTLS_PKCS1_V15 */
1480 * Do an RSA operation, then remove the message padding
1482 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context
*ctx
,
1483 int (*f_rng
)(void *, unsigned char *, size_t),
1485 int mode
, size_t *olen
,
1486 const unsigned char *input
,
1487 unsigned char *output
,
1488 size_t output_max_len
)
1490 switch( ctx
->padding
)
1492 #if defined(MBEDTLS_PKCS1_V15)
1493 case MBEDTLS_RSA_PKCS_V15
:
1494 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx
, f_rng
, p_rng
, mode
, olen
,
1495 input
, output
, output_max_len
);
1498 #if defined(MBEDTLS_PKCS1_V21)
1499 case MBEDTLS_RSA_PKCS_V21
:
1500 return mbedtls_rsa_rsaes_oaep_decrypt( ctx
, f_rng
, p_rng
, mode
, NULL
, 0,
1501 olen
, input
, output
,
1506 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1510 #if defined(MBEDTLS_PKCS1_V21)
1512 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1514 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context
*ctx
,
1515 int (*f_rng
)(void *, unsigned char *, size_t),
1518 mbedtls_md_type_t md_alg
,
1519 unsigned int hashlen
,
1520 const unsigned char *hash
,
1521 unsigned char *sig
)
1524 unsigned char *p
= sig
;
1525 unsigned char salt
[MBEDTLS_MD_MAX_SIZE
];
1526 unsigned int slen
, hlen
, offset
= 0;
1529 const mbedtls_md_info_t
*md_info
;
1530 mbedtls_md_context_t md_ctx
;
1532 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
1533 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1536 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1540 if( md_alg
!= MBEDTLS_MD_NONE
)
1542 /* Gather length of hash to sign */
1543 md_info
= mbedtls_md_info_from_type( md_alg
);
1544 if( md_info
== NULL
)
1545 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1547 hashlen
= mbedtls_md_get_size( md_info
);
1550 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
1551 if( md_info
== NULL
)
1552 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1554 hlen
= mbedtls_md_get_size( md_info
);
1557 if( olen
< hlen
+ slen
+ 2 )
1558 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1560 memset( sig
, 0, olen
);
1562 /* Generate salt of length slen */
1563 if( ( ret
= f_rng( p_rng
, salt
, slen
) ) != 0 )
1564 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
1566 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1567 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
1568 p
+= olen
- hlen
* 2 - 2;
1570 memcpy( p
, salt
, slen
);
1573 mbedtls_md_init( &md_ctx
);
1574 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
1577 /* Generate H = Hash( M' ) */
1578 if( ( ret
= mbedtls_md_starts( &md_ctx
) ) != 0 )
1580 if( ( ret
= mbedtls_md_update( &md_ctx
, p
, 8 ) ) != 0 )
1582 if( ( ret
= mbedtls_md_update( &md_ctx
, hash
, hashlen
) ) != 0 )
1584 if( ( ret
= mbedtls_md_update( &md_ctx
, salt
, slen
) ) != 0 )
1586 if( ( ret
= mbedtls_md_finish( &md_ctx
, p
) ) != 0 )
1589 /* Compensate for boundary condition when applying mask */
1593 /* maskedDB: Apply dbMask to DB */
1594 if( ( ret
= mgf_mask( sig
+ offset
, olen
- hlen
- 1 - offset
, p
, hlen
,
1598 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
1599 sig
[0] &= 0xFF >> ( olen
* 8 - msb
);
1604 mbedtls_platform_zeroize( salt
, sizeof( salt
) );
1607 mbedtls_md_free( &md_ctx
);
1612 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
1613 ? mbedtls_rsa_public( ctx
, sig
, sig
)
1614 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, sig
) );
1616 #endif /* MBEDTLS_PKCS1_V21 */
1618 #if defined(MBEDTLS_PKCS1_V15)
1620 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1623 /* Construct a PKCS v1.5 encoding of a hashed message
1625 * This is used both for signature generation and verification.
1628 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1629 * MBEDTLS_MD_NONE if raw data is signed.
1630 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
1631 * - hash: Buffer containing the hashed message or the raw data.
1632 * - dst_len: Length of the encoded message.
1633 * - dst: Buffer to hold the encoded message.
1636 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
1637 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
1638 * - dst points to a buffer of size at least dst_len.
1641 static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg
,
1642 unsigned int hashlen
,
1643 const unsigned char *hash
,
1645 unsigned char *dst
)
1647 size_t oid_size
= 0;
1648 size_t nb_pad
= dst_len
;
1649 unsigned char *p
= dst
;
1650 const char *oid
= NULL
;
1652 /* Are we signing hashed or raw data? */
1653 if( md_alg
!= MBEDTLS_MD_NONE
)
1655 const mbedtls_md_info_t
*md_info
= mbedtls_md_info_from_type( md_alg
);
1656 if( md_info
== NULL
)
1657 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1659 if( mbedtls_oid_get_oid_by_md( md_alg
, &oid
, &oid_size
) != 0 )
1660 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1662 hashlen
= mbedtls_md_get_size( md_info
);
1664 /* Double-check that 8 + hashlen + oid_size can be used as a
1665 * 1-byte ASN.1 length encoding and that there's no overflow. */
1666 if( 8 + hashlen
+ oid_size
>= 0x80 ||
1667 10 + hashlen
< hashlen
||
1668 10 + hashlen
+ oid_size
< 10 + hashlen
)
1669 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1672 * Static bounds check:
1673 * - Need 10 bytes for five tag-length pairs.
1674 * (Insist on 1-byte length encodings to protect against variants of
1675 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1676 * - Need hashlen bytes for hash
1677 * - Need oid_size bytes for hash alg OID.
1679 if( nb_pad
< 10 + hashlen
+ oid_size
)
1680 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1681 nb_pad
-= 10 + hashlen
+ oid_size
;
1685 if( nb_pad
< hashlen
)
1686 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1691 /* Need space for signature header and padding delimiter (3 bytes),
1692 * and 8 bytes for the minimal padding */
1693 if( nb_pad
< 3 + 8 )
1694 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1697 /* Now nb_pad is the amount of memory to be filled
1698 * with padding, and at least 8 bytes long. */
1700 /* Write signature header and padding */
1702 *p
++ = MBEDTLS_RSA_SIGN
;
1703 memset( p
, 0xFF, nb_pad
);
1707 /* Are we signing raw data? */
1708 if( md_alg
== MBEDTLS_MD_NONE
)
1710 memcpy( p
, hash
, hashlen
);
1714 /* Signing hashed data, add corresponding ASN.1 structure
1716 * DigestInfo ::= SEQUENCE {
1717 * digestAlgorithm DigestAlgorithmIdentifier,
1719 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1720 * Digest ::= OCTET STRING
1723 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1724 * TAG-NULL + LEN [ NULL ] ]
1725 * TAG-OCTET + LEN [ HASH ] ]
1727 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
1728 *p
++ = (unsigned char)( 0x08 + oid_size
+ hashlen
);
1729 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
1730 *p
++ = (unsigned char)( 0x04 + oid_size
);
1731 *p
++ = MBEDTLS_ASN1_OID
;
1732 *p
++ = (unsigned char) oid_size
;
1733 memcpy( p
, oid
, oid_size
);
1735 *p
++ = MBEDTLS_ASN1_NULL
;
1737 *p
++ = MBEDTLS_ASN1_OCTET_STRING
;
1738 *p
++ = (unsigned char) hashlen
;
1739 memcpy( p
, hash
, hashlen
);
1742 /* Just a sanity-check, should be automatic
1743 * after the initial bounds check. */
1744 if( p
!= dst
+ dst_len
)
1746 mbedtls_platform_zeroize( dst
, dst_len
);
1747 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1754 * Do an RSA operation to sign the message digest
1756 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context
*ctx
,
1757 int (*f_rng
)(void *, unsigned char *, size_t),
1760 mbedtls_md_type_t md_alg
,
1761 unsigned int hashlen
,
1762 const unsigned char *hash
,
1763 unsigned char *sig
)
1766 unsigned char *sig_try
= NULL
, *verif
= NULL
;
1768 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
1769 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1772 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1775 if( ( ret
= rsa_rsassa_pkcs1_v15_encode( md_alg
, hashlen
, hash
,
1776 ctx
->len
, sig
) ) != 0 )
1780 * Call respective RSA primitive
1783 if( mode
== MBEDTLS_RSA_PUBLIC
)
1785 /* Skip verification on a public key operation */
1786 return( mbedtls_rsa_public( ctx
, sig
, sig
) );
1789 /* Private key operation
1791 * In order to prevent Lenstra's attack, make the signature in a
1792 * temporary buffer and check it before returning it.
1795 sig_try
= mbedtls_calloc( 1, ctx
->len
);
1796 if( sig_try
== NULL
)
1797 return( MBEDTLS_ERR_MPI_ALLOC_FAILED
);
1799 verif
= mbedtls_calloc( 1, ctx
->len
);
1802 mbedtls_free( sig_try
);
1803 return( MBEDTLS_ERR_MPI_ALLOC_FAILED
);
1806 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, sig_try
) );
1807 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx
, sig_try
, verif
) );
1809 if( mbedtls_safer_memcmp( verif
, sig
, ctx
->len
) != 0 )
1811 ret
= MBEDTLS_ERR_RSA_PRIVATE_FAILED
;
1815 memcpy( sig
, sig_try
, ctx
->len
);
1818 mbedtls_free( sig_try
);
1819 mbedtls_free( verif
);
1823 #endif /* MBEDTLS_PKCS1_V15 */
1826 * Do an RSA operation to sign the message digest
1828 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context
*ctx
,
1829 int (*f_rng
)(void *, unsigned char *, size_t),
1832 mbedtls_md_type_t md_alg
,
1833 unsigned int hashlen
,
1834 const unsigned char *hash
,
1835 unsigned char *sig
)
1837 switch( ctx
->padding
)
1839 #if defined(MBEDTLS_PKCS1_V15)
1840 case MBEDTLS_RSA_PKCS_V15
:
1841 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1842 hashlen
, hash
, sig
);
1845 #if defined(MBEDTLS_PKCS1_V21)
1846 case MBEDTLS_RSA_PKCS_V21
:
1847 return mbedtls_rsa_rsassa_pss_sign( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1848 hashlen
, hash
, sig
);
1852 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1856 #if defined(MBEDTLS_PKCS1_V21)
1858 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1860 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context
*ctx
,
1861 int (*f_rng
)(void *, unsigned char *, size_t),
1864 mbedtls_md_type_t md_alg
,
1865 unsigned int hashlen
,
1866 const unsigned char *hash
,
1867 mbedtls_md_type_t mgf1_hash_id
,
1868 int expected_salt_len
,
1869 const unsigned char *sig
)
1874 unsigned char *hash_start
;
1875 unsigned char result
[MBEDTLS_MD_MAX_SIZE
];
1876 unsigned char zeros
[8];
1878 size_t observed_salt_len
, msb
;
1879 const mbedtls_md_info_t
*md_info
;
1880 mbedtls_md_context_t md_ctx
;
1881 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
1883 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
1884 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1888 if( siglen
< 16 || siglen
> sizeof( buf
) )
1889 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1891 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
1892 ? mbedtls_rsa_public( ctx
, sig
, buf
)
1893 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, buf
);
1900 if( buf
[siglen
- 1] != 0xBC )
1901 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1903 if( md_alg
!= MBEDTLS_MD_NONE
)
1905 /* Gather length of hash to sign */
1906 md_info
= mbedtls_md_info_from_type( md_alg
);
1907 if( md_info
== NULL
)
1908 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1910 hashlen
= mbedtls_md_get_size( md_info
);
1913 md_info
= mbedtls_md_info_from_type( mgf1_hash_id
);
1914 if( md_info
== NULL
)
1915 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1917 hlen
= mbedtls_md_get_size( md_info
);
1919 memset( zeros
, 0, 8 );
1922 * Note: EMSA-PSS verification is over the length of N - 1 bits
1924 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
1926 if( buf
[0] >> ( 8 - siglen
* 8 + msb
) )
1927 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1929 /* Compensate for boundary condition when applying mask */
1936 if( siglen
< hlen
+ 2 )
1937 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1938 hash_start
= p
+ siglen
- hlen
- 1;
1940 mbedtls_md_init( &md_ctx
);
1941 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
1944 ret
= mgf_mask( p
, siglen
- hlen
- 1, hash_start
, hlen
, &md_ctx
);
1948 buf
[0] &= 0xFF >> ( siglen
* 8 - msb
);
1950 while( p
< hash_start
- 1 && *p
== 0 )
1955 ret
= MBEDTLS_ERR_RSA_INVALID_PADDING
;
1959 observed_salt_len
= hash_start
- p
;
1961 if( expected_salt_len
!= MBEDTLS_RSA_SALT_LEN_ANY
&&
1962 observed_salt_len
!= (size_t) expected_salt_len
)
1964 ret
= MBEDTLS_ERR_RSA_INVALID_PADDING
;
1969 * Generate H = Hash( M' )
1971 ret
= mbedtls_md_starts( &md_ctx
);
1974 ret
= mbedtls_md_update( &md_ctx
, zeros
, 8 );
1977 ret
= mbedtls_md_update( &md_ctx
, hash
, hashlen
);
1980 ret
= mbedtls_md_update( &md_ctx
, p
, observed_salt_len
);
1983 ret
= mbedtls_md_finish( &md_ctx
, result
);
1987 if( memcmp( hash_start
, result
, hlen
) != 0 )
1989 ret
= MBEDTLS_ERR_RSA_VERIFY_FAILED
;
1994 mbedtls_md_free( &md_ctx
);
2000 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2002 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context
*ctx
,
2003 int (*f_rng
)(void *, unsigned char *, size_t),
2006 mbedtls_md_type_t md_alg
,
2007 unsigned int hashlen
,
2008 const unsigned char *hash
,
2009 const unsigned char *sig
)
2011 mbedtls_md_type_t mgf1_hash_id
= ( ctx
->hash_id
!= MBEDTLS_MD_NONE
)
2012 ? (mbedtls_md_type_t
) ctx
->hash_id
2015 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx
, f_rng
, p_rng
, mode
,
2016 md_alg
, hashlen
, hash
,
2017 mgf1_hash_id
, MBEDTLS_RSA_SALT_LEN_ANY
,
2021 #endif /* MBEDTLS_PKCS1_V21 */
2023 #if defined(MBEDTLS_PKCS1_V15)
2025 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2027 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context
*ctx
,
2028 int (*f_rng
)(void *, unsigned char *, size_t),
2031 mbedtls_md_type_t md_alg
,
2032 unsigned int hashlen
,
2033 const unsigned char *hash
,
2034 const unsigned char *sig
)
2037 const size_t sig_len
= ctx
->len
;
2038 unsigned char *encoded
= NULL
, *encoded_expected
= NULL
;
2040 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
2041 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
2044 * Prepare expected PKCS1 v1.5 encoding of hash.
2047 if( ( encoded
= mbedtls_calloc( 1, sig_len
) ) == NULL
||
2048 ( encoded_expected
= mbedtls_calloc( 1, sig_len
) ) == NULL
)
2050 ret
= MBEDTLS_ERR_MPI_ALLOC_FAILED
;
2054 if( ( ret
= rsa_rsassa_pkcs1_v15_encode( md_alg
, hashlen
, hash
, sig_len
,
2055 encoded_expected
) ) != 0 )
2059 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2062 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
2063 ? mbedtls_rsa_public( ctx
, sig
, encoded
)
2064 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, encoded
);
2072 if( ( ret
= mbedtls_safer_memcmp( encoded
, encoded_expected
,
2075 ret
= MBEDTLS_ERR_RSA_VERIFY_FAILED
;
2081 if( encoded
!= NULL
)
2083 mbedtls_platform_zeroize( encoded
, sig_len
);
2084 mbedtls_free( encoded
);
2087 if( encoded_expected
!= NULL
)
2089 mbedtls_platform_zeroize( encoded_expected
, sig_len
);
2090 mbedtls_free( encoded_expected
);
2095 #endif /* MBEDTLS_PKCS1_V15 */
2098 * Do an RSA operation and check the message digest
2100 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context
*ctx
,
2101 int (*f_rng
)(void *, unsigned char *, size_t),
2104 mbedtls_md_type_t md_alg
,
2105 unsigned int hashlen
,
2106 const unsigned char *hash
,
2107 const unsigned char *sig
)
2109 switch( ctx
->padding
)
2111 #if defined(MBEDTLS_PKCS1_V15)
2112 case MBEDTLS_RSA_PKCS_V15
:
2113 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx
, f_rng
, p_rng
, mode
, md_alg
,
2114 hashlen
, hash
, sig
);
2117 #if defined(MBEDTLS_PKCS1_V21)
2118 case MBEDTLS_RSA_PKCS_V21
:
2119 return mbedtls_rsa_rsassa_pss_verify( ctx
, f_rng
, p_rng
, mode
, md_alg
,
2120 hashlen
, hash
, sig
);
2124 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
2129 * Copy the components of an RSA key
2131 int mbedtls_rsa_copy( mbedtls_rsa_context
*dst
, const mbedtls_rsa_context
*src
)
2135 dst
->ver
= src
->ver
;
2136 dst
->len
= src
->len
;
2138 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->N
, &src
->N
) );
2139 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->E
, &src
->E
) );
2141 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->D
, &src
->D
) );
2142 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->P
, &src
->P
) );
2143 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Q
, &src
->Q
) );
2145 #if !defined(MBEDTLS_RSA_NO_CRT)
2146 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->DP
, &src
->DP
) );
2147 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->DQ
, &src
->DQ
) );
2148 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->QP
, &src
->QP
) );
2149 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RP
, &src
->RP
) );
2150 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RQ
, &src
->RQ
) );
2153 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RN
, &src
->RN
) );
2155 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Vi
, &src
->Vi
) );
2156 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Vf
, &src
->Vf
) );
2158 dst
->padding
= src
->padding
;
2159 dst
->hash_id
= src
->hash_id
;
2163 mbedtls_rsa_free( dst
);
2169 * Free the components of an RSA key
2171 void mbedtls_rsa_free( mbedtls_rsa_context
*ctx
)
2173 mbedtls_mpi_free( &ctx
->Vi
); mbedtls_mpi_free( &ctx
->Vf
);
2174 mbedtls_mpi_free( &ctx
->RN
); mbedtls_mpi_free( &ctx
->D
);
2175 mbedtls_mpi_free( &ctx
->Q
); mbedtls_mpi_free( &ctx
->P
);
2176 mbedtls_mpi_free( &ctx
->E
); mbedtls_mpi_free( &ctx
->N
);
2178 #if !defined(MBEDTLS_RSA_NO_CRT)
2179 mbedtls_mpi_free( &ctx
->RQ
); mbedtls_mpi_free( &ctx
->RP
);
2180 mbedtls_mpi_free( &ctx
->QP
); mbedtls_mpi_free( &ctx
->DQ
);
2181 mbedtls_mpi_free( &ctx
->DP
);
2182 #endif /* MBEDTLS_RSA_NO_CRT */
2184 #if defined(MBEDTLS_THREADING_C)
2185 mbedtls_mutex_free( &ctx
->mutex
);
2189 #endif /* !MBEDTLS_RSA_ALT */
2191 #if defined(MBEDTLS_SELF_TEST)
2193 #include "mbedtls/sha1.h"
2196 * Example RSA-1024 keypair, for test purposes
2200 #define RSA_N "9292758453063D803DD603D5E777D788" \
2201 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2202 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2203 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2204 "93A89813FBF3C4F8066D2D800F7C38A8" \
2205 "1AE31942917403FF4946B0A83D3D3E05" \
2206 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2207 "5E94BB77B07507233A0BC7BAC8F90F79"
2209 #define RSA_E "10001"
2211 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2212 "66CA472BC44D253102F8B4A9D3BFA750" \
2213 "91386C0077937FE33FA3252D28855837" \
2214 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2215 "DF79C5CE07EE72C7F123142198164234" \
2216 "CABB724CF78B8173B9F880FC86322407" \
2217 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2218 "071513A1E85B5DFA031F21ECAE91A34D"
2220 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2221 "2C01CAD19EA484A87EA4377637E75500" \
2222 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2223 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2225 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2226 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2227 "910E4168387E3C30AA1E00C339A79508" \
2228 "8452DD96A9A5EA5D9DCA68DA636032AF"
2231 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2232 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2234 #if defined(MBEDTLS_PKCS1_V15)
2235 static int myrand( void *rng_state
, unsigned char *output
, size_t len
)
2237 #if !defined(__OpenBSD__)
2240 if( rng_state
!= NULL
)
2243 for( i
= 0; i
< len
; ++i
)
2246 if( rng_state
!= NULL
)
2249 arc4random_buf( output
, len
);
2250 #endif /* !OpenBSD */
2254 #endif /* MBEDTLS_PKCS1_V15 */
2259 int mbedtls_rsa_self_test( int verbose
)
2262 #if defined(MBEDTLS_PKCS1_V15)
2264 mbedtls_rsa_context rsa
;
2265 unsigned char rsa_plaintext
[PT_LEN
];
2266 unsigned char rsa_decrypted
[PT_LEN
];
2267 unsigned char rsa_ciphertext
[KEY_LEN
];
2268 #if defined(MBEDTLS_SHA1_C)
2269 unsigned char sha1sum
[20];
2274 mbedtls_mpi_init( &K
);
2275 mbedtls_rsa_init( &rsa
, MBEDTLS_RSA_PKCS_V15
, 0 );
2277 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K
, 16, RSA_N
) );
2278 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa
, &K
, NULL
, NULL
, NULL
, NULL
) );
2279 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K
, 16, RSA_P
) );
2280 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa
, NULL
, &K
, NULL
, NULL
, NULL
) );
2281 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K
, 16, RSA_Q
) );
2282 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa
, NULL
, NULL
, &K
, NULL
, NULL
) );
2283 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K
, 16, RSA_D
) );
2284 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa
, NULL
, NULL
, NULL
, &K
, NULL
) );
2285 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K
, 16, RSA_E
) );
2286 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa
, NULL
, NULL
, NULL
, NULL
, &K
) );
2288 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa
) );
2291 mbedtls_printf( " RSA key validation: " );
2293 if( mbedtls_rsa_check_pubkey( &rsa
) != 0 ||
2294 mbedtls_rsa_check_privkey( &rsa
) != 0 )
2297 mbedtls_printf( "failed\n" );
2304 mbedtls_printf( "passed\n PKCS#1 encryption : " );
2306 memcpy( rsa_plaintext
, RSA_PT
, PT_LEN
);
2308 if( mbedtls_rsa_pkcs1_encrypt( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PUBLIC
,
2309 PT_LEN
, rsa_plaintext
,
2310 rsa_ciphertext
) != 0 )
2313 mbedtls_printf( "failed\n" );
2320 mbedtls_printf( "passed\n PKCS#1 decryption : " );
2322 if( mbedtls_rsa_pkcs1_decrypt( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PRIVATE
,
2323 &len
, rsa_ciphertext
, rsa_decrypted
,
2324 sizeof(rsa_decrypted
) ) != 0 )
2327 mbedtls_printf( "failed\n" );
2333 if( memcmp( rsa_decrypted
, rsa_plaintext
, len
) != 0 )
2336 mbedtls_printf( "failed\n" );
2343 mbedtls_printf( "passed\n" );
2345 #if defined(MBEDTLS_SHA1_C)
2347 mbedtls_printf( " PKCS#1 data sign : " );
2349 if( mbedtls_sha1_ret( rsa_plaintext
, PT_LEN
, sha1sum
) != 0 )
2352 mbedtls_printf( "failed\n" );
2357 if( mbedtls_rsa_pkcs1_sign( &rsa
, myrand
, NULL
,
2358 MBEDTLS_RSA_PRIVATE
, MBEDTLS_MD_SHA1
, 0,
2359 sha1sum
, rsa_ciphertext
) != 0 )
2362 mbedtls_printf( "failed\n" );
2369 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
2371 if( mbedtls_rsa_pkcs1_verify( &rsa
, NULL
, NULL
,
2372 MBEDTLS_RSA_PUBLIC
, MBEDTLS_MD_SHA1
, 0,
2373 sha1sum
, rsa_ciphertext
) != 0 )
2376 mbedtls_printf( "failed\n" );
2383 mbedtls_printf( "passed\n" );
2384 #endif /* MBEDTLS_SHA1_C */
2387 mbedtls_printf( "\n" );
2390 mbedtls_mpi_free( &K
);
2391 mbedtls_rsa_free( &rsa
);
2392 #else /* MBEDTLS_PKCS1_V15 */
2394 #endif /* MBEDTLS_PKCS1_V15 */
2398 #endif /* MBEDTLS_SELF_TEST */
2400 #endif /* MBEDTLS_RSA_C */