Context Navigation

rsa.c

Last change on this file was 20366, checked in by Itms, 7 years ago

Alpha 12 version of Premake 5, including prebuilt binary for Windows.
Directly taken from https://premake.github.io/.

File size: 49.3 KB

Line
1	/*
2	* The RSA public-key cryptosystem
3	*
4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5	* SPDX-License-Identifier: Apache-2.0
6	*
7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
8	* not use this file except in compliance with the License.
9	* You may obtain a copy of the License at
10	*
11	* http://www.apache.org/licenses/LICENSE-2.0
12	*
13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and
17	* limitations under the License.
18	*
19	* This file is part of mbed TLS (https://tls.mbed.org)
20	*/
21	/*
22	* RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
23	*
24	* http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
25	* http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
26	*/
27
28	#if !defined(MBEDTLS_CONFIG_FILE)
29	#include "mbedtls/config.h"
30	#else
31	#include MBEDTLS_CONFIG_FILE
32	#endif
33
34	#if defined(MBEDTLS_RSA_C)
35
36	#include "mbedtls/rsa.h"
37	#include "mbedtls/oid.h"
38
39	#include <string.h>
40
41	#if defined(MBEDTLS_PKCS1_V21)
42	#include "mbedtls/md.h"
43	#endif
44
45	#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
46	#include <stdlib.h>
47	#endif
48
49	#if defined(MBEDTLS_PLATFORM_C)
50	#include "mbedtls/platform.h"
51	#else
52	#include <stdio.h>
53	#define mbedtls_printf printf
54	#define mbedtls_calloc calloc
55	#define mbedtls_free free
56	#endif
57
58	/*
59	* Initialize an RSA context
60	*/
61	void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
62	int padding,
63	int hash_id )
64	{
65	memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
66
67	mbedtls_rsa_set_padding( ctx, padding, hash_id );
68
69	#if defined(MBEDTLS_THREADING_C)
70	mbedtls_mutex_init( &ctx->mutex );
71	#endif
72	}
73
74	/*
75	* Set padding for an existing RSA context
76	*/
77	void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
78	{
79	ctx->padding = padding;
80	ctx->hash_id = hash_id;
81	}
82
83	#if defined(MBEDTLS_GENPRIME)
84
85	/*
86	* Generate an RSA keypair
87	*/
88	int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
89	int (f_rng)(void , unsigned char *, size_t),
90	void *p_rng,
91	unsigned int nbits, int exponent )
92	{
93	int ret;
94	mbedtls_mpi P1, Q1, H, G;
95
96	if( f_rng == NULL \|\| nbits < 128 \|\| exponent < 3 )
97	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
98
99	mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
100
101	/*
102	* find primes P and Q with Q < P so that:
103	* GCD( E, (P-1)*(Q-1) ) == 1
104	*/
105	MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
106
107	do
108	{
109	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
110	f_rng, p_rng ) );
111
112	MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
113	f_rng, p_rng ) );
114
115	if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
116	mbedtls_mpi_swap( &ctx->P, &ctx->Q );
117
118	if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
119	continue;
120
121	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
122	if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
123	continue;
124
125	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
126	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
127	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
128	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
129	}
130	while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
131
132	/*
133	* D = E^-1 mod ((P-1)*(Q-1))
134	* DP = D mod (P - 1)
135	* DQ = D mod (Q - 1)
136	* QP = Q^-1 mod P
137	*/
138	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
139	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
140	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
141	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
142
143	ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
144
145	cleanup:
146
147	mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
148
149	if( ret != 0 )
150	{
151	mbedtls_rsa_free( ctx );
152	return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
153	}
154
155	return( 0 );
156	}
157
158	#endif /* MBEDTLS_GENPRIME */
159
160	/*
161	* Check a public RSA key
162	*/
163	int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
164	{
165	if( !ctx->N.p \|\| !ctx->E.p )
166	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
167
168	if( ( ctx->N.p[0] & 1 ) == 0 \|\|
169	( ctx->E.p[0] & 1 ) == 0 )
170	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
171
172	if( mbedtls_mpi_bitlen( &ctx->N ) < 128 \|\|
173	mbedtls_mpi_bitlen( &ctx->N ) > MBEDTLS_MPI_MAX_BITS )
174	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
175
176	if( mbedtls_mpi_bitlen( &ctx->E ) < 2 \|\|
177	mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
178	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
179
180	return( 0 );
181	}
182
183	/*
184	* Check a private RSA key
185	*/
186	int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
187	{
188	int ret;
189	mbedtls_mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
190
191	if( ( ret = mbedtls_rsa_check_pubkey( ctx ) ) != 0 )
192	return( ret );
193
194	if( !ctx->P.p \|\| !ctx->Q.p \|\| !ctx->D.p )
195	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
196
197	mbedtls_mpi_init( &PQ ); mbedtls_mpi_init( &DE ); mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
198	mbedtls_mpi_init( &H ); mbedtls_mpi_init( &I ); mbedtls_mpi_init( &G ); mbedtls_mpi_init( &G2 );
199	mbedtls_mpi_init( &L1 ); mbedtls_mpi_init( &L2 ); mbedtls_mpi_init( &DP ); mbedtls_mpi_init( &DQ );
200	mbedtls_mpi_init( &QP );
201
202	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
203	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
204	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
205	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
206	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
207	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
208
209	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2, &P1, &Q1 ) );
210	MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );
211	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I, &DE, &L1 ) );
212
213	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
214	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
215	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
216	/*
217	* Check for a valid PKCS1v2 private key
218	*/
219	if( mbedtls_mpi_cmp_mpi( &PQ, &ctx->N ) != 0 \|\|
220	mbedtls_mpi_cmp_mpi( &DP, &ctx->DP ) != 0 \|\|
221	mbedtls_mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 \|\|
222	mbedtls_mpi_cmp_mpi( &QP, &ctx->QP ) != 0 \|\|
223	mbedtls_mpi_cmp_int( &L2, 0 ) != 0 \|\|
224	mbedtls_mpi_cmp_int( &I, 1 ) != 0 \|\|
225	mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
226	{
227	ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
228	}
229
230	cleanup:
231	mbedtls_mpi_free( &PQ ); mbedtls_mpi_free( &DE ); mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 );
232	mbedtls_mpi_free( &H ); mbedtls_mpi_free( &I ); mbedtls_mpi_free( &G ); mbedtls_mpi_free( &G2 );
233	mbedtls_mpi_free( &L1 ); mbedtls_mpi_free( &L2 ); mbedtls_mpi_free( &DP ); mbedtls_mpi_free( &DQ );
234	mbedtls_mpi_free( &QP );
235
236	if( ret == MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
237	return( ret );
238
239	if( ret != 0 )
240	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED + ret );
241
242	return( 0 );
243	}
244
245	/*
246	* Check if contexts holding a public and private key match
247	*/
248	int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context pub, const mbedtls_rsa_context prv )
249	{
250	if( mbedtls_rsa_check_pubkey( pub ) != 0 \|\|
251	mbedtls_rsa_check_privkey( prv ) != 0 )
252	{
253	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
254	}
255
256	if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 \|\|
257	mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
258	{
259	return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
260	}
261
262	return( 0 );
263	}
264
265	/*
266	* Do an RSA public key operation
267	*/
268	int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
269	const unsigned char *input,
270	unsigned char *output )
271	{
272	int ret;
273	size_t olen;
274	mbedtls_mpi T;
275
276	mbedtls_mpi_init( &T );
277
278	#if defined(MBEDTLS_THREADING_C)
279	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
280	return( ret );
281	#endif
282
283	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
284
285	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
286	{
287	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
288	goto cleanup;
289	}
290
291	olen = ctx->len;
292	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
293	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
294
295	cleanup:
296	#if defined(MBEDTLS_THREADING_C)
297	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
298	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
299	#endif
300
301	mbedtls_mpi_free( &T );
302
303	if( ret != 0 )
304	return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
305
306	return( 0 );
307	}
308
309	/*
310	* Generate or update blinding values, see section 10 of:
311	* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
312	* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
313	* Berlin Heidelberg, 1996. p. 104-113.
314	*/
315	static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
316	int (f_rng)(void , unsigned char , size_t), void p_rng )
317	{
318	int ret, count = 0;
319
320	if( ctx->Vf.p != NULL )
321	{
322	/* We already have blinding values, just update them by squaring */
323	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
324	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
325	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
326	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
327
328	goto cleanup;
329	}
330
331	/* Unblinding value: Vf = random number, invertible mod N */
332	do {
333	if( count++ > 10 )
334	return( MBEDTLS_ERR_RSA_RNG_FAILED );
335
336	MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
337	MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
338	} while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
339
340	/* Blinding value: Vi = Vf^(-e) mod N */
341	MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
342	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
343
344
345	cleanup:
346	return( ret );
347	}
348
349	/*
350	* Do an RSA private key operation
351	*/
352	int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
353	int (f_rng)(void , unsigned char *, size_t),
354	void *p_rng,
355	const unsigned char *input,
356	unsigned char *output )
357	{
358	int ret;
359	size_t olen;
360	mbedtls_mpi T, T1, T2;
361
362	/* Make sure we have private key info, prevent possible misuse */
363	if( ctx->P.p == NULL \|\| ctx->Q.p == NULL \|\| ctx->D.p == NULL )
364	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
365
366	mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
367
368	#if defined(MBEDTLS_THREADING_C)
369	if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
370	return( ret );
371	#endif
372
373	MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
374	if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
375	{
376	ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
377	goto cleanup;
378	}
379
380	if( f_rng != NULL )
381	{
382	/*
383	* Blinding
384	* T = T * Vi mod N
385	*/
386	MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
387	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
388	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
389	}
390
391	#if defined(MBEDTLS_RSA_NO_CRT)
392	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
393	#else
394	/*
395	* faster decryption using the CRT
396	*
397	* T1 = input ^ dP mod P
398	* T2 = input ^ dQ mod Q
399	*/
400	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
401	MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
402
403	/*
404	* T = (T1 - T2) * (Q^-1 mod P) mod P
405	*/
406	MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &T1, &T2 ) );
407	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->QP ) );
408	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T1, &ctx->P ) );
409
410	/*
411	* T = T2 + T * Q
412	*/
413	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1, &T, &ctx->Q ) );
414	MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &T2, &T1 ) );
415	#endif /* MBEDTLS_RSA_NO_CRT */
416
417	if( f_rng != NULL )
418	{
419	/*
420	* Unblind
421	* T = T * Vf mod N
422	*/
423	MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
424	MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
425	}
426
427	olen = ctx->len;
428	MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
429
430	cleanup:
431	#if defined(MBEDTLS_THREADING_C)
432	if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
433	return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
434	#endif
435
436	mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
437
438	if( ret != 0 )
439	return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
440
441	return( 0 );
442	}
443
444	#if defined(MBEDTLS_PKCS1_V21)
445	/**
446	* Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
447	*
448	* \param dst buffer to mask
449	* \param dlen length of destination buffer
450	* \param src source of the mask generation
451	* \param slen length of the source buffer
452	* \param md_ctx message digest context to use
453	*/
454	static void mgf_mask( unsigned char dst, size_t dlen, unsigned char src,
455	size_t slen, mbedtls_md_context_t *md_ctx )
456	{
457	unsigned char mask[MBEDTLS_MD_MAX_SIZE];
458	unsigned char counter[4];
459	unsigned char *p;
460	unsigned int hlen;
461	size_t i, use_len;
462
463	memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
464	memset( counter, 0, 4 );
465
466	hlen = mbedtls_md_get_size( md_ctx->md_info );
467
468	// Generate and apply dbMask
469	//
470	p = dst;
471
472	while( dlen > 0 )
473	{
474	use_len = hlen;
475	if( dlen < hlen )
476	use_len = dlen;
477
478	mbedtls_md_starts( md_ctx );
479	mbedtls_md_update( md_ctx, src, slen );
480	mbedtls_md_update( md_ctx, counter, 4 );
481	mbedtls_md_finish( md_ctx, mask );
482
483	for( i = 0; i < use_len; ++i )
484	*p++ ^= mask[i];
485
486	counter[3]++;
487
488	dlen -= use_len;
489	}
490	}
491	#endif /* MBEDTLS_PKCS1_V21 */
492
493	#if defined(MBEDTLS_PKCS1_V21)
494	/*
495	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
496	*/
497	int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
498	int (f_rng)(void , unsigned char *, size_t),
499	void *p_rng,
500	int mode,
501	const unsigned char *label, size_t label_len,
502	size_t ilen,
503	const unsigned char *input,
504	unsigned char *output )
505	{
506	size_t olen;
507	int ret;
508	unsigned char *p = output;
509	unsigned int hlen;
510	const mbedtls_md_info_t *md_info;
511	mbedtls_md_context_t md_ctx;
512
513	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
514	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
515
516	if( f_rng == NULL )
517	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
518
519	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
520	if( md_info == NULL )
521	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
522
523	olen = ctx->len;
524	hlen = mbedtls_md_get_size( md_info );
525
526	if( olen < ilen + 2 * hlen + 2 )
527	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
528
529	memset( output, 0, olen );
530
531	*p++ = 0;
532
533	// Generate a random octet string seed
534	//
535	if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
536	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
537
538	p += hlen;
539
540	// Construct DB
541	//
542	mbedtls_md( md_info, label, label_len, p );
543	p += hlen;
544	p += olen - 2 * hlen - 2 - ilen;
545	*p++ = 1;
546	memcpy( p, input, ilen );
547
548	mbedtls_md_init( &md_ctx );
549	mbedtls_md_setup( &md_ctx, md_info, 0 );
550
551	// maskedDB: Apply dbMask to DB
552	//
553	mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
554	&md_ctx );
555
556	// maskedSeed: Apply seedMask to seed
557	//
558	mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
559	&md_ctx );
560
561	mbedtls_md_free( &md_ctx );
562
563	return( ( mode == MBEDTLS_RSA_PUBLIC )
564	? mbedtls_rsa_public( ctx, output, output )
565	: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
566	}
567	#endif /* MBEDTLS_PKCS1_V21 */
568
569	#if defined(MBEDTLS_PKCS1_V15)
570	/*
571	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
572	*/
573	int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
574	int (f_rng)(void , unsigned char *, size_t),
575	void *p_rng,
576	int mode, size_t ilen,
577	const unsigned char *input,
578	unsigned char *output )
579	{
580	size_t nb_pad, olen;
581	int ret;
582	unsigned char *p = output;
583
584	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
585	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
586
587	if( f_rng == NULL )
588	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
589
590	olen = ctx->len;
591
592	if( olen < ilen + 11 )
593	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
594
595	nb_pad = olen - 3 - ilen;
596
597	*p++ = 0;
598	if( mode == MBEDTLS_RSA_PUBLIC )
599	{
600	*p++ = MBEDTLS_RSA_CRYPT;
601
602	while( nb_pad-- > 0 )
603	{
604	int rng_dl = 100;
605
606	do {
607	ret = f_rng( p_rng, p, 1 );
608	} while( *p == 0 && --rng_dl && ret == 0 );
609
610	// Check if RNG failed to generate data
611	//
612	if( rng_dl == 0 \|\| ret != 0 )
613	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
614
615	p++;
616	}
617	}
618	else
619	{
620	*p++ = MBEDTLS_RSA_SIGN;
621
622	while( nb_pad-- > 0 )
623	*p++ = 0xFF;
624	}
625
626	*p++ = 0;
627	memcpy( p, input, ilen );
628
629	return( ( mode == MBEDTLS_RSA_PUBLIC )
630	? mbedtls_rsa_public( ctx, output, output )
631	: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
632	}
633	#endif /* MBEDTLS_PKCS1_V15 */
634
635	/*
636	* Add the message padding, then do an RSA operation
637	*/
638	int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
639	int (f_rng)(void , unsigned char *, size_t),
640	void *p_rng,
641	int mode, size_t ilen,
642	const unsigned char *input,
643	unsigned char *output )
644	{
645	switch( ctx->padding )
646	{
647	#if defined(MBEDTLS_PKCS1_V15)
648	case MBEDTLS_RSA_PKCS_V15:
649	return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
650	input, output );
651	#endif
652
653	#if defined(MBEDTLS_PKCS1_V21)
654	case MBEDTLS_RSA_PKCS_V21:
655	return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
656	ilen, input, output );
657	#endif
658
659	default:
660	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
661	}
662	}
663
664	#if defined(MBEDTLS_PKCS1_V21)
665	/*
666	* Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
667	*/
668	int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
669	int (f_rng)(void , unsigned char *, size_t),
670	void *p_rng,
671	int mode,
672	const unsigned char *label, size_t label_len,
673	size_t *olen,
674	const unsigned char *input,
675	unsigned char *output,
676	size_t output_max_len )
677	{
678	int ret;
679	size_t ilen, i, pad_len;
680	unsigned char *p, bad, pad_done;
681	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
682	unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
683	unsigned int hlen;
684	const mbedtls_md_info_t *md_info;
685	mbedtls_md_context_t md_ctx;
686
687	/*
688	* Parameters sanity checks
689	*/
690	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
691	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
692
693	ilen = ctx->len;
694
695	if( ilen < 16 \|\| ilen > sizeof( buf ) )
696	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
697
698	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
699	if( md_info == NULL )
700	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
701
702	/*
703	* RSA operation
704	*/
705	ret = ( mode == MBEDTLS_RSA_PUBLIC )
706	? mbedtls_rsa_public( ctx, input, buf )
707	: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
708
709	if( ret != 0 )
710	return( ret );
711
712	/*
713	* Unmask data and generate lHash
714	*/
715	hlen = mbedtls_md_get_size( md_info );
716
717	mbedtls_md_init( &md_ctx );
718	mbedtls_md_setup( &md_ctx, md_info, 0 );
719
720	/* Generate lHash */
721	mbedtls_md( md_info, label, label_len, lhash );
722
723	/* seed: Apply seedMask to maskedSeed */
724	mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
725	&md_ctx );
726
727	/* DB: Apply dbMask to maskedDB */
728	mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
729	&md_ctx );
730
731	mbedtls_md_free( &md_ctx );
732
733	/*
734	* Check contents, in "constant-time"
735	*/
736	p = buf;
737	bad = 0;
738
739	bad \|= p++; / First byte must be 0 */
740
741	p += hlen; /* Skip seed */
742
743	/* Check lHash */
744	for( i = 0; i < hlen; i++ )
745	bad \|= lhash[i] ^ *p++;
746
747	/* Get zero-padding len, but always read till end of buffer
748	* (minus one, for the 01 byte) */
749	pad_len = 0;
750	pad_done = 0;
751	for( i = 0; i < ilen - 2 * hlen - 2; i++ )
752	{
753	pad_done \|= p[i];
754	pad_len += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
755	}
756
757	p += pad_len;
758	bad \|= *p++ ^ 0x01;
759
760	/*
761	* The only information "leaked" is whether the padding was correct or not
762	* (eg, no data is copied if it was not correct). This meets the
763	* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
764	* the different error conditions.
765	*/
766	if( bad != 0 )
767	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
768
769	if( ilen - ( p - buf ) > output_max_len )
770	return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
771
772	*olen = ilen - (p - buf);
773	memcpy( output, p, *olen );
774
775	return( 0 );
776	}
777	#endif /* MBEDTLS_PKCS1_V21 */
778
779	#if defined(MBEDTLS_PKCS1_V15)
780	/*
781	* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
782	*/
783	int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
784	int (f_rng)(void , unsigned char *, size_t),
785	void *p_rng,
786	int mode, size_t *olen,
787	const unsigned char *input,
788	unsigned char *output,
789	size_t output_max_len)
790	{
791	int ret;
792	size_t ilen, pad_count = 0, i;
793	unsigned char *p, bad, pad_done = 0;
794	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
795
796	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
797	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
798
799	ilen = ctx->len;
800
801	if( ilen < 16 \|\| ilen > sizeof( buf ) )
802	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
803
804	ret = ( mode == MBEDTLS_RSA_PUBLIC )
805	? mbedtls_rsa_public( ctx, input, buf )
806	: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
807
808	if( ret != 0 )
809	return( ret );
810
811	p = buf;
812	bad = 0;
813
814	/*
815	* Check and get padding len in "constant-time"
816	*/
817	bad \|= p++; / First byte must be 0 */
818
819	/* This test does not depend on secret data */
820	if( mode == MBEDTLS_RSA_PRIVATE )
821	{
822	bad \|= *p++ ^ MBEDTLS_RSA_CRYPT;
823
824	/* Get padding len, but always read till end of buffer
825	* (minus one, for the 00 byte) */
826	for( i = 0; i < ilen - 3; i++ )
827	{
828	pad_done \|= ((p[i] \| (unsigned char)-p[i]) >> 7) ^ 1;
829	pad_count += ((pad_done \| (unsigned char)-pad_done) >> 7) ^ 1;
830	}
831
832	p += pad_count;
833	bad \|= p++; / Must be zero */
834	}
835	else
836	{
837	bad \|= *p++ ^ MBEDTLS_RSA_SIGN;
838
839	/* Get padding len, but always read till end of buffer
840	* (minus one, for the 00 byte) */
841	for( i = 0; i < ilen - 3; i++ )
842	{
843	pad_done \|= ( p[i] != 0xFF );
844	pad_count += ( pad_done == 0 );
845	}
846
847	p += pad_count;
848	bad \|= p++; / Must be zero */
849	}
850
851	if( bad )
852	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
853
854	if( ilen - ( p - buf ) > output_max_len )
855	return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
856
857	*olen = ilen - (p - buf);
858	memcpy( output, p, *olen );
859
860	return( 0 );
861	}
862	#endif /* MBEDTLS_PKCS1_V15 */
863
864	/*
865	* Do an RSA operation, then remove the message padding
866	*/
867	int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
868	int (f_rng)(void , unsigned char *, size_t),
869	void *p_rng,
870	int mode, size_t *olen,
871	const unsigned char *input,
872	unsigned char *output,
873	size_t output_max_len)
874	{
875	switch( ctx->padding )
876	{
877	#if defined(MBEDTLS_PKCS1_V15)
878	case MBEDTLS_RSA_PKCS_V15:
879	return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
880	input, output, output_max_len );
881	#endif
882
883	#if defined(MBEDTLS_PKCS1_V21)
884	case MBEDTLS_RSA_PKCS_V21:
885	return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
886	olen, input, output,
887	output_max_len );
888	#endif
889
890	default:
891	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
892	}
893	}
894
895	#if defined(MBEDTLS_PKCS1_V21)
896	/*
897	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
898	*/
899	int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
900	int (f_rng)(void , unsigned char *, size_t),
901	void *p_rng,
902	int mode,
903	mbedtls_md_type_t md_alg,
904	unsigned int hashlen,
905	const unsigned char *hash,
906	unsigned char *sig )
907	{
908	size_t olen;
909	unsigned char *p = sig;
910	unsigned char salt[MBEDTLS_MD_MAX_SIZE];
911	unsigned int slen, hlen, offset = 0;
912	int ret;
913	size_t msb;
914	const mbedtls_md_info_t *md_info;
915	mbedtls_md_context_t md_ctx;
916
917	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
918	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
919
920	if( f_rng == NULL )
921	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
922
923	olen = ctx->len;
924
925	if( md_alg != MBEDTLS_MD_NONE )
926	{
927	// Gather length of hash to sign
928	//
929	md_info = mbedtls_md_info_from_type( md_alg );
930	if( md_info == NULL )
931	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
932
933	hashlen = mbedtls_md_get_size( md_info );
934	}
935
936	md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
937	if( md_info == NULL )
938	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
939
940	hlen = mbedtls_md_get_size( md_info );
941	slen = hlen;
942
943	if( olen < hlen + slen + 2 )
944	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
945
946	memset( sig, 0, olen );
947
948	// Generate salt of length slen
949	//
950	if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
951	return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
952
953	// Note: EMSA-PSS encoding is over the length of N - 1 bits
954	//
955	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
956	p += olen - hlen * 2 - 2;
957	*p++ = 0x01;
958	memcpy( p, salt, slen );
959	p += slen;
960
961	mbedtls_md_init( &md_ctx );
962	mbedtls_md_setup( &md_ctx, md_info, 0 );
963
964	// Generate H = Hash( M' )
965	//
966	mbedtls_md_starts( &md_ctx );
967	mbedtls_md_update( &md_ctx, p, 8 );
968	mbedtls_md_update( &md_ctx, hash, hashlen );
969	mbedtls_md_update( &md_ctx, salt, slen );
970	mbedtls_md_finish( &md_ctx, p );
971
972	// Compensate for boundary condition when applying mask
973	//
974	if( msb % 8 == 0 )
975	offset = 1;
976
977	// maskedDB: Apply dbMask to DB
978	//
979	mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
980
981	mbedtls_md_free( &md_ctx );
982
983	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
984	sig[0] &= 0xFF >> ( olen * 8 - msb );
985
986	p += hlen;
987	*p++ = 0xBC;
988
989	return( ( mode == MBEDTLS_RSA_PUBLIC )
990	? mbedtls_rsa_public( ctx, sig, sig )
991	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
992	}
993	#endif /* MBEDTLS_PKCS1_V21 */
994
995	#if defined(MBEDTLS_PKCS1_V15)
996	/*
997	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
998	*/
999	/*
1000	* Do an RSA operation to sign the message digest
1001	*/
1002	int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
1003	int (f_rng)(void , unsigned char *, size_t),
1004	void *p_rng,
1005	int mode,
1006	mbedtls_md_type_t md_alg,
1007	unsigned int hashlen,
1008	const unsigned char *hash,
1009	unsigned char *sig )
1010	{
1011	size_t nb_pad, olen, oid_size = 0;
1012	unsigned char *p = sig;
1013	const char *oid = NULL;
1014	unsigned char sig_try = NULL, verif = NULL;
1015	size_t i;
1016	unsigned char diff;
1017	volatile unsigned char diff_no_optimize;
1018	int ret;
1019
1020	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1021	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1022
1023	olen = ctx->len;
1024	nb_pad = olen - 3;
1025
1026	if( md_alg != MBEDTLS_MD_NONE )
1027	{
1028	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1029	if( md_info == NULL )
1030	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1031
1032	if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1033	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1034
1035	nb_pad -= 10 + oid_size;
1036
1037	hashlen = mbedtls_md_get_size( md_info );
1038	}
1039
1040	nb_pad -= hashlen;
1041
1042	if( ( nb_pad < 8 ) \|\| ( nb_pad > olen ) )
1043	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1044
1045	*p++ = 0;
1046	*p++ = MBEDTLS_RSA_SIGN;
1047	memset( p, 0xFF, nb_pad );
1048	p += nb_pad;
1049	*p++ = 0;
1050
1051	if( md_alg == MBEDTLS_MD_NONE )
1052	{
1053	memcpy( p, hash, hashlen );
1054	}
1055	else
1056	{
1057	/*
1058	* DigestInfo ::= SEQUENCE {
1059	* digestAlgorithm DigestAlgorithmIdentifier,
1060	* digest Digest }
1061	*
1062	* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1063	*
1064	* Digest ::= OCTET STRING
1065	*/
1066	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
1067	*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
1068	*p++ = MBEDTLS_ASN1_SEQUENCE \| MBEDTLS_ASN1_CONSTRUCTED;
1069	*p++ = (unsigned char) ( 0x04 + oid_size );
1070	*p++ = MBEDTLS_ASN1_OID;
1071	*p++ = oid_size & 0xFF;
1072	memcpy( p, oid, oid_size );
1073	p += oid_size;
1074	*p++ = MBEDTLS_ASN1_NULL;
1075	*p++ = 0x00;
1076	*p++ = MBEDTLS_ASN1_OCTET_STRING;
1077	*p++ = hashlen;
1078	memcpy( p, hash, hashlen );
1079	}
1080
1081	if( mode == MBEDTLS_RSA_PUBLIC )
1082	return( mbedtls_rsa_public( ctx, sig, sig ) );
1083
1084	/*
1085	* In order to prevent Lenstra's attack, make the signature in a
1086	* temporary buffer and check it before returning it.
1087	*/
1088	sig_try = mbedtls_calloc( 1, ctx->len );
1089	if( sig_try == NULL )
1090	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1091
1092	verif = mbedtls_calloc( 1, ctx->len );
1093	if( verif == NULL )
1094	{
1095	mbedtls_free( sig_try );
1096	return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
1097	}
1098
1099	MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
1100	MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
1101
1102	/* Compare in constant time just in case */
1103	for( diff = 0, i = 0; i < ctx->len; i++ )
1104	diff \|= verif[i] ^ sig[i];
1105	diff_no_optimize = diff;
1106
1107	if( diff_no_optimize != 0 )
1108	{
1109	ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1110	goto cleanup;
1111	}
1112
1113	memcpy( sig, sig_try, ctx->len );
1114
1115	cleanup:
1116	mbedtls_free( sig_try );
1117	mbedtls_free( verif );
1118
1119	return( ret );
1120	}
1121	#endif /* MBEDTLS_PKCS1_V15 */
1122
1123	/*
1124	* Do an RSA operation to sign the message digest
1125	*/
1126	int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
1127	int (f_rng)(void , unsigned char *, size_t),
1128	void *p_rng,
1129	int mode,
1130	mbedtls_md_type_t md_alg,
1131	unsigned int hashlen,
1132	const unsigned char *hash,
1133	unsigned char *sig )
1134	{
1135	switch( ctx->padding )
1136	{
1137	#if defined(MBEDTLS_PKCS1_V15)
1138	case MBEDTLS_RSA_PKCS_V15:
1139	return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
1140	hashlen, hash, sig );
1141	#endif
1142
1143	#if defined(MBEDTLS_PKCS1_V21)
1144	case MBEDTLS_RSA_PKCS_V21:
1145	return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
1146	hashlen, hash, sig );
1147	#endif
1148
1149	default:
1150	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1151	}
1152	}
1153
1154	#if defined(MBEDTLS_PKCS1_V21)
1155	/*
1156	* Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1157	*/
1158	int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
1159	int (f_rng)(void , unsigned char *, size_t),
1160	void *p_rng,
1161	int mode,
1162	mbedtls_md_type_t md_alg,
1163	unsigned int hashlen,
1164	const unsigned char *hash,
1165	mbedtls_md_type_t mgf1_hash_id,
1166	int expected_salt_len,
1167	const unsigned char *sig )
1168	{
1169	int ret;
1170	size_t siglen;
1171	unsigned char *p;
1172	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1173	unsigned char result[MBEDTLS_MD_MAX_SIZE];
1174	unsigned char zeros[8];
1175	unsigned int hlen;
1176	size_t slen, msb;
1177	const mbedtls_md_info_t *md_info;
1178	mbedtls_md_context_t md_ctx;
1179
1180	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1181	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1182
1183	siglen = ctx->len;
1184
1185	if( siglen < 16 \|\| siglen > sizeof( buf ) )
1186	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1187
1188	ret = ( mode == MBEDTLS_RSA_PUBLIC )
1189	? mbedtls_rsa_public( ctx, sig, buf )
1190	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
1191
1192	if( ret != 0 )
1193	return( ret );
1194
1195	p = buf;
1196
1197	if( buf[siglen - 1] != 0xBC )
1198	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1199
1200	if( md_alg != MBEDTLS_MD_NONE )
1201	{
1202	// Gather length of hash to sign
1203	//
1204	md_info = mbedtls_md_info_from_type( md_alg );
1205	if( md_info == NULL )
1206	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1207
1208	hashlen = mbedtls_md_get_size( md_info );
1209	}
1210
1211	md_info = mbedtls_md_info_from_type( mgf1_hash_id );
1212	if( md_info == NULL )
1213	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1214
1215	hlen = mbedtls_md_get_size( md_info );
1216	slen = siglen - hlen - 1; /* Currently length of salt + padding */
1217
1218	memset( zeros, 0, 8 );
1219
1220	// Note: EMSA-PSS verification is over the length of N - 1 bits
1221	//
1222	msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1223
1224	// Compensate for boundary condition when applying mask
1225	//
1226	if( msb % 8 == 0 )
1227	{
1228	p++;
1229	siglen -= 1;
1230	}
1231	if( buf[0] >> ( 8 - siglen * 8 + msb ) )
1232	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1233
1234	mbedtls_md_init( &md_ctx );
1235	mbedtls_md_setup( &md_ctx, md_info, 0 );
1236
1237	mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
1238
1239	buf[0] &= 0xFF >> ( siglen * 8 - msb );
1240
1241	while( p < buf + siglen && *p == 0 )
1242	p++;
1243
1244	if( p == buf + siglen \|\|
1245	*p++ != 0x01 )
1246	{
1247	mbedtls_md_free( &md_ctx );
1248	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1249	}
1250
1251	/* Actual salt len */
1252	slen -= p - buf;
1253
1254	if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
1255	slen != (size_t) expected_salt_len )
1256	{
1257	mbedtls_md_free( &md_ctx );
1258	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1259	}
1260
1261	// Generate H = Hash( M' )
1262	//
1263	mbedtls_md_starts( &md_ctx );
1264	mbedtls_md_update( &md_ctx, zeros, 8 );
1265	mbedtls_md_update( &md_ctx, hash, hashlen );
1266	mbedtls_md_update( &md_ctx, p, slen );
1267	mbedtls_md_finish( &md_ctx, result );
1268
1269	mbedtls_md_free( &md_ctx );
1270
1271	if( memcmp( p + slen, result, hlen ) == 0 )
1272	return( 0 );
1273	else
1274	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1275	}
1276
1277	/*
1278	* Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1279	*/
1280	int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
1281	int (f_rng)(void , unsigned char *, size_t),
1282	void *p_rng,
1283	int mode,
1284	mbedtls_md_type_t md_alg,
1285	unsigned int hashlen,
1286	const unsigned char *hash,
1287	const unsigned char *sig )
1288	{
1289	mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
1290	? (mbedtls_md_type_t) ctx->hash_id
1291	: md_alg;
1292
1293	return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
1294	md_alg, hashlen, hash,
1295	mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
1296	sig ) );
1297
1298	}
1299	#endif /* MBEDTLS_PKCS1_V21 */
1300
1301	#if defined(MBEDTLS_PKCS1_V15)
1302	/*
1303	* Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1304	*/
1305	int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
1306	int (f_rng)(void , unsigned char *, size_t),
1307	void *p_rng,
1308	int mode,
1309	mbedtls_md_type_t md_alg,
1310	unsigned int hashlen,
1311	const unsigned char *hash,
1312	const unsigned char *sig )
1313	{
1314	int ret;
1315	size_t len, siglen, asn1_len;
1316	unsigned char p, end;
1317	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1318	mbedtls_md_type_t msg_md_alg;
1319	const mbedtls_md_info_t *md_info;
1320	mbedtls_asn1_buf oid;
1321
1322	if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1323	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1324
1325	siglen = ctx->len;
1326
1327	if( siglen < 16 \|\| siglen > sizeof( buf ) )
1328	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1329
1330	ret = ( mode == MBEDTLS_RSA_PUBLIC )
1331	? mbedtls_rsa_public( ctx, sig, buf )
1332	: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
1333
1334	if( ret != 0 )
1335	return( ret );
1336
1337	p = buf;
1338
1339	if( p++ != 0 \|\| p++ != MBEDTLS_RSA_SIGN )
1340	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1341
1342	while( *p != 0 )
1343	{
1344	if( p >= buf + siglen - 1 \|\| *p != 0xFF )
1345	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1346	p++;
1347	}
1348	p++;
1349
1350	len = siglen - ( p - buf );
1351
1352	if( len == hashlen && md_alg == MBEDTLS_MD_NONE )
1353	{
1354	if( memcmp( p, hash, hashlen ) == 0 )
1355	return( 0 );
1356	else
1357	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1358	}
1359
1360	md_info = mbedtls_md_info_from_type( md_alg );
1361	if( md_info == NULL )
1362	return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1363	hashlen = mbedtls_md_get_size( md_info );
1364
1365	end = p + len;
1366
1367	// Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
1368	//
1369	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
1370	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1371	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1372
1373	if( asn1_len + 2 != len )
1374	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1375
1376	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len,
1377	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1378	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1379
1380	if( asn1_len + 6 + hashlen != len )
1381	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1382
1383	if( ( ret = mbedtls_asn1_get_tag( &p, end, &oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
1384	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1385
1386	oid.p = p;
1387	p += oid.len;
1388
1389	if( mbedtls_oid_get_md_alg( &oid, &msg_md_alg ) != 0 )
1390	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1391
1392	if( md_alg != msg_md_alg )
1393	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1394
1395	/*
1396	* assume the algorithm parameters must be NULL
1397	*/
1398	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_NULL ) ) != 0 )
1399	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1400
1401	if( ( ret = mbedtls_asn1_get_tag( &p, end, &asn1_len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1402	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1403
1404	if( asn1_len != hashlen )
1405	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1406
1407	if( memcmp( p, hash, hashlen ) != 0 )
1408	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1409
1410	p += hashlen;
1411
1412	if( p != end )
1413	return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
1414
1415	return( 0 );
1416	}
1417	#endif /* MBEDTLS_PKCS1_V15 */
1418
1419	/*
1420	* Do an RSA operation and check the message digest
1421	*/
1422	int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
1423	int (f_rng)(void , unsigned char *, size_t),
1424	void *p_rng,
1425	int mode,
1426	mbedtls_md_type_t md_alg,
1427	unsigned int hashlen,
1428	const unsigned char *hash,
1429	const unsigned char *sig )
1430	{
1431	switch( ctx->padding )
1432	{
1433	#if defined(MBEDTLS_PKCS1_V15)
1434	case MBEDTLS_RSA_PKCS_V15:
1435	return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
1436	hashlen, hash, sig );
1437	#endif
1438
1439	#if defined(MBEDTLS_PKCS1_V21)
1440	case MBEDTLS_RSA_PKCS_V21:
1441	return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
1442	hashlen, hash, sig );
1443	#endif
1444
1445	default:
1446	return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1447	}
1448	}
1449
1450	/*
1451	* Copy the components of an RSA key
1452	*/
1453	int mbedtls_rsa_copy( mbedtls_rsa_context dst, const mbedtls_rsa_context src )
1454	{
1455	int ret;
1456
1457	dst->ver = src->ver;
1458	dst->len = src->len;
1459
1460	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
1461	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
1462
1463	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
1464	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
1465	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
1466	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
1467	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
1468	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
1469
1470	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
1471	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
1472	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
1473
1474	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
1475	MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
1476
1477	dst->padding = src->padding;
1478	dst->hash_id = src->hash_id;
1479
1480	cleanup:
1481	if( ret != 0 )
1482	mbedtls_rsa_free( dst );
1483
1484	return( ret );
1485	}
1486
1487	/*
1488	* Free the components of an RSA key
1489	*/
1490	void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
1491	{
1492	mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
1493	mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->RN );
1494	mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ ); mbedtls_mpi_free( &ctx->DP );
1495	mbedtls_mpi_free( &ctx->Q ); mbedtls_mpi_free( &ctx->P ); mbedtls_mpi_free( &ctx->D );
1496	mbedtls_mpi_free( &ctx->E ); mbedtls_mpi_free( &ctx->N );
1497
1498	#if defined(MBEDTLS_THREADING_C)
1499	mbedtls_mutex_free( &ctx->mutex );
1500	#endif
1501	}
1502
1503	#if defined(MBEDTLS_SELF_TEST)
1504
1505	#include "mbedtls/sha1.h"
1506
1507	/*
1508	* Example RSA-1024 keypair, for test purposes
1509	*/
1510	#define KEY_LEN 128
1511
1512	#define RSA_N "9292758453063D803DD603D5E777D788" \
1513	"8ED1D5BF35786190FA2F23EBC0848AEA" \
1514	"DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1515	"7130B9CED7ACDF54CFC7555AC14EEBAB" \
1516	"93A89813FBF3C4F8066D2D800F7C38A8" \
1517	"1AE31942917403FF4946B0A83D3D3E05" \
1518	"EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1519	"5E94BB77B07507233A0BC7BAC8F90F79"
1520
1521	#define RSA_E "10001"
1522
1523	#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1524	"66CA472BC44D253102F8B4A9D3BFA750" \
1525	"91386C0077937FE33FA3252D28855837" \
1526	"AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1527	"DF79C5CE07EE72C7F123142198164234" \
1528	"CABB724CF78B8173B9F880FC86322407" \
1529	"AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1530	"071513A1E85B5DFA031F21ECAE91A34D"
1531
1532	#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1533	"2C01CAD19EA484A87EA4377637E75500" \
1534	"FCB2005C5C7DD6EC4AC023CDA285D796" \
1535	"C3D9E75E1EFC42488BB4F1D13AC30A57"
1536
1537	#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1538	"E211C2B9E5DB1ED0BF61D0D9899620F4" \
1539	"910E4168387E3C30AA1E00C339A79508" \
1540	"8452DD96A9A5EA5D9DCA68DA636032AF"
1541
1542	#define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1543	"3C94D22288ACD763FD8E5600ED4A702D" \
1544	"F84198A5F06C2E72236AE490C93F07F8" \
1545	"3CC559CD27BC2D1CA488811730BB5725"
1546
1547	#define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1548	"D8AAEA56749EA28623272E4F7D0592AF" \
1549	"7C1F1313CAC9471B5C523BFE592F517B" \
1550	"407A1BD76C164B93DA2D32A383E58357"
1551
1552	#define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1553	"F38D18D2B2F0E2DD275AA977E2BF4411" \
1554	"F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1555	"A74206CEC169D74BF5A8C50D6F48EA08"
1556
1557	#define PT_LEN 24
1558	#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1559	"\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1560
1561	#if defined(MBEDTLS_PKCS1_V15)
1562	static int myrand( void rng_state, unsigned char output, size_t len )
1563	{
1564	#if !defined(__OpenBSD__)
1565	size_t i;
1566
1567	if( rng_state != NULL )
1568	rng_state = NULL;
1569
1570	for( i = 0; i < len; ++i )
1571	output[i] = rand();
1572	#else
1573	if( rng_state != NULL )
1574	rng_state = NULL;
1575
1576	arc4random_buf( output, len );
1577	#endif /* !OpenBSD */
1578
1579	return( 0 );
1580	}
1581	#endif /* MBEDTLS_PKCS1_V15 */
1582
1583	/*
1584	* Checkup routine
1585	*/
1586	int mbedtls_rsa_self_test( int verbose )
1587	{
1588	int ret = 0;
1589	#if defined(MBEDTLS_PKCS1_V15)
1590	size_t len;
1591	mbedtls_rsa_context rsa;
1592	unsigned char rsa_plaintext[PT_LEN];
1593	unsigned char rsa_decrypted[PT_LEN];
1594	unsigned char rsa_ciphertext[KEY_LEN];
1595	#if defined(MBEDTLS_SHA1_C)
1596	unsigned char sha1sum[20];
1597	#endif
1598
1599	mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
1600
1601	rsa.len = KEY_LEN;
1602	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.N , 16, RSA_N ) );
1603	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.E , 16, RSA_E ) );
1604	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.D , 16, RSA_D ) );
1605	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.P , 16, RSA_P ) );
1606	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.Q , 16, RSA_Q ) );
1607	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DP, 16, RSA_DP ) );
1608	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.DQ, 16, RSA_DQ ) );
1609	MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa.QP, 16, RSA_QP ) );
1610
1611	if( verbose != 0 )
1612	mbedtls_printf( " RSA key validation: " );
1613
1614	if( mbedtls_rsa_check_pubkey( &rsa ) != 0 \|\|
1615	mbedtls_rsa_check_privkey( &rsa ) != 0 )
1616	{
1617	if( verbose != 0 )
1618	mbedtls_printf( "failed\n" );
1619
1620	return( 1 );
1621	}
1622
1623	if( verbose != 0 )
1624	mbedtls_printf( "passed\n PKCS#1 encryption : " );
1625
1626	memcpy( rsa_plaintext, RSA_PT, PT_LEN );
1627
1628	if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, PT_LEN,
1629	rsa_plaintext, rsa_ciphertext ) != 0 )
1630	{
1631	if( verbose != 0 )
1632	mbedtls_printf( "failed\n" );
1633
1634	return( 1 );
1635	}
1636
1637	if( verbose != 0 )
1638	mbedtls_printf( "passed\n PKCS#1 decryption : " );
1639
1640	if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, &len,
1641	rsa_ciphertext, rsa_decrypted,
1642	sizeof(rsa_decrypted) ) != 0 )
1643	{
1644	if( verbose != 0 )
1645	mbedtls_printf( "failed\n" );
1646
1647	return( 1 );
1648	}
1649
1650	if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
1651	{
1652	if( verbose != 0 )
1653	mbedtls_printf( "failed\n" );
1654
1655	return( 1 );
1656	}
1657
1658	if( verbose != 0 )
1659	mbedtls_printf( "passed\n" );
1660
1661	#if defined(MBEDTLS_SHA1_C)
1662	if( verbose != 0 )
1663	mbedtls_printf( "PKCS#1 data sign : " );
1664
1665	mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
1666
1667	if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
1668	sha1sum, rsa_ciphertext ) != 0 )
1669	{
1670	if( verbose != 0 )
1671	mbedtls_printf( "failed\n" );
1672
1673	return( 1 );
1674	}
1675
1676	if( verbose != 0 )
1677	mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
1678
1679	if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
1680	sha1sum, rsa_ciphertext ) != 0 )
1681	{
1682	if( verbose != 0 )
1683	mbedtls_printf( "failed\n" );
1684
1685	return( 1 );
1686	}
1687
1688	if( verbose != 0 )
1689	mbedtls_printf( "passed\n" );
1690	#endif /* MBEDTLS_SHA1_C */
1691
1692	if( verbose != 0 )
1693	mbedtls_printf( "\n" );
1694
1695	cleanup:
1696	mbedtls_rsa_free( &rsa );
1697	#else /* MBEDTLS_PKCS1_V15 */
1698	((void) verbose);
1699	#endif /* MBEDTLS_PKCS1_V15 */
1700	return( ret );
1701	}
1702
1703	#endif /* MBEDTLS_SELF_TEST */
1704
1705	#endif /* MBEDTLS_RSA_C */

Note: See TracBrowser for help on using the repository browser.

This Trac instance is not used for development anymore!

Context Navigation

source: ps/trunk/build/premake/premake5/contrib/mbedtls/library/rsa.c

Download in other formats: