2 * The RSA public-key cryptosystem
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
24 * The following sources were referenced in the design of this implementation
25 * of the RSA algorithm:
27 * [1] A method for obtaining digital signatures and public-key cryptosystems
28 * R Rivest, A Shamir, and L Adleman
29 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
31 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
32 * Menezes, van Oorschot and Vanstone
34 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
35 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
37 * https://arxiv.org/abs/1702.08719v2
41 #if !defined(MBEDTLS_CONFIG_FILE)
42 #include "mbedtls/config.h"
44 #include MBEDTLS_CONFIG_FILE
47 #if defined(MBEDTLS_RSA_C)
49 #include "mbedtls/rsa.h"
50 #include "mbedtls/oid.h"
52 #if defined(MBEDTLS_PKCS1_V21)
53 #include "mbedtls/md.h"
56 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
60 #if defined(MBEDTLS_PLATFORM_C)
61 #include "mbedtls/platform.h"
64 #define mbedtls_printf printf
65 #define mbedtls_calloc calloc
66 #define mbedtls_free free
69 /* Implementation that should never be optimized out by the compiler */
70 static void mbedtls_zeroize( void *v
, size_t n
) {
71 volatile unsigned char *p
= (unsigned char*)v
; while( n
-- ) *p
++ = 0;
75 * Initialize an RSA context
77 void mbedtls_rsa_init( mbedtls_rsa_context
*ctx
,
81 memset( ctx
, 0, sizeof( mbedtls_rsa_context
) );
83 mbedtls_rsa_set_padding( ctx
, padding
, hash_id
);
85 #if defined(MBEDTLS_THREADING_C)
86 mbedtls_mutex_init( &ctx
->mutex
);
91 * Set padding for an existing RSA context
93 void mbedtls_rsa_set_padding( mbedtls_rsa_context
*ctx
, int padding
, int hash_id
)
95 ctx
->padding
= padding
;
96 ctx
->hash_id
= hash_id
;
99 #if defined(MBEDTLS_GENPRIME)
102 * Generate an RSA keypair
104 int mbedtls_rsa_gen_key( mbedtls_rsa_context
*ctx
,
105 int (*f_rng
)(void *, unsigned char *, size_t),
107 unsigned int nbits
, int exponent
)
110 mbedtls_mpi P1
, Q1
, H
, G
;
112 if( f_rng
== NULL
|| nbits
< 128 || exponent
< 3 )
113 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
116 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
118 mbedtls_mpi_init( &P1
); mbedtls_mpi_init( &Q1
);
119 mbedtls_mpi_init( &H
); mbedtls_mpi_init( &G
);
122 * find primes P and Q with Q < P so that:
123 * GCD( E, (P-1)*(Q-1) ) == 1
125 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx
->E
, exponent
) );
129 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx
->P
, nbits
>> 1, 0,
132 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx
->Q
, nbits
>> 1, 0,
135 if( mbedtls_mpi_cmp_mpi( &ctx
->P
, &ctx
->Q
) == 0 )
138 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->N
, &ctx
->P
, &ctx
->Q
) );
139 if( mbedtls_mpi_bitlen( &ctx
->N
) != nbits
)
142 if( mbedtls_mpi_cmp_mpi( &ctx
->P
, &ctx
->Q
) < 0 )
143 mbedtls_mpi_swap( &ctx
->P
, &ctx
->Q
);
145 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1
, &ctx
->P
, 1 ) );
146 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1
, &ctx
->Q
, 1 ) );
147 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H
, &P1
, &Q1
) );
148 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G
, &ctx
->E
, &H
) );
150 while( mbedtls_mpi_cmp_int( &G
, 1 ) != 0 );
153 * D = E^-1 mod ((P-1)*(Q-1))
158 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->D
, &ctx
->E
, &H
) );
159 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->DP
, &ctx
->D
, &P1
) );
160 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->DQ
, &ctx
->D
, &Q1
) );
161 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->QP
, &ctx
->Q
, &ctx
->P
) );
163 ctx
->len
= ( mbedtls_mpi_bitlen( &ctx
->N
) + 7 ) >> 3;
167 mbedtls_mpi_free( &P1
); mbedtls_mpi_free( &Q1
); mbedtls_mpi_free( &H
); mbedtls_mpi_free( &G
);
171 mbedtls_rsa_free( ctx
);
172 return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED
+ ret
);
178 #endif /* MBEDTLS_GENPRIME */
181 * Check a public RSA key
183 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context
*ctx
)
185 if( !ctx
->N
.p
|| !ctx
->E
.p
)
186 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
188 if( ( ctx
->N
.p
[0] & 1 ) == 0 ||
189 ( ctx
->E
.p
[0] & 1 ) == 0 )
190 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
192 if( mbedtls_mpi_bitlen( &ctx
->N
) < 128 ||
193 mbedtls_mpi_bitlen( &ctx
->N
) > MBEDTLS_MPI_MAX_BITS
)
194 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
196 if( mbedtls_mpi_bitlen( &ctx
->E
) < 2 ||
197 mbedtls_mpi_cmp_mpi( &ctx
->E
, &ctx
->N
) >= 0 )
198 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
204 * Check a private RSA key
206 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context
*ctx
)
209 mbedtls_mpi PQ
, DE
, P1
, Q1
, H
, I
, G
, G2
, L1
, L2
, DP
, DQ
, QP
;
211 if( ( ret
= mbedtls_rsa_check_pubkey( ctx
) ) != 0 )
214 if( !ctx
->P
.p
|| !ctx
->Q
.p
|| !ctx
->D
.p
)
215 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
217 mbedtls_mpi_init( &PQ
); mbedtls_mpi_init( &DE
); mbedtls_mpi_init( &P1
); mbedtls_mpi_init( &Q1
);
218 mbedtls_mpi_init( &H
); mbedtls_mpi_init( &I
); mbedtls_mpi_init( &G
); mbedtls_mpi_init( &G2
);
219 mbedtls_mpi_init( &L1
); mbedtls_mpi_init( &L2
); mbedtls_mpi_init( &DP
); mbedtls_mpi_init( &DQ
);
220 mbedtls_mpi_init( &QP
);
222 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &PQ
, &ctx
->P
, &ctx
->Q
) );
223 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DE
, &ctx
->D
, &ctx
->E
) );
224 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1
, &ctx
->P
, 1 ) );
225 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1
, &ctx
->Q
, 1 ) );
226 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H
, &P1
, &Q1
) );
227 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G
, &ctx
->E
, &H
) );
229 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G2
, &P1
, &Q1
) );
230 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1
, &L2
, &H
, &G2
) );
231 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &I
, &DE
, &L1
) );
233 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DP
, &ctx
->D
, &P1
) );
234 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &DQ
, &ctx
->D
, &Q1
) );
235 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &QP
, &ctx
->Q
, &ctx
->P
) );
237 * Check for a valid PKCS1v2 private key
239 if( mbedtls_mpi_cmp_mpi( &PQ
, &ctx
->N
) != 0 ||
240 mbedtls_mpi_cmp_mpi( &DP
, &ctx
->DP
) != 0 ||
241 mbedtls_mpi_cmp_mpi( &DQ
, &ctx
->DQ
) != 0 ||
242 mbedtls_mpi_cmp_mpi( &QP
, &ctx
->QP
) != 0 ||
243 mbedtls_mpi_cmp_int( &L2
, 0 ) != 0 ||
244 mbedtls_mpi_cmp_int( &I
, 1 ) != 0 ||
245 mbedtls_mpi_cmp_int( &G
, 1 ) != 0 )
247 ret
= MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
;
251 mbedtls_mpi_free( &PQ
); mbedtls_mpi_free( &DE
); mbedtls_mpi_free( &P1
); mbedtls_mpi_free( &Q1
);
252 mbedtls_mpi_free( &H
); mbedtls_mpi_free( &I
); mbedtls_mpi_free( &G
); mbedtls_mpi_free( &G2
);
253 mbedtls_mpi_free( &L1
); mbedtls_mpi_free( &L2
); mbedtls_mpi_free( &DP
); mbedtls_mpi_free( &DQ
);
254 mbedtls_mpi_free( &QP
);
256 if( ret
== MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
)
260 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+ ret
);
266 * Check if contexts holding a public and private key match
268 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context
*pub
, const mbedtls_rsa_context
*prv
)
270 if( mbedtls_rsa_check_pubkey( pub
) != 0 ||
271 mbedtls_rsa_check_privkey( prv
) != 0 )
273 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
276 if( mbedtls_mpi_cmp_mpi( &pub
->N
, &prv
->N
) != 0 ||
277 mbedtls_mpi_cmp_mpi( &pub
->E
, &prv
->E
) != 0 )
279 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
);
286 * Do an RSA public key operation
288 int mbedtls_rsa_public( mbedtls_rsa_context
*ctx
,
289 const unsigned char *input
,
290 unsigned char *output
)
296 mbedtls_mpi_init( &T
);
298 #if defined(MBEDTLS_THREADING_C)
299 if( ( ret
= mbedtls_mutex_lock( &ctx
->mutex
) ) != 0 )
303 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T
, input
, ctx
->len
) );
305 if( mbedtls_mpi_cmp_mpi( &T
, &ctx
->N
) >= 0 )
307 ret
= MBEDTLS_ERR_MPI_BAD_INPUT_DATA
;
312 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T
, &T
, &ctx
->E
, &ctx
->N
, &ctx
->RN
) );
313 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T
, output
, olen
) );
316 #if defined(MBEDTLS_THREADING_C)
317 if( mbedtls_mutex_unlock( &ctx
->mutex
) != 0 )
318 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
321 mbedtls_mpi_free( &T
);
324 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED
+ ret
);
330 * Generate or update blinding values, see section 10 of:
331 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
332 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
333 * Berlin Heidelberg, 1996. p. 104-113.
335 static int rsa_prepare_blinding( mbedtls_rsa_context
*ctx
,
336 int (*f_rng
)(void *, unsigned char *, size_t), void *p_rng
)
340 if( ctx
->Vf
.p
!= NULL
)
342 /* We already have blinding values, just update them by squaring */
343 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->Vi
, &ctx
->Vi
, &ctx
->Vi
) );
344 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->Vi
, &ctx
->Vi
, &ctx
->N
) );
345 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx
->Vf
, &ctx
->Vf
, &ctx
->Vf
) );
346 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx
->Vf
, &ctx
->Vf
, &ctx
->N
) );
351 /* Unblinding value: Vf = random number, invertible mod N */
354 return( MBEDTLS_ERR_RSA_RNG_FAILED
);
356 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx
->Vf
, ctx
->len
- 1, f_rng
, p_rng
) );
357 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx
->Vi
, &ctx
->Vf
, &ctx
->N
) );
358 } while( mbedtls_mpi_cmp_int( &ctx
->Vi
, 1 ) != 0 );
360 /* Blinding value: Vi = Vf^(-e) mod N */
361 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx
->Vi
, &ctx
->Vf
, &ctx
->N
) );
362 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx
->Vi
, &ctx
->Vi
, &ctx
->E
, &ctx
->N
, &ctx
->RN
) );
370 * Exponent blinding supposed to prevent side-channel attacks using multiple
371 * traces of measurements to recover the RSA key. The more collisions are there,
372 * the more bits of the key can be recovered. See [3].
374 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
375 * observations on avarage.
377 * For example with 28 byte blinding to achieve 2 collisions the adversary has
378 * to make 2^112 observations on avarage.
380 * (With the currently (as of 2017 April) known best algorithms breaking 2048
381 * bit RSA requires approximately as much time as trying out 2^112 random keys.
382 * Thus in this sense with 28 byte blinding the security is not reduced by
383 * side-channel attacks like the one in [3])
385 * This countermeasure does not help if the key recovery is possible with a
388 #define RSA_EXPONENT_BLINDING 28
391 * Do an RSA private key operation
393 int mbedtls_rsa_private( mbedtls_rsa_context
*ctx
,
394 int (*f_rng
)(void *, unsigned char *, size_t),
396 const unsigned char *input
,
397 unsigned char *output
)
401 mbedtls_mpi T
, T1
, T2
;
402 mbedtls_mpi P1
, Q1
, R
;
403 #if defined(MBEDTLS_RSA_NO_CRT)
405 mbedtls_mpi
*D
= &ctx
->D
;
407 mbedtls_mpi DP_blind
, DQ_blind
;
408 mbedtls_mpi
*DP
= &ctx
->DP
;
409 mbedtls_mpi
*DQ
= &ctx
->DQ
;
412 /* Make sure we have private key info, prevent possible misuse */
413 if( ctx
->P
.p
== NULL
|| ctx
->Q
.p
== NULL
|| ctx
->D
.p
== NULL
)
414 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
416 mbedtls_mpi_init( &T
); mbedtls_mpi_init( &T1
); mbedtls_mpi_init( &T2
);
417 mbedtls_mpi_init( &P1
); mbedtls_mpi_init( &Q1
); mbedtls_mpi_init( &R
);
422 #if defined(MBEDTLS_RSA_NO_CRT)
423 mbedtls_mpi_init( &D_blind
);
425 mbedtls_mpi_init( &DP_blind
);
426 mbedtls_mpi_init( &DQ_blind
);
431 #if defined(MBEDTLS_THREADING_C)
432 if( ( ret
= mbedtls_mutex_lock( &ctx
->mutex
) ) != 0 )
436 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T
, input
, ctx
->len
) );
437 if( mbedtls_mpi_cmp_mpi( &T
, &ctx
->N
) >= 0 )
439 ret
= MBEDTLS_ERR_MPI_BAD_INPUT_DATA
;
449 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx
, f_rng
, p_rng
) );
450 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T
, &T
, &ctx
->Vi
) );
451 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T
, &ctx
->N
) );
456 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1
, &ctx
->P
, 1 ) );
457 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1
, &ctx
->Q
, 1 ) );
459 #if defined(MBEDTLS_RSA_NO_CRT)
461 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
463 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R
, RSA_EXPONENT_BLINDING
,
465 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind
, &P1
, &Q1
) );
466 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind
, &D_blind
, &R
) );
467 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind
, &D_blind
, &ctx
->D
) );
472 * DP_blind = ( P - 1 ) * R + DP
474 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R
, RSA_EXPONENT_BLINDING
,
476 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind
, &P1
, &R
) );
477 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind
, &DP_blind
,
483 * DQ_blind = ( Q - 1 ) * R + DQ
485 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R
, RSA_EXPONENT_BLINDING
,
487 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind
, &Q1
, &R
) );
488 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind
, &DQ_blind
,
492 #endif /* MBEDTLS_RSA_NO_CRT */
495 #if defined(MBEDTLS_RSA_NO_CRT)
496 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T
, &T
, D
, &ctx
->N
, &ctx
->RN
) );
499 * Faster decryption using the CRT
501 * T1 = input ^ dP mod P
502 * T2 = input ^ dQ mod Q
504 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1
, &T
, DP
, &ctx
->P
, &ctx
->RP
) );
505 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2
, &T
, DQ
, &ctx
->Q
, &ctx
->RQ
) );
508 * T = (T1 - T2) * (Q^-1 mod P) mod P
510 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T
, &T1
, &T2
) );
511 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1
, &T
, &ctx
->QP
) );
512 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T1
, &ctx
->P
) );
517 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1
, &T
, &ctx
->Q
) );
518 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T
, &T2
, &T1
) );
519 #endif /* MBEDTLS_RSA_NO_CRT */
527 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T
, &T
, &ctx
->Vf
) );
528 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T
, &T
, &ctx
->N
) );
532 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T
, output
, olen
) );
535 #if defined(MBEDTLS_THREADING_C)
536 if( mbedtls_mutex_unlock( &ctx
->mutex
) != 0 )
537 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR
);
540 mbedtls_mpi_free( &T
); mbedtls_mpi_free( &T1
); mbedtls_mpi_free( &T2
);
541 mbedtls_mpi_free( &P1
); mbedtls_mpi_free( &Q1
); mbedtls_mpi_free( &R
);
545 #if defined(MBEDTLS_RSA_NO_CRT)
546 mbedtls_mpi_free( &D_blind
);
548 mbedtls_mpi_free( &DP_blind
);
549 mbedtls_mpi_free( &DQ_blind
);
554 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED
+ ret
);
559 #if defined(MBEDTLS_PKCS1_V21)
561 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
563 * \param dst buffer to mask
564 * \param dlen length of destination buffer
565 * \param src source of the mask generation
566 * \param slen length of the source buffer
567 * \param md_ctx message digest context to use
569 static void mgf_mask( unsigned char *dst
, size_t dlen
, unsigned char *src
,
570 size_t slen
, mbedtls_md_context_t
*md_ctx
)
572 unsigned char mask
[MBEDTLS_MD_MAX_SIZE
];
573 unsigned char counter
[4];
578 memset( mask
, 0, MBEDTLS_MD_MAX_SIZE
);
579 memset( counter
, 0, 4 );
581 hlen
= mbedtls_md_get_size( md_ctx
->md_info
);
583 /* Generate and apply dbMask */
592 mbedtls_md_starts( md_ctx
);
593 mbedtls_md_update( md_ctx
, src
, slen
);
594 mbedtls_md_update( md_ctx
, counter
, 4 );
595 mbedtls_md_finish( md_ctx
, mask
);
597 for( i
= 0; i
< use_len
; ++i
)
605 mbedtls_zeroize( mask
, sizeof( mask
) );
607 #endif /* MBEDTLS_PKCS1_V21 */
609 #if defined(MBEDTLS_PKCS1_V21)
611 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
613 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context
*ctx
,
614 int (*f_rng
)(void *, unsigned char *, size_t),
617 const unsigned char *label
, size_t label_len
,
619 const unsigned char *input
,
620 unsigned char *output
)
624 unsigned char *p
= output
;
626 const mbedtls_md_info_t
*md_info
;
627 mbedtls_md_context_t md_ctx
;
629 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
630 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
633 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
635 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
636 if( md_info
== NULL
)
637 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
640 hlen
= mbedtls_md_get_size( md_info
);
642 /* first comparison checks for overflow */
643 if( ilen
+ 2 * hlen
+ 2 < ilen
|| olen
< ilen
+ 2 * hlen
+ 2 )
644 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
646 memset( output
, 0, olen
);
650 /* Generate a random octet string seed */
651 if( ( ret
= f_rng( p_rng
, p
, hlen
) ) != 0 )
652 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
657 mbedtls_md( md_info
, label
, label_len
, p
);
659 p
+= olen
- 2 * hlen
- 2 - ilen
;
661 memcpy( p
, input
, ilen
);
663 mbedtls_md_init( &md_ctx
);
664 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
666 mbedtls_md_free( &md_ctx
);
670 /* maskedDB: Apply dbMask to DB */
671 mgf_mask( output
+ hlen
+ 1, olen
- hlen
- 1, output
+ 1, hlen
,
674 /* maskedSeed: Apply seedMask to seed */
675 mgf_mask( output
+ 1, hlen
, output
+ hlen
+ 1, olen
- hlen
- 1,
678 mbedtls_md_free( &md_ctx
);
680 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
681 ? mbedtls_rsa_public( ctx
, output
, output
)
682 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, output
, output
) );
684 #endif /* MBEDTLS_PKCS1_V21 */
686 #if defined(MBEDTLS_PKCS1_V15)
688 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
690 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context
*ctx
,
691 int (*f_rng
)(void *, unsigned char *, size_t),
693 int mode
, size_t ilen
,
694 const unsigned char *input
,
695 unsigned char *output
)
699 unsigned char *p
= output
;
701 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
702 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
704 // We don't check p_rng because it won't be dereferenced here
705 if( f_rng
== NULL
|| input
== NULL
|| output
== NULL
)
706 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
710 /* first comparison checks for overflow */
711 if( ilen
+ 11 < ilen
|| olen
< ilen
+ 11 )
712 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
714 nb_pad
= olen
- 3 - ilen
;
717 if( mode
== MBEDTLS_RSA_PUBLIC
)
719 *p
++ = MBEDTLS_RSA_CRYPT
;
721 while( nb_pad
-- > 0 )
726 ret
= f_rng( p_rng
, p
, 1 );
727 } while( *p
== 0 && --rng_dl
&& ret
== 0 );
729 /* Check if RNG failed to generate data */
730 if( rng_dl
== 0 || ret
!= 0 )
731 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
738 *p
++ = MBEDTLS_RSA_SIGN
;
740 while( nb_pad
-- > 0 )
745 memcpy( p
, input
, ilen
);
747 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
748 ? mbedtls_rsa_public( ctx
, output
, output
)
749 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, output
, output
) );
751 #endif /* MBEDTLS_PKCS1_V15 */
754 * Add the message padding, then do an RSA operation
756 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context
*ctx
,
757 int (*f_rng
)(void *, unsigned char *, size_t),
759 int mode
, size_t ilen
,
760 const unsigned char *input
,
761 unsigned char *output
)
763 switch( ctx
->padding
)
765 #if defined(MBEDTLS_PKCS1_V15)
766 case MBEDTLS_RSA_PKCS_V15
:
767 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx
, f_rng
, p_rng
, mode
, ilen
,
771 #if defined(MBEDTLS_PKCS1_V21)
772 case MBEDTLS_RSA_PKCS_V21
:
773 return mbedtls_rsa_rsaes_oaep_encrypt( ctx
, f_rng
, p_rng
, mode
, NULL
, 0,
774 ilen
, input
, output
);
778 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
782 #if defined(MBEDTLS_PKCS1_V21)
784 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
786 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context
*ctx
,
787 int (*f_rng
)(void *, unsigned char *, size_t),
790 const unsigned char *label
, size_t label_len
,
792 const unsigned char *input
,
793 unsigned char *output
,
794 size_t output_max_len
)
797 size_t ilen
, i
, pad_len
;
798 unsigned char *p
, bad
, pad_done
;
799 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
800 unsigned char lhash
[MBEDTLS_MD_MAX_SIZE
];
802 const mbedtls_md_info_t
*md_info
;
803 mbedtls_md_context_t md_ctx
;
806 * Parameters sanity checks
808 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
809 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
813 if( ilen
< 16 || ilen
> sizeof( buf
) )
814 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
816 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
817 if( md_info
== NULL
)
818 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
820 hlen
= mbedtls_md_get_size( md_info
);
822 // checking for integer underflow
823 if( 2 * hlen
+ 2 > ilen
)
824 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
829 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
830 ? mbedtls_rsa_public( ctx
, input
, buf
)
831 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, input
, buf
);
837 * Unmask data and generate lHash
839 mbedtls_md_init( &md_ctx
);
840 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
842 mbedtls_md_free( &md_ctx
);
848 mbedtls_md( md_info
, label
, label_len
, lhash
);
850 /* seed: Apply seedMask to maskedSeed */
851 mgf_mask( buf
+ 1, hlen
, buf
+ hlen
+ 1, ilen
- hlen
- 1,
854 /* DB: Apply dbMask to maskedDB */
855 mgf_mask( buf
+ hlen
+ 1, ilen
- hlen
- 1, buf
+ 1, hlen
,
858 mbedtls_md_free( &md_ctx
);
861 * Check contents, in "constant-time"
866 bad
|= *p
++; /* First byte must be 0 */
868 p
+= hlen
; /* Skip seed */
871 for( i
= 0; i
< hlen
; i
++ )
872 bad
|= lhash
[i
] ^ *p
++;
874 /* Get zero-padding len, but always read till end of buffer
875 * (minus one, for the 01 byte) */
878 for( i
= 0; i
< ilen
- 2 * hlen
- 2; i
++ )
881 pad_len
+= ((pad_done
| (unsigned char)-pad_done
) >> 7) ^ 1;
888 * The only information "leaked" is whether the padding was correct or not
889 * (eg, no data is copied if it was not correct). This meets the
890 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
891 * the different error conditions.
895 ret
= MBEDTLS_ERR_RSA_INVALID_PADDING
;
899 if( ilen
- ( p
- buf
) > output_max_len
)
901 ret
= MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
;
905 *olen
= ilen
- (p
- buf
);
906 memcpy( output
, p
, *olen
);
910 mbedtls_zeroize( buf
, sizeof( buf
) );
911 mbedtls_zeroize( lhash
, sizeof( lhash
) );
915 #endif /* MBEDTLS_PKCS1_V21 */
917 #if defined(MBEDTLS_PKCS1_V15)
919 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
921 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context
*ctx
,
922 int (*f_rng
)(void *, unsigned char *, size_t),
924 int mode
, size_t *olen
,
925 const unsigned char *input
,
926 unsigned char *output
,
927 size_t output_max_len
)
930 size_t ilen
, pad_count
= 0, i
;
931 unsigned char *p
, bad
, pad_done
= 0;
932 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
934 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
935 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
939 if( ilen
< 16 || ilen
> sizeof( buf
) )
940 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
942 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
943 ? mbedtls_rsa_public( ctx
, input
, buf
)
944 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, input
, buf
);
953 * Check and get padding len in "constant-time"
955 bad
|= *p
++; /* First byte must be 0 */
957 /* This test does not depend on secret data */
958 if( mode
== MBEDTLS_RSA_PRIVATE
)
960 bad
|= *p
++ ^ MBEDTLS_RSA_CRYPT
;
962 /* Get padding len, but always read till end of buffer
963 * (minus one, for the 00 byte) */
964 for( i
= 0; i
< ilen
- 3; i
++ )
966 pad_done
|= ((p
[i
] | (unsigned char)-p
[i
]) >> 7) ^ 1;
967 pad_count
+= ((pad_done
| (unsigned char)-pad_done
) >> 7) ^ 1;
971 bad
|= *p
++; /* Must be zero */
975 bad
|= *p
++ ^ MBEDTLS_RSA_SIGN
;
977 /* Get padding len, but always read till end of buffer
978 * (minus one, for the 00 byte) */
979 for( i
= 0; i
< ilen
- 3; i
++ )
981 pad_done
|= ( p
[i
] != 0xFF );
982 pad_count
+= ( pad_done
== 0 );
986 bad
|= *p
++; /* Must be zero */
989 bad
|= ( pad_count
< 8 );
993 ret
= MBEDTLS_ERR_RSA_INVALID_PADDING
;
997 if( ilen
- ( p
- buf
) > output_max_len
)
999 ret
= MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
;
1003 *olen
= ilen
- (p
- buf
);
1004 memcpy( output
, p
, *olen
);
1008 mbedtls_zeroize( buf
, sizeof( buf
) );
1012 #endif /* MBEDTLS_PKCS1_V15 */
1015 * Do an RSA operation, then remove the message padding
1017 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context
*ctx
,
1018 int (*f_rng
)(void *, unsigned char *, size_t),
1020 int mode
, size_t *olen
,
1021 const unsigned char *input
,
1022 unsigned char *output
,
1023 size_t output_max_len
)
1025 switch( ctx
->padding
)
1027 #if defined(MBEDTLS_PKCS1_V15)
1028 case MBEDTLS_RSA_PKCS_V15
:
1029 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx
, f_rng
, p_rng
, mode
, olen
,
1030 input
, output
, output_max_len
);
1033 #if defined(MBEDTLS_PKCS1_V21)
1034 case MBEDTLS_RSA_PKCS_V21
:
1035 return mbedtls_rsa_rsaes_oaep_decrypt( ctx
, f_rng
, p_rng
, mode
, NULL
, 0,
1036 olen
, input
, output
,
1041 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1045 #if defined(MBEDTLS_PKCS1_V21)
1047 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1049 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context
*ctx
,
1050 int (*f_rng
)(void *, unsigned char *, size_t),
1053 mbedtls_md_type_t md_alg
,
1054 unsigned int hashlen
,
1055 const unsigned char *hash
,
1056 unsigned char *sig
)
1059 unsigned char *p
= sig
;
1060 unsigned char salt
[MBEDTLS_MD_MAX_SIZE
];
1061 unsigned int slen
, hlen
, offset
= 0;
1064 const mbedtls_md_info_t
*md_info
;
1065 mbedtls_md_context_t md_ctx
;
1067 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
1068 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1071 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1075 if( md_alg
!= MBEDTLS_MD_NONE
)
1077 /* Gather length of hash to sign */
1078 md_info
= mbedtls_md_info_from_type( md_alg
);
1079 if( md_info
== NULL
)
1080 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1082 hashlen
= mbedtls_md_get_size( md_info
);
1085 md_info
= mbedtls_md_info_from_type( (mbedtls_md_type_t
) ctx
->hash_id
);
1086 if( md_info
== NULL
)
1087 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1089 hlen
= mbedtls_md_get_size( md_info
);
1092 if( olen
< hlen
+ slen
+ 2 )
1093 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1095 memset( sig
, 0, olen
);
1097 /* Generate salt of length slen */
1098 if( ( ret
= f_rng( p_rng
, salt
, slen
) ) != 0 )
1099 return( MBEDTLS_ERR_RSA_RNG_FAILED
+ ret
);
1101 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1102 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
1103 p
+= olen
- hlen
* 2 - 2;
1105 memcpy( p
, salt
, slen
);
1108 mbedtls_md_init( &md_ctx
);
1109 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
1111 mbedtls_md_free( &md_ctx
);
1112 /* No need to zeroize salt: we didn't use it. */
1116 /* Generate H = Hash( M' ) */
1117 mbedtls_md_starts( &md_ctx
);
1118 mbedtls_md_update( &md_ctx
, p
, 8 );
1119 mbedtls_md_update( &md_ctx
, hash
, hashlen
);
1120 mbedtls_md_update( &md_ctx
, salt
, slen
);
1121 mbedtls_md_finish( &md_ctx
, p
);
1122 mbedtls_zeroize( salt
, sizeof( salt
) );
1124 /* Compensate for boundary condition when applying mask */
1128 /* maskedDB: Apply dbMask to DB */
1129 mgf_mask( sig
+ offset
, olen
- hlen
- 1 - offset
, p
, hlen
, &md_ctx
);
1131 mbedtls_md_free( &md_ctx
);
1133 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
1134 sig
[0] &= 0xFF >> ( olen
* 8 - msb
);
1139 return( ( mode
== MBEDTLS_RSA_PUBLIC
)
1140 ? mbedtls_rsa_public( ctx
, sig
, sig
)
1141 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, sig
) );
1143 #endif /* MBEDTLS_PKCS1_V21 */
1145 #if defined(MBEDTLS_PKCS1_V15)
1147 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1150 * Do an RSA operation to sign the message digest
1152 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context
*ctx
,
1153 int (*f_rng
)(void *, unsigned char *, size_t),
1156 mbedtls_md_type_t md_alg
,
1157 unsigned int hashlen
,
1158 const unsigned char *hash
,
1159 unsigned char *sig
)
1161 size_t nb_pad
, olen
, oid_size
= 0;
1162 unsigned char *p
= sig
;
1163 const char *oid
= NULL
;
1164 unsigned char *sig_try
= NULL
, *verif
= NULL
;
1167 volatile unsigned char diff_no_optimize
;
1170 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
1171 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1176 if( md_alg
!= MBEDTLS_MD_NONE
)
1178 const mbedtls_md_info_t
*md_info
= mbedtls_md_info_from_type( md_alg
);
1179 if( md_info
== NULL
)
1180 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1182 if( mbedtls_oid_get_oid_by_md( md_alg
, &oid
, &oid_size
) != 0 )
1183 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1185 nb_pad
-= 10 + oid_size
;
1187 hashlen
= mbedtls_md_get_size( md_info
);
1192 if( ( nb_pad
< 8 ) || ( nb_pad
> olen
) )
1193 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1196 *p
++ = MBEDTLS_RSA_SIGN
;
1197 memset( p
, 0xFF, nb_pad
);
1201 if( md_alg
== MBEDTLS_MD_NONE
)
1203 memcpy( p
, hash
, hashlen
);
1208 * DigestInfo ::= SEQUENCE {
1209 * digestAlgorithm DigestAlgorithmIdentifier,
1212 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1214 * Digest ::= OCTET STRING
1216 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
1217 *p
++ = (unsigned char) ( 0x08 + oid_size
+ hashlen
);
1218 *p
++ = MBEDTLS_ASN1_SEQUENCE
| MBEDTLS_ASN1_CONSTRUCTED
;
1219 *p
++ = (unsigned char) ( 0x04 + oid_size
);
1220 *p
++ = MBEDTLS_ASN1_OID
;
1221 *p
++ = oid_size
& 0xFF;
1222 memcpy( p
, oid
, oid_size
);
1224 *p
++ = MBEDTLS_ASN1_NULL
;
1226 *p
++ = MBEDTLS_ASN1_OCTET_STRING
;
1228 memcpy( p
, hash
, hashlen
);
1231 if( mode
== MBEDTLS_RSA_PUBLIC
)
1232 return( mbedtls_rsa_public( ctx
, sig
, sig
) );
1235 * In order to prevent Lenstra's attack, make the signature in a
1236 * temporary buffer and check it before returning it.
1238 sig_try
= mbedtls_calloc( 1, ctx
->len
);
1239 if( sig_try
== NULL
)
1240 return( MBEDTLS_ERR_MPI_ALLOC_FAILED
);
1242 verif
= mbedtls_calloc( 1, ctx
->len
);
1245 mbedtls_free( sig_try
);
1246 return( MBEDTLS_ERR_MPI_ALLOC_FAILED
);
1249 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, sig_try
) );
1250 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx
, sig_try
, verif
) );
1252 /* Compare in constant time just in case */
1253 for( diff
= 0, i
= 0; i
< ctx
->len
; i
++ )
1254 diff
|= verif
[i
] ^ sig
[i
];
1255 diff_no_optimize
= diff
;
1257 if( diff_no_optimize
!= 0 )
1259 ret
= MBEDTLS_ERR_RSA_PRIVATE_FAILED
;
1263 memcpy( sig
, sig_try
, ctx
->len
);
1266 mbedtls_free( sig_try
);
1267 mbedtls_free( verif
);
1271 #endif /* MBEDTLS_PKCS1_V15 */
1274 * Do an RSA operation to sign the message digest
1276 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context
*ctx
,
1277 int (*f_rng
)(void *, unsigned char *, size_t),
1280 mbedtls_md_type_t md_alg
,
1281 unsigned int hashlen
,
1282 const unsigned char *hash
,
1283 unsigned char *sig
)
1285 switch( ctx
->padding
)
1287 #if defined(MBEDTLS_PKCS1_V15)
1288 case MBEDTLS_RSA_PKCS_V15
:
1289 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1290 hashlen
, hash
, sig
);
1293 #if defined(MBEDTLS_PKCS1_V21)
1294 case MBEDTLS_RSA_PKCS_V21
:
1295 return mbedtls_rsa_rsassa_pss_sign( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1296 hashlen
, hash
, sig
);
1300 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1304 #if defined(MBEDTLS_PKCS1_V21)
1306 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1308 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context
*ctx
,
1309 int (*f_rng
)(void *, unsigned char *, size_t),
1312 mbedtls_md_type_t md_alg
,
1313 unsigned int hashlen
,
1314 const unsigned char *hash
,
1315 mbedtls_md_type_t mgf1_hash_id
,
1316 int expected_salt_len
,
1317 const unsigned char *sig
)
1322 unsigned char result
[MBEDTLS_MD_MAX_SIZE
];
1323 unsigned char zeros
[8];
1326 const mbedtls_md_info_t
*md_info
;
1327 mbedtls_md_context_t md_ctx
;
1328 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
1330 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V21
)
1331 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1335 if( siglen
< 16 || siglen
> sizeof( buf
) )
1336 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1338 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
1339 ? mbedtls_rsa_public( ctx
, sig
, buf
)
1340 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, buf
);
1347 if( buf
[siglen
- 1] != 0xBC )
1348 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1350 if( md_alg
!= MBEDTLS_MD_NONE
)
1352 /* Gather length of hash to sign */
1353 md_info
= mbedtls_md_info_from_type( md_alg
);
1354 if( md_info
== NULL
)
1355 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1357 hashlen
= mbedtls_md_get_size( md_info
);
1360 md_info
= mbedtls_md_info_from_type( mgf1_hash_id
);
1361 if( md_info
== NULL
)
1362 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1364 hlen
= mbedtls_md_get_size( md_info
);
1365 slen
= siglen
- hlen
- 1; /* Currently length of salt + padding */
1367 memset( zeros
, 0, 8 );
1370 * Note: EMSA-PSS verification is over the length of N - 1 bits
1372 msb
= mbedtls_mpi_bitlen( &ctx
->N
) - 1;
1374 /* Compensate for boundary condition when applying mask */
1380 if( buf
[0] >> ( 8 - siglen
* 8 + msb
) )
1381 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1383 mbedtls_md_init( &md_ctx
);
1384 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 0 ) ) != 0 )
1386 mbedtls_md_free( &md_ctx
);
1390 mgf_mask( p
, siglen
- hlen
- 1, p
+ siglen
- hlen
- 1, hlen
, &md_ctx
);
1392 buf
[0] &= 0xFF >> ( siglen
* 8 - msb
);
1394 while( p
< buf
+ siglen
&& *p
== 0 )
1397 if( p
== buf
+ siglen
||
1400 mbedtls_md_free( &md_ctx
);
1401 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1404 /* Actual salt len */
1407 if( expected_salt_len
!= MBEDTLS_RSA_SALT_LEN_ANY
&&
1408 slen
!= (size_t) expected_salt_len
)
1410 mbedtls_md_free( &md_ctx
);
1411 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1415 * Generate H = Hash( M' )
1417 mbedtls_md_starts( &md_ctx
);
1418 mbedtls_md_update( &md_ctx
, zeros
, 8 );
1419 mbedtls_md_update( &md_ctx
, hash
, hashlen
);
1420 mbedtls_md_update( &md_ctx
, p
, slen
);
1421 mbedtls_md_finish( &md_ctx
, result
);
1423 mbedtls_md_free( &md_ctx
);
1425 if( memcmp( p
+ slen
, result
, hlen
) == 0 )
1428 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1432 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1434 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context
*ctx
,
1435 int (*f_rng
)(void *, unsigned char *, size_t),
1438 mbedtls_md_type_t md_alg
,
1439 unsigned int hashlen
,
1440 const unsigned char *hash
,
1441 const unsigned char *sig
)
1443 mbedtls_md_type_t mgf1_hash_id
= ( ctx
->hash_id
!= MBEDTLS_MD_NONE
)
1444 ? (mbedtls_md_type_t
) ctx
->hash_id
1447 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx
, f_rng
, p_rng
, mode
,
1448 md_alg
, hashlen
, hash
,
1449 mgf1_hash_id
, MBEDTLS_RSA_SALT_LEN_ANY
,
1453 #endif /* MBEDTLS_PKCS1_V21 */
1455 #if defined(MBEDTLS_PKCS1_V15)
1457 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
1459 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context
*ctx
,
1460 int (*f_rng
)(void *, unsigned char *, size_t),
1463 mbedtls_md_type_t md_alg
,
1464 unsigned int hashlen
,
1465 const unsigned char *hash
,
1466 const unsigned char *sig
)
1469 size_t len
, siglen
, asn1_len
;
1470 unsigned char *p
, *p0
, *end
;
1471 mbedtls_md_type_t msg_md_alg
;
1472 const mbedtls_md_info_t
*md_info
;
1473 mbedtls_asn1_buf oid
;
1474 unsigned char buf
[MBEDTLS_MPI_MAX_SIZE
];
1476 if( mode
== MBEDTLS_RSA_PRIVATE
&& ctx
->padding
!= MBEDTLS_RSA_PKCS_V15
)
1477 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1481 if( siglen
< 16 || siglen
> sizeof( buf
) )
1482 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1484 ret
= ( mode
== MBEDTLS_RSA_PUBLIC
)
1485 ? mbedtls_rsa_public( ctx
, sig
, buf
)
1486 : mbedtls_rsa_private( ctx
, f_rng
, p_rng
, sig
, buf
);
1493 if( *p
++ != 0 || *p
++ != MBEDTLS_RSA_SIGN
)
1494 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1498 if( p
>= buf
+ siglen
- 1 || *p
!= 0xFF )
1499 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1502 p
++; /* skip 00 byte */
1504 /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
1506 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1508 len
= siglen
- ( p
- buf
);
1510 if( len
== hashlen
&& md_alg
== MBEDTLS_MD_NONE
)
1512 if( memcmp( p
, hash
, hashlen
) == 0 )
1515 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1518 md_info
= mbedtls_md_info_from_type( md_alg
);
1519 if( md_info
== NULL
)
1520 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA
);
1521 hashlen
= mbedtls_md_get_size( md_info
);
1526 * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.
1527 * Insist on 2-byte length tags, to protect against variants of
1528 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.
1531 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
,
1532 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
1533 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1534 if( p
!= p0
+ 2 || asn1_len
+ 2 != len
)
1535 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1538 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
,
1539 MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE
) ) != 0 )
1540 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1541 if( p
!= p0
+ 2 || asn1_len
+ 6 + hashlen
!= len
)
1542 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1545 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &oid
.len
, MBEDTLS_ASN1_OID
) ) != 0 )
1546 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1548 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1553 if( mbedtls_oid_get_md_alg( &oid
, &msg_md_alg
) != 0 )
1554 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1556 if( md_alg
!= msg_md_alg
)
1557 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1560 * assume the algorithm parameters must be NULL
1563 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
, MBEDTLS_ASN1_NULL
) ) != 0 )
1564 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1566 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1569 if( ( ret
= mbedtls_asn1_get_tag( &p
, end
, &asn1_len
, MBEDTLS_ASN1_OCTET_STRING
) ) != 0 )
1570 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1571 if( p
!= p0
+ 2 || asn1_len
!= hashlen
)
1572 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1574 if( memcmp( p
, hash
, hashlen
) != 0 )
1575 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1580 return( MBEDTLS_ERR_RSA_VERIFY_FAILED
);
1584 #endif /* MBEDTLS_PKCS1_V15 */
1587 * Do an RSA operation and check the message digest
1589 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context
*ctx
,
1590 int (*f_rng
)(void *, unsigned char *, size_t),
1593 mbedtls_md_type_t md_alg
,
1594 unsigned int hashlen
,
1595 const unsigned char *hash
,
1596 const unsigned char *sig
)
1598 switch( ctx
->padding
)
1600 #if defined(MBEDTLS_PKCS1_V15)
1601 case MBEDTLS_RSA_PKCS_V15
:
1602 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1603 hashlen
, hash
, sig
);
1606 #if defined(MBEDTLS_PKCS1_V21)
1607 case MBEDTLS_RSA_PKCS_V21
:
1608 return mbedtls_rsa_rsassa_pss_verify( ctx
, f_rng
, p_rng
, mode
, md_alg
,
1609 hashlen
, hash
, sig
);
1613 return( MBEDTLS_ERR_RSA_INVALID_PADDING
);
1618 * Copy the components of an RSA key
1620 int mbedtls_rsa_copy( mbedtls_rsa_context
*dst
, const mbedtls_rsa_context
*src
)
1624 dst
->ver
= src
->ver
;
1625 dst
->len
= src
->len
;
1627 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->N
, &src
->N
) );
1628 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->E
, &src
->E
) );
1630 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->D
, &src
->D
) );
1631 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->P
, &src
->P
) );
1632 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Q
, &src
->Q
) );
1633 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->DP
, &src
->DP
) );
1634 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->DQ
, &src
->DQ
) );
1635 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->QP
, &src
->QP
) );
1637 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RN
, &src
->RN
) );
1638 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RP
, &src
->RP
) );
1639 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->RQ
, &src
->RQ
) );
1641 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Vi
, &src
->Vi
) );
1642 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst
->Vf
, &src
->Vf
) );
1644 dst
->padding
= src
->padding
;
1645 dst
->hash_id
= src
->hash_id
;
1649 mbedtls_rsa_free( dst
);
1655 * Free the components of an RSA key
1657 void mbedtls_rsa_free( mbedtls_rsa_context
*ctx
)
1659 mbedtls_mpi_free( &ctx
->Vi
); mbedtls_mpi_free( &ctx
->Vf
);
1660 mbedtls_mpi_free( &ctx
->RQ
); mbedtls_mpi_free( &ctx
->RP
); mbedtls_mpi_free( &ctx
->RN
);
1661 mbedtls_mpi_free( &ctx
->QP
); mbedtls_mpi_free( &ctx
->DQ
); mbedtls_mpi_free( &ctx
->DP
);
1662 mbedtls_mpi_free( &ctx
->Q
); mbedtls_mpi_free( &ctx
->P
); mbedtls_mpi_free( &ctx
->D
);
1663 mbedtls_mpi_free( &ctx
->E
); mbedtls_mpi_free( &ctx
->N
);
1665 #if defined(MBEDTLS_THREADING_C)
1666 mbedtls_mutex_free( &ctx
->mutex
);
1670 #if defined(MBEDTLS_SELF_TEST)
1672 #include "mbedtls/sha1.h"
1675 * Example RSA-1024 keypair, for test purposes
1679 #define RSA_N "9292758453063D803DD603D5E777D788" \
1680 "8ED1D5BF35786190FA2F23EBC0848AEA" \
1681 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
1682 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
1683 "93A89813FBF3C4F8066D2D800F7C38A8" \
1684 "1AE31942917403FF4946B0A83D3D3E05" \
1685 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
1686 "5E94BB77B07507233A0BC7BAC8F90F79"
1688 #define RSA_E "10001"
1690 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
1691 "66CA472BC44D253102F8B4A9D3BFA750" \
1692 "91386C0077937FE33FA3252D28855837" \
1693 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
1694 "DF79C5CE07EE72C7F123142198164234" \
1695 "CABB724CF78B8173B9F880FC86322407" \
1696 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
1697 "071513A1E85B5DFA031F21ECAE91A34D"
1699 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
1700 "2C01CAD19EA484A87EA4377637E75500" \
1701 "FCB2005C5C7DD6EC4AC023CDA285D796" \
1702 "C3D9E75E1EFC42488BB4F1D13AC30A57"
1704 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
1705 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
1706 "910E4168387E3C30AA1E00C339A79508" \
1707 "8452DD96A9A5EA5D9DCA68DA636032AF"
1709 #define RSA_DP "C1ACF567564274FB07A0BBAD5D26E298" \
1710 "3C94D22288ACD763FD8E5600ED4A702D" \
1711 "F84198A5F06C2E72236AE490C93F07F8" \
1712 "3CC559CD27BC2D1CA488811730BB5725"
1714 #define RSA_DQ "4959CBF6F8FEF750AEE6977C155579C7" \
1715 "D8AAEA56749EA28623272E4F7D0592AF" \
1716 "7C1F1313CAC9471B5C523BFE592F517B" \
1717 "407A1BD76C164B93DA2D32A383E58357"
1719 #define RSA_QP "9AE7FBC99546432DF71896FC239EADAE" \
1720 "F38D18D2B2F0E2DD275AA977E2BF4411" \
1721 "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
1722 "A74206CEC169D74BF5A8C50D6F48EA08"
1725 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
1726 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
1728 #if defined(MBEDTLS_PKCS1_V15)
1729 static int myrand( void *rng_state
, unsigned char *output
, size_t len
)
1731 #if !defined(__OpenBSD__)
1734 if( rng_state
!= NULL
)
1737 for( i
= 0; i
< len
; ++i
)
1740 if( rng_state
!= NULL
)
1743 arc4random_buf( output
, len
);
1744 #endif /* !OpenBSD */
1748 #endif /* MBEDTLS_PKCS1_V15 */
1753 int mbedtls_rsa_self_test( int verbose
)
1756 #if defined(MBEDTLS_PKCS1_V15)
1758 mbedtls_rsa_context rsa
;
1759 unsigned char rsa_plaintext
[PT_LEN
];
1760 unsigned char rsa_decrypted
[PT_LEN
];
1761 unsigned char rsa_ciphertext
[KEY_LEN
];
1762 #if defined(MBEDTLS_SHA1_C)
1763 unsigned char sha1sum
[20];
1766 mbedtls_rsa_init( &rsa
, MBEDTLS_RSA_PKCS_V15
, 0 );
1769 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.N
, 16, RSA_N
) );
1770 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.E
, 16, RSA_E
) );
1771 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.D
, 16, RSA_D
) );
1772 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.P
, 16, RSA_P
) );
1773 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.Q
, 16, RSA_Q
) );
1774 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.DP
, 16, RSA_DP
) );
1775 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.DQ
, 16, RSA_DQ
) );
1776 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &rsa
.QP
, 16, RSA_QP
) );
1779 mbedtls_printf( " RSA key validation: " );
1781 if( mbedtls_rsa_check_pubkey( &rsa
) != 0 ||
1782 mbedtls_rsa_check_privkey( &rsa
) != 0 )
1785 mbedtls_printf( "failed\n" );
1791 mbedtls_printf( "passed\n PKCS#1 encryption : " );
1793 memcpy( rsa_plaintext
, RSA_PT
, PT_LEN
);
1795 if( mbedtls_rsa_pkcs1_encrypt( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PUBLIC
, PT_LEN
,
1796 rsa_plaintext
, rsa_ciphertext
) != 0 )
1799 mbedtls_printf( "failed\n" );
1805 mbedtls_printf( "passed\n PKCS#1 decryption : " );
1807 if( mbedtls_rsa_pkcs1_decrypt( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PRIVATE
, &len
,
1808 rsa_ciphertext
, rsa_decrypted
,
1809 sizeof(rsa_decrypted
) ) != 0 )
1812 mbedtls_printf( "failed\n" );
1817 if( memcmp( rsa_decrypted
, rsa_plaintext
, len
) != 0 )
1820 mbedtls_printf( "failed\n" );
1826 mbedtls_printf( "passed\n" );
1828 #if defined(MBEDTLS_SHA1_C)
1830 mbedtls_printf( " PKCS#1 data sign : " );
1832 mbedtls_sha1( rsa_plaintext
, PT_LEN
, sha1sum
);
1834 if( mbedtls_rsa_pkcs1_sign( &rsa
, myrand
, NULL
, MBEDTLS_RSA_PRIVATE
, MBEDTLS_MD_SHA1
, 0,
1835 sha1sum
, rsa_ciphertext
) != 0 )
1838 mbedtls_printf( "failed\n" );
1844 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
1846 if( mbedtls_rsa_pkcs1_verify( &rsa
, NULL
, NULL
, MBEDTLS_RSA_PUBLIC
, MBEDTLS_MD_SHA1
, 0,
1847 sha1sum
, rsa_ciphertext
) != 0 )
1850 mbedtls_printf( "failed\n" );
1856 mbedtls_printf( "passed\n" );
1857 #endif /* MBEDTLS_SHA1_C */
1860 mbedtls_printf( "\n" );
1863 mbedtls_rsa_free( &rsa
);
1864 #else /* MBEDTLS_PKCS1_V15 */
1866 #endif /* MBEDTLS_PKCS1_V15 */
1870 #endif /* MBEDTLS_SELF_TEST */
1872 #endif /* MBEDTLS_RSA_C */