2 * The RSA public-key cryptosystem
5 * SPDX-License-Identifier: Apache-2.0
11 * http://www.apache.org/licenses/LICENSE-2.0
24 * [1] A method for obtaining digital signatures and public-key cryptosystems
28 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
85 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) || in mbedtls_rsa_import()
86 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) || in mbedtls_rsa_import()
87 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) || in mbedtls_rsa_import()
88 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) || in mbedtls_rsa_import()
89 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) ) in mbedtls_rsa_import()
95 ctx->len = mbedtls_mpi_size( &ctx->N ); in mbedtls_rsa_import()
112 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) ); in mbedtls_rsa_import_raw()
113 ctx->len = mbedtls_mpi_size( &ctx->N ); in mbedtls_rsa_import_raw()
117 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) ); in mbedtls_rsa_import_raw()
120 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) ); in mbedtls_rsa_import_raw()
123 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) ); in mbedtls_rsa_import_raw()
126 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) ); in mbedtls_rsa_import_raw()
150 if( ctx->len != mbedtls_mpi_size( &ctx->N ) || in rsa_check_context()
151 ctx->len > MBEDTLS_MPI_MAX_SIZE ) in rsa_check_context()
162 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 || in rsa_check_context()
163 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 ) in rsa_check_context()
173 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || in rsa_check_context()
174 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 || in rsa_check_context()
175 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 || in rsa_check_context()
176 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) ) in rsa_check_context()
187 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 ) in rsa_check_context()
193 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 ) in rsa_check_context()
197 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 || in rsa_check_context()
198 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) ) in rsa_check_context()
209 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 || in rsa_check_context()
210 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) ) in rsa_check_context()
220 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 ) in rsa_check_context()
240 have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 ); in mbedtls_rsa_complete()
241 have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 ); in mbedtls_rsa_complete()
242 have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 ); in mbedtls_rsa_complete()
243 have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 ); in mbedtls_rsa_complete()
244 have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 ); in mbedtls_rsa_complete()
247 have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 ); in mbedtls_rsa_complete()
248 have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 ); in mbedtls_rsa_complete()
249 have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 ); in mbedtls_rsa_complete()
279 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, in mbedtls_rsa_complete()
280 &ctx->Q ) ) != 0 ) in mbedtls_rsa_complete()
285 ctx->len = mbedtls_mpi_size( &ctx->N ); in mbedtls_rsa_complete()
294 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D, in mbedtls_rsa_complete()
295 &ctx->P, &ctx->Q ); in mbedtls_rsa_complete()
302 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P, in mbedtls_rsa_complete()
303 &ctx->Q, in mbedtls_rsa_complete()
304 &ctx->E, in mbedtls_rsa_complete()
305 &ctx->D ) ) != 0 ) in mbedtls_rsa_complete()
319 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_complete()
320 &ctx->DP, &ctx->DQ, &ctx->QP ); in mbedtls_rsa_complete()
346 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && in mbedtls_rsa_export_raw()
347 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && in mbedtls_rsa_export_raw()
348 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && in mbedtls_rsa_export_raw()
349 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && in mbedtls_rsa_export_raw()
350 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; in mbedtls_rsa_export_raw()
362 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) ); in mbedtls_rsa_export_raw()
365 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) ); in mbedtls_rsa_export_raw()
368 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) ); in mbedtls_rsa_export_raw()
371 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) ); in mbedtls_rsa_export_raw()
374 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) ); in mbedtls_rsa_export_raw()
391 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && in mbedtls_rsa_export()
392 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && in mbedtls_rsa_export()
393 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && in mbedtls_rsa_export()
394 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && in mbedtls_rsa_export()
395 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; in mbedtls_rsa_export()
408 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) || in mbedtls_rsa_export()
409 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) || in mbedtls_rsa_export()
410 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) || in mbedtls_rsa_export()
411 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) || in mbedtls_rsa_export()
412 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) ) in mbedtls_rsa_export()
435 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 && in mbedtls_rsa_export_crt()
436 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 && in mbedtls_rsa_export_crt()
437 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 && in mbedtls_rsa_export_crt()
438 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 && in mbedtls_rsa_export_crt()
439 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0; in mbedtls_rsa_export_crt()
446 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) || in mbedtls_rsa_export_crt()
447 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) || in mbedtls_rsa_export_crt()
448 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) ) in mbedtls_rsa_export_crt()
453 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_export_crt()
472 ctx->padding = MBEDTLS_RSA_PKCS_V15; in mbedtls_rsa_init()
473 ctx->hash_id = MBEDTLS_MD_NONE; in mbedtls_rsa_init()
476 /* Set ctx->ver to nonzero to indicate that the mutex has been in mbedtls_rsa_init()
478 ctx->ver = 1; in mbedtls_rsa_init()
479 mbedtls_mutex_init( &ctx->mutex ); in mbedtls_rsa_init()
514 ctx->padding = padding; in mbedtls_rsa_set_padding()
515 ctx->hash_id = hash_id; in mbedtls_rsa_set_padding()
526 return( ctx->len ); in mbedtls_rsa_get_len()
536 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
552 * rate of 2^-80 is sufficient. in mbedtls_rsa_gen_key()
569 * 1. |P-Q| > 2^( nbits / 2 - 100 ) in mbedtls_rsa_gen_key()
570 * 2. GCD( E, (P-1)*(Q-1) ) == 1 in mbedtls_rsa_gen_key()
571 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 ) in mbedtls_rsa_gen_key()
573 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) ); in mbedtls_rsa_gen_key()
577 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, in mbedtls_rsa_gen_key()
580 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, in mbedtls_rsa_gen_key()
583 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */ in mbedtls_rsa_gen_key()
584 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) ); in mbedtls_rsa_gen_key()
585 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) ) in mbedtls_rsa_gen_key()
590 mbedtls_mpi_swap( &ctx->P, &ctx->Q ); in mbedtls_rsa_gen_key()
592 /* Temporarily replace P,Q by P-1, Q-1 */ in mbedtls_rsa_gen_key()
593 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) ); in mbedtls_rsa_gen_key()
594 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) ); in mbedtls_rsa_gen_key()
595 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) ); in mbedtls_rsa_gen_key()
597 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */ in mbedtls_rsa_gen_key()
598 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) ); in mbedtls_rsa_gen_key()
602 … /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */ in mbedtls_rsa_gen_key()
603 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) ); in mbedtls_rsa_gen_key()
605 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) ); in mbedtls_rsa_gen_key()
607 … if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a)) in mbedtls_rsa_gen_key()
615 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) ); in mbedtls_rsa_gen_key()
616 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) ); in mbedtls_rsa_gen_key()
618 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) ); in mbedtls_rsa_gen_key()
620 ctx->len = mbedtls_mpi_size( &ctx->N ); in mbedtls_rsa_gen_key()
624 * DP = D mod (P - 1) in mbedtls_rsa_gen_key()
625 * DQ = D mod (Q - 1) in mbedtls_rsa_gen_key()
626 * QP = Q^-1 mod P in mbedtls_rsa_gen_key()
628 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_gen_key()
629 &ctx->DP, &ctx->DQ, &ctx->QP ) ); in mbedtls_rsa_gen_key()
632 /* Double-check */ in mbedtls_rsa_gen_key()
645 if( ( -ret & ~0x7f ) == 0 ) in mbedtls_rsa_gen_key()
665 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 ) in mbedtls_rsa_check_pubkey()
670 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 || in mbedtls_rsa_check_pubkey()
671 mbedtls_mpi_bitlen( &ctx->E ) < 2 || in mbedtls_rsa_check_pubkey()
672 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 ) in mbedtls_rsa_check_pubkey()
693 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q, in mbedtls_rsa_check_privkey()
694 &ctx->D, &ctx->E, NULL, NULL ) != 0 ) in mbedtls_rsa_check_privkey()
700 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D, in mbedtls_rsa_check_privkey()
701 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 ) in mbedtls_rsa_check_privkey()
725 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 || in mbedtls_rsa_check_pub_priv()
726 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 ) in mbedtls_rsa_check_pub_priv()
754 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) in mbedtls_rsa_public()
758 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); in mbedtls_rsa_public()
760 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) in mbedtls_rsa_public()
766 olen = ctx->len; in mbedtls_rsa_public()
767 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); in mbedtls_rsa_public()
772 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) in mbedtls_rsa_public()
786 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
787 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
788 * Berlin Heidelberg, 1996. p. 104-113.
798 if( ctx->Vf.p != NULL ) in rsa_prepare_blinding()
801 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) ); in rsa_prepare_blinding()
802 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); in rsa_prepare_blinding()
803 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); in rsa_prepare_blinding()
804 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) ); in rsa_prepare_blinding()
817 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); in rsa_prepare_blinding()
819 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */ in rsa_prepare_blinding()
820 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) ); in rsa_prepare_blinding()
821 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) ); in rsa_prepare_blinding()
822 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); in rsa_prepare_blinding()
828 ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N ); in rsa_prepare_blinding()
834 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */ in rsa_prepare_blinding()
835 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) ); in rsa_prepare_blinding()
836 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) ); in rsa_prepare_blinding()
838 /* Blinding value: Vi = Vf^(-e) mod N in rsa_prepare_blinding()
839 * (Vi already contains Vf^-1 at this point) */ in rsa_prepare_blinding()
840 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); in rsa_prepare_blinding()
850 * Exponent blinding is supposed to prevent side-channel attacks using multiple
851 * traces of measurements to recover the RSA key. The more collisions are there,
854 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
863 * side-channel attacks like the one in [3])
885 /* Temporaries holding P-1, Q-1 and the in mbedtls_rsa_private()
897 /* Pointers to actual exponents to be used - either the unblinded in mbedtls_rsa_private()
899 mbedtls_mpi *DP = &ctx->DP; in mbedtls_rsa_private()
900 mbedtls_mpi *DQ = &ctx->DQ; in mbedtls_rsa_private()
905 /* Pointer to actual exponent to be used - either the unblinded in mbedtls_rsa_private()
907 mbedtls_mpi *D = &ctx->D; in mbedtls_rsa_private()
928 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) in mbedtls_rsa_private()
955 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); in mbedtls_rsa_private()
956 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) in mbedtls_rsa_private()
969 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); in mbedtls_rsa_private()
970 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); in mbedtls_rsa_private()
975 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); in mbedtls_rsa_private()
976 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); in mbedtls_rsa_private()
980 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D in mbedtls_rsa_private()
986 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); in mbedtls_rsa_private()
991 * DP_blind = ( P - 1 ) * R + DP in mbedtls_rsa_private()
997 &ctx->DP ) ); in mbedtls_rsa_private()
1002 * DQ_blind = ( Q - 1 ) * R + DQ in mbedtls_rsa_private()
1008 &ctx->DQ ) ); in mbedtls_rsa_private()
1014 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) ); in mbedtls_rsa_private()
1023 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) ); in mbedtls_rsa_private()
1024 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) ); in mbedtls_rsa_private()
1027 * T = (TP - TQ) * (Q^-1 mod P) mod P in mbedtls_rsa_private()
1030 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) ); in mbedtls_rsa_private()
1031 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) ); in mbedtls_rsa_private()
1036 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) ); in mbedtls_rsa_private()
1044 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); in mbedtls_rsa_private()
1045 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); in mbedtls_rsa_private()
1048 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, in mbedtls_rsa_private()
1049 &ctx->N, &ctx->RN ) ); in mbedtls_rsa_private()
1056 olen = ctx->len; in mbedtls_rsa_private()
1061 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) in mbedtls_rsa_private()
1085 if( ret != 0 && ret >= -0x007f ) in mbedtls_rsa_private()
1114 hlen = mbedtls_md_get_size( md_ctx->md_info ); in mgf_mask()
1139 dlen -= use_len; in mgf_mask()
1151 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1176 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); in mbedtls_rsa_rsaes_oaep_encrypt()
1180 olen = ctx->len; in mbedtls_rsa_rsaes_oaep_encrypt()
1197 /* Construct DB */ in mbedtls_rsa_rsaes_oaep_encrypt()
1201 p += olen - 2 * hlen - 2 - ilen; in mbedtls_rsa_rsaes_oaep_encrypt()
1210 /* maskedDB: Apply dbMask to DB */ in mbedtls_rsa_rsaes_oaep_encrypt()
1211 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, in mbedtls_rsa_rsaes_oaep_encrypt()
1216 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, in mbedtls_rsa_rsaes_oaep_encrypt()
1232 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1248 olen = ctx->len; in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1254 nb_pad = olen - 3 - ilen; in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1263 while( nb_pad-- > 0 ) in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1269 } while( *p == 0 && --rng_dl && ret == 0 ); in mbedtls_rsa_rsaes_pkcs1_v15_encrypt()
1300 switch( ctx->padding ) in mbedtls_rsa_pkcs1_encrypt()
1321 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1350 if( ctx->padding != MBEDTLS_RSA_PKCS_V21 ) in mbedtls_rsa_rsaes_oaep_decrypt()
1353 ilen = ctx->len; in mbedtls_rsa_rsaes_oaep_decrypt()
1358 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); in mbedtls_rsa_rsaes_oaep_decrypt()
1387 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, in mbedtls_rsa_rsaes_oaep_decrypt()
1389 /* DB: Apply dbMask to maskedDB */ in mbedtls_rsa_rsaes_oaep_decrypt()
1390 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, in mbedtls_rsa_rsaes_oaep_decrypt()
1404 * Check contents, in "constant-time" in mbedtls_rsa_rsaes_oaep_decrypt()
1417 /* Get zero-padding len, but always read till end of buffer in mbedtls_rsa_rsaes_oaep_decrypt()
1421 for( i = 0; i < ilen - 2 * hlen - 2; i++ ) in mbedtls_rsa_rsaes_oaep_decrypt()
1424 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; in mbedtls_rsa_rsaes_oaep_decrypt()
1442 if( ilen - ( p - buf ) > output_max_len ) in mbedtls_rsa_rsaes_oaep_decrypt()
1448 *olen = ilen - (p - buf); in mbedtls_rsa_rsaes_oaep_decrypt()
1463 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1482 ilen = ctx->len; in mbedtls_rsa_rsaes_pkcs1_v15_decrypt()
1484 if( ctx->padding != MBEDTLS_RSA_PKCS_V15 ) in mbedtls_rsa_rsaes_pkcs1_v15_decrypt()
1521 switch( ctx->padding ) in mbedtls_rsa_pkcs1_decrypt()
1565 if( ctx->padding != MBEDTLS_RSA_PKCS_V21 ) in rsa_rsassa_pss_sign()
1571 olen = ctx->len; in rsa_rsassa_pss_sign()
1584 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id ); in rsa_rsassa_pss_sign()
1594 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not in rsa_rsassa_pss_sign()
1597 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017 in rsa_rsassa_pss_sign()
1599 min_slen = hlen - 2; in rsa_rsassa_pss_sign()
1605 slen = olen - hlen - 2; in rsa_rsassa_pss_sign()
1618 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */ in rsa_rsassa_pss_sign()
1619 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; in rsa_rsassa_pss_sign()
1620 p += olen - hlen - slen - 2; in rsa_rsassa_pss_sign()
1650 /* maskedDB: Apply dbMask to DB */ in rsa_rsassa_pss_sign()
1651 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, in rsa_rsassa_pss_sign()
1655 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; in rsa_rsassa_pss_sign()
1656 sig[0] &= 0xFF >> ( olen * 8 - msb ); in rsa_rsassa_pss_sign()
1671 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
1689 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1706 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1714 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1716 * - hashlen: Length of hash. Must match md_alg if that's not NONE.
1717 * - hash: Buffer containing the hashed message or the raw data.
1718 * - dst_len: Length of the encoded message.
1719 * - dst: Buffer to hold the encoded message.
1722 * - hash has size hashlen.
1723 * - dst points to a buffer of size at least dst_len.
1750 /* Double-check that 8 + hashlen + oid_size can be used as a in rsa_rsassa_pkcs1_v15_encode()
1751 * 1-byte ASN.1 length encoding and that there's no overflow. */ in rsa_rsassa_pkcs1_v15_encode()
1759 * - Need 10 bytes for five tag-length pairs. in rsa_rsassa_pkcs1_v15_encode()
1760 * (Insist on 1-byte length encodings to protect against variants of in rsa_rsassa_pkcs1_v15_encode()
1762 * - Need hashlen bytes for hash in rsa_rsassa_pkcs1_v15_encode()
1763 * - Need oid_size bytes for hash alg OID. in rsa_rsassa_pkcs1_v15_encode()
1767 nb_pad -= 10 + hashlen + oid_size; in rsa_rsassa_pkcs1_v15_encode()
1774 nb_pad -= hashlen; in rsa_rsassa_pkcs1_v15_encode()
1781 nb_pad -= 3; in rsa_rsassa_pkcs1_v15_encode()
1809 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ] in rsa_rsassa_pkcs1_v15_encode()
1810 * TAG-NULL + LEN [ NULL ] ] in rsa_rsassa_pkcs1_v15_encode()
1811 * TAG-OCTET + LEN [ HASH ] ] in rsa_rsassa_pkcs1_v15_encode()
1828 /* Just a sanity-check, should be automatic in rsa_rsassa_pkcs1_v15_encode()
1859 if( ctx->padding != MBEDTLS_RSA_PKCS_V15 ) in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1863 * Prepare PKCS1-v1.5 encoding (padding and hash identifier) in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1867 ctx->len, sig ) ) != 0 ) in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1876 sig_try = mbedtls_calloc( 1, ctx->len ); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1880 verif = mbedtls_calloc( 1, ctx->len ); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1890 if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 ) in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1896 memcpy( sig, sig_try, ctx->len ); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1899 mbedtls_platform_zeroize( sig_try, ctx->len ); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1900 mbedtls_platform_zeroize( verif, ctx->len ); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1905 memset( sig, '!', ctx->len ); in mbedtls_rsa_rsassa_pkcs1_v15_sign()
1927 switch( ctx->padding ) in mbedtls_rsa_pkcs1_sign()
1948 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
1976 siglen = ctx->len; in mbedtls_rsa_rsassa_pss_verify_ext()
1988 if( buf[siglen - 1] != 0xBC ) in mbedtls_rsa_rsassa_pss_verify_ext()
2011 * Note: EMSA-PSS verification is over the length of N - 1 bits in mbedtls_rsa_rsassa_pss_verify_ext()
2013 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; in mbedtls_rsa_rsassa_pss_verify_ext()
2015 if( buf[0] >> ( 8 - siglen * 8 + msb ) ) in mbedtls_rsa_rsassa_pss_verify_ext()
2022 siglen -= 1; in mbedtls_rsa_rsassa_pss_verify_ext()
2027 hash_start = p + siglen - hlen - 1; in mbedtls_rsa_rsassa_pss_verify_ext()
2033 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); in mbedtls_rsa_rsassa_pss_verify_ext()
2037 buf[0] &= 0xFF >> ( siglen * 8 - msb ); in mbedtls_rsa_rsassa_pss_verify_ext()
2039 while( p < hash_start - 1 && *p == 0 ) in mbedtls_rsa_rsassa_pss_verify_ext()
2048 observed_salt_len = hash_start - p; in mbedtls_rsa_rsassa_pss_verify_ext()
2089 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2104 mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE ) in mbedtls_rsa_rsassa_pss_verify()
2105 ? (mbedtls_md_type_t) ctx->hash_id in mbedtls_rsa_rsassa_pss_verify()
2119 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2137 sig_len = ctx->len; in mbedtls_rsa_rsassa_pkcs1_v15_verify()
2206 switch( ctx->padding ) in mbedtls_rsa_pkcs1_verify()
2234 dst->len = src->len; in mbedtls_rsa_copy()
2236 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) ); in mbedtls_rsa_copy()
2237 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) ); in mbedtls_rsa_copy()
2239 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) ); in mbedtls_rsa_copy()
2240 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) ); in mbedtls_rsa_copy()
2241 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) ); in mbedtls_rsa_copy()
2244 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) ); in mbedtls_rsa_copy()
2245 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) ); in mbedtls_rsa_copy()
2246 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) ); in mbedtls_rsa_copy()
2247 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) ); in mbedtls_rsa_copy()
2248 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) ); in mbedtls_rsa_copy()
2251 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) ); in mbedtls_rsa_copy()
2253 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) ); in mbedtls_rsa_copy()
2254 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) ); in mbedtls_rsa_copy()
2256 dst->padding = src->padding; in mbedtls_rsa_copy()
2257 dst->hash_id = src->hash_id; in mbedtls_rsa_copy()
2274 mbedtls_mpi_free( &ctx->Vi ); in mbedtls_rsa_free()
2275 mbedtls_mpi_free( &ctx->Vf ); in mbedtls_rsa_free()
2276 mbedtls_mpi_free( &ctx->RN ); in mbedtls_rsa_free()
2277 mbedtls_mpi_free( &ctx->D ); in mbedtls_rsa_free()
2278 mbedtls_mpi_free( &ctx->Q ); in mbedtls_rsa_free()
2279 mbedtls_mpi_free( &ctx->P ); in mbedtls_rsa_free()
2280 mbedtls_mpi_free( &ctx->E ); in mbedtls_rsa_free()
2281 mbedtls_mpi_free( &ctx->N ); in mbedtls_rsa_free()
2284 mbedtls_mpi_free( &ctx->RQ ); in mbedtls_rsa_free()
2285 mbedtls_mpi_free( &ctx->RP ); in mbedtls_rsa_free()
2286 mbedtls_mpi_free( &ctx->QP ); in mbedtls_rsa_free()
2287 mbedtls_mpi_free( &ctx->DQ ); in mbedtls_rsa_free()
2288 mbedtls_mpi_free( &ctx->DP ); in mbedtls_rsa_free()
2293 if( ctx->ver != 0 ) in mbedtls_rsa_free()
2295 mbedtls_mutex_free( &ctx->mutex ); in mbedtls_rsa_free()
2296 ctx->ver = 0; in mbedtls_rsa_free()
2308 * Example RSA-1024 keypair, for test purposes