1 /*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 /*
9 * The following sources were referenced in the design of this implementation
10 * of the RSA algorithm:
11 *
12 * [1] A method for obtaining digital signatures and public-key cryptosystems
13 * R Rivest, A Shamir, and L Adleman
14 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
15 *
16 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
17 * Menezes, van Oorschot and Vanstone
18 *
19 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
20 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
21 * Stefan Mangard
22 * https://arxiv.org/abs/1702.08719v2
23 *
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_RSA_C)
29
30 #include "mbedtls/rsa.h"
31 #include "mbedtls/rsa_internal.h"
32 #include "mbedtls/oid.h"
33 #include "mbedtls/platform_util.h"
34 #include "mbedtls/error.h"
35 #include "constant_time_internal.h"
36 #include "mbedtls/constant_time.h"
37 #include "bignum_internal.h"
38
39 #include <string.h>
40
41 #if defined(MBEDTLS_PKCS1_V21)
42 #include "mbedtls/md.h"
43 #endif
44
45 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
46 #include <stdlib.h>
47 #endif
48
49 #include "mbedtls/platform.h"
50
51 #if !defined(MBEDTLS_RSA_ALT)
52
53 /* Parameter validation macros */
54 #define RSA_VALIDATE_RET(cond) \
55 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA)
56 #define RSA_VALIDATE(cond) \
57 MBEDTLS_INTERNAL_VALIDATE(cond)
58
mbedtls_rsa_import(mbedtls_rsa_context * ctx,const mbedtls_mpi * N,const mbedtls_mpi * P,const mbedtls_mpi * Q,const mbedtls_mpi * D,const mbedtls_mpi * E)59 int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
60 const mbedtls_mpi *N,
61 const mbedtls_mpi *P, const mbedtls_mpi *Q,
62 const mbedtls_mpi *D, const mbedtls_mpi *E)
63 {
64 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
65 RSA_VALIDATE_RET(ctx != NULL);
66
67 if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
68 (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
69 (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
70 (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
71 (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
72 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
73 }
74
75 if (N != NULL) {
76 ctx->len = mbedtls_mpi_size(&ctx->N);
77 }
78
79 return 0;
80 }
81
mbedtls_rsa_import_raw(mbedtls_rsa_context * ctx,unsigned char const * N,size_t N_len,unsigned char const * P,size_t P_len,unsigned char const * Q,size_t Q_len,unsigned char const * D,size_t D_len,unsigned char const * E,size_t E_len)82 int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
83 unsigned char const *N, size_t N_len,
84 unsigned char const *P, size_t P_len,
85 unsigned char const *Q, size_t Q_len,
86 unsigned char const *D, size_t D_len,
87 unsigned char const *E, size_t E_len)
88 {
89 int ret = 0;
90 RSA_VALIDATE_RET(ctx != NULL);
91
92 if (N != NULL) {
93 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
94 ctx->len = mbedtls_mpi_size(&ctx->N);
95 }
96
97 if (P != NULL) {
98 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
99 }
100
101 if (Q != NULL) {
102 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
103 }
104
105 if (D != NULL) {
106 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
107 }
108
109 if (E != NULL) {
110 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
111 }
112
113 cleanup:
114
115 if (ret != 0) {
116 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
117 }
118
119 return 0;
120 }
121
122 /*
123 * Checks whether the context fields are set in such a way
124 * that the RSA primitives will be able to execute without error.
125 * It does *not* make guarantees for consistency of the parameters.
126 */
rsa_check_context(mbedtls_rsa_context const * ctx,int is_priv,int blinding_needed)127 static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
128 int blinding_needed)
129 {
130 #if !defined(MBEDTLS_RSA_NO_CRT)
131 /* blinding_needed is only used for NO_CRT to decide whether
132 * P,Q need to be present or not. */
133 ((void) blinding_needed);
134 #endif
135
136 if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
137 ctx->len > MBEDTLS_MPI_MAX_SIZE) {
138 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
139 }
140
141 /*
142 * 1. Modular exponentiation needs positive, odd moduli.
143 */
144
145 /* Modular exponentiation wrt. N is always used for
146 * RSA public key operations. */
147 if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
148 mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
149 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
150 }
151
152 #if !defined(MBEDTLS_RSA_NO_CRT)
153 /* Modular exponentiation for P and Q is only
154 * used for private key operations and if CRT
155 * is used. */
156 if (is_priv &&
157 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
158 mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
159 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
160 mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
161 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
162 }
163 #endif /* !MBEDTLS_RSA_NO_CRT */
164
165 /*
166 * 2. Exponents must be positive
167 */
168
169 /* Always need E for public key operations */
170 if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
171 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
172 }
173
174 #if defined(MBEDTLS_RSA_NO_CRT)
175 /* For private key operations, use D or DP & DQ
176 * as (unblinded) exponents. */
177 if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
178 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
179 }
180 #else
181 if (is_priv &&
182 (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
183 mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
184 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
185 }
186 #endif /* MBEDTLS_RSA_NO_CRT */
187
188 /* Blinding shouldn't make exponents negative either,
189 * so check that P, Q >= 1 if that hasn't yet been
190 * done as part of 1. */
191 #if defined(MBEDTLS_RSA_NO_CRT)
192 if (is_priv && blinding_needed &&
193 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
194 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
195 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
196 }
197 #endif
198
199 /* It wouldn't lead to an error if it wasn't satisfied,
200 * but check for QP >= 1 nonetheless. */
201 #if !defined(MBEDTLS_RSA_NO_CRT)
202 if (is_priv &&
203 mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
204 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
205 }
206 #endif
207
208 return 0;
209 }
210
mbedtls_rsa_complete(mbedtls_rsa_context * ctx)211 int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
212 {
213 int ret = 0;
214 int have_N, have_P, have_Q, have_D, have_E;
215 #if !defined(MBEDTLS_RSA_NO_CRT)
216 int have_DP, have_DQ, have_QP;
217 #endif
218 int n_missing, pq_missing, d_missing, is_pub, is_priv;
219
220 RSA_VALIDATE_RET(ctx != NULL);
221
222 have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
223 have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
224 have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
225 have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
226 have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
227
228 #if !defined(MBEDTLS_RSA_NO_CRT)
229 have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
230 have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
231 have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
232 #endif
233
234 /*
235 * Check whether provided parameters are enough
236 * to deduce all others. The following incomplete
237 * parameter sets for private keys are supported:
238 *
239 * (1) P, Q missing.
240 * (2) D and potentially N missing.
241 *
242 */
243
244 n_missing = have_P && have_Q && have_D && have_E;
245 pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
246 d_missing = have_P && have_Q && !have_D && have_E;
247 is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
248
249 /* These three alternatives are mutually exclusive */
250 is_priv = n_missing || pq_missing || d_missing;
251
252 if (!is_priv && !is_pub) {
253 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
254 }
255
256 /*
257 * Step 1: Deduce N if P, Q are provided.
258 */
259
260 if (!have_N && have_P && have_Q) {
261 if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
262 &ctx->Q)) != 0) {
263 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
264 }
265
266 ctx->len = mbedtls_mpi_size(&ctx->N);
267 }
268
269 /*
270 * Step 2: Deduce and verify all remaining core parameters.
271 */
272
273 if (pq_missing) {
274 ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
275 &ctx->P, &ctx->Q);
276 if (ret != 0) {
277 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
278 }
279
280 } else if (d_missing) {
281 if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
282 &ctx->Q,
283 &ctx->E,
284 &ctx->D)) != 0) {
285 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
286 }
287 }
288
289 /*
290 * Step 3: Deduce all additional parameters specific
291 * to our current RSA implementation.
292 */
293
294 #if !defined(MBEDTLS_RSA_NO_CRT)
295 if (is_priv && !(have_DP && have_DQ && have_QP)) {
296 ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
297 &ctx->DP, &ctx->DQ, &ctx->QP);
298 if (ret != 0) {
299 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
300 }
301 }
302 #endif /* MBEDTLS_RSA_NO_CRT */
303
304 /*
305 * Step 3: Basic sanity checks
306 */
307
308 return rsa_check_context(ctx, is_priv, 1);
309 }
310
mbedtls_rsa_export_raw(const mbedtls_rsa_context * ctx,unsigned char * N,size_t N_len,unsigned char * P,size_t P_len,unsigned char * Q,size_t Q_len,unsigned char * D,size_t D_len,unsigned char * E,size_t E_len)311 int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
312 unsigned char *N, size_t N_len,
313 unsigned char *P, size_t P_len,
314 unsigned char *Q, size_t Q_len,
315 unsigned char *D, size_t D_len,
316 unsigned char *E, size_t E_len)
317 {
318 int ret = 0;
319 int is_priv;
320 RSA_VALIDATE_RET(ctx != NULL);
321
322 /* Check if key is private or public */
323 is_priv =
324 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
325 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
326 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
327 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
328 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
329
330 if (!is_priv) {
331 /* If we're trying to export private parameters for a public key,
332 * something must be wrong. */
333 if (P != NULL || Q != NULL || D != NULL) {
334 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
335 }
336
337 }
338
339 if (N != NULL) {
340 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
341 }
342
343 if (P != NULL) {
344 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
345 }
346
347 if (Q != NULL) {
348 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
349 }
350
351 if (D != NULL) {
352 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
353 }
354
355 if (E != NULL) {
356 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
357 }
358
359 cleanup:
360
361 return ret;
362 }
363
mbedtls_rsa_export(const mbedtls_rsa_context * ctx,mbedtls_mpi * N,mbedtls_mpi * P,mbedtls_mpi * Q,mbedtls_mpi * D,mbedtls_mpi * E)364 int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
365 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
366 mbedtls_mpi *D, mbedtls_mpi *E)
367 {
368 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
369 int is_priv;
370 RSA_VALIDATE_RET(ctx != NULL);
371
372 /* Check if key is private or public */
373 is_priv =
374 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
375 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
376 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
377 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
378 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
379
380 if (!is_priv) {
381 /* If we're trying to export private parameters for a public key,
382 * something must be wrong. */
383 if (P != NULL || Q != NULL || D != NULL) {
384 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
385 }
386
387 }
388
389 /* Export all requested core parameters. */
390
391 if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
392 (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
393 (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
394 (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
395 (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
396 return ret;
397 }
398
399 return 0;
400 }
401
402 /*
403 * Export CRT parameters
404 * This must also be implemented if CRT is not used, for being able to
405 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
406 * can be used in this case.
407 */
mbedtls_rsa_export_crt(const mbedtls_rsa_context * ctx,mbedtls_mpi * DP,mbedtls_mpi * DQ,mbedtls_mpi * QP)408 int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
409 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
410 {
411 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
412 int is_priv;
413 RSA_VALIDATE_RET(ctx != NULL);
414
415 /* Check if key is private or public */
416 is_priv =
417 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
418 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
419 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
420 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
421 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
422
423 if (!is_priv) {
424 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
425 }
426
427 #if !defined(MBEDTLS_RSA_NO_CRT)
428 /* Export all requested blinding parameters. */
429 if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
430 (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
431 (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
432 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
433 }
434 #else
435 if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
436 DP, DQ, QP)) != 0) {
437 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
438 }
439 #endif
440
441 return 0;
442 }
443
444 /*
445 * Initialize an RSA context
446 */
mbedtls_rsa_init(mbedtls_rsa_context * ctx,int padding,int hash_id)447 void mbedtls_rsa_init(mbedtls_rsa_context *ctx,
448 int padding,
449 int hash_id)
450 {
451 RSA_VALIDATE(ctx != NULL);
452 RSA_VALIDATE(padding == MBEDTLS_RSA_PKCS_V15 ||
453 padding == MBEDTLS_RSA_PKCS_V21);
454
455 memset(ctx, 0, sizeof(mbedtls_rsa_context));
456
457 mbedtls_rsa_set_padding(ctx, padding, hash_id);
458
459 #if defined(MBEDTLS_THREADING_C)
460 /* Set ctx->ver to nonzero to indicate that the mutex has been
461 * initialized and will need to be freed. */
462 ctx->ver = 1;
463 mbedtls_mutex_init(&ctx->mutex);
464 #endif
465 }
466
467 /*
468 * Set padding for an existing RSA context
469 */
mbedtls_rsa_set_padding(mbedtls_rsa_context * ctx,int padding,int hash_id)470 void mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
471 int hash_id)
472 {
473 RSA_VALIDATE(ctx != NULL);
474 RSA_VALIDATE(padding == MBEDTLS_RSA_PKCS_V15 ||
475 padding == MBEDTLS_RSA_PKCS_V21);
476
477 ctx->padding = padding;
478 ctx->hash_id = hash_id;
479 }
480
481 /*
482 * Get length in bytes of RSA modulus
483 */
484
mbedtls_rsa_get_len(const mbedtls_rsa_context * ctx)485 size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
486 {
487 return ctx->len;
488 }
489
490
491 #if defined(MBEDTLS_GENPRIME)
492
493 /*
494 * Generate an RSA keypair
495 *
496 * This generation method follows the RSA key pair generation procedure of
497 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
498 */
mbedtls_rsa_gen_key(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,unsigned int nbits,int exponent)499 int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
500 int (*f_rng)(void *, unsigned char *, size_t),
501 void *p_rng,
502 unsigned int nbits, int exponent)
503 {
504 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
505 mbedtls_mpi H, G, L;
506 int prime_quality = 0;
507 RSA_VALIDATE_RET(ctx != NULL);
508 RSA_VALIDATE_RET(f_rng != NULL);
509
510 /*
511 * If the modulus is 1024 bit long or shorter, then the security strength of
512 * the RSA algorithm is less than or equal to 80 bits and therefore an error
513 * rate of 2^-80 is sufficient.
514 */
515 if (nbits > 1024) {
516 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
517 }
518
519 mbedtls_mpi_init(&H);
520 mbedtls_mpi_init(&G);
521 mbedtls_mpi_init(&L);
522
523 if (nbits < 128 || exponent < 3 || nbits % 2 != 0) {
524 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
525 goto cleanup;
526 }
527
528 /*
529 * find primes P and Q with Q < P so that:
530 * 1. |P-Q| > 2^( nbits / 2 - 100 )
531 * 2. GCD( E, (P-1)*(Q-1) ) == 1
532 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
533 */
534 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
535
536 do {
537 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
538 prime_quality, f_rng, p_rng));
539
540 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
541 prime_quality, f_rng, p_rng));
542
543 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
544 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
545 if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
546 continue;
547 }
548
549 /* not required by any standards, but some users rely on the fact that P > Q */
550 if (H.s < 0) {
551 mbedtls_mpi_swap(&ctx->P, &ctx->Q);
552 }
553
554 /* Temporarily replace P,Q by P-1, Q-1 */
555 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
556 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
557 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
558
559 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
560 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
561 if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
562 continue;
563 }
564
565 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
566 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
567 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
568 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
569
570 if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
571 continue;
572 }
573
574 break;
575 } while (1);
576
577 /* Restore P,Q */
578 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
579 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
580
581 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
582
583 ctx->len = mbedtls_mpi_size(&ctx->N);
584
585 #if !defined(MBEDTLS_RSA_NO_CRT)
586 /*
587 * DP = D mod (P - 1)
588 * DQ = D mod (Q - 1)
589 * QP = Q^-1 mod P
590 */
591 MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
592 &ctx->DP, &ctx->DQ, &ctx->QP));
593 #endif /* MBEDTLS_RSA_NO_CRT */
594
595 /* Double-check */
596 MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
597
598 cleanup:
599
600 mbedtls_mpi_free(&H);
601 mbedtls_mpi_free(&G);
602 mbedtls_mpi_free(&L);
603
604 if (ret != 0) {
605 mbedtls_rsa_free(ctx);
606
607 if ((-ret & ~0x7f) == 0) {
608 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
609 }
610 return ret;
611 }
612
613 return 0;
614 }
615
616 #endif /* MBEDTLS_GENPRIME */
617
618 /*
619 * Check a public RSA key
620 */
mbedtls_rsa_check_pubkey(const mbedtls_rsa_context * ctx)621 int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
622 {
623 RSA_VALIDATE_RET(ctx != NULL);
624
625 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
626 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
627 }
628
629 if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
630 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
631 }
632
633 if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
634 mbedtls_mpi_bitlen(&ctx->E) < 2 ||
635 mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
636 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
637 }
638
639 return 0;
640 }
641
642 /*
643 * Check for the consistency of all fields in an RSA private key context
644 */
mbedtls_rsa_check_privkey(const mbedtls_rsa_context * ctx)645 int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
646 {
647 RSA_VALIDATE_RET(ctx != NULL);
648
649 if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
650 rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
651 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
652 }
653
654 if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
655 &ctx->D, &ctx->E, NULL, NULL) != 0) {
656 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
657 }
658
659 #if !defined(MBEDTLS_RSA_NO_CRT)
660 else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
661 &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
662 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
663 }
664 #endif
665
666 return 0;
667 }
668
669 /*
670 * Check if contexts holding a public and private key match
671 */
mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context * pub,const mbedtls_rsa_context * prv)672 int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
673 const mbedtls_rsa_context *prv)
674 {
675 RSA_VALIDATE_RET(pub != NULL);
676 RSA_VALIDATE_RET(prv != NULL);
677
678 if (mbedtls_rsa_check_pubkey(pub) != 0 ||
679 mbedtls_rsa_check_privkey(prv) != 0) {
680 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
681 }
682
683 if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
684 mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
685 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
686 }
687
688 return 0;
689 }
690
691 /*
692 * Do an RSA public key operation
693 */
mbedtls_rsa_public(mbedtls_rsa_context * ctx,const unsigned char * input,unsigned char * output)694 int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
695 const unsigned char *input,
696 unsigned char *output)
697 {
698 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
699 size_t olen;
700 mbedtls_mpi T;
701 RSA_VALIDATE_RET(ctx != NULL);
702 RSA_VALIDATE_RET(input != NULL);
703 RSA_VALIDATE_RET(output != NULL);
704
705 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
706 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
707 }
708
709 mbedtls_mpi_init(&T);
710
711 #if defined(MBEDTLS_THREADING_C)
712 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
713 return ret;
714 }
715 #endif
716
717 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
718
719 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
720 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
721 goto cleanup;
722 }
723
724 olen = ctx->len;
725 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
726 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
727
728 cleanup:
729 #if defined(MBEDTLS_THREADING_C)
730 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
731 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
732 }
733 #endif
734
735 mbedtls_mpi_free(&T);
736
737 if (ret != 0) {
738 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
739 }
740
741 return 0;
742 }
743
744 /*
745 * Generate or update blinding values, see section 10 of:
746 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
747 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
748 * Berlin Heidelberg, 1996. p. 104-113.
749 */
rsa_prepare_blinding(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)750 static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
751 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
752 {
753 int ret, count = 0;
754 mbedtls_mpi R;
755
756 mbedtls_mpi_init(&R);
757
758 if (ctx->Vf.p != NULL) {
759 /* We already have blinding values, just update them by squaring */
760 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
761 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
762 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
763 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
764
765 goto cleanup;
766 }
767
768 /* Unblinding value: Vf = random number, invertible mod N */
769 do {
770 if (count++ > 10) {
771 ret = MBEDTLS_ERR_RSA_RNG_FAILED;
772 goto cleanup;
773 }
774
775 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
776
777 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
778 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
779 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
780 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
781
782 /* At this point, Vi is invertible mod N if and only if both Vf and R
783 * are invertible mod N. If one of them isn't, we don't need to know
784 * which one, we just loop and choose new values for both of them.
785 * (Each iteration succeeds with overwhelming probability.) */
786 ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
787 if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
788 goto cleanup;
789 }
790
791 } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
792
793 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
794 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
795 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
796
797 /* Blinding value: Vi = Vf^(-e) mod N
798 * (Vi already contains Vf^-1 at this point) */
799 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
800
801
802 cleanup:
803 mbedtls_mpi_free(&R);
804
805 return ret;
806 }
807
808 /*
809 * Unblind
810 * T = T * Vf mod N
811 */
rsa_unblind(mbedtls_mpi * T,mbedtls_mpi * Vf,const mbedtls_mpi * N)812 static int rsa_unblind(mbedtls_mpi *T, mbedtls_mpi *Vf, const mbedtls_mpi *N)
813 {
814 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
815 const size_t nlimbs = N->n;
816 const size_t tlimbs = 2 * (nlimbs + 1);
817
818 mbedtls_mpi_uint mm = mbedtls_mpi_montmul_init(N->p);
819
820 mbedtls_mpi RR, M_T;
821
822 mbedtls_mpi_init(&RR);
823 mbedtls_mpi_init(&M_T);
824
825 MBEDTLS_MPI_CHK(mbedtls_mpi_get_mont_r2_unsafe(&RR, N));
826 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&M_T, tlimbs));
827
828 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs));
829 MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs));
830
831 /* T = T * Vf mod N
832 * Reminder: montmul(A, B, N) = A * B * R^-1 mod N
833 * Usually both operands are multiplied by R mod N beforehand, yielding a
834 * result that's also * R mod N (aka "in the Montgomery domain"). Here we
835 * only multiply one operand by R mod N, so the result is directly what we
836 * want - no need to call `mpi_montred()` on it. */
837 mbedtls_mpi_montmul(T, &RR, N, mm, &M_T);
838 mbedtls_mpi_montmul(T, Vf, N, mm, &M_T);
839
840 cleanup:
841
842 mbedtls_mpi_free(&RR);
843 mbedtls_mpi_free(&M_T);
844
845 return ret;
846 }
847
848 /*
849 * Exponent blinding supposed to prevent side-channel attacks using multiple
850 * traces of measurements to recover the RSA key. The more collisions are there,
851 * the more bits of the key can be recovered. See [3].
852 *
853 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
854 * observations on average.
855 *
856 * For example with 28 byte blinding to achieve 2 collisions the adversary has
857 * to make 2^112 observations on average.
858 *
859 * (With the currently (as of 2017 April) known best algorithms breaking 2048
860 * bit RSA requires approximately as much time as trying out 2^112 random keys.
861 * Thus in this sense with 28 byte blinding the security is not reduced by
862 * side-channel attacks like the one in [3])
863 *
864 * This countermeasure does not help if the key recovery is possible with a
865 * single trace.
866 */
867 #define RSA_EXPONENT_BLINDING 28
868
869 /*
870 * Do an RSA private key operation
871 */
mbedtls_rsa_private(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * input,unsigned char * output)872 int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
873 int (*f_rng)(void *, unsigned char *, size_t),
874 void *p_rng,
875 const unsigned char *input,
876 unsigned char *output)
877 {
878 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
879 size_t olen;
880
881 /* Temporary holding the result */
882 mbedtls_mpi T;
883
884 /* Temporaries holding P-1, Q-1 and the
885 * exponent blinding factor, respectively. */
886 mbedtls_mpi P1, Q1, R;
887
888 #if !defined(MBEDTLS_RSA_NO_CRT)
889 /* Temporaries holding the results mod p resp. mod q. */
890 mbedtls_mpi TP, TQ;
891
892 /* Temporaries holding the blinded exponents for
893 * the mod p resp. mod q computation (if used). */
894 mbedtls_mpi DP_blind, DQ_blind;
895
896 /* Pointers to actual exponents to be used - either the unblinded
897 * or the blinded ones, depending on the presence of a PRNG. */
898 mbedtls_mpi *DP = &ctx->DP;
899 mbedtls_mpi *DQ = &ctx->DQ;
900 #else
901 /* Temporary holding the blinded exponent (if used). */
902 mbedtls_mpi D_blind;
903
904 /* Pointer to actual exponent to be used - either the unblinded
905 * or the blinded one, depending on the presence of a PRNG. */
906 mbedtls_mpi *D = &ctx->D;
907 #endif /* MBEDTLS_RSA_NO_CRT */
908
909 /* Temporaries holding the initial input and the double
910 * checked result; should be the same in the end. */
911 mbedtls_mpi input_blinded, check_result_blinded;
912
913 RSA_VALIDATE_RET(ctx != NULL);
914 RSA_VALIDATE_RET(input != NULL);
915 RSA_VALIDATE_RET(output != NULL);
916
917 if (rsa_check_context(ctx, 1 /* private key checks */,
918 f_rng != NULL /* blinding y/n */) != 0) {
919 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
920 }
921
922 #if defined(MBEDTLS_THREADING_C)
923 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
924 return ret;
925 }
926 #endif
927
928 /* MPI Initialization */
929 mbedtls_mpi_init(&T);
930
931 mbedtls_mpi_init(&P1);
932 mbedtls_mpi_init(&Q1);
933 mbedtls_mpi_init(&R);
934
935 if (f_rng != NULL) {
936 #if defined(MBEDTLS_RSA_NO_CRT)
937 mbedtls_mpi_init(&D_blind);
938 #else
939 mbedtls_mpi_init(&DP_blind);
940 mbedtls_mpi_init(&DQ_blind);
941 #endif
942 }
943
944 #if !defined(MBEDTLS_RSA_NO_CRT)
945 mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
946 #endif
947
948 mbedtls_mpi_init(&input_blinded);
949 mbedtls_mpi_init(&check_result_blinded);
950
951 /* End of MPI initialization */
952
953 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
954 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
955 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
956 goto cleanup;
957 }
958
959 if (f_rng != NULL) {
960 /*
961 * Blinding
962 * T = T * Vi mod N
963 */
964 MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
965 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
966 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
967
968 /*
969 * Exponent blinding
970 */
971 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
972 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
973
974 #if defined(MBEDTLS_RSA_NO_CRT)
975 /*
976 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
977 */
978 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
979 f_rng, p_rng));
980 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
981 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
982 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
983
984 D = &D_blind;
985 #else
986 /*
987 * DP_blind = ( P - 1 ) * R + DP
988 */
989 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
990 f_rng, p_rng));
991 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
992 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
993 &ctx->DP));
994
995 DP = &DP_blind;
996
997 /*
998 * DQ_blind = ( Q - 1 ) * R + DQ
999 */
1000 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
1001 f_rng, p_rng));
1002 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
1003 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
1004 &ctx->DQ));
1005
1006 DQ = &DQ_blind;
1007 #endif /* MBEDTLS_RSA_NO_CRT */
1008 }
1009
1010 /* Make a copy of the input (after blinding if there was any) */
1011 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&input_blinded, &T));
1012
1013 #if defined(MBEDTLS_RSA_NO_CRT)
1014 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
1015 #else
1016 /*
1017 * Faster decryption using the CRT
1018 *
1019 * TP = input ^ dP mod P
1020 * TQ = input ^ dQ mod Q
1021 */
1022
1023 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
1024 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
1025
1026 /*
1027 * T = (TP - TQ) * (Q^-1 mod P) mod P
1028 */
1029 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
1030 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
1031 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
1032
1033 /*
1034 * T = TQ + T * Q
1035 */
1036 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
1037 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
1038 #endif /* MBEDTLS_RSA_NO_CRT */
1039
1040 /* Verify the result to prevent glitching attacks. */
1041 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E,
1042 &ctx->N, &ctx->RN));
1043 if (mbedtls_mpi_cmp_mpi(&check_result_blinded, &input_blinded) != 0) {
1044 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1045 goto cleanup;
1046 }
1047
1048 if (f_rng != NULL) {
1049 /*
1050 * Unblind
1051 * T = T * Vf mod N
1052 */
1053 MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
1054 }
1055
1056 olen = ctx->len;
1057 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
1058
1059 cleanup:
1060 #if defined(MBEDTLS_THREADING_C)
1061 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
1062 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1063 }
1064 #endif
1065
1066 mbedtls_mpi_free(&P1);
1067 mbedtls_mpi_free(&Q1);
1068 mbedtls_mpi_free(&R);
1069
1070 if (f_rng != NULL) {
1071 #if defined(MBEDTLS_RSA_NO_CRT)
1072 mbedtls_mpi_free(&D_blind);
1073 #else
1074 mbedtls_mpi_free(&DP_blind);
1075 mbedtls_mpi_free(&DQ_blind);
1076 #endif
1077 }
1078
1079 mbedtls_mpi_free(&T);
1080
1081 #if !defined(MBEDTLS_RSA_NO_CRT)
1082 mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
1083 #endif
1084
1085 mbedtls_mpi_free(&check_result_blinded);
1086 mbedtls_mpi_free(&input_blinded);
1087
1088 if (ret != 0 && ret >= -0x007f) {
1089 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
1090 }
1091
1092 return ret;
1093 }
1094
1095 #if defined(MBEDTLS_PKCS1_V21)
1096 /**
1097 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1098 *
1099 * \param dst buffer to mask
1100 * \param dlen length of destination buffer
1101 * \param src source of the mask generation
1102 * \param slen length of the source buffer
1103 * \param md_ctx message digest context to use
1104 */
mgf_mask(unsigned char * dst,size_t dlen,unsigned char * src,size_t slen,mbedtls_md_context_t * md_ctx)1105 static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
1106 size_t slen, mbedtls_md_context_t *md_ctx)
1107 {
1108 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
1109 unsigned char counter[4];
1110 unsigned char *p;
1111 unsigned int hlen;
1112 size_t i, use_len;
1113 int ret = 0;
1114
1115 memset(mask, 0, MBEDTLS_MD_MAX_SIZE);
1116 memset(counter, 0, 4);
1117
1118 hlen = mbedtls_md_get_size(md_ctx->md_info);
1119
1120 /* Generate and apply dbMask */
1121 p = dst;
1122
1123 while (dlen > 0) {
1124 use_len = hlen;
1125 if (dlen < hlen) {
1126 use_len = dlen;
1127 }
1128
1129 if ((ret = mbedtls_md_starts(md_ctx)) != 0) {
1130 goto exit;
1131 }
1132 if ((ret = mbedtls_md_update(md_ctx, src, slen)) != 0) {
1133 goto exit;
1134 }
1135 if ((ret = mbedtls_md_update(md_ctx, counter, 4)) != 0) {
1136 goto exit;
1137 }
1138 if ((ret = mbedtls_md_finish(md_ctx, mask)) != 0) {
1139 goto exit;
1140 }
1141
1142 for (i = 0; i < use_len; ++i) {
1143 *p++ ^= mask[i];
1144 }
1145
1146 counter[3]++;
1147
1148 dlen -= use_len;
1149 }
1150
1151 exit:
1152 mbedtls_platform_zeroize(mask, sizeof(mask));
1153
1154 return ret;
1155 }
1156 #endif /* MBEDTLS_PKCS1_V21 */
1157
1158 #if defined(MBEDTLS_PKCS1_V21)
1159 /*
1160 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1161 */
mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,const unsigned char * label,size_t label_len,size_t ilen,const unsigned char * input,unsigned char * output)1162 int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
1163 int (*f_rng)(void *, unsigned char *, size_t),
1164 void *p_rng,
1165 int mode,
1166 const unsigned char *label, size_t label_len,
1167 size_t ilen,
1168 const unsigned char *input,
1169 unsigned char *output)
1170 {
1171 size_t olen;
1172 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1173 unsigned char *p = output;
1174 unsigned int hlen;
1175 const mbedtls_md_info_t *md_info;
1176 mbedtls_md_context_t md_ctx;
1177
1178 RSA_VALIDATE_RET(ctx != NULL);
1179 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1180 mode == MBEDTLS_RSA_PUBLIC);
1181 RSA_VALIDATE_RET(output != NULL);
1182 RSA_VALIDATE_RET(ilen == 0 || input != NULL);
1183 RSA_VALIDATE_RET(label_len == 0 || label != NULL);
1184
1185 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1186 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1187 }
1188
1189 if (f_rng == NULL) {
1190 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1191 }
1192
1193 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ctx->hash_id);
1194 if (md_info == NULL) {
1195 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1196 }
1197
1198 olen = ctx->len;
1199 hlen = mbedtls_md_get_size(md_info);
1200
1201 /* first comparison checks for overflow */
1202 if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
1203 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1204 }
1205
1206 memset(output, 0, olen);
1207
1208 *p++ = 0;
1209
1210 /* Generate a random octet string seed */
1211 if ((ret = f_rng(p_rng, p, hlen)) != 0) {
1212 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1213 }
1214
1215 p += hlen;
1216
1217 /* Construct DB */
1218 if ((ret = mbedtls_md(md_info, label, label_len, p)) != 0) {
1219 return ret;
1220 }
1221 p += hlen;
1222 p += olen - 2 * hlen - 2 - ilen;
1223 *p++ = 1;
1224 if (ilen != 0) {
1225 memcpy(p, input, ilen);
1226 }
1227
1228 mbedtls_md_init(&md_ctx);
1229 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
1230 goto exit;
1231 }
1232
1233 /* maskedDB: Apply dbMask to DB */
1234 if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1235 &md_ctx)) != 0) {
1236 goto exit;
1237 }
1238
1239 /* maskedSeed: Apply seedMask to seed */
1240 if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1241 &md_ctx)) != 0) {
1242 goto exit;
1243 }
1244
1245 exit:
1246 mbedtls_md_free(&md_ctx);
1247
1248 if (ret != 0) {
1249 return ret;
1250 }
1251
1252 return (mode == MBEDTLS_RSA_PUBLIC)
1253 ? mbedtls_rsa_public(ctx, output, output)
1254 : mbedtls_rsa_private(ctx, f_rng, p_rng, output, output);
1255 }
1256 #endif /* MBEDTLS_PKCS1_V21 */
1257
1258 #if defined(MBEDTLS_PKCS1_V15)
1259 /*
1260 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1261 */
mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t ilen,const unsigned char * input,unsigned char * output)1262 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
1263 int (*f_rng)(void *, unsigned char *, size_t),
1264 void *p_rng,
1265 int mode, size_t ilen,
1266 const unsigned char *input,
1267 unsigned char *output)
1268 {
1269 size_t nb_pad, olen;
1270 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1271 unsigned char *p = output;
1272
1273 RSA_VALIDATE_RET(ctx != NULL);
1274 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1275 mode == MBEDTLS_RSA_PUBLIC);
1276 RSA_VALIDATE_RET(output != NULL);
1277 RSA_VALIDATE_RET(ilen == 0 || input != NULL);
1278
1279 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1280 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1281 }
1282
1283 olen = ctx->len;
1284
1285 /* first comparison checks for overflow */
1286 if (ilen + 11 < ilen || olen < ilen + 11) {
1287 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1288 }
1289
1290 nb_pad = olen - 3 - ilen;
1291
1292 *p++ = 0;
1293 if (mode == MBEDTLS_RSA_PUBLIC) {
1294 if (f_rng == NULL) {
1295 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1296 }
1297
1298 *p++ = MBEDTLS_RSA_CRYPT;
1299
1300 while (nb_pad-- > 0) {
1301 int rng_dl = 100;
1302
1303 do {
1304 ret = f_rng(p_rng, p, 1);
1305 } while (*p == 0 && --rng_dl && ret == 0);
1306
1307 /* Check if RNG failed to generate data */
1308 if (rng_dl == 0 || ret != 0) {
1309 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1310 }
1311
1312 p++;
1313 }
1314 } else {
1315 *p++ = MBEDTLS_RSA_SIGN;
1316
1317 while (nb_pad-- > 0) {
1318 *p++ = 0xFF;
1319 }
1320 }
1321
1322 *p++ = 0;
1323 if (ilen != 0) {
1324 memcpy(p, input, ilen);
1325 }
1326
1327 return (mode == MBEDTLS_RSA_PUBLIC)
1328 ? mbedtls_rsa_public(ctx, output, output)
1329 : mbedtls_rsa_private(ctx, f_rng, p_rng, output, output);
1330 }
1331 #endif /* MBEDTLS_PKCS1_V15 */
1332
1333 /*
1334 * Add the message padding, then do an RSA operation
1335 */
mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t ilen,const unsigned char * input,unsigned char * output)1336 int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
1337 int (*f_rng)(void *, unsigned char *, size_t),
1338 void *p_rng,
1339 int mode, size_t ilen,
1340 const unsigned char *input,
1341 unsigned char *output)
1342 {
1343 RSA_VALIDATE_RET(ctx != NULL);
1344 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1345 mode == MBEDTLS_RSA_PUBLIC);
1346 RSA_VALIDATE_RET(output != NULL);
1347 RSA_VALIDATE_RET(ilen == 0 || input != NULL);
1348
1349 switch (ctx->padding) {
1350 #if defined(MBEDTLS_PKCS1_V15)
1351 case MBEDTLS_RSA_PKCS_V15:
1352 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng, mode, ilen,
1353 input, output);
1354 #endif
1355
1356 #if defined(MBEDTLS_PKCS1_V21)
1357 case MBEDTLS_RSA_PKCS_V21:
1358 return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, mode, NULL, 0,
1359 ilen, input, output);
1360 #endif
1361
1362 default:
1363 return MBEDTLS_ERR_RSA_INVALID_PADDING;
1364 }
1365 }
1366
1367 #if defined(MBEDTLS_PKCS1_V21)
1368 /*
1369 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1370 */
mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,const unsigned char * label,size_t label_len,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1371 int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
1372 int (*f_rng)(void *, unsigned char *, size_t),
1373 void *p_rng,
1374 int mode,
1375 const unsigned char *label, size_t label_len,
1376 size_t *olen,
1377 const unsigned char *input,
1378 unsigned char *output,
1379 size_t output_max_len)
1380 {
1381 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1382 size_t ilen, i, pad_len;
1383 unsigned char *p, pad_done;
1384 int bad;
1385 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1386 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
1387 unsigned int hlen;
1388 const mbedtls_md_info_t *md_info;
1389 mbedtls_md_context_t md_ctx;
1390
1391 RSA_VALIDATE_RET(ctx != NULL);
1392 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1393 mode == MBEDTLS_RSA_PUBLIC);
1394 RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);
1395 RSA_VALIDATE_RET(label_len == 0 || label != NULL);
1396 RSA_VALIDATE_RET(input != NULL);
1397 RSA_VALIDATE_RET(olen != NULL);
1398
1399 /*
1400 * Parameters sanity checks
1401 */
1402 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1403 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1404 }
1405
1406 ilen = ctx->len;
1407
1408 if (ilen < 16 || ilen > sizeof(buf)) {
1409 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1410 }
1411
1412 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ctx->hash_id);
1413 if (md_info == NULL) {
1414 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1415 }
1416
1417 hlen = mbedtls_md_get_size(md_info);
1418
1419 // checking for integer underflow
1420 if (2 * hlen + 2 > ilen) {
1421 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1422 }
1423
1424 /*
1425 * RSA operation
1426 */
1427 ret = (mode == MBEDTLS_RSA_PUBLIC)
1428 ? mbedtls_rsa_public(ctx, input, buf)
1429 : mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
1430
1431 if (ret != 0) {
1432 goto cleanup;
1433 }
1434
1435 /*
1436 * Unmask data and generate lHash
1437 */
1438 mbedtls_md_init(&md_ctx);
1439 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
1440 mbedtls_md_free(&md_ctx);
1441 goto cleanup;
1442 }
1443
1444 /* seed: Apply seedMask to maskedSeed */
1445 if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1446 &md_ctx)) != 0 ||
1447 /* DB: Apply dbMask to maskedDB */
1448 (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1449 &md_ctx)) != 0) {
1450 mbedtls_md_free(&md_ctx);
1451 goto cleanup;
1452 }
1453
1454 mbedtls_md_free(&md_ctx);
1455
1456 /* Generate lHash */
1457 if ((ret = mbedtls_md(md_info, label, label_len, lhash)) != 0) {
1458 goto cleanup;
1459 }
1460
1461 /*
1462 * Check contents, in "constant-time"
1463 */
1464 p = buf;
1465 bad = 0;
1466
1467 bad |= *p++; /* First byte must be 0 */
1468
1469 p += hlen; /* Skip seed */
1470
1471 /* Check lHash */
1472 bad |= mbedtls_ct_memcmp(lhash, p, hlen);
1473 p += hlen;
1474
1475 /* Get zero-padding len, but always read till end of buffer
1476 * (minus one, for the 01 byte) */
1477 pad_len = 0;
1478 pad_done = 0;
1479 for (i = 0; i < ilen - 2 * hlen - 2; i++) {
1480 pad_done |= p[i];
1481 pad_len += ((pad_done | (unsigned char) -pad_done) >> 7) ^ 1;
1482 }
1483
1484 p += pad_len;
1485 bad |= *p++ ^ 0x01;
1486
1487 /*
1488 * The only information "leaked" is whether the padding was correct or not
1489 * (eg, no data is copied if it was not correct). This meets the
1490 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1491 * the different error conditions.
1492 */
1493 if (bad != 0) {
1494 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1495 goto cleanup;
1496 }
1497
1498 if (ilen - (p - buf) > output_max_len) {
1499 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1500 goto cleanup;
1501 }
1502
1503 *olen = ilen - (p - buf);
1504 if (*olen != 0) {
1505 memcpy(output, p, *olen);
1506 }
1507 ret = 0;
1508
1509 cleanup:
1510 mbedtls_platform_zeroize(buf, sizeof(buf));
1511 mbedtls_platform_zeroize(lhash, sizeof(lhash));
1512
1513 return ret;
1514 }
1515 #endif /* MBEDTLS_PKCS1_V21 */
1516
1517 #if defined(MBEDTLS_PKCS1_V15)
1518 /*
1519 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1520 */
mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1521 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
1522 int (*f_rng)(void *, unsigned char *, size_t),
1523 void *p_rng,
1524 int mode,
1525 size_t *olen,
1526 const unsigned char *input,
1527 unsigned char *output,
1528 size_t output_max_len)
1529 {
1530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1531 size_t ilen;
1532 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1533
1534 RSA_VALIDATE_RET(ctx != NULL);
1535 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1536 mode == MBEDTLS_RSA_PUBLIC);
1537 RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);
1538 RSA_VALIDATE_RET(input != NULL);
1539 RSA_VALIDATE_RET(olen != NULL);
1540
1541 ilen = ctx->len;
1542
1543 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1544 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1545 }
1546
1547 if (ilen < 16 || ilen > sizeof(buf)) {
1548 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1549 }
1550
1551 ret = (mode == MBEDTLS_RSA_PUBLIC)
1552 ? mbedtls_rsa_public(ctx, input, buf)
1553 : mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
1554
1555 if (ret != 0) {
1556 goto cleanup;
1557 }
1558
1559 ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(mode, buf, ilen,
1560 output, output_max_len, olen);
1561
1562 cleanup:
1563 mbedtls_platform_zeroize(buf, sizeof(buf));
1564
1565 return ret;
1566 }
1567 #endif /* MBEDTLS_PKCS1_V15 */
1568
1569 /*
1570 * Do an RSA operation, then remove the message padding
1571 */
mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1572 int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
1573 int (*f_rng)(void *, unsigned char *, size_t),
1574 void *p_rng,
1575 int mode, size_t *olen,
1576 const unsigned char *input,
1577 unsigned char *output,
1578 size_t output_max_len)
1579 {
1580 RSA_VALIDATE_RET(ctx != NULL);
1581 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1582 mode == MBEDTLS_RSA_PUBLIC);
1583 RSA_VALIDATE_RET(output_max_len == 0 || output != NULL);
1584 RSA_VALIDATE_RET(input != NULL);
1585 RSA_VALIDATE_RET(olen != NULL);
1586
1587 switch (ctx->padding) {
1588 #if defined(MBEDTLS_PKCS1_V15)
1589 case MBEDTLS_RSA_PKCS_V15:
1590 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, mode, olen,
1591 input, output, output_max_len);
1592 #endif
1593
1594 #if defined(MBEDTLS_PKCS1_V21)
1595 case MBEDTLS_RSA_PKCS_V21:
1596 return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, mode, NULL, 0,
1597 olen, input, output,
1598 output_max_len);
1599 #endif
1600
1601 default:
1602 return MBEDTLS_ERR_RSA_INVALID_PADDING;
1603 }
1604 }
1605
1606 #if defined(MBEDTLS_PKCS1_V21)
rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)1607 static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1608 int (*f_rng)(void *, unsigned char *, size_t),
1609 void *p_rng,
1610 int mode,
1611 mbedtls_md_type_t md_alg,
1612 unsigned int hashlen,
1613 const unsigned char *hash,
1614 int saltlen,
1615 unsigned char *sig)
1616 {
1617 size_t olen;
1618 unsigned char *p = sig;
1619 unsigned char *salt = NULL;
1620 size_t slen, min_slen, hlen, offset = 0;
1621 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1622 size_t msb;
1623 const mbedtls_md_info_t *md_info;
1624 mbedtls_md_context_t md_ctx;
1625 RSA_VALIDATE_RET(ctx != NULL);
1626 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1627 mode == MBEDTLS_RSA_PUBLIC);
1628 RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE &&
1629 hashlen == 0) ||
1630 hash != NULL);
1631 RSA_VALIDATE_RET(sig != NULL);
1632
1633 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1634 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1635 }
1636
1637 if (f_rng == NULL) {
1638 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1639 }
1640
1641 olen = ctx->len;
1642
1643 if (md_alg != MBEDTLS_MD_NONE) {
1644 /* Gather length of hash to sign */
1645 md_info = mbedtls_md_info_from_type(md_alg);
1646 if (md_info == NULL) {
1647 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1648 }
1649
1650 hashlen = mbedtls_md_get_size(md_info);
1651 }
1652
1653 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ctx->hash_id);
1654 if (md_info == NULL) {
1655 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1656 }
1657
1658 hlen = mbedtls_md_get_size(md_info);
1659
1660 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
1661 /* Calculate the largest possible salt length, up to the hash size.
1662 * Normally this is the hash length, which is the maximum salt length
1663 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
1664 * enough room, use the maximum salt length that fits. The constraint is
1665 * that the hash length plus the salt length plus 2 bytes must be at most
1666 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
1667 * (PKCS#1 v2.2) §9.1.1 step 3. */
1668 min_slen = hlen - 2;
1669 if (olen < hlen + min_slen + 2) {
1670 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1671 } else if (olen >= hlen + hlen + 2) {
1672 slen = hlen;
1673 } else {
1674 slen = olen - hlen - 2;
1675 }
1676 } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
1677 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1678 } else {
1679 slen = (size_t) saltlen;
1680 }
1681
1682 memset(sig, 0, olen);
1683
1684 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1685 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
1686 p += olen - hlen - slen - 2;
1687 *p++ = 0x01;
1688
1689 /* Generate salt of length slen in place in the encoded message */
1690 salt = p;
1691 if ((ret = f_rng(p_rng, salt, slen)) != 0) {
1692 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1693 }
1694
1695 p += slen;
1696
1697 mbedtls_md_init(&md_ctx);
1698 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
1699 goto exit;
1700 }
1701
1702 /* Generate H = Hash( M' ) */
1703 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
1704 goto exit;
1705 }
1706 if ((ret = mbedtls_md_update(&md_ctx, p, 8)) != 0) {
1707 goto exit;
1708 }
1709 if ((ret = mbedtls_md_update(&md_ctx, hash, hashlen)) != 0) {
1710 goto exit;
1711 }
1712 if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
1713 goto exit;
1714 }
1715 if ((ret = mbedtls_md_finish(&md_ctx, p)) != 0) {
1716 goto exit;
1717 }
1718
1719 /* Compensate for boundary condition when applying mask */
1720 if (msb % 8 == 0) {
1721 offset = 1;
1722 }
1723
1724 /* maskedDB: Apply dbMask to DB */
1725 if ((ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,
1726 &md_ctx)) != 0) {
1727 goto exit;
1728 }
1729
1730 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
1731 sig[0] &= 0xFF >> (olen * 8 - msb);
1732
1733 p += hlen;
1734 *p++ = 0xBC;
1735
1736 exit:
1737 mbedtls_md_free(&md_ctx);
1738
1739 if (ret != 0) {
1740 return ret;
1741 }
1742
1743 return (mode == MBEDTLS_RSA_PUBLIC)
1744 ? mbedtls_rsa_public(ctx, sig, sig)
1745 : mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
1746 }
1747
1748 /*
1749 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
1750 * the option to pass in the salt length.
1751 */
mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)1752 int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
1753 int (*f_rng)(void *, unsigned char *, size_t),
1754 void *p_rng,
1755 mbedtls_md_type_t md_alg,
1756 unsigned int hashlen,
1757 const unsigned char *hash,
1758 int saltlen,
1759 unsigned char *sig)
1760 {
1761 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg,
1762 hashlen, hash, saltlen, sig);
1763 }
1764
1765
1766 /*
1767 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1768 */
mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1769 int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1770 int (*f_rng)(void *, unsigned char *, size_t),
1771 void *p_rng,
1772 int mode,
1773 mbedtls_md_type_t md_alg,
1774 unsigned int hashlen,
1775 const unsigned char *hash,
1776 unsigned char *sig)
1777 {
1778 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, mode, md_alg,
1779 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
1780 }
1781 #endif /* MBEDTLS_PKCS1_V21 */
1782
1783 #if defined(MBEDTLS_PKCS1_V15)
1784 /*
1785 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1786 */
1787
1788 /* Construct a PKCS v1.5 encoding of a hashed message
1789 *
1790 * This is used both for signature generation and verification.
1791 *
1792 * Parameters:
1793 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1794 * MBEDTLS_MD_NONE if raw data is signed.
1795 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
1796 * - hash: Buffer containing the hashed message or the raw data.
1797 * - dst_len: Length of the encoded message.
1798 * - dst: Buffer to hold the encoded message.
1799 *
1800 * Assumptions:
1801 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
1802 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
1803 * - dst points to a buffer of size at least dst_len.
1804 *
1805 */
rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,size_t dst_len,unsigned char * dst)1806 static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
1807 unsigned int hashlen,
1808 const unsigned char *hash,
1809 size_t dst_len,
1810 unsigned char *dst)
1811 {
1812 size_t oid_size = 0;
1813 size_t nb_pad = dst_len;
1814 unsigned char *p = dst;
1815 const char *oid = NULL;
1816
1817 /* Are we signing hashed or raw data? */
1818 if (md_alg != MBEDTLS_MD_NONE) {
1819 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
1820 if (md_info == NULL) {
1821 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1822 }
1823
1824 if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
1825 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1826 }
1827
1828 hashlen = mbedtls_md_get_size(md_info);
1829
1830 /* Double-check that 8 + hashlen + oid_size can be used as a
1831 * 1-byte ASN.1 length encoding and that there's no overflow. */
1832 if (8 + hashlen + oid_size >= 0x80 ||
1833 10 + hashlen < hashlen ||
1834 10 + hashlen + oid_size < 10 + hashlen) {
1835 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1836 }
1837
1838 /*
1839 * Static bounds check:
1840 * - Need 10 bytes for five tag-length pairs.
1841 * (Insist on 1-byte length encodings to protect against variants of
1842 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1843 * - Need hashlen bytes for hash
1844 * - Need oid_size bytes for hash alg OID.
1845 */
1846 if (nb_pad < 10 + hashlen + oid_size) {
1847 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1848 }
1849 nb_pad -= 10 + hashlen + oid_size;
1850 } else {
1851 if (nb_pad < hashlen) {
1852 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1853 }
1854
1855 nb_pad -= hashlen;
1856 }
1857
1858 /* Need space for signature header and padding delimiter (3 bytes),
1859 * and 8 bytes for the minimal padding */
1860 if (nb_pad < 3 + 8) {
1861 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1862 }
1863 nb_pad -= 3;
1864
1865 /* Now nb_pad is the amount of memory to be filled
1866 * with padding, and at least 8 bytes long. */
1867
1868 /* Write signature header and padding */
1869 *p++ = 0;
1870 *p++ = MBEDTLS_RSA_SIGN;
1871 memset(p, 0xFF, nb_pad);
1872 p += nb_pad;
1873 *p++ = 0;
1874
1875 /* Are we signing raw data? */
1876 if (md_alg == MBEDTLS_MD_NONE) {
1877 memcpy(p, hash, hashlen);
1878 return 0;
1879 }
1880
1881 /* Signing hashed data, add corresponding ASN.1 structure
1882 *
1883 * DigestInfo ::= SEQUENCE {
1884 * digestAlgorithm DigestAlgorithmIdentifier,
1885 * digest Digest }
1886 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1887 * Digest ::= OCTET STRING
1888 *
1889 * Schematic:
1890 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1891 * TAG-NULL + LEN [ NULL ] ]
1892 * TAG-OCTET + LEN [ HASH ] ]
1893 */
1894 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1895 *p++ = (unsigned char) (0x08 + oid_size + hashlen);
1896 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1897 *p++ = (unsigned char) (0x04 + oid_size);
1898 *p++ = MBEDTLS_ASN1_OID;
1899 *p++ = (unsigned char) oid_size;
1900 memcpy(p, oid, oid_size);
1901 p += oid_size;
1902 *p++ = MBEDTLS_ASN1_NULL;
1903 *p++ = 0x00;
1904 *p++ = MBEDTLS_ASN1_OCTET_STRING;
1905 *p++ = (unsigned char) hashlen;
1906 memcpy(p, hash, hashlen);
1907 p += hashlen;
1908
1909 /* Just a sanity-check, should be automatic
1910 * after the initial bounds check. */
1911 if (p != dst + dst_len) {
1912 mbedtls_platform_zeroize(dst, dst_len);
1913 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1914 }
1915
1916 return 0;
1917 }
1918
1919 /*
1920 * Do an RSA operation to sign the message digest
1921 */
mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1922 int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
1923 int (*f_rng)(void *, unsigned char *, size_t),
1924 void *p_rng,
1925 int mode,
1926 mbedtls_md_type_t md_alg,
1927 unsigned int hashlen,
1928 const unsigned char *hash,
1929 unsigned char *sig)
1930 {
1931 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1932 unsigned char *sig_try = NULL, *verif = NULL;
1933
1934 RSA_VALIDATE_RET(ctx != NULL);
1935 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
1936 mode == MBEDTLS_RSA_PUBLIC);
1937 RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE &&
1938 hashlen == 0) ||
1939 hash != NULL);
1940 RSA_VALIDATE_RET(sig != NULL);
1941
1942 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1943 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1944 }
1945
1946 /*
1947 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1948 */
1949
1950 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
1951 ctx->len, sig)) != 0) {
1952 return ret;
1953 }
1954
1955 /*
1956 * Call respective RSA primitive
1957 */
1958
1959 if (mode == MBEDTLS_RSA_PUBLIC) {
1960 /* Skip verification on a public key operation */
1961 return mbedtls_rsa_public(ctx, sig, sig);
1962 }
1963
1964 /* Private key operation
1965 *
1966 * In order to prevent Lenstra's attack, make the signature in a
1967 * temporary buffer and check it before returning it.
1968 */
1969
1970 sig_try = mbedtls_calloc(1, ctx->len);
1971 if (sig_try == NULL) {
1972 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
1973 }
1974
1975 verif = mbedtls_calloc(1, ctx->len);
1976 if (verif == NULL) {
1977 mbedtls_free(sig_try);
1978 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
1979 }
1980
1981 MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
1982 MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
1983
1984 if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
1985 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1986 goto cleanup;
1987 }
1988
1989 memcpy(sig, sig_try, ctx->len);
1990
1991 cleanup:
1992 mbedtls_platform_zeroize(sig_try, ctx->len);
1993 mbedtls_platform_zeroize(verif, ctx->len);
1994 mbedtls_free(sig_try);
1995 mbedtls_free(verif);
1996
1997 if (ret != 0) {
1998 memset(sig, '!', ctx->len);
1999 }
2000 return ret;
2001 }
2002 #endif /* MBEDTLS_PKCS1_V15 */
2003
2004 /*
2005 * Do an RSA operation to sign the message digest
2006 */
mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)2007 int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
2008 int (*f_rng)(void *, unsigned char *, size_t),
2009 void *p_rng,
2010 int mode,
2011 mbedtls_md_type_t md_alg,
2012 unsigned int hashlen,
2013 const unsigned char *hash,
2014 unsigned char *sig)
2015 {
2016 RSA_VALIDATE_RET(ctx != NULL);
2017 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
2018 mode == MBEDTLS_RSA_PUBLIC);
2019 RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE &&
2020 hashlen == 0) ||
2021 hash != NULL);
2022 RSA_VALIDATE_RET(sig != NULL);
2023
2024 switch (ctx->padding) {
2025 #if defined(MBEDTLS_PKCS1_V15)
2026 case MBEDTLS_RSA_PKCS_V15:
2027 return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng, mode, md_alg,
2028 hashlen, hash, sig);
2029 #endif
2030
2031 #if defined(MBEDTLS_PKCS1_V21)
2032 case MBEDTLS_RSA_PKCS_V21:
2033 return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, mode, md_alg,
2034 hashlen, hash, sig);
2035 #endif
2036
2037 default:
2038 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2039 }
2040 }
2041
2042 #if defined(MBEDTLS_PKCS1_V21)
2043 /*
2044 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2045 */
mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,mbedtls_md_type_t mgf1_hash_id,int expected_salt_len,const unsigned char * sig)2046 int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
2047 int (*f_rng)(void *, unsigned char *, size_t),
2048 void *p_rng,
2049 int mode,
2050 mbedtls_md_type_t md_alg,
2051 unsigned int hashlen,
2052 const unsigned char *hash,
2053 mbedtls_md_type_t mgf1_hash_id,
2054 int expected_salt_len,
2055 const unsigned char *sig)
2056 {
2057 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2058 size_t siglen;
2059 unsigned char *p;
2060 unsigned char *hash_start;
2061 unsigned char result[MBEDTLS_MD_MAX_SIZE];
2062 unsigned char zeros[8];
2063 unsigned int hlen;
2064 size_t observed_salt_len, msb;
2065 const mbedtls_md_info_t *md_info;
2066 mbedtls_md_context_t md_ctx;
2067 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
2068
2069 RSA_VALIDATE_RET(ctx != NULL);
2070 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
2071 mode == MBEDTLS_RSA_PUBLIC);
2072 RSA_VALIDATE_RET(sig != NULL);
2073 RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE &&
2074 hashlen == 0) ||
2075 hash != NULL);
2076
2077 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21) {
2078 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2079 }
2080
2081 siglen = ctx->len;
2082
2083 if (siglen < 16 || siglen > sizeof(buf)) {
2084 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2085 }
2086
2087 ret = (mode == MBEDTLS_RSA_PUBLIC)
2088 ? mbedtls_rsa_public(ctx, sig, buf)
2089 : mbedtls_rsa_private(ctx, f_rng, p_rng, sig, buf);
2090
2091 if (ret != 0) {
2092 return ret;
2093 }
2094
2095 p = buf;
2096
2097 if (buf[siglen - 1] != 0xBC) {
2098 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2099 }
2100
2101 if (md_alg != MBEDTLS_MD_NONE) {
2102 /* Gather length of hash to sign */
2103 md_info = mbedtls_md_info_from_type(md_alg);
2104 if (md_info == NULL) {
2105 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2106 }
2107
2108 hashlen = mbedtls_md_get_size(md_info);
2109 }
2110
2111 md_info = mbedtls_md_info_from_type(mgf1_hash_id);
2112 if (md_info == NULL) {
2113 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2114 }
2115
2116 hlen = mbedtls_md_get_size(md_info);
2117
2118 memset(zeros, 0, 8);
2119
2120 /*
2121 * Note: EMSA-PSS verification is over the length of N - 1 bits
2122 */
2123 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
2124
2125 if (buf[0] >> (8 - siglen * 8 + msb)) {
2126 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2127 }
2128
2129 /* Compensate for boundary condition when applying mask */
2130 if (msb % 8 == 0) {
2131 p++;
2132 siglen -= 1;
2133 }
2134
2135 if (siglen < hlen + 2) {
2136 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2137 }
2138 hash_start = p + siglen - hlen - 1;
2139
2140 mbedtls_md_init(&md_ctx);
2141 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
2142 goto exit;
2143 }
2144
2145 ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, &md_ctx);
2146 if (ret != 0) {
2147 goto exit;
2148 }
2149
2150 buf[0] &= 0xFF >> (siglen * 8 - msb);
2151
2152 while (p < hash_start - 1 && *p == 0) {
2153 p++;
2154 }
2155
2156 if (*p++ != 0x01) {
2157 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2158 goto exit;
2159 }
2160
2161 observed_salt_len = hash_start - p;
2162
2163 if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
2164 observed_salt_len != (size_t) expected_salt_len) {
2165 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2166 goto exit;
2167 }
2168
2169 /*
2170 * Generate H = Hash( M' )
2171 */
2172 ret = mbedtls_md_starts(&md_ctx);
2173 if (ret != 0) {
2174 goto exit;
2175 }
2176 ret = mbedtls_md_update(&md_ctx, zeros, 8);
2177 if (ret != 0) {
2178 goto exit;
2179 }
2180 ret = mbedtls_md_update(&md_ctx, hash, hashlen);
2181 if (ret != 0) {
2182 goto exit;
2183 }
2184 ret = mbedtls_md_update(&md_ctx, p, observed_salt_len);
2185 if (ret != 0) {
2186 goto exit;
2187 }
2188 ret = mbedtls_md_finish(&md_ctx, result);
2189 if (ret != 0) {
2190 goto exit;
2191 }
2192
2193 if (memcmp(hash_start, result, hlen) != 0) {
2194 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2195 goto exit;
2196 }
2197
2198 exit:
2199 mbedtls_md_free(&md_ctx);
2200
2201 return ret;
2202 }
2203
2204 /*
2205 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2206 */
mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2207 int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
2208 int (*f_rng)(void *, unsigned char *, size_t),
2209 void *p_rng,
2210 int mode,
2211 mbedtls_md_type_t md_alg,
2212 unsigned int hashlen,
2213 const unsigned char *hash,
2214 const unsigned char *sig)
2215 {
2216 mbedtls_md_type_t mgf1_hash_id;
2217 RSA_VALIDATE_RET(ctx != NULL);
2218 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
2219 mode == MBEDTLS_RSA_PUBLIC);
2220 RSA_VALIDATE_RET(sig != NULL);
2221 RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE &&
2222 hashlen == 0) ||
2223 hash != NULL);
2224
2225 mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
2226 ? (mbedtls_md_type_t) ctx->hash_id
2227 : md_alg;
2228
2229 return mbedtls_rsa_rsassa_pss_verify_ext(ctx, f_rng, p_rng, mode,
2230 md_alg, hashlen, hash,
2231 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
2232 sig);
2233
2234 }
2235 #endif /* MBEDTLS_PKCS1_V21 */
2236
2237 #if defined(MBEDTLS_PKCS1_V15)
2238 /*
2239 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2240 */
mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2241 int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
2242 int (*f_rng)(void *, unsigned char *, size_t),
2243 void *p_rng,
2244 int mode,
2245 mbedtls_md_type_t md_alg,
2246 unsigned int hashlen,
2247 const unsigned char *hash,
2248 const unsigned char *sig)
2249 {
2250 int ret = 0;
2251 size_t sig_len;
2252 unsigned char *encoded = NULL, *encoded_expected = NULL;
2253
2254 RSA_VALIDATE_RET(ctx != NULL);
2255 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
2256 mode == MBEDTLS_RSA_PUBLIC);
2257 RSA_VALIDATE_RET(sig != NULL);
2258 RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE &&
2259 hashlen == 0) ||
2260 hash != NULL);
2261
2262 sig_len = ctx->len;
2263
2264 if (mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15) {
2265 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2266 }
2267
2268 /*
2269 * Prepare expected PKCS1 v1.5 encoding of hash.
2270 */
2271
2272 if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
2273 (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
2274 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2275 goto cleanup;
2276 }
2277
2278 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
2279 encoded_expected)) != 0) {
2280 goto cleanup;
2281 }
2282
2283 /*
2284 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2285 */
2286
2287 ret = (mode == MBEDTLS_RSA_PUBLIC)
2288 ? mbedtls_rsa_public(ctx, sig, encoded)
2289 : mbedtls_rsa_private(ctx, f_rng, p_rng, sig, encoded);
2290 if (ret != 0) {
2291 goto cleanup;
2292 }
2293
2294 /*
2295 * Compare
2296 */
2297
2298 if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
2299 sig_len)) != 0) {
2300 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2301 goto cleanup;
2302 }
2303
2304 cleanup:
2305
2306 if (encoded != NULL) {
2307 mbedtls_platform_zeroize(encoded, sig_len);
2308 mbedtls_free(encoded);
2309 }
2310
2311 if (encoded_expected != NULL) {
2312 mbedtls_platform_zeroize(encoded_expected, sig_len);
2313 mbedtls_free(encoded_expected);
2314 }
2315
2316 return ret;
2317 }
2318 #endif /* MBEDTLS_PKCS1_V15 */
2319
2320 /*
2321 * Do an RSA operation and check the message digest
2322 */
mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,int mode,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2323 int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
2324 int (*f_rng)(void *, unsigned char *, size_t),
2325 void *p_rng,
2326 int mode,
2327 mbedtls_md_type_t md_alg,
2328 unsigned int hashlen,
2329 const unsigned char *hash,
2330 const unsigned char *sig)
2331 {
2332 RSA_VALIDATE_RET(ctx != NULL);
2333 RSA_VALIDATE_RET(mode == MBEDTLS_RSA_PRIVATE ||
2334 mode == MBEDTLS_RSA_PUBLIC);
2335 RSA_VALIDATE_RET(sig != NULL);
2336 RSA_VALIDATE_RET((md_alg == MBEDTLS_MD_NONE &&
2337 hashlen == 0) ||
2338 hash != NULL);
2339
2340 switch (ctx->padding) {
2341 #if defined(MBEDTLS_PKCS1_V15)
2342 case MBEDTLS_RSA_PKCS_V15:
2343 return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, f_rng, p_rng, mode, md_alg,
2344 hashlen, hash, sig);
2345 #endif
2346
2347 #if defined(MBEDTLS_PKCS1_V21)
2348 case MBEDTLS_RSA_PKCS_V21:
2349 return mbedtls_rsa_rsassa_pss_verify(ctx, f_rng, p_rng, mode, md_alg,
2350 hashlen, hash, sig);
2351 #endif
2352
2353 default:
2354 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2355 }
2356 }
2357
2358 /*
2359 * Copy the components of an RSA key
2360 */
mbedtls_rsa_copy(mbedtls_rsa_context * dst,const mbedtls_rsa_context * src)2361 int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
2362 {
2363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2364 RSA_VALIDATE_RET(dst != NULL);
2365 RSA_VALIDATE_RET(src != NULL);
2366
2367 dst->len = src->len;
2368
2369 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
2370 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
2371
2372 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
2373 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
2374 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
2375
2376 #if !defined(MBEDTLS_RSA_NO_CRT)
2377 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
2378 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
2379 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
2380 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
2381 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
2382 #endif
2383
2384 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
2385
2386 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
2387 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
2388
2389 dst->padding = src->padding;
2390 dst->hash_id = src->hash_id;
2391
2392 cleanup:
2393 if (ret != 0) {
2394 mbedtls_rsa_free(dst);
2395 }
2396
2397 return ret;
2398 }
2399
2400 /*
2401 * Free the components of an RSA key
2402 */
mbedtls_rsa_free(mbedtls_rsa_context * ctx)2403 void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
2404 {
2405 if (ctx == NULL) {
2406 return;
2407 }
2408
2409 mbedtls_mpi_free(&ctx->Vi);
2410 mbedtls_mpi_free(&ctx->Vf);
2411 mbedtls_mpi_free(&ctx->RN);
2412 mbedtls_mpi_free(&ctx->D);
2413 mbedtls_mpi_free(&ctx->Q);
2414 mbedtls_mpi_free(&ctx->P);
2415 mbedtls_mpi_free(&ctx->E);
2416 mbedtls_mpi_free(&ctx->N);
2417
2418 #if !defined(MBEDTLS_RSA_NO_CRT)
2419 mbedtls_mpi_free(&ctx->RQ);
2420 mbedtls_mpi_free(&ctx->RP);
2421 mbedtls_mpi_free(&ctx->QP);
2422 mbedtls_mpi_free(&ctx->DQ);
2423 mbedtls_mpi_free(&ctx->DP);
2424 #endif /* MBEDTLS_RSA_NO_CRT */
2425
2426 #if defined(MBEDTLS_THREADING_C)
2427 /* Free the mutex, but only if it hasn't been freed already. */
2428 if (ctx->ver != 0) {
2429 mbedtls_mutex_free(&ctx->mutex);
2430 ctx->ver = 0;
2431 }
2432 #endif
2433 }
2434
2435 #endif /* !MBEDTLS_RSA_ALT */
2436
2437 #if defined(MBEDTLS_SELF_TEST)
2438
2439 #include "mbedtls/sha1.h"
2440
2441 /*
2442 * Example RSA-1024 keypair, for test purposes
2443 */
2444 #define KEY_LEN 128
2445
2446 #define RSA_N "9292758453063D803DD603D5E777D788" \
2447 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2448 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2449 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2450 "93A89813FBF3C4F8066D2D800F7C38A8" \
2451 "1AE31942917403FF4946B0A83D3D3E05" \
2452 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2453 "5E94BB77B07507233A0BC7BAC8F90F79"
2454
2455 #define RSA_E "10001"
2456
2457 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2458 "66CA472BC44D253102F8B4A9D3BFA750" \
2459 "91386C0077937FE33FA3252D28855837" \
2460 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2461 "DF79C5CE07EE72C7F123142198164234" \
2462 "CABB724CF78B8173B9F880FC86322407" \
2463 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2464 "071513A1E85B5DFA031F21ECAE91A34D"
2465
2466 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2467 "2C01CAD19EA484A87EA4377637E75500" \
2468 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2469 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2470
2471 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2472 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2473 "910E4168387E3C30AA1E00C339A79508" \
2474 "8452DD96A9A5EA5D9DCA68DA636032AF"
2475
2476 #define PT_LEN 24
2477 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2478 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2479
2480 #if defined(MBEDTLS_PKCS1_V15)
myrand(void * rng_state,unsigned char * output,size_t len)2481 static int myrand(void *rng_state, unsigned char *output, size_t len)
2482 {
2483 #if !defined(__OpenBSD__) && !defined(__NetBSD__)
2484 size_t i;
2485
2486 if (rng_state != NULL) {
2487 rng_state = NULL;
2488 }
2489
2490 for (i = 0; i < len; ++i) {
2491 output[i] = rand();
2492 }
2493 #else
2494 if (rng_state != NULL) {
2495 rng_state = NULL;
2496 }
2497
2498 arc4random_buf(output, len);
2499 #endif /* !OpenBSD && !NetBSD */
2500
2501 return 0;
2502 }
2503 #endif /* MBEDTLS_PKCS1_V15 */
2504
2505 /*
2506 * Checkup routine
2507 */
mbedtls_rsa_self_test(int verbose)2508 int mbedtls_rsa_self_test(int verbose)
2509 {
2510 int ret = 0;
2511 #if defined(MBEDTLS_PKCS1_V15)
2512 size_t len;
2513 mbedtls_rsa_context rsa;
2514 unsigned char rsa_plaintext[PT_LEN];
2515 unsigned char rsa_decrypted[PT_LEN];
2516 unsigned char rsa_ciphertext[KEY_LEN];
2517 #if defined(MBEDTLS_SHA1_C)
2518 unsigned char sha1sum[20];
2519 #endif
2520
2521 mbedtls_mpi K;
2522
2523 mbedtls_mpi_init(&K);
2524 mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V15, 0);
2525
2526 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
2527 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
2528 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
2529 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
2530 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
2531 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
2532 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
2533 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
2534 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
2535 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
2536
2537 MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
2538
2539 if (verbose != 0) {
2540 mbedtls_printf(" RSA key validation: ");
2541 }
2542
2543 if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
2544 mbedtls_rsa_check_privkey(&rsa) != 0) {
2545 if (verbose != 0) {
2546 mbedtls_printf("failed\n");
2547 }
2548
2549 ret = 1;
2550 goto cleanup;
2551 }
2552
2553 if (verbose != 0) {
2554 mbedtls_printf("passed\n PKCS#1 encryption : ");
2555 }
2556
2557 memcpy(rsa_plaintext, RSA_PT, PT_LEN);
2558
2559 if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
2560 PT_LEN, rsa_plaintext,
2561 rsa_ciphertext) != 0) {
2562 if (verbose != 0) {
2563 mbedtls_printf("failed\n");
2564 }
2565
2566 ret = 1;
2567 goto cleanup;
2568 }
2569
2570 if (verbose != 0) {
2571 mbedtls_printf("passed\n PKCS#1 decryption : ");
2572 }
2573
2574 if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
2575 &len, rsa_ciphertext, rsa_decrypted,
2576 sizeof(rsa_decrypted)) != 0) {
2577 if (verbose != 0) {
2578 mbedtls_printf("failed\n");
2579 }
2580
2581 ret = 1;
2582 goto cleanup;
2583 }
2584
2585 if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
2586 if (verbose != 0) {
2587 mbedtls_printf("failed\n");
2588 }
2589
2590 ret = 1;
2591 goto cleanup;
2592 }
2593
2594 if (verbose != 0) {
2595 mbedtls_printf("passed\n");
2596 }
2597
2598 #if defined(MBEDTLS_SHA1_C)
2599 if (verbose != 0) {
2600 mbedtls_printf(" PKCS#1 data sign : ");
2601 }
2602
2603 if (mbedtls_sha1_ret(rsa_plaintext, PT_LEN, sha1sum) != 0) {
2604 if (verbose != 0) {
2605 mbedtls_printf("failed\n");
2606 }
2607
2608 return 1;
2609 }
2610
2611 if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
2612 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
2613 sha1sum, rsa_ciphertext) != 0) {
2614 if (verbose != 0) {
2615 mbedtls_printf("failed\n");
2616 }
2617
2618 ret = 1;
2619 goto cleanup;
2620 }
2621
2622 if (verbose != 0) {
2623 mbedtls_printf("passed\n PKCS#1 sig. verify: ");
2624 }
2625
2626 if (mbedtls_rsa_pkcs1_verify(&rsa, NULL, NULL,
2627 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
2628 sha1sum, rsa_ciphertext) != 0) {
2629 if (verbose != 0) {
2630 mbedtls_printf("failed\n");
2631 }
2632
2633 ret = 1;
2634 goto cleanup;
2635 }
2636
2637 if (verbose != 0) {
2638 mbedtls_printf("passed\n");
2639 }
2640 #endif /* MBEDTLS_SHA1_C */
2641
2642 if (verbose != 0) {
2643 mbedtls_printf("\n");
2644 }
2645
2646 cleanup:
2647 mbedtls_mpi_free(&K);
2648 mbedtls_rsa_free(&rsa);
2649 #else /* MBEDTLS_PKCS1_V15 */
2650 ((void) verbose);
2651 #endif /* MBEDTLS_PKCS1_V15 */
2652 return ret;
2653 }
2654
2655 #endif /* MBEDTLS_SELF_TEST */
2656
2657 #endif /* MBEDTLS_RSA_C */
2658