1 /*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following sources were referenced in the design of this implementation
22 * of the RSA algorithm:
23 *
24 * [1] A method for obtaining digital signatures and public-key cryptosystems
25 * R Rivest, A Shamir, and L Adleman
26 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
27 *
28 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
29 * Menezes, van Oorschot and Vanstone
30 *
31 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
32 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
33 * Stefan Mangard
34 * https://arxiv.org/abs/1702.08719v2
35 *
36 */
37
38 #include "common.h"
39
40 #if defined(MBEDTLS_RSA_C)
41
42 #include "mbedtls/rsa.h"
43 #include "rsa_alt_helpers.h"
44 #include "mbedtls/oid.h"
45 #include "mbedtls/platform_util.h"
46 #include "mbedtls/error.h"
47 #include "constant_time_internal.h"
48 #include "mbedtls/constant_time.h"
49 #include "hash_info.h"
50
51 #include <string.h>
52
53 #if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
54 #include <stdlib.h>
55 #endif
56
57 /* We use MD first if it's available (for compatibility reasons)
58 * and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
59 #if defined(MBEDTLS_PKCS1_V21)
60 #if !defined(MBEDTLS_MD_C)
61 #include "psa/crypto.h"
62 #include "mbedtls/psa_util.h"
63 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
64 psa_to_md_errors, \
65 psa_generic_status_to_mbedtls)
66 #endif /* !MBEDTLS_MD_C */
67 #endif /* MBEDTLS_PKCS1_V21 */
68
69 #include "mbedtls/platform.h"
70
71 #if !defined(MBEDTLS_RSA_ALT)
72
mbedtls_rsa_import(mbedtls_rsa_context * ctx,const mbedtls_mpi * N,const mbedtls_mpi * P,const mbedtls_mpi * Q,const mbedtls_mpi * D,const mbedtls_mpi * E)73 int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
74 const mbedtls_mpi *N,
75 const mbedtls_mpi *P, const mbedtls_mpi *Q,
76 const mbedtls_mpi *D, const mbedtls_mpi *E)
77 {
78 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
79
80 if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
81 (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
82 (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
83 (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
84 (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
85 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
86 }
87
88 if (N != NULL) {
89 ctx->len = mbedtls_mpi_size(&ctx->N);
90 }
91
92 return 0;
93 }
94
mbedtls_rsa_import_raw(mbedtls_rsa_context * ctx,unsigned char const * N,size_t N_len,unsigned char const * P,size_t P_len,unsigned char const * Q,size_t Q_len,unsigned char const * D,size_t D_len,unsigned char const * E,size_t E_len)95 int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
96 unsigned char const *N, size_t N_len,
97 unsigned char const *P, size_t P_len,
98 unsigned char const *Q, size_t Q_len,
99 unsigned char const *D, size_t D_len,
100 unsigned char const *E, size_t E_len)
101 {
102 int ret = 0;
103
104 if (N != NULL) {
105 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
106 ctx->len = mbedtls_mpi_size(&ctx->N);
107 }
108
109 if (P != NULL) {
110 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
111 }
112
113 if (Q != NULL) {
114 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
115 }
116
117 if (D != NULL) {
118 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
119 }
120
121 if (E != NULL) {
122 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
123 }
124
125 cleanup:
126
127 if (ret != 0) {
128 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
129 }
130
131 return 0;
132 }
133
134 /*
135 * Checks whether the context fields are set in such a way
136 * that the RSA primitives will be able to execute without error.
137 * It does *not* make guarantees for consistency of the parameters.
138 */
rsa_check_context(mbedtls_rsa_context const * ctx,int is_priv,int blinding_needed)139 static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
140 int blinding_needed)
141 {
142 #if !defined(MBEDTLS_RSA_NO_CRT)
143 /* blinding_needed is only used for NO_CRT to decide whether
144 * P,Q need to be present or not. */
145 ((void) blinding_needed);
146 #endif
147
148 if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
149 ctx->len > MBEDTLS_MPI_MAX_SIZE) {
150 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
151 }
152
153 /*
154 * 1. Modular exponentiation needs positive, odd moduli.
155 */
156
157 /* Modular exponentiation wrt. N is always used for
158 * RSA public key operations. */
159 if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
160 mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
161 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
162 }
163
164 #if !defined(MBEDTLS_RSA_NO_CRT)
165 /* Modular exponentiation for P and Q is only
166 * used for private key operations and if CRT
167 * is used. */
168 if (is_priv &&
169 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
170 mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
171 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
172 mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
173 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
174 }
175 #endif /* !MBEDTLS_RSA_NO_CRT */
176
177 /*
178 * 2. Exponents must be positive
179 */
180
181 /* Always need E for public key operations */
182 if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
183 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
184 }
185
186 #if defined(MBEDTLS_RSA_NO_CRT)
187 /* For private key operations, use D or DP & DQ
188 * as (unblinded) exponents. */
189 if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
190 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
191 }
192 #else
193 if (is_priv &&
194 (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
195 mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
196 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
197 }
198 #endif /* MBEDTLS_RSA_NO_CRT */
199
200 /* Blinding shouldn't make exponents negative either,
201 * so check that P, Q >= 1 if that hasn't yet been
202 * done as part of 1. */
203 #if defined(MBEDTLS_RSA_NO_CRT)
204 if (is_priv && blinding_needed &&
205 (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
206 mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
207 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
208 }
209 #endif
210
211 /* It wouldn't lead to an error if it wasn't satisfied,
212 * but check for QP >= 1 nonetheless. */
213 #if !defined(MBEDTLS_RSA_NO_CRT)
214 if (is_priv &&
215 mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
216 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
217 }
218 #endif
219
220 return 0;
221 }
222
mbedtls_rsa_complete(mbedtls_rsa_context * ctx)223 int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
224 {
225 int ret = 0;
226 int have_N, have_P, have_Q, have_D, have_E;
227 #if !defined(MBEDTLS_RSA_NO_CRT)
228 int have_DP, have_DQ, have_QP;
229 #endif
230 int n_missing, pq_missing, d_missing, is_pub, is_priv;
231
232 have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
233 have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
234 have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
235 have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
236 have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
237
238 #if !defined(MBEDTLS_RSA_NO_CRT)
239 have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
240 have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
241 have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
242 #endif
243
244 /*
245 * Check whether provided parameters are enough
246 * to deduce all others. The following incomplete
247 * parameter sets for private keys are supported:
248 *
249 * (1) P, Q missing.
250 * (2) D and potentially N missing.
251 *
252 */
253
254 n_missing = have_P && have_Q && have_D && have_E;
255 pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
256 d_missing = have_P && have_Q && !have_D && have_E;
257 is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
258
259 /* These three alternatives are mutually exclusive */
260 is_priv = n_missing || pq_missing || d_missing;
261
262 if (!is_priv && !is_pub) {
263 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
264 }
265
266 /*
267 * Step 1: Deduce N if P, Q are provided.
268 */
269
270 if (!have_N && have_P && have_Q) {
271 if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
272 &ctx->Q)) != 0) {
273 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
274 }
275
276 ctx->len = mbedtls_mpi_size(&ctx->N);
277 }
278
279 /*
280 * Step 2: Deduce and verify all remaining core parameters.
281 */
282
283 if (pq_missing) {
284 ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
285 &ctx->P, &ctx->Q);
286 if (ret != 0) {
287 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
288 }
289
290 } else if (d_missing) {
291 if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
292 &ctx->Q,
293 &ctx->E,
294 &ctx->D)) != 0) {
295 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
296 }
297 }
298
299 /*
300 * Step 3: Deduce all additional parameters specific
301 * to our current RSA implementation.
302 */
303
304 #if !defined(MBEDTLS_RSA_NO_CRT)
305 if (is_priv && !(have_DP && have_DQ && have_QP)) {
306 ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
307 &ctx->DP, &ctx->DQ, &ctx->QP);
308 if (ret != 0) {
309 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
310 }
311 }
312 #endif /* MBEDTLS_RSA_NO_CRT */
313
314 /*
315 * Step 3: Basic sanity checks
316 */
317
318 return rsa_check_context(ctx, is_priv, 1);
319 }
320
mbedtls_rsa_export_raw(const mbedtls_rsa_context * ctx,unsigned char * N,size_t N_len,unsigned char * P,size_t P_len,unsigned char * Q,size_t Q_len,unsigned char * D,size_t D_len,unsigned char * E,size_t E_len)321 int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
322 unsigned char *N, size_t N_len,
323 unsigned char *P, size_t P_len,
324 unsigned char *Q, size_t Q_len,
325 unsigned char *D, size_t D_len,
326 unsigned char *E, size_t E_len)
327 {
328 int ret = 0;
329 int is_priv;
330
331 /* Check if key is private or public */
332 is_priv =
333 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
334 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
335 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
336 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
337 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
338
339 if (!is_priv) {
340 /* If we're trying to export private parameters for a public key,
341 * something must be wrong. */
342 if (P != NULL || Q != NULL || D != NULL) {
343 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
344 }
345
346 }
347
348 if (N != NULL) {
349 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
350 }
351
352 if (P != NULL) {
353 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
354 }
355
356 if (Q != NULL) {
357 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
358 }
359
360 if (D != NULL) {
361 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
362 }
363
364 if (E != NULL) {
365 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
366 }
367
368 cleanup:
369
370 return ret;
371 }
372
mbedtls_rsa_export(const mbedtls_rsa_context * ctx,mbedtls_mpi * N,mbedtls_mpi * P,mbedtls_mpi * Q,mbedtls_mpi * D,mbedtls_mpi * E)373 int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
374 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
375 mbedtls_mpi *D, mbedtls_mpi *E)
376 {
377 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
378 int is_priv;
379
380 /* Check if key is private or public */
381 is_priv =
382 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
383 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
384 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
385 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
386 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
387
388 if (!is_priv) {
389 /* If we're trying to export private parameters for a public key,
390 * something must be wrong. */
391 if (P != NULL || Q != NULL || D != NULL) {
392 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
393 }
394
395 }
396
397 /* Export all requested core parameters. */
398
399 if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
400 (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
401 (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
402 (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
403 (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
404 return ret;
405 }
406
407 return 0;
408 }
409
410 /*
411 * Export CRT parameters
412 * This must also be implemented if CRT is not used, for being able to
413 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
414 * can be used in this case.
415 */
mbedtls_rsa_export_crt(const mbedtls_rsa_context * ctx,mbedtls_mpi * DP,mbedtls_mpi * DQ,mbedtls_mpi * QP)416 int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
417 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
418 {
419 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
420 int is_priv;
421
422 /* Check if key is private or public */
423 is_priv =
424 mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
425 mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
426 mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
427 mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
428 mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
429
430 if (!is_priv) {
431 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
432 }
433
434 #if !defined(MBEDTLS_RSA_NO_CRT)
435 /* Export all requested blinding parameters. */
436 if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
437 (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
438 (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
439 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
440 }
441 #else
442 if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
443 DP, DQ, QP)) != 0) {
444 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
445 }
446 #endif
447
448 return 0;
449 }
450
451 /*
452 * Initialize an RSA context
453 */
mbedtls_rsa_init(mbedtls_rsa_context * ctx)454 void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
455 {
456 memset(ctx, 0, sizeof(mbedtls_rsa_context));
457
458 ctx->padding = MBEDTLS_RSA_PKCS_V15;
459 ctx->hash_id = MBEDTLS_MD_NONE;
460
461 #if defined(MBEDTLS_THREADING_C)
462 /* Set ctx->ver to nonzero to indicate that the mutex has been
463 * initialized and will need to be freed. */
464 ctx->ver = 1;
465 mbedtls_mutex_init(&ctx->mutex);
466 #endif
467 }
468
469 /*
470 * Set padding for an existing RSA context
471 */
mbedtls_rsa_set_padding(mbedtls_rsa_context * ctx,int padding,mbedtls_md_type_t hash_id)472 int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
473 mbedtls_md_type_t hash_id)
474 {
475 switch (padding) {
476 #if defined(MBEDTLS_PKCS1_V15)
477 case MBEDTLS_RSA_PKCS_V15:
478 break;
479 #endif
480
481 #if defined(MBEDTLS_PKCS1_V21)
482 case MBEDTLS_RSA_PKCS_V21:
483 break;
484 #endif
485 default:
486 return MBEDTLS_ERR_RSA_INVALID_PADDING;
487 }
488
489 #if defined(MBEDTLS_PKCS1_V21)
490 if ((padding == MBEDTLS_RSA_PKCS_V21) &&
491 (hash_id != MBEDTLS_MD_NONE)) {
492 /* Just make sure this hash is supported in this build. */
493 if (mbedtls_hash_info_psa_from_md(hash_id) == PSA_ALG_NONE) {
494 return MBEDTLS_ERR_RSA_INVALID_PADDING;
495 }
496 }
497 #endif /* MBEDTLS_PKCS1_V21 */
498
499 ctx->padding = padding;
500 ctx->hash_id = hash_id;
501
502 return 0;
503 }
504
505 /*
506 * Get padding mode of initialized RSA context
507 */
mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context * ctx)508 int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx)
509 {
510 return ctx->padding;
511 }
512
513 /*
514 * Get hash identifier of mbedtls_md_type_t type
515 */
mbedtls_rsa_get_md_alg(const mbedtls_rsa_context * ctx)516 int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx)
517 {
518 return ctx->hash_id;
519 }
520
521 /*
522 * Get length in bytes of RSA modulus
523 */
mbedtls_rsa_get_len(const mbedtls_rsa_context * ctx)524 size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
525 {
526 return ctx->len;
527 }
528
529
530 #if defined(MBEDTLS_GENPRIME)
531
532 /*
533 * Generate an RSA keypair
534 *
535 * This generation method follows the RSA key pair generation procedure of
536 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
537 */
mbedtls_rsa_gen_key(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,unsigned int nbits,int exponent)538 int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
539 int (*f_rng)(void *, unsigned char *, size_t),
540 void *p_rng,
541 unsigned int nbits, int exponent)
542 {
543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
544 mbedtls_mpi H, G, L;
545 int prime_quality = 0;
546
547 /*
548 * If the modulus is 1024 bit long or shorter, then the security strength of
549 * the RSA algorithm is less than or equal to 80 bits and therefore an error
550 * rate of 2^-80 is sufficient.
551 */
552 if (nbits > 1024) {
553 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
554 }
555
556 mbedtls_mpi_init(&H);
557 mbedtls_mpi_init(&G);
558 mbedtls_mpi_init(&L);
559
560 if (nbits < 128 || exponent < 3 || nbits % 2 != 0) {
561 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
562 goto cleanup;
563 }
564
565 /*
566 * find primes P and Q with Q < P so that:
567 * 1. |P-Q| > 2^( nbits / 2 - 100 )
568 * 2. GCD( E, (P-1)*(Q-1) ) == 1
569 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
570 */
571 MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
572
573 do {
574 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
575 prime_quality, f_rng, p_rng));
576
577 MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
578 prime_quality, f_rng, p_rng));
579
580 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
581 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
582 if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
583 continue;
584 }
585
586 /* not required by any standards, but some users rely on the fact that P > Q */
587 if (H.s < 0) {
588 mbedtls_mpi_swap(&ctx->P, &ctx->Q);
589 }
590
591 /* Temporarily replace P,Q by P-1, Q-1 */
592 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
593 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
594 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
595
596 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
597 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
598 if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
599 continue;
600 }
601
602 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
603 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
604 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
605 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
606
607 if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
608 continue;
609 }
610
611 break;
612 } while (1);
613
614 /* Restore P,Q */
615 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
616 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
617
618 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
619
620 ctx->len = mbedtls_mpi_size(&ctx->N);
621
622 #if !defined(MBEDTLS_RSA_NO_CRT)
623 /*
624 * DP = D mod (P - 1)
625 * DQ = D mod (Q - 1)
626 * QP = Q^-1 mod P
627 */
628 MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
629 &ctx->DP, &ctx->DQ, &ctx->QP));
630 #endif /* MBEDTLS_RSA_NO_CRT */
631
632 /* Double-check */
633 MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
634
635 cleanup:
636
637 mbedtls_mpi_free(&H);
638 mbedtls_mpi_free(&G);
639 mbedtls_mpi_free(&L);
640
641 if (ret != 0) {
642 mbedtls_rsa_free(ctx);
643
644 if ((-ret & ~0x7f) == 0) {
645 ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
646 }
647 return ret;
648 }
649
650 return 0;
651 }
652
653 #endif /* MBEDTLS_GENPRIME */
654
655 /*
656 * Check a public RSA key
657 */
mbedtls_rsa_check_pubkey(const mbedtls_rsa_context * ctx)658 int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
659 {
660 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
661 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
662 }
663
664 if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
665 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
666 }
667
668 if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
669 mbedtls_mpi_bitlen(&ctx->E) < 2 ||
670 mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
671 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
672 }
673
674 return 0;
675 }
676
677 /*
678 * Check for the consistency of all fields in an RSA private key context
679 */
mbedtls_rsa_check_privkey(const mbedtls_rsa_context * ctx)680 int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
681 {
682 if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
683 rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
684 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
685 }
686
687 if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
688 &ctx->D, &ctx->E, NULL, NULL) != 0) {
689 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
690 }
691
692 #if !defined(MBEDTLS_RSA_NO_CRT)
693 else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
694 &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
695 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
696 }
697 #endif
698
699 return 0;
700 }
701
702 /*
703 * Check if contexts holding a public and private key match
704 */
mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context * pub,const mbedtls_rsa_context * prv)705 int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
706 const mbedtls_rsa_context *prv)
707 {
708 if (mbedtls_rsa_check_pubkey(pub) != 0 ||
709 mbedtls_rsa_check_privkey(prv) != 0) {
710 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
711 }
712
713 if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
714 mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
715 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
716 }
717
718 return 0;
719 }
720
721 /*
722 * Do an RSA public key operation
723 */
mbedtls_rsa_public(mbedtls_rsa_context * ctx,const unsigned char * input,unsigned char * output)724 int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
725 const unsigned char *input,
726 unsigned char *output)
727 {
728 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
729 size_t olen;
730 mbedtls_mpi T;
731
732 if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
733 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
734 }
735
736 mbedtls_mpi_init(&T);
737
738 #if defined(MBEDTLS_THREADING_C)
739 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
740 return ret;
741 }
742 #endif
743
744 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
745
746 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
747 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
748 goto cleanup;
749 }
750
751 olen = ctx->len;
752 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
753 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
754
755 cleanup:
756 #if defined(MBEDTLS_THREADING_C)
757 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
758 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
759 }
760 #endif
761
762 mbedtls_mpi_free(&T);
763
764 if (ret != 0) {
765 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
766 }
767
768 return 0;
769 }
770
771 /*
772 * Generate or update blinding values, see section 10 of:
773 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
774 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
775 * Berlin Heidelberg, 1996. p. 104-113.
776 */
rsa_prepare_blinding(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)777 static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
778 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
779 {
780 int ret, count = 0;
781 mbedtls_mpi R;
782
783 mbedtls_mpi_init(&R);
784
785 if (ctx->Vf.p != NULL) {
786 /* We already have blinding values, just update them by squaring */
787 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
788 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
789 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
790 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
791
792 goto cleanup;
793 }
794
795 /* Unblinding value: Vf = random number, invertible mod N */
796 do {
797 if (count++ > 10) {
798 ret = MBEDTLS_ERR_RSA_RNG_FAILED;
799 goto cleanup;
800 }
801
802 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
803
804 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
805 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
806 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
807 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
808
809 /* At this point, Vi is invertible mod N if and only if both Vf and R
810 * are invertible mod N. If one of them isn't, we don't need to know
811 * which one, we just loop and choose new values for both of them.
812 * (Each iteration succeeds with overwhelming probability.) */
813 ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
814 if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
815 goto cleanup;
816 }
817
818 } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
819
820 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
821 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
822 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
823
824 /* Blinding value: Vi = Vf^(-e) mod N
825 * (Vi already contains Vf^-1 at this point) */
826 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
827
828
829 cleanup:
830 mbedtls_mpi_free(&R);
831
832 return ret;
833 }
834
835 /*
836 * Exponent blinding supposed to prevent side-channel attacks using multiple
837 * traces of measurements to recover the RSA key. The more collisions are there,
838 * the more bits of the key can be recovered. See [3].
839 *
840 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
841 * observations on average.
842 *
843 * For example with 28 byte blinding to achieve 2 collisions the adversary has
844 * to make 2^112 observations on average.
845 *
846 * (With the currently (as of 2017 April) known best algorithms breaking 2048
847 * bit RSA requires approximately as much time as trying out 2^112 random keys.
848 * Thus in this sense with 28 byte blinding the security is not reduced by
849 * side-channel attacks like the one in [3])
850 *
851 * This countermeasure does not help if the key recovery is possible with a
852 * single trace.
853 */
854 #define RSA_EXPONENT_BLINDING 28
855
856 /*
857 * Do an RSA private key operation
858 */
mbedtls_rsa_private(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * input,unsigned char * output)859 int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
860 int (*f_rng)(void *, unsigned char *, size_t),
861 void *p_rng,
862 const unsigned char *input,
863 unsigned char *output)
864 {
865 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
866 size_t olen;
867
868 /* Temporary holding the result */
869 mbedtls_mpi T;
870
871 /* Temporaries holding P-1, Q-1 and the
872 * exponent blinding factor, respectively. */
873 mbedtls_mpi P1, Q1, R;
874
875 #if !defined(MBEDTLS_RSA_NO_CRT)
876 /* Temporaries holding the results mod p resp. mod q. */
877 mbedtls_mpi TP, TQ;
878
879 /* Temporaries holding the blinded exponents for
880 * the mod p resp. mod q computation (if used). */
881 mbedtls_mpi DP_blind, DQ_blind;
882
883 /* Pointers to actual exponents to be used - either the unblinded
884 * or the blinded ones, depending on the presence of a PRNG. */
885 mbedtls_mpi *DP = &ctx->DP;
886 mbedtls_mpi *DQ = &ctx->DQ;
887 #else
888 /* Temporary holding the blinded exponent (if used). */
889 mbedtls_mpi D_blind;
890
891 /* Pointer to actual exponent to be used - either the unblinded
892 * or the blinded one, depending on the presence of a PRNG. */
893 mbedtls_mpi *D = &ctx->D;
894 #endif /* MBEDTLS_RSA_NO_CRT */
895
896 /* Temporaries holding the initial input and the double
897 * checked result; should be the same in the end. */
898 mbedtls_mpi I, C;
899
900 if (f_rng == NULL) {
901 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
902 }
903
904 if (rsa_check_context(ctx, 1 /* private key checks */,
905 1 /* blinding on */) != 0) {
906 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
907 }
908
909 #if defined(MBEDTLS_THREADING_C)
910 if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
911 return ret;
912 }
913 #endif
914
915 /* MPI Initialization */
916 mbedtls_mpi_init(&T);
917
918 mbedtls_mpi_init(&P1);
919 mbedtls_mpi_init(&Q1);
920 mbedtls_mpi_init(&R);
921
922 #if defined(MBEDTLS_RSA_NO_CRT)
923 mbedtls_mpi_init(&D_blind);
924 #else
925 mbedtls_mpi_init(&DP_blind);
926 mbedtls_mpi_init(&DQ_blind);
927 #endif
928
929 #if !defined(MBEDTLS_RSA_NO_CRT)
930 mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
931 #endif
932
933 mbedtls_mpi_init(&I);
934 mbedtls_mpi_init(&C);
935
936 /* End of MPI initialization */
937
938 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
939 if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
940 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
941 goto cleanup;
942 }
943
944 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
945
946 /*
947 * Blinding
948 * T = T * Vi mod N
949 */
950 MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
951 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
952 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
953
954 /*
955 * Exponent blinding
956 */
957 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
958 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
959
960 #if defined(MBEDTLS_RSA_NO_CRT)
961 /*
962 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
963 */
964 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
965 f_rng, p_rng));
966 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
967 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
968 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
969
970 D = &D_blind;
971 #else
972 /*
973 * DP_blind = ( P - 1 ) * R + DP
974 */
975 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
976 f_rng, p_rng));
977 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
978 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
979 &ctx->DP));
980
981 DP = &DP_blind;
982
983 /*
984 * DQ_blind = ( Q - 1 ) * R + DQ
985 */
986 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
987 f_rng, p_rng));
988 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
989 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
990 &ctx->DQ));
991
992 DQ = &DQ_blind;
993 #endif /* MBEDTLS_RSA_NO_CRT */
994
995 #if defined(MBEDTLS_RSA_NO_CRT)
996 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, D, &ctx->N, &ctx->RN));
997 #else
998 /*
999 * Faster decryption using the CRT
1000 *
1001 * TP = input ^ dP mod P
1002 * TQ = input ^ dQ mod Q
1003 */
1004
1005 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, DP, &ctx->P, &ctx->RP));
1006 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, DQ, &ctx->Q, &ctx->RQ));
1007
1008 /*
1009 * T = (TP - TQ) * (Q^-1 mod P) mod P
1010 */
1011 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
1012 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
1013 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
1014
1015 /*
1016 * T = TQ + T * Q
1017 */
1018 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
1019 MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
1020 #endif /* MBEDTLS_RSA_NO_CRT */
1021
1022 /*
1023 * Unblind
1024 * T = T * Vf mod N
1025 */
1026 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vf));
1027 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
1028
1029 /* Verify the result to prevent glitching attacks. */
1030 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
1031 &ctx->N, &ctx->RN));
1032 if (mbedtls_mpi_cmp_mpi(&C, &I) != 0) {
1033 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1034 goto cleanup;
1035 }
1036
1037 olen = ctx->len;
1038 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
1039
1040 cleanup:
1041 #if defined(MBEDTLS_THREADING_C)
1042 if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
1043 return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1044 }
1045 #endif
1046
1047 mbedtls_mpi_free(&P1);
1048 mbedtls_mpi_free(&Q1);
1049 mbedtls_mpi_free(&R);
1050
1051 #if defined(MBEDTLS_RSA_NO_CRT)
1052 mbedtls_mpi_free(&D_blind);
1053 #else
1054 mbedtls_mpi_free(&DP_blind);
1055 mbedtls_mpi_free(&DQ_blind);
1056 #endif
1057
1058 mbedtls_mpi_free(&T);
1059
1060 #if !defined(MBEDTLS_RSA_NO_CRT)
1061 mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
1062 #endif
1063
1064 mbedtls_mpi_free(&C);
1065 mbedtls_mpi_free(&I);
1066
1067 if (ret != 0 && ret >= -0x007f) {
1068 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
1069 }
1070
1071 return ret;
1072 }
1073
1074 #if defined(MBEDTLS_PKCS1_V21)
1075 /**
1076 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
1077 *
1078 * \param dst buffer to mask
1079 * \param dlen length of destination buffer
1080 * \param src source of the mask generation
1081 * \param slen length of the source buffer
1082 * \param md_alg message digest to use
1083 */
mgf_mask(unsigned char * dst,size_t dlen,unsigned char * src,size_t slen,mbedtls_md_type_t md_alg)1084 static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
1085 size_t slen, mbedtls_md_type_t md_alg)
1086 {
1087 unsigned char counter[4];
1088 unsigned char *p;
1089 unsigned int hlen;
1090 size_t i, use_len;
1091 unsigned char mask[MBEDTLS_HASH_MAX_SIZE];
1092 #if defined(MBEDTLS_MD_C)
1093 int ret = 0;
1094 const mbedtls_md_info_t *md_info;
1095 mbedtls_md_context_t md_ctx;
1096
1097 mbedtls_md_init(&md_ctx);
1098 md_info = mbedtls_md_info_from_type(md_alg);
1099 if (md_info == NULL) {
1100 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1101 }
1102
1103 mbedtls_md_init(&md_ctx);
1104 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
1105 goto exit;
1106 }
1107
1108 hlen = mbedtls_md_get_size(md_info);
1109 #else
1110 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
1111 psa_algorithm_t alg = mbedtls_psa_translate_md(md_alg);
1112 psa_status_t status = PSA_SUCCESS;
1113 size_t out_len;
1114
1115 hlen = PSA_HASH_LENGTH(alg);
1116 #endif
1117
1118 memset(mask, 0, sizeof(mask));
1119 memset(counter, 0, 4);
1120
1121 /* Generate and apply dbMask */
1122 p = dst;
1123
1124 while (dlen > 0) {
1125 use_len = hlen;
1126 if (dlen < hlen) {
1127 use_len = dlen;
1128 }
1129
1130 #if defined(MBEDTLS_MD_C)
1131 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
1132 goto exit;
1133 }
1134 if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
1135 goto exit;
1136 }
1137 if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
1138 goto exit;
1139 }
1140 if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
1141 goto exit;
1142 }
1143 #else
1144 if ((status = psa_hash_setup(&op, alg)) != PSA_SUCCESS) {
1145 goto exit;
1146 }
1147 if ((status = psa_hash_update(&op, src, slen)) != PSA_SUCCESS) {
1148 goto exit;
1149 }
1150 if ((status = psa_hash_update(&op, counter, 4)) != PSA_SUCCESS) {
1151 goto exit;
1152 }
1153 status = psa_hash_finish(&op, mask, sizeof(mask), &out_len);
1154 if (status != PSA_SUCCESS) {
1155 goto exit;
1156 }
1157 #endif
1158
1159 for (i = 0; i < use_len; ++i) {
1160 *p++ ^= mask[i];
1161 }
1162
1163 counter[3]++;
1164
1165 dlen -= use_len;
1166 }
1167
1168 exit:
1169 mbedtls_platform_zeroize(mask, sizeof(mask));
1170 #if defined(MBEDTLS_MD_C)
1171 mbedtls_md_free(&md_ctx);
1172
1173 return ret;
1174 #else
1175 psa_hash_abort(&op);
1176
1177 return PSA_TO_MBEDTLS_ERR(status);
1178 #endif
1179 }
1180
1181 /**
1182 * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
1183 *
1184 * \param hash the input hash
1185 * \param hlen length of the input hash
1186 * \param salt the input salt
1187 * \param slen length of the input salt
1188 * \param out the output buffer - must be large enough for \p md_alg
1189 * \param md_alg message digest to use
1190 */
hash_mprime(const unsigned char * hash,size_t hlen,const unsigned char * salt,size_t slen,unsigned char * out,mbedtls_md_type_t md_alg)1191 static int hash_mprime(const unsigned char *hash, size_t hlen,
1192 const unsigned char *salt, size_t slen,
1193 unsigned char *out, mbedtls_md_type_t md_alg)
1194 {
1195 const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
1196
1197 #if defined(MBEDTLS_MD_C)
1198 mbedtls_md_context_t md_ctx;
1199 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1200
1201 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
1202 if (md_info == NULL) {
1203 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1204 }
1205
1206 mbedtls_md_init(&md_ctx);
1207 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
1208 goto exit;
1209 }
1210 if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
1211 goto exit;
1212 }
1213 if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
1214 goto exit;
1215 }
1216 if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
1217 goto exit;
1218 }
1219 if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
1220 goto exit;
1221 }
1222 if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
1223 goto exit;
1224 }
1225
1226 exit:
1227 mbedtls_md_free(&md_ctx);
1228
1229 return ret;
1230 #else
1231 psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
1232 psa_algorithm_t alg = mbedtls_psa_translate_md(md_alg);
1233 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1234 size_t out_size = PSA_HASH_LENGTH(alg);
1235 size_t out_len;
1236
1237 if ((status = psa_hash_setup(&op, alg)) != PSA_SUCCESS) {
1238 goto exit;
1239 }
1240 if ((status = psa_hash_update(&op, zeros, sizeof(zeros))) != PSA_SUCCESS) {
1241 goto exit;
1242 }
1243 if ((status = psa_hash_update(&op, hash, hlen)) != PSA_SUCCESS) {
1244 goto exit;
1245 }
1246 if ((status = psa_hash_update(&op, salt, slen)) != PSA_SUCCESS) {
1247 goto exit;
1248 }
1249 status = psa_hash_finish(&op, out, out_size, &out_len);
1250 if (status != PSA_SUCCESS) {
1251 goto exit;
1252 }
1253
1254 exit:
1255 psa_hash_abort(&op);
1256
1257 return PSA_TO_MBEDTLS_ERR(status);
1258 #endif /* !MBEDTLS_MD_C */
1259 }
1260
1261 /**
1262 * Compute a hash.
1263 *
1264 * \param md_alg algorithm to use
1265 * \param input input message to hash
1266 * \param ilen input length
1267 * \param output the output buffer - must be large enough for \p md_alg
1268 */
compute_hash(mbedtls_md_type_t md_alg,const unsigned char * input,size_t ilen,unsigned char * output)1269 static int compute_hash(mbedtls_md_type_t md_alg,
1270 const unsigned char *input, size_t ilen,
1271 unsigned char *output)
1272 {
1273 #if defined(MBEDTLS_MD_C)
1274 const mbedtls_md_info_t *md_info;
1275
1276 md_info = mbedtls_md_info_from_type(md_alg);
1277 if (md_info == NULL) {
1278 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1279 }
1280
1281 return mbedtls_md(md_info, input, ilen, output);
1282 #else
1283 psa_algorithm_t alg = mbedtls_psa_translate_md(md_alg);
1284 psa_status_t status;
1285 size_t out_size = PSA_HASH_LENGTH(alg);
1286 size_t out_len;
1287
1288 status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len);
1289
1290 return PSA_TO_MBEDTLS_ERR(status);
1291 #endif /* !MBEDTLS_MD_C */
1292 }
1293 #endif /* MBEDTLS_PKCS1_V21 */
1294
1295 #if defined(MBEDTLS_PKCS1_V21)
1296 /*
1297 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1298 */
mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * label,size_t label_len,size_t ilen,const unsigned char * input,unsigned char * output)1299 int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
1300 int (*f_rng)(void *, unsigned char *, size_t),
1301 void *p_rng,
1302 const unsigned char *label, size_t label_len,
1303 size_t ilen,
1304 const unsigned char *input,
1305 unsigned char *output)
1306 {
1307 size_t olen;
1308 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1309 unsigned char *p = output;
1310 unsigned int hlen;
1311
1312 if (f_rng == NULL) {
1313 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1314 }
1315
1316 hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
1317 if (hlen == 0) {
1318 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1319 }
1320
1321 olen = ctx->len;
1322
1323 /* first comparison checks for overflow */
1324 if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
1325 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1326 }
1327
1328 memset(output, 0, olen);
1329
1330 *p++ = 0;
1331
1332 /* Generate a random octet string seed */
1333 if ((ret = f_rng(p_rng, p, hlen)) != 0) {
1334 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1335 }
1336
1337 p += hlen;
1338
1339 /* Construct DB */
1340 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
1341 if (ret != 0) {
1342 return ret;
1343 }
1344 p += hlen;
1345 p += olen - 2 * hlen - 2 - ilen;
1346 *p++ = 1;
1347 if (ilen != 0) {
1348 memcpy(p, input, ilen);
1349 }
1350
1351 /* maskedDB: Apply dbMask to DB */
1352 if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1353 ctx->hash_id)) != 0) {
1354 return ret;
1355 }
1356
1357 /* maskedSeed: Apply seedMask to seed */
1358 if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1359 ctx->hash_id)) != 0) {
1360 return ret;
1361 }
1362
1363 return mbedtls_rsa_public(ctx, output, output);
1364 }
1365 #endif /* MBEDTLS_PKCS1_V21 */
1366
1367 #if defined(MBEDTLS_PKCS1_V15)
1368 /*
1369 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1370 */
mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t ilen,const unsigned char * input,unsigned char * output)1371 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
1372 int (*f_rng)(void *, unsigned char *, size_t),
1373 void *p_rng, size_t ilen,
1374 const unsigned char *input,
1375 unsigned char *output)
1376 {
1377 size_t nb_pad, olen;
1378 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1379 unsigned char *p = output;
1380
1381 olen = ctx->len;
1382
1383 /* first comparison checks for overflow */
1384 if (ilen + 11 < ilen || olen < ilen + 11) {
1385 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1386 }
1387
1388 nb_pad = olen - 3 - ilen;
1389
1390 *p++ = 0;
1391
1392 if (f_rng == NULL) {
1393 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1394 }
1395
1396 *p++ = MBEDTLS_RSA_CRYPT;
1397
1398 while (nb_pad-- > 0) {
1399 int rng_dl = 100;
1400
1401 do {
1402 ret = f_rng(p_rng, p, 1);
1403 } while (*p == 0 && --rng_dl && ret == 0);
1404
1405 /* Check if RNG failed to generate data */
1406 if (rng_dl == 0 || ret != 0) {
1407 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1408 }
1409
1410 p++;
1411 }
1412
1413 *p++ = 0;
1414 if (ilen != 0) {
1415 memcpy(p, input, ilen);
1416 }
1417
1418 return mbedtls_rsa_public(ctx, output, output);
1419 }
1420 #endif /* MBEDTLS_PKCS1_V15 */
1421
1422 /*
1423 * Add the message padding, then do an RSA operation
1424 */
mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t ilen,const unsigned char * input,unsigned char * output)1425 int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
1426 int (*f_rng)(void *, unsigned char *, size_t),
1427 void *p_rng,
1428 size_t ilen,
1429 const unsigned char *input,
1430 unsigned char *output)
1431 {
1432 switch (ctx->padding) {
1433 #if defined(MBEDTLS_PKCS1_V15)
1434 case MBEDTLS_RSA_PKCS_V15:
1435 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
1436 ilen, input, output);
1437 #endif
1438
1439 #if defined(MBEDTLS_PKCS1_V21)
1440 case MBEDTLS_RSA_PKCS_V21:
1441 return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
1442 ilen, input, output);
1443 #endif
1444
1445 default:
1446 return MBEDTLS_ERR_RSA_INVALID_PADDING;
1447 }
1448 }
1449
1450 #if defined(MBEDTLS_PKCS1_V21)
1451 /*
1452 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1453 */
mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,const unsigned char * label,size_t label_len,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1454 int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
1455 int (*f_rng)(void *, unsigned char *, size_t),
1456 void *p_rng,
1457 const unsigned char *label, size_t label_len,
1458 size_t *olen,
1459 const unsigned char *input,
1460 unsigned char *output,
1461 size_t output_max_len)
1462 {
1463 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1464 size_t ilen, i, pad_len;
1465 unsigned char *p, bad, pad_done;
1466 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1467 unsigned char lhash[MBEDTLS_HASH_MAX_SIZE];
1468 unsigned int hlen;
1469
1470 /*
1471 * Parameters sanity checks
1472 */
1473 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1474 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1475 }
1476
1477 ilen = ctx->len;
1478
1479 if (ilen < 16 || ilen > sizeof(buf)) {
1480 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1481 }
1482
1483 hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
1484 if (hlen == 0) {
1485 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1486 }
1487
1488 // checking for integer underflow
1489 if (2 * hlen + 2 > ilen) {
1490 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1491 }
1492
1493 /*
1494 * RSA operation
1495 */
1496 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
1497
1498 if (ret != 0) {
1499 goto cleanup;
1500 }
1501
1502 /*
1503 * Unmask data and generate lHash
1504 */
1505 /* seed: Apply seedMask to maskedSeed */
1506 if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1507 ctx->hash_id)) != 0 ||
1508 /* DB: Apply dbMask to maskedDB */
1509 (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1510 ctx->hash_id)) != 0) {
1511 goto cleanup;
1512 }
1513
1514 /* Generate lHash */
1515 ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
1516 label, label_len, lhash);
1517 if (ret != 0) {
1518 goto cleanup;
1519 }
1520
1521 /*
1522 * Check contents, in "constant-time"
1523 */
1524 p = buf;
1525 bad = 0;
1526
1527 bad |= *p++; /* First byte must be 0 */
1528
1529 p += hlen; /* Skip seed */
1530
1531 /* Check lHash */
1532 for (i = 0; i < hlen; i++) {
1533 bad |= lhash[i] ^ *p++;
1534 }
1535
1536 /* Get zero-padding len, but always read till end of buffer
1537 * (minus one, for the 01 byte) */
1538 pad_len = 0;
1539 pad_done = 0;
1540 for (i = 0; i < ilen - 2 * hlen - 2; i++) {
1541 pad_done |= p[i];
1542 pad_len += ((pad_done | (unsigned char) -pad_done) >> 7) ^ 1;
1543 }
1544
1545 p += pad_len;
1546 bad |= *p++ ^ 0x01;
1547
1548 /*
1549 * The only information "leaked" is whether the padding was correct or not
1550 * (eg, no data is copied if it was not correct). This meets the
1551 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1552 * the different error conditions.
1553 */
1554 if (bad != 0) {
1555 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1556 goto cleanup;
1557 }
1558
1559 if (ilen - (p - buf) > output_max_len) {
1560 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1561 goto cleanup;
1562 }
1563
1564 *olen = ilen - (p - buf);
1565 if (*olen != 0) {
1566 memcpy(output, p, *olen);
1567 }
1568 ret = 0;
1569
1570 cleanup:
1571 mbedtls_platform_zeroize(buf, sizeof(buf));
1572 mbedtls_platform_zeroize(lhash, sizeof(lhash));
1573
1574 return ret;
1575 }
1576 #endif /* MBEDTLS_PKCS1_V21 */
1577
1578 #if defined(MBEDTLS_PKCS1_V15)
1579 /*
1580 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1581 */
mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1582 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
1583 int (*f_rng)(void *, unsigned char *, size_t),
1584 void *p_rng,
1585 size_t *olen,
1586 const unsigned char *input,
1587 unsigned char *output,
1588 size_t output_max_len)
1589 {
1590 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1591 size_t ilen;
1592 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1593
1594 ilen = ctx->len;
1595
1596 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1597 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1598 }
1599
1600 if (ilen < 16 || ilen > sizeof(buf)) {
1601 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1602 }
1603
1604 ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
1605
1606 if (ret != 0) {
1607 goto cleanup;
1608 }
1609
1610 ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
1611 output, output_max_len, olen);
1612
1613 cleanup:
1614 mbedtls_platform_zeroize(buf, sizeof(buf));
1615
1616 return ret;
1617 }
1618 #endif /* MBEDTLS_PKCS1_V15 */
1619
1620 /*
1621 * Do an RSA operation, then remove the message padding
1622 */
mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,size_t * olen,const unsigned char * input,unsigned char * output,size_t output_max_len)1623 int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
1624 int (*f_rng)(void *, unsigned char *, size_t),
1625 void *p_rng,
1626 size_t *olen,
1627 const unsigned char *input,
1628 unsigned char *output,
1629 size_t output_max_len)
1630 {
1631 switch (ctx->padding) {
1632 #if defined(MBEDTLS_PKCS1_V15)
1633 case MBEDTLS_RSA_PKCS_V15:
1634 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
1635 input, output, output_max_len);
1636 #endif
1637
1638 #if defined(MBEDTLS_PKCS1_V21)
1639 case MBEDTLS_RSA_PKCS_V21:
1640 return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
1641 olen, input, output,
1642 output_max_len);
1643 #endif
1644
1645 default:
1646 return MBEDTLS_ERR_RSA_INVALID_PADDING;
1647 }
1648 }
1649
1650 #if defined(MBEDTLS_PKCS1_V21)
rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)1651 static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1652 int (*f_rng)(void *, unsigned char *, size_t),
1653 void *p_rng,
1654 mbedtls_md_type_t md_alg,
1655 unsigned int hashlen,
1656 const unsigned char *hash,
1657 int saltlen,
1658 unsigned char *sig)
1659 {
1660 size_t olen;
1661 unsigned char *p = sig;
1662 unsigned char *salt = NULL;
1663 size_t slen, min_slen, hlen, offset = 0;
1664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1665 size_t msb;
1666
1667 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
1668 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1669 }
1670
1671 if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
1672 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1673 }
1674
1675 if (f_rng == NULL) {
1676 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1677 }
1678
1679 olen = ctx->len;
1680
1681 if (md_alg != MBEDTLS_MD_NONE) {
1682 /* Gather length of hash to sign */
1683 size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
1684 if (exp_hashlen == 0) {
1685 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1686 }
1687
1688 if (hashlen != exp_hashlen) {
1689 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1690 }
1691 }
1692
1693 hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
1694 if (hlen == 0) {
1695 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1696 }
1697
1698 if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
1699 /* Calculate the largest possible salt length, up to the hash size.
1700 * Normally this is the hash length, which is the maximum salt length
1701 * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
1702 * enough room, use the maximum salt length that fits. The constraint is
1703 * that the hash length plus the salt length plus 2 bytes must be at most
1704 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
1705 * (PKCS#1 v2.2) §9.1.1 step 3. */
1706 min_slen = hlen - 2;
1707 if (olen < hlen + min_slen + 2) {
1708 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1709 } else if (olen >= hlen + hlen + 2) {
1710 slen = hlen;
1711 } else {
1712 slen = olen - hlen - 2;
1713 }
1714 } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
1715 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1716 } else {
1717 slen = (size_t) saltlen;
1718 }
1719
1720 memset(sig, 0, olen);
1721
1722 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1723 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
1724 p += olen - hlen - slen - 2;
1725 *p++ = 0x01;
1726
1727 /* Generate salt of length slen in place in the encoded message */
1728 salt = p;
1729 if ((ret = f_rng(p_rng, salt, slen)) != 0) {
1730 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
1731 }
1732
1733 p += slen;
1734
1735 /* Generate H = Hash( M' ) */
1736 ret = hash_mprime(hash, hashlen, salt, slen, p, ctx->hash_id);
1737 if (ret != 0) {
1738 return ret;
1739 }
1740
1741 /* Compensate for boundary condition when applying mask */
1742 if (msb % 8 == 0) {
1743 offset = 1;
1744 }
1745
1746 /* maskedDB: Apply dbMask to DB */
1747 ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,
1748 ctx->hash_id);
1749 if (ret != 0) {
1750 return ret;
1751 }
1752
1753 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
1754 sig[0] &= 0xFF >> (olen * 8 - msb);
1755
1756 p += hlen;
1757 *p++ = 0xBC;
1758
1759 return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
1760 }
1761
1762 /*
1763 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
1764 * the option to pass in the salt length.
1765 */
mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,int saltlen,unsigned char * sig)1766 int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
1767 int (*f_rng)(void *, unsigned char *, size_t),
1768 void *p_rng,
1769 mbedtls_md_type_t md_alg,
1770 unsigned int hashlen,
1771 const unsigned char *hash,
1772 int saltlen,
1773 unsigned char *sig)
1774 {
1775 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
1776 hashlen, hash, saltlen, sig);
1777 }
1778
1779
1780 /*
1781 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1782 */
mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1783 int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
1784 int (*f_rng)(void *, unsigned char *, size_t),
1785 void *p_rng,
1786 mbedtls_md_type_t md_alg,
1787 unsigned int hashlen,
1788 const unsigned char *hash,
1789 unsigned char *sig)
1790 {
1791 return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
1792 hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
1793 }
1794 #endif /* MBEDTLS_PKCS1_V21 */
1795
1796 #if defined(MBEDTLS_PKCS1_V15)
1797 /*
1798 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1799 */
1800
1801 /* Construct a PKCS v1.5 encoding of a hashed message
1802 *
1803 * This is used both for signature generation and verification.
1804 *
1805 * Parameters:
1806 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1807 * MBEDTLS_MD_NONE if raw data is signed.
1808 * - hashlen: Length of hash. Must match md_alg if that's not NONE.
1809 * - hash: Buffer containing the hashed message or the raw data.
1810 * - dst_len: Length of the encoded message.
1811 * - dst: Buffer to hold the encoded message.
1812 *
1813 * Assumptions:
1814 * - hash has size hashlen.
1815 * - dst points to a buffer of size at least dst_len.
1816 *
1817 */
rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,size_t dst_len,unsigned char * dst)1818 static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
1819 unsigned int hashlen,
1820 const unsigned char *hash,
1821 size_t dst_len,
1822 unsigned char *dst)
1823 {
1824 size_t oid_size = 0;
1825 size_t nb_pad = dst_len;
1826 unsigned char *p = dst;
1827 const char *oid = NULL;
1828
1829 /* Are we signing hashed or raw data? */
1830 if (md_alg != MBEDTLS_MD_NONE) {
1831 unsigned char md_size = mbedtls_hash_info_get_size(md_alg);
1832 if (md_size == 0) {
1833 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1834 }
1835
1836 if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
1837 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1838 }
1839
1840 if (hashlen != md_size) {
1841 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1842 }
1843
1844 /* Double-check that 8 + hashlen + oid_size can be used as a
1845 * 1-byte ASN.1 length encoding and that there's no overflow. */
1846 if (8 + hashlen + oid_size >= 0x80 ||
1847 10 + hashlen < hashlen ||
1848 10 + hashlen + oid_size < 10 + hashlen) {
1849 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1850 }
1851
1852 /*
1853 * Static bounds check:
1854 * - Need 10 bytes for five tag-length pairs.
1855 * (Insist on 1-byte length encodings to protect against variants of
1856 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
1857 * - Need hashlen bytes for hash
1858 * - Need oid_size bytes for hash alg OID.
1859 */
1860 if (nb_pad < 10 + hashlen + oid_size) {
1861 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1862 }
1863 nb_pad -= 10 + hashlen + oid_size;
1864 } else {
1865 if (nb_pad < hashlen) {
1866 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1867 }
1868
1869 nb_pad -= hashlen;
1870 }
1871
1872 /* Need space for signature header and padding delimiter (3 bytes),
1873 * and 8 bytes for the minimal padding */
1874 if (nb_pad < 3 + 8) {
1875 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1876 }
1877 nb_pad -= 3;
1878
1879 /* Now nb_pad is the amount of memory to be filled
1880 * with padding, and at least 8 bytes long. */
1881
1882 /* Write signature header and padding */
1883 *p++ = 0;
1884 *p++ = MBEDTLS_RSA_SIGN;
1885 memset(p, 0xFF, nb_pad);
1886 p += nb_pad;
1887 *p++ = 0;
1888
1889 /* Are we signing raw data? */
1890 if (md_alg == MBEDTLS_MD_NONE) {
1891 memcpy(p, hash, hashlen);
1892 return 0;
1893 }
1894
1895 /* Signing hashed data, add corresponding ASN.1 structure
1896 *
1897 * DigestInfo ::= SEQUENCE {
1898 * digestAlgorithm DigestAlgorithmIdentifier,
1899 * digest Digest }
1900 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1901 * Digest ::= OCTET STRING
1902 *
1903 * Schematic:
1904 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
1905 * TAG-NULL + LEN [ NULL ] ]
1906 * TAG-OCTET + LEN [ HASH ] ]
1907 */
1908 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1909 *p++ = (unsigned char) (0x08 + oid_size + hashlen);
1910 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
1911 *p++ = (unsigned char) (0x04 + oid_size);
1912 *p++ = MBEDTLS_ASN1_OID;
1913 *p++ = (unsigned char) oid_size;
1914 memcpy(p, oid, oid_size);
1915 p += oid_size;
1916 *p++ = MBEDTLS_ASN1_NULL;
1917 *p++ = 0x00;
1918 *p++ = MBEDTLS_ASN1_OCTET_STRING;
1919 *p++ = (unsigned char) hashlen;
1920 memcpy(p, hash, hashlen);
1921 p += hashlen;
1922
1923 /* Just a sanity-check, should be automatic
1924 * after the initial bounds check. */
1925 if (p != dst + dst_len) {
1926 mbedtls_platform_zeroize(dst, dst_len);
1927 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1928 }
1929
1930 return 0;
1931 }
1932
1933 /*
1934 * Do an RSA operation to sign the message digest
1935 */
mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)1936 int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
1937 int (*f_rng)(void *, unsigned char *, size_t),
1938 void *p_rng,
1939 mbedtls_md_type_t md_alg,
1940 unsigned int hashlen,
1941 const unsigned char *hash,
1942 unsigned char *sig)
1943 {
1944 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1945 unsigned char *sig_try = NULL, *verif = NULL;
1946
1947 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
1948 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1949 }
1950
1951 if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
1952 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1953 }
1954
1955 /*
1956 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
1957 */
1958
1959 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
1960 ctx->len, sig)) != 0) {
1961 return ret;
1962 }
1963
1964 /* Private key operation
1965 *
1966 * In order to prevent Lenstra's attack, make the signature in a
1967 * temporary buffer and check it before returning it.
1968 */
1969
1970 sig_try = mbedtls_calloc(1, ctx->len);
1971 if (sig_try == NULL) {
1972 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
1973 }
1974
1975 verif = mbedtls_calloc(1, ctx->len);
1976 if (verif == NULL) {
1977 mbedtls_free(sig_try);
1978 return MBEDTLS_ERR_MPI_ALLOC_FAILED;
1979 }
1980
1981 MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
1982 MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
1983
1984 if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
1985 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
1986 goto cleanup;
1987 }
1988
1989 memcpy(sig, sig_try, ctx->len);
1990
1991 cleanup:
1992 mbedtls_platform_zeroize(sig_try, ctx->len);
1993 mbedtls_platform_zeroize(verif, ctx->len);
1994 mbedtls_free(sig_try);
1995 mbedtls_free(verif);
1996
1997 if (ret != 0) {
1998 memset(sig, '!', ctx->len);
1999 }
2000 return ret;
2001 }
2002 #endif /* MBEDTLS_PKCS1_V15 */
2003
2004 /*
2005 * Do an RSA operation to sign the message digest
2006 */
mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context * ctx,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,unsigned char * sig)2007 int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
2008 int (*f_rng)(void *, unsigned char *, size_t),
2009 void *p_rng,
2010 mbedtls_md_type_t md_alg,
2011 unsigned int hashlen,
2012 const unsigned char *hash,
2013 unsigned char *sig)
2014 {
2015 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
2016 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2017 }
2018
2019 switch (ctx->padding) {
2020 #if defined(MBEDTLS_PKCS1_V15)
2021 case MBEDTLS_RSA_PKCS_V15:
2022 return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
2023 md_alg, hashlen, hash, sig);
2024 #endif
2025
2026 #if defined(MBEDTLS_PKCS1_V21)
2027 case MBEDTLS_RSA_PKCS_V21:
2028 return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
2029 hashlen, hash, sig);
2030 #endif
2031
2032 default:
2033 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2034 }
2035 }
2036
2037 #if defined(MBEDTLS_PKCS1_V21)
2038 /*
2039 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2040 */
mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,mbedtls_md_type_t mgf1_hash_id,int expected_salt_len,const unsigned char * sig)2041 int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
2042 mbedtls_md_type_t md_alg,
2043 unsigned int hashlen,
2044 const unsigned char *hash,
2045 mbedtls_md_type_t mgf1_hash_id,
2046 int expected_salt_len,
2047 const unsigned char *sig)
2048 {
2049 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2050 size_t siglen;
2051 unsigned char *p;
2052 unsigned char *hash_start;
2053 unsigned char result[MBEDTLS_HASH_MAX_SIZE];
2054 unsigned int hlen;
2055 size_t observed_salt_len, msb;
2056 unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
2057
2058 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
2059 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2060 }
2061
2062 siglen = ctx->len;
2063
2064 if (siglen < 16 || siglen > sizeof(buf)) {
2065 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2066 }
2067
2068 ret = mbedtls_rsa_public(ctx, sig, buf);
2069
2070 if (ret != 0) {
2071 return ret;
2072 }
2073
2074 p = buf;
2075
2076 if (buf[siglen - 1] != 0xBC) {
2077 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2078 }
2079
2080 if (md_alg != MBEDTLS_MD_NONE) {
2081 /* Gather length of hash to sign */
2082 size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
2083 if (exp_hashlen == 0) {
2084 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2085 }
2086
2087 if (hashlen != exp_hashlen) {
2088 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2089 }
2090 }
2091
2092 hlen = mbedtls_hash_info_get_size(mgf1_hash_id);
2093 if (hlen == 0) {
2094 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2095 }
2096
2097 /*
2098 * Note: EMSA-PSS verification is over the length of N - 1 bits
2099 */
2100 msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
2101
2102 if (buf[0] >> (8 - siglen * 8 + msb)) {
2103 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2104 }
2105
2106 /* Compensate for boundary condition when applying mask */
2107 if (msb % 8 == 0) {
2108 p++;
2109 siglen -= 1;
2110 }
2111
2112 if (siglen < hlen + 2) {
2113 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2114 }
2115 hash_start = p + siglen - hlen - 1;
2116
2117 ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
2118 if (ret != 0) {
2119 return ret;
2120 }
2121
2122 buf[0] &= 0xFF >> (siglen * 8 - msb);
2123
2124 while (p < hash_start - 1 && *p == 0) {
2125 p++;
2126 }
2127
2128 if (*p++ != 0x01) {
2129 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2130 }
2131
2132 observed_salt_len = hash_start - p;
2133
2134 if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
2135 observed_salt_len != (size_t) expected_salt_len) {
2136 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2137 }
2138
2139 /*
2140 * Generate H = Hash( M' )
2141 */
2142 ret = hash_mprime(hash, hashlen, p, observed_salt_len,
2143 result, mgf1_hash_id);
2144 if (ret != 0) {
2145 return ret;
2146 }
2147
2148 if (memcmp(hash_start, result, hlen) != 0) {
2149 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
2150 }
2151
2152 return 0;
2153 }
2154
2155 /*
2156 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2157 */
mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2158 int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
2159 mbedtls_md_type_t md_alg,
2160 unsigned int hashlen,
2161 const unsigned char *hash,
2162 const unsigned char *sig)
2163 {
2164 mbedtls_md_type_t mgf1_hash_id;
2165 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
2166 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2167 }
2168
2169 mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
2170 ? (mbedtls_md_type_t) ctx->hash_id
2171 : md_alg;
2172
2173 return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
2174 md_alg, hashlen, hash,
2175 mgf1_hash_id,
2176 MBEDTLS_RSA_SALT_LEN_ANY,
2177 sig);
2178
2179 }
2180 #endif /* MBEDTLS_PKCS1_V21 */
2181
2182 #if defined(MBEDTLS_PKCS1_V15)
2183 /*
2184 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2185 */
mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2186 int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
2187 mbedtls_md_type_t md_alg,
2188 unsigned int hashlen,
2189 const unsigned char *hash,
2190 const unsigned char *sig)
2191 {
2192 int ret = 0;
2193 size_t sig_len;
2194 unsigned char *encoded = NULL, *encoded_expected = NULL;
2195
2196 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
2197 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2198 }
2199
2200 sig_len = ctx->len;
2201
2202 /*
2203 * Prepare expected PKCS1 v1.5 encoding of hash.
2204 */
2205
2206 if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
2207 (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
2208 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2209 goto cleanup;
2210 }
2211
2212 if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
2213 encoded_expected)) != 0) {
2214 goto cleanup;
2215 }
2216
2217 /*
2218 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2219 */
2220
2221 ret = mbedtls_rsa_public(ctx, sig, encoded);
2222 if (ret != 0) {
2223 goto cleanup;
2224 }
2225
2226 /*
2227 * Compare
2228 */
2229
2230 if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
2231 sig_len)) != 0) {
2232 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2233 goto cleanup;
2234 }
2235
2236 cleanup:
2237
2238 if (encoded != NULL) {
2239 mbedtls_platform_zeroize(encoded, sig_len);
2240 mbedtls_free(encoded);
2241 }
2242
2243 if (encoded_expected != NULL) {
2244 mbedtls_platform_zeroize(encoded_expected, sig_len);
2245 mbedtls_free(encoded_expected);
2246 }
2247
2248 return ret;
2249 }
2250 #endif /* MBEDTLS_PKCS1_V15 */
2251
2252 /*
2253 * Do an RSA operation and check the message digest
2254 */
mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context * ctx,mbedtls_md_type_t md_alg,unsigned int hashlen,const unsigned char * hash,const unsigned char * sig)2255 int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
2256 mbedtls_md_type_t md_alg,
2257 unsigned int hashlen,
2258 const unsigned char *hash,
2259 const unsigned char *sig)
2260 {
2261 if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
2262 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2263 }
2264
2265 switch (ctx->padding) {
2266 #if defined(MBEDTLS_PKCS1_V15)
2267 case MBEDTLS_RSA_PKCS_V15:
2268 return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
2269 hashlen, hash, sig);
2270 #endif
2271
2272 #if defined(MBEDTLS_PKCS1_V21)
2273 case MBEDTLS_RSA_PKCS_V21:
2274 return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
2275 hashlen, hash, sig);
2276 #endif
2277
2278 default:
2279 return MBEDTLS_ERR_RSA_INVALID_PADDING;
2280 }
2281 }
2282
2283 /*
2284 * Copy the components of an RSA key
2285 */
mbedtls_rsa_copy(mbedtls_rsa_context * dst,const mbedtls_rsa_context * src)2286 int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
2287 {
2288 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2289
2290 dst->len = src->len;
2291
2292 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
2293 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
2294
2295 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
2296 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
2297 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
2298
2299 #if !defined(MBEDTLS_RSA_NO_CRT)
2300 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
2301 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
2302 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
2303 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
2304 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
2305 #endif
2306
2307 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
2308
2309 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
2310 MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
2311
2312 dst->padding = src->padding;
2313 dst->hash_id = src->hash_id;
2314
2315 cleanup:
2316 if (ret != 0) {
2317 mbedtls_rsa_free(dst);
2318 }
2319
2320 return ret;
2321 }
2322
2323 /*
2324 * Free the components of an RSA key
2325 */
mbedtls_rsa_free(mbedtls_rsa_context * ctx)2326 void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
2327 {
2328 if (ctx == NULL) {
2329 return;
2330 }
2331
2332 mbedtls_mpi_free(&ctx->Vi);
2333 mbedtls_mpi_free(&ctx->Vf);
2334 mbedtls_mpi_free(&ctx->RN);
2335 mbedtls_mpi_free(&ctx->D);
2336 mbedtls_mpi_free(&ctx->Q);
2337 mbedtls_mpi_free(&ctx->P);
2338 mbedtls_mpi_free(&ctx->E);
2339 mbedtls_mpi_free(&ctx->N);
2340
2341 #if !defined(MBEDTLS_RSA_NO_CRT)
2342 mbedtls_mpi_free(&ctx->RQ);
2343 mbedtls_mpi_free(&ctx->RP);
2344 mbedtls_mpi_free(&ctx->QP);
2345 mbedtls_mpi_free(&ctx->DQ);
2346 mbedtls_mpi_free(&ctx->DP);
2347 #endif /* MBEDTLS_RSA_NO_CRT */
2348
2349 #if defined(MBEDTLS_THREADING_C)
2350 /* Free the mutex, but only if it hasn't been freed already. */
2351 if (ctx->ver != 0) {
2352 mbedtls_mutex_free(&ctx->mutex);
2353 ctx->ver = 0;
2354 }
2355 #endif
2356 }
2357
2358 #endif /* !MBEDTLS_RSA_ALT */
2359
2360 #if defined(MBEDTLS_SELF_TEST)
2361
2362 #include "mbedtls/md.h"
2363
2364 /*
2365 * Example RSA-1024 keypair, for test purposes
2366 */
2367 #define KEY_LEN 128
2368
2369 #define RSA_N "9292758453063D803DD603D5E777D788" \
2370 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2371 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2372 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2373 "93A89813FBF3C4F8066D2D800F7C38A8" \
2374 "1AE31942917403FF4946B0A83D3D3E05" \
2375 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2376 "5E94BB77B07507233A0BC7BAC8F90F79"
2377
2378 #define RSA_E "10001"
2379
2380 #define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2381 "66CA472BC44D253102F8B4A9D3BFA750" \
2382 "91386C0077937FE33FA3252D28855837" \
2383 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2384 "DF79C5CE07EE72C7F123142198164234" \
2385 "CABB724CF78B8173B9F880FC86322407" \
2386 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2387 "071513A1E85B5DFA031F21ECAE91A34D"
2388
2389 #define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2390 "2C01CAD19EA484A87EA4377637E75500" \
2391 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2392 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2393
2394 #define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2395 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2396 "910E4168387E3C30AA1E00C339A79508" \
2397 "8452DD96A9A5EA5D9DCA68DA636032AF"
2398
2399 #define PT_LEN 24
2400 #define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2401 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2402
2403 #if defined(MBEDTLS_PKCS1_V15)
myrand(void * rng_state,unsigned char * output,size_t len)2404 static int myrand(void *rng_state, unsigned char *output, size_t len)
2405 {
2406 #if !defined(__OpenBSD__) && !defined(__NetBSD__)
2407 size_t i;
2408
2409 if (rng_state != NULL) {
2410 rng_state = NULL;
2411 }
2412
2413 for (i = 0; i < len; ++i) {
2414 output[i] = rand();
2415 }
2416 #else
2417 if (rng_state != NULL) {
2418 rng_state = NULL;
2419 }
2420
2421 arc4random_buf(output, len);
2422 #endif /* !OpenBSD && !NetBSD */
2423
2424 return 0;
2425 }
2426 #endif /* MBEDTLS_PKCS1_V15 */
2427
2428 /*
2429 * Checkup routine
2430 */
mbedtls_rsa_self_test(int verbose)2431 int mbedtls_rsa_self_test(int verbose)
2432 {
2433 int ret = 0;
2434 #if defined(MBEDTLS_PKCS1_V15)
2435 size_t len;
2436 mbedtls_rsa_context rsa;
2437 unsigned char rsa_plaintext[PT_LEN];
2438 unsigned char rsa_decrypted[PT_LEN];
2439 unsigned char rsa_ciphertext[KEY_LEN];
2440 #if defined(MBEDTLS_SHA1_C)
2441 unsigned char sha1sum[20];
2442 #endif
2443
2444 mbedtls_mpi K;
2445
2446 mbedtls_mpi_init(&K);
2447 mbedtls_rsa_init(&rsa);
2448
2449 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
2450 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
2451 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
2452 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
2453 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
2454 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
2455 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
2456 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
2457 MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
2458 MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
2459
2460 MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
2461
2462 if (verbose != 0) {
2463 mbedtls_printf(" RSA key validation: ");
2464 }
2465
2466 if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
2467 mbedtls_rsa_check_privkey(&rsa) != 0) {
2468 if (verbose != 0) {
2469 mbedtls_printf("failed\n");
2470 }
2471
2472 ret = 1;
2473 goto cleanup;
2474 }
2475
2476 if (verbose != 0) {
2477 mbedtls_printf("passed\n PKCS#1 encryption : ");
2478 }
2479
2480 memcpy(rsa_plaintext, RSA_PT, PT_LEN);
2481
2482 if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
2483 PT_LEN, rsa_plaintext,
2484 rsa_ciphertext) != 0) {
2485 if (verbose != 0) {
2486 mbedtls_printf("failed\n");
2487 }
2488
2489 ret = 1;
2490 goto cleanup;
2491 }
2492
2493 if (verbose != 0) {
2494 mbedtls_printf("passed\n PKCS#1 decryption : ");
2495 }
2496
2497 if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
2498 &len, rsa_ciphertext, rsa_decrypted,
2499 sizeof(rsa_decrypted)) != 0) {
2500 if (verbose != 0) {
2501 mbedtls_printf("failed\n");
2502 }
2503
2504 ret = 1;
2505 goto cleanup;
2506 }
2507
2508 if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
2509 if (verbose != 0) {
2510 mbedtls_printf("failed\n");
2511 }
2512
2513 ret = 1;
2514 goto cleanup;
2515 }
2516
2517 if (verbose != 0) {
2518 mbedtls_printf("passed\n");
2519 }
2520
2521 #if defined(MBEDTLS_SHA1_C)
2522 if (verbose != 0) {
2523 mbedtls_printf(" PKCS#1 data sign : ");
2524 }
2525
2526 if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
2527 rsa_plaintext, PT_LEN, sha1sum) != 0) {
2528 if (verbose != 0) {
2529 mbedtls_printf("failed\n");
2530 }
2531
2532 return 1;
2533 }
2534
2535 if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
2536 MBEDTLS_MD_SHA1, 20,
2537 sha1sum, rsa_ciphertext) != 0) {
2538 if (verbose != 0) {
2539 mbedtls_printf("failed\n");
2540 }
2541
2542 ret = 1;
2543 goto cleanup;
2544 }
2545
2546 if (verbose != 0) {
2547 mbedtls_printf("passed\n PKCS#1 sig. verify: ");
2548 }
2549
2550 if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
2551 sha1sum, rsa_ciphertext) != 0) {
2552 if (verbose != 0) {
2553 mbedtls_printf("failed\n");
2554 }
2555
2556 ret = 1;
2557 goto cleanup;
2558 }
2559
2560 if (verbose != 0) {
2561 mbedtls_printf("passed\n");
2562 }
2563 #endif /* MBEDTLS_SHA1_C */
2564
2565 if (verbose != 0) {
2566 mbedtls_printf("\n");
2567 }
2568
2569 cleanup:
2570 mbedtls_mpi_free(&K);
2571 mbedtls_rsa_free(&rsa);
2572 #else /* MBEDTLS_PKCS1_V15 */
2573 ((void) verbose);
2574 #endif /* MBEDTLS_PKCS1_V15 */
2575 return ret;
2576 }
2577
2578 #endif /* MBEDTLS_SELF_TEST */
2579
2580 #endif /* MBEDTLS_RSA_C */
2581
