ReactOS 0.4.15-dev-7942-gd23573b
rsa.c
Go to the documentation of this file.
1/*
2 * The RSA public-key cryptosystem
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47/*
48 * The following sources were referenced in the design of this implementation
49 * of the RSA algorithm:
50 *
51 * [1] A method for obtaining digital signatures and public-key cryptosystems
52 * R Rivest, A Shamir, and L Adleman
53 * http://people.csail.mit.edu/rivest/pubs.html#RSA78
54 *
55 * [2] Handbook of Applied Cryptography - 1997, Chapter 8
56 * Menezes, van Oorschot and Vanstone
57 *
58 * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
59 * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
60 * Stefan Mangard
61 * https://arxiv.org/abs/1702.08719v2
62 *
63 */
64
65#if !defined(MBEDTLS_CONFIG_FILE)
66#include "mbedtls/config.h"
67#else
68#include MBEDTLS_CONFIG_FILE
69#endif
70
71#if defined(MBEDTLS_RSA_C)
72
73#include "mbedtls/rsa.h"
74#include "mbedtls/rsa_internal.h"
75#include "mbedtls/oid.h"
76#include "mbedtls/platform_util.h"
77
78#include <string.h>
79
80#if defined(MBEDTLS_PKCS1_V21)
81#include "mbedtls/md.h"
82#endif
83
84#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
85#include <stdlib.h>
86#endif
87
88#if defined(MBEDTLS_PLATFORM_C)
89#include "mbedtls/platform.h"
90#else
91#include <stdio.h>
92#define mbedtls_printf printf
93#define mbedtls_calloc calloc
94#define mbedtls_free free
95#endif
96
97#if !defined(MBEDTLS_RSA_ALT)
98
99/* Parameter validation macros */
100#define RSA_VALIDATE_RET( cond ) \
101 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
102#define RSA_VALIDATE( cond ) \
103 MBEDTLS_INTERNAL_VALIDATE( cond )
104
105#if defined(MBEDTLS_PKCS1_V15)
106/* constant-time buffer comparison */
107static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
108{
109 size_t i;
110 const unsigned char *A = (const unsigned char *) a;
111 const unsigned char *B = (const unsigned char *) b;
112 unsigned char diff = 0;
113
114 for( i = 0; i < n; i++ )
115 diff |= A[i] ^ B[i];
116
117 return( diff );
118}
119#endif /* MBEDTLS_PKCS1_V15 */
120
121int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
122 const mbedtls_mpi *N,
123 const mbedtls_mpi *P, const mbedtls_mpi *Q,
124 const mbedtls_mpi *D, const mbedtls_mpi *E )
125{
126 int ret;
127 RSA_VALIDATE_RET( ctx != NULL );
128
129 if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
130 ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
131 ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
132 ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
133 ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
134 {
135 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
136 }
137
138 if( N != NULL )
139 ctx->len = mbedtls_mpi_size( &ctx->N );
140
141 return( 0 );
142}
143
144int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
145 unsigned char const *N, size_t N_len,
146 unsigned char const *P, size_t P_len,
147 unsigned char const *Q, size_t Q_len,
148 unsigned char const *D, size_t D_len,
149 unsigned char const *E, size_t E_len )
150{
151 int ret = 0;
152 RSA_VALIDATE_RET( ctx != NULL );
153
154 if( N != NULL )
155 {
156 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
157 ctx->len = mbedtls_mpi_size( &ctx->N );
158 }
159
160 if( P != NULL )
161 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
162
163 if( Q != NULL )
164 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
165
166 if( D != NULL )
167 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
168
169 if( E != NULL )
170 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
171
172cleanup:
173
174 if( ret != 0 )
175 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
176
177 return( 0 );
178}
179
180/*
181 * Checks whether the context fields are set in such a way
182 * that the RSA primitives will be able to execute without error.
183 * It does *not* make guarantees for consistency of the parameters.
184 */
185static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
186 int blinding_needed )
187{
188#if !defined(MBEDTLS_RSA_NO_CRT)
189 /* blinding_needed is only used for NO_CRT to decide whether
190 * P,Q need to be present or not. */
191 ((void) blinding_needed);
192#endif
193
194 if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
195 ctx->len > MBEDTLS_MPI_MAX_SIZE )
196 {
197 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
198 }
199
200 /*
201 * 1. Modular exponentiation needs positive, odd moduli.
202 */
203
204 /* Modular exponentiation wrt. N is always used for
205 * RSA public key operations. */
206 if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
207 mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0 )
208 {
209 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
210 }
211
212#if !defined(MBEDTLS_RSA_NO_CRT)
213 /* Modular exponentiation for P and Q is only
214 * used for private key operations and if CRT
215 * is used. */
216 if( is_priv &&
217 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
218 mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
219 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
220 mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0 ) )
221 {
222 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
223 }
224#endif /* !MBEDTLS_RSA_NO_CRT */
225
226 /*
227 * 2. Exponents must be positive
228 */
229
230 /* Always need E for public key operations */
231 if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
232 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
233
234#if defined(MBEDTLS_RSA_NO_CRT)
235 /* For private key operations, use D or DP & DQ
236 * as (unblinded) exponents. */
237 if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
238 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
239#else
240 if( is_priv &&
241 ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
242 mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0 ) )
243 {
244 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
245 }
246#endif /* MBEDTLS_RSA_NO_CRT */
247
248 /* Blinding shouldn't make exponents negative either,
249 * so check that P, Q >= 1 if that hasn't yet been
250 * done as part of 1. */
251#if defined(MBEDTLS_RSA_NO_CRT)
252 if( is_priv && blinding_needed &&
253 ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
254 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
255 {
256 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
257 }
258#endif
259
260 /* It wouldn't lead to an error if it wasn't satisfied,
261 * but check for QP >= 1 nonetheless. */
262#if !defined(MBEDTLS_RSA_NO_CRT)
263 if( is_priv &&
264 mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
265 {
266 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
267 }
268#endif
269
270 return( 0 );
271}
272
273int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
274{
275 int ret = 0;
276 int have_N, have_P, have_Q, have_D, have_E;
277#if !defined(MBEDTLS_RSA_NO_CRT)
278 int have_DP, have_DQ, have_QP;
279#endif
280 int n_missing, pq_missing, d_missing, is_pub, is_priv;
281
282 RSA_VALIDATE_RET( ctx != NULL );
283
284 have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
285 have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
286 have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
287 have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
288 have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
289
290#if !defined(MBEDTLS_RSA_NO_CRT)
291 have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
292 have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
293 have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
294#endif
295
296 /*
297 * Check whether provided parameters are enough
298 * to deduce all others. The following incomplete
299 * parameter sets for private keys are supported:
300 *
301 * (1) P, Q missing.
302 * (2) D and potentially N missing.
303 *
304 */
305
306 n_missing = have_P && have_Q && have_D && have_E;
307 pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
308 d_missing = have_P && have_Q && !have_D && have_E;
309 is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
310
311 /* These three alternatives are mutually exclusive */
312 is_priv = n_missing || pq_missing || d_missing;
313
314 if( !is_priv && !is_pub )
315 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
316
317 /*
318 * Step 1: Deduce N if P, Q are provided.
319 */
320
321 if( !have_N && have_P && have_Q )
322 {
323 if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
324 &ctx->Q ) ) != 0 )
325 {
326 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
327 }
328
329 ctx->len = mbedtls_mpi_size( &ctx->N );
330 }
331
332 /*
333 * Step 2: Deduce and verify all remaining core parameters.
334 */
335
336 if( pq_missing )
337 {
338 ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
339 &ctx->P, &ctx->Q );
340 if( ret != 0 )
341 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
342
343 }
344 else if( d_missing )
345 {
346 if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
347 &ctx->Q,
348 &ctx->E,
349 &ctx->D ) ) != 0 )
350 {
351 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
352 }
353 }
354
355 /*
356 * Step 3: Deduce all additional parameters specific
357 * to our current RSA implementation.
358 */
359
360#if !defined(MBEDTLS_RSA_NO_CRT)
361 if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
362 {
363 ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
364 &ctx->DP, &ctx->DQ, &ctx->QP );
365 if( ret != 0 )
366 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
367 }
368#endif /* MBEDTLS_RSA_NO_CRT */
369
370 /*
371 * Step 3: Basic sanity checks
372 */
373
374 return( rsa_check_context( ctx, is_priv, 1 ) );
375}
376
377int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
378 unsigned char *N, size_t N_len,
379 unsigned char *P, size_t P_len,
380 unsigned char *Q, size_t Q_len,
381 unsigned char *D, size_t D_len,
382 unsigned char *E, size_t E_len )
383{
384 int ret = 0;
385 int is_priv;
386 RSA_VALIDATE_RET( ctx != NULL );
387
388 /* Check if key is private or public */
389 is_priv =
390 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
391 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
392 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
393 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
394 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
395
396 if( !is_priv )
397 {
398 /* If we're trying to export private parameters for a public key,
399 * something must be wrong. */
400 if( P != NULL || Q != NULL || D != NULL )
401 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
402
403 }
404
405 if( N != NULL )
406 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
407
408 if( P != NULL )
409 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
410
411 if( Q != NULL )
412 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
413
414 if( D != NULL )
415 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
416
417 if( E != NULL )
418 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
419
420cleanup:
421
422 return( ret );
423}
424
425int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
426 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
427 mbedtls_mpi *D, mbedtls_mpi *E )
428{
429 int ret;
430 int is_priv;
431 RSA_VALIDATE_RET( ctx != NULL );
432
433 /* Check if key is private or public */
434 is_priv =
435 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
436 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
437 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
438 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
439 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
440
441 if( !is_priv )
442 {
443 /* If we're trying to export private parameters for a public key,
444 * something must be wrong. */
445 if( P != NULL || Q != NULL || D != NULL )
446 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
447
448 }
449
450 /* Export all requested core parameters. */
451
452 if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
453 ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
454 ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
455 ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
456 ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
457 {
458 return( ret );
459 }
460
461 return( 0 );
462}
463
464/*
465 * Export CRT parameters
466 * This must also be implemented if CRT is not used, for being able to
467 * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
468 * can be used in this case.
469 */
470int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
471 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
472{
473 int ret;
474 int is_priv;
475 RSA_VALIDATE_RET( ctx != NULL );
476
477 /* Check if key is private or public */
478 is_priv =
479 mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
480 mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
481 mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
482 mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
483 mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
484
485 if( !is_priv )
486 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
487
488#if !defined(MBEDTLS_RSA_NO_CRT)
489 /* Export all requested blinding parameters. */
490 if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
491 ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
492 ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
493 {
494 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
495 }
496#else
497 if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
498 DP, DQ, QP ) ) != 0 )
499 {
500 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
501 }
502#endif
503
504 return( 0 );
505}
506
507/*
508 * Initialize an RSA context
509 */
510void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
511 int padding,
512 int hash_id )
513{
514 RSA_VALIDATE( ctx != NULL );
515 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
516 padding == MBEDTLS_RSA_PKCS_V21 );
517
518 memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
519
520 mbedtls_rsa_set_padding( ctx, padding, hash_id );
521
522#if defined(MBEDTLS_THREADING_C)
523 /* Set ctx->ver to nonzero to indicate that the mutex has been
524 * initialized and will need to be freed. */
525 ctx->ver = 1;
526 mbedtls_mutex_init( &ctx->mutex );
527#endif
528}
529
530/*
531 * Set padding for an existing RSA context
532 */
533void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
534 int hash_id )
535{
536 RSA_VALIDATE( ctx != NULL );
537 RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
538 padding == MBEDTLS_RSA_PKCS_V21 );
539
540 ctx->padding = padding;
541 ctx->hash_id = hash_id;
542}
543
544/*
545 * Get length in bytes of RSA modulus
546 */
547
548size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
549{
550 return( ctx->len );
551}
552
553
554#if defined(MBEDTLS_GENPRIME)
555
556/*
557 * Generate an RSA keypair
558 *
559 * This generation method follows the RSA key pair generation procedure of
560 * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
561 */
562int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
563 int (*f_rng)(void *, unsigned char *, size_t),
564 void *p_rng,
565 unsigned int nbits, int exponent )
566{
567 int ret;
568 mbedtls_mpi H, G, L;
569 int prime_quality = 0;
570 RSA_VALIDATE_RET( ctx != NULL );
571 RSA_VALIDATE_RET( f_rng != NULL );
572
573 /*
574 * If the modulus is 1024 bit long or shorter, then the security strength of
575 * the RSA algorithm is less than or equal to 80 bits and therefore an error
576 * rate of 2^-80 is sufficient.
577 */
578 if( nbits > 1024 )
579 prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
580
581 mbedtls_mpi_init( &H );
582 mbedtls_mpi_init( &G );
583 mbedtls_mpi_init( &L );
584
585 if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
586 {
587 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
588 goto cleanup;
589 }
590
591 /*
592 * find primes P and Q with Q < P so that:
593 * 1. |P-Q| > 2^( nbits / 2 - 100 )
594 * 2. GCD( E, (P-1)*(Q-1) ) == 1
595 * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
596 */
597 MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
598
599 do
600 {
601 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
602 prime_quality, f_rng, p_rng ) );
603
604 MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
605 prime_quality, f_rng, p_rng ) );
606
607 /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
608 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
609 if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
610 continue;
611
612 /* not required by any standards, but some users rely on the fact that P > Q */
613 if( H.s < 0 )
614 mbedtls_mpi_swap( &ctx->P, &ctx->Q );
615
616 /* Temporarily replace P,Q by P-1, Q-1 */
617 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
618 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
619 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
620
621 /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
622 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
623 if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
624 continue;
625
626 /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
627 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
628 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
629 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
630
631 if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
632 continue;
633
634 break;
635 }
636 while( 1 );
637
638 /* Restore P,Q */
639 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P, &ctx->P, 1 ) );
640 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q, &ctx->Q, 1 ) );
641
642 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
643
644 ctx->len = mbedtls_mpi_size( &ctx->N );
645
646#if !defined(MBEDTLS_RSA_NO_CRT)
647 /*
648 * DP = D mod (P - 1)
649 * DQ = D mod (Q - 1)
650 * QP = Q^-1 mod P
651 */
652 MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
653 &ctx->DP, &ctx->DQ, &ctx->QP ) );
654#endif /* MBEDTLS_RSA_NO_CRT */
655
656 /* Double-check */
657 MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
658
659cleanup:
660
661 mbedtls_mpi_free( &H );
662 mbedtls_mpi_free( &G );
663 mbedtls_mpi_free( &L );
664
665 if( ret != 0 )
666 {
667 mbedtls_rsa_free( ctx );
668 if( ( -ret & ~0x7f ) == 0 )
669 ret = MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret;
670 return( ret );
671 }
672
673 return( 0 );
674}
675
676#endif /* MBEDTLS_GENPRIME */
677
678/*
679 * Check a public RSA key
680 */
681int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
682{
683 RSA_VALIDATE_RET( ctx != NULL );
684
685 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
686 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
687
688 if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
689 {
690 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
691 }
692
693 if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
694 mbedtls_mpi_bitlen( &ctx->E ) < 2 ||
695 mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
696 {
697 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
698 }
699
700 return( 0 );
701}
702
703/*
704 * Check for the consistency of all fields in an RSA private key context
705 */
706int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
707{
708 RSA_VALIDATE_RET( ctx != NULL );
709
710 if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
711 rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
712 {
713 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
714 }
715
716 if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
717 &ctx->D, &ctx->E, NULL, NULL ) != 0 )
718 {
719 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
720 }
721
722#if !defined(MBEDTLS_RSA_NO_CRT)
723 else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
724 &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
725 {
726 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
727 }
728#endif
729
730 return( 0 );
731}
732
733/*
734 * Check if contexts holding a public and private key match
735 */
736int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
737 const mbedtls_rsa_context *prv )
738{
739 RSA_VALIDATE_RET( pub != NULL );
740 RSA_VALIDATE_RET( prv != NULL );
741
742 if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
743 mbedtls_rsa_check_privkey( prv ) != 0 )
744 {
745 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
746 }
747
748 if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
749 mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
750 {
751 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
752 }
753
754 return( 0 );
755}
756
757/*
758 * Do an RSA public key operation
759 */
760int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
761 const unsigned char *input,
762 unsigned char *output )
763{
764 int ret;
765 size_t olen;
766 mbedtls_mpi T;
767 RSA_VALIDATE_RET( ctx != NULL );
768 RSA_VALIDATE_RET( input != NULL );
769 RSA_VALIDATE_RET( output != NULL );
770
771 if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
772 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
773
774 mbedtls_mpi_init( &T );
775
776#if defined(MBEDTLS_THREADING_C)
777 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
778 return( ret );
779#endif
780
781 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
782
783 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
784 {
785 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
786 goto cleanup;
787 }
788
789 olen = ctx->len;
790 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
791 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
792
793cleanup:
794#if defined(MBEDTLS_THREADING_C)
795 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
796 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
797#endif
798
799 mbedtls_mpi_free( &T );
800
801 if( ret != 0 )
802 return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
803
804 return( 0 );
805}
806
807/*
808 * Generate or update blinding values, see section 10 of:
809 * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
810 * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
811 * Berlin Heidelberg, 1996. p. 104-113.
812 */
813static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
814 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
815{
816 int ret, count = 0;
817 mbedtls_mpi R;
818
819 mbedtls_mpi_init( &R );
820
821 if( ctx->Vf.p != NULL )
822 {
823 /* We already have blinding values, just update them by squaring */
824 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
825 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
826 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
827 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
828
829 goto cleanup;
830 }
831
832 /* Unblinding value: Vf = random number, invertible mod N */
833 do {
834 if( count++ > 10 )
835 {
836 ret = MBEDTLS_ERR_RSA_RNG_FAILED;
837 goto cleanup;
838 }
839
840 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
841
842 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
843 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
844 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
845 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
846
847 /* At this point, Vi is invertible mod N if and only if both Vf and R
848 * are invertible mod N. If one of them isn't, we don't need to know
849 * which one, we just loop and choose new values for both of them.
850 * (Each iteration succeeds with overwhelming probability.) */
851 ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
852 if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
853 goto cleanup;
854
855 } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
856
857 /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
858 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
859 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
860
861 /* Blinding value: Vi = Vf^(-e) mod N
862 * (Vi already contains Vf^-1 at this point) */
863 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
864
865
866cleanup:
867 mbedtls_mpi_free( &R );
868
869 return( ret );
870}
871
872/*
873 * Exponent blinding supposed to prevent side-channel attacks using multiple
874 * traces of measurements to recover the RSA key. The more collisions are there,
875 * the more bits of the key can be recovered. See [3].
876 *
877 * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
878 * observations on avarage.
879 *
880 * For example with 28 byte blinding to achieve 2 collisions the adversary has
881 * to make 2^112 observations on avarage.
882 *
883 * (With the currently (as of 2017 April) known best algorithms breaking 2048
884 * bit RSA requires approximately as much time as trying out 2^112 random keys.
885 * Thus in this sense with 28 byte blinding the security is not reduced by
886 * side-channel attacks like the one in [3])
887 *
888 * This countermeasure does not help if the key recovery is possible with a
889 * single trace.
890 */
891#define RSA_EXPONENT_BLINDING 28
892
893/*
894 * Do an RSA private key operation
895 */
896int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
897 int (*f_rng)(void *, unsigned char *, size_t),
898 void *p_rng,
899 const unsigned char *input,
900 unsigned char *output )
901{
902 int ret;
903 size_t olen;
904
905 /* Temporary holding the result */
906 mbedtls_mpi T;
907
908 /* Temporaries holding P-1, Q-1 and the
909 * exponent blinding factor, respectively. */
910 mbedtls_mpi P1, Q1, R;
911
912#if !defined(MBEDTLS_RSA_NO_CRT)
913 /* Temporaries holding the results mod p resp. mod q. */
914 mbedtls_mpi TP, TQ;
915
916 /* Temporaries holding the blinded exponents for
917 * the mod p resp. mod q computation (if used). */
918 mbedtls_mpi DP_blind, DQ_blind;
919
920 /* Pointers to actual exponents to be used - either the unblinded
921 * or the blinded ones, depending on the presence of a PRNG. */
922 mbedtls_mpi *DP = &ctx->DP;
923 mbedtls_mpi *DQ = &ctx->DQ;
924#else
925 /* Temporary holding the blinded exponent (if used). */
926 mbedtls_mpi D_blind;
927
928 /* Pointer to actual exponent to be used - either the unblinded
929 * or the blinded one, depending on the presence of a PRNG. */
930 mbedtls_mpi *D = &ctx->D;
931#endif /* MBEDTLS_RSA_NO_CRT */
932
933 /* Temporaries holding the initial input and the double
934 * checked result; should be the same in the end. */
935 mbedtls_mpi I, C;
936
937 RSA_VALIDATE_RET( ctx != NULL );
938 RSA_VALIDATE_RET( input != NULL );
939 RSA_VALIDATE_RET( output != NULL );
940
941 if( rsa_check_context( ctx, 1 /* private key checks */,
942 f_rng != NULL /* blinding y/n */ ) != 0 )
943 {
944 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
945 }
946
947#if defined(MBEDTLS_THREADING_C)
948 if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
949 return( ret );
950#endif
951
952 /* MPI Initialization */
953 mbedtls_mpi_init( &T );
954
955 mbedtls_mpi_init( &P1 );
956 mbedtls_mpi_init( &Q1 );
957 mbedtls_mpi_init( &R );
958
959 if( f_rng != NULL )
960 {
961#if defined(MBEDTLS_RSA_NO_CRT)
962 mbedtls_mpi_init( &D_blind );
963#else
964 mbedtls_mpi_init( &DP_blind );
965 mbedtls_mpi_init( &DQ_blind );
966#endif
967 }
968
969#if !defined(MBEDTLS_RSA_NO_CRT)
970 mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
971#endif
972
973 mbedtls_mpi_init( &I );
974 mbedtls_mpi_init( &C );
975
976 /* End of MPI initialization */
977
978 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
979 if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
980 {
981 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
982 goto cleanup;
983 }
984
985 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
986
987 if( f_rng != NULL )
988 {
989 /*
990 * Blinding
991 * T = T * Vi mod N
992 */
993 MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
994 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
995 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
996
997 /*
998 * Exponent blinding
999 */
1000 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
1001 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
1002
1003#if defined(MBEDTLS_RSA_NO_CRT)
1004 /*
1005 * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
1006 */
1007 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
1008 f_rng, p_rng ) );
1009 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
1010 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
1011 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
1012
1013 D = &D_blind;
1014#else
1015 /*
1016 * DP_blind = ( P - 1 ) * R + DP
1017 */
1018 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
1019 f_rng, p_rng ) );
1020 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
1021 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
1022 &ctx->DP ) );
1023
1024 DP = &DP_blind;
1025
1026 /*
1027 * DQ_blind = ( Q - 1 ) * R + DQ
1028 */
1029 MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
1030 f_rng, p_rng ) );
1031 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
1032 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
1033 &ctx->DQ ) );
1034
1035 DQ = &DQ_blind;
1036#endif /* MBEDTLS_RSA_NO_CRT */
1037 }
1038
1039#if defined(MBEDTLS_RSA_NO_CRT)
1040 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
1041#else
1042 /*
1043 * Faster decryption using the CRT
1044 *
1045 * TP = input ^ dP mod P
1046 * TQ = input ^ dQ mod Q
1047 */
1048
1049 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
1050 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
1051
1052 /*
1053 * T = (TP - TQ) * (Q^-1 mod P) mod P
1054 */
1055 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
1056 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
1057 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
1058
1059 /*
1060 * T = TQ + T * Q
1061 */
1062 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
1063 MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
1064#endif /* MBEDTLS_RSA_NO_CRT */
1065
1066 if( f_rng != NULL )
1067 {
1068 /*
1069 * Unblind
1070 * T = T * Vf mod N
1071 */
1072 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
1073 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
1074 }
1075
1076 /* Verify the result to prevent glitching attacks. */
1077 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
1078 &ctx->N, &ctx->RN ) );
1079 if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
1080 {
1081 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
1082 goto cleanup;
1083 }
1084
1085 olen = ctx->len;
1086 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
1087
1088cleanup:
1089#if defined(MBEDTLS_THREADING_C)
1090 if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
1091 return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
1092#endif
1093
1094 mbedtls_mpi_free( &P1 );
1095 mbedtls_mpi_free( &Q1 );
1096 mbedtls_mpi_free( &R );
1097
1098 if( f_rng != NULL )
1099 {
1100#if defined(MBEDTLS_RSA_NO_CRT)
1101 mbedtls_mpi_free( &D_blind );
1102#else
1103 mbedtls_mpi_free( &DP_blind );
1104 mbedtls_mpi_free( &DQ_blind );
1105#endif
1106 }
1107
1108 mbedtls_mpi_free( &T );
1109
1110#if !defined(MBEDTLS_RSA_NO_CRT)
1111 mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
1112#endif
1113
1114 mbedtls_mpi_free( &C );
1115 mbedtls_mpi_free( &I );
1116
1117 if( ret != 0 && ret >= -0x007f )
1118 return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
1119
1120 return( ret );
1121}
1122
1123#if defined(MBEDTLS_PKCS1_V21)
1133static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
1134 size_t slen, mbedtls_md_context_t *md_ctx )
1135{
1136 unsigned char mask[MBEDTLS_MD_MAX_SIZE];
1137 unsigned char counter[4];
1138 unsigned char *p;
1139 unsigned int hlen;
1140 size_t i, use_len;
1141 int ret = 0;
1142
1143 memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
1144 memset( counter, 0, 4 );
1145
1146 hlen = mbedtls_md_get_size( md_ctx->md_info );
1147
1148 /* Generate and apply dbMask */
1149 p = dst;
1150
1151 while( dlen > 0 )
1152 {
1153 use_len = hlen;
1154 if( dlen < hlen )
1155 use_len = dlen;
1156
1157 if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
1158 goto exit;
1159 if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
1160 goto exit;
1161 if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
1162 goto exit;
1163 if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
1164 goto exit;
1165
1166 for( i = 0; i < use_len; ++i )
1167 *p++ ^= mask[i];
1168
1169 counter[3]++;
1170
1171 dlen -= use_len;
1172 }
1173
1174exit:
1175 mbedtls_platform_zeroize( mask, sizeof( mask ) );
1176
1177 return( ret );
1178}
1179#endif /* MBEDTLS_PKCS1_V21 */
1180
1181#if defined(MBEDTLS_PKCS1_V21)
1182/*
1183 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
1184 */
1185int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
1186 int (*f_rng)(void *, unsigned char *, size_t),
1187 void *p_rng,
1188 int mode,
1189 const unsigned char *label, size_t label_len,
1190 size_t ilen,
1191 const unsigned char *input,
1192 unsigned char *output )
1193{
1194 size_t olen;
1195 int ret;
1196 unsigned char *p = output;
1197 unsigned int hlen;
1198 const mbedtls_md_info_t *md_info;
1199 mbedtls_md_context_t md_ctx;
1200
1201 RSA_VALIDATE_RET( ctx != NULL );
1202 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1203 mode == MBEDTLS_RSA_PUBLIC );
1204 RSA_VALIDATE_RET( output != NULL );
1205 RSA_VALIDATE_RET( input != NULL );
1206 RSA_VALIDATE_RET( label_len == 0 || label != NULL );
1207
1208 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1209 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1210
1211 if( f_rng == NULL )
1212 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1213
1214 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1215 if( md_info == NULL )
1216 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1217
1218 olen = ctx->len;
1219 hlen = mbedtls_md_get_size( md_info );
1220
1221 /* first comparison checks for overflow */
1222 if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
1223 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1224
1225 memset( output, 0, olen );
1226
1227 *p++ = 0;
1228
1229 /* Generate a random octet string seed */
1230 if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
1231 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1232
1233 p += hlen;
1234
1235 /* Construct DB */
1236 if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
1237 return( ret );
1238 p += hlen;
1239 p += olen - 2 * hlen - 2 - ilen;
1240 *p++ = 1;
1241 memcpy( p, input, ilen );
1242
1243 mbedtls_md_init( &md_ctx );
1244 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1245 goto exit;
1246
1247 /* maskedDB: Apply dbMask to DB */
1248 if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
1249 &md_ctx ) ) != 0 )
1250 goto exit;
1251
1252 /* maskedSeed: Apply seedMask to seed */
1253 if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
1254 &md_ctx ) ) != 0 )
1255 goto exit;
1256
1257exit:
1258 mbedtls_md_free( &md_ctx );
1259
1260 if( ret != 0 )
1261 return( ret );
1262
1263 return( ( mode == MBEDTLS_RSA_PUBLIC )
1264 ? mbedtls_rsa_public( ctx, output, output )
1265 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1266}
1267#endif /* MBEDTLS_PKCS1_V21 */
1268
1269#if defined(MBEDTLS_PKCS1_V15)
1270/*
1271 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
1272 */
1273int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
1274 int (*f_rng)(void *, unsigned char *, size_t),
1275 void *p_rng,
1276 int mode, size_t ilen,
1277 const unsigned char *input,
1278 unsigned char *output )
1279{
1280 size_t nb_pad, olen;
1281 int ret;
1282 unsigned char *p = output;
1283
1284 RSA_VALIDATE_RET( ctx != NULL );
1285 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1286 mode == MBEDTLS_RSA_PUBLIC );
1287 RSA_VALIDATE_RET( output != NULL );
1288 RSA_VALIDATE_RET( input != NULL );
1289
1290 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1291 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1292
1293 olen = ctx->len;
1294
1295 /* first comparison checks for overflow */
1296 if( ilen + 11 < ilen || olen < ilen + 11 )
1297 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1298
1299 nb_pad = olen - 3 - ilen;
1300
1301 *p++ = 0;
1302 if( mode == MBEDTLS_RSA_PUBLIC )
1303 {
1304 if( f_rng == NULL )
1305 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1306
1307 *p++ = MBEDTLS_RSA_CRYPT;
1308
1309 while( nb_pad-- > 0 )
1310 {
1311 int rng_dl = 100;
1312
1313 do {
1314 ret = f_rng( p_rng, p, 1 );
1315 } while( *p == 0 && --rng_dl && ret == 0 );
1316
1317 /* Check if RNG failed to generate data */
1318 if( rng_dl == 0 || ret != 0 )
1319 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1320
1321 p++;
1322 }
1323 }
1324 else
1325 {
1326 *p++ = MBEDTLS_RSA_SIGN;
1327
1328 while( nb_pad-- > 0 )
1329 *p++ = 0xFF;
1330 }
1331
1332 *p++ = 0;
1333 memcpy( p, input, ilen );
1334
1335 return( ( mode == MBEDTLS_RSA_PUBLIC )
1336 ? mbedtls_rsa_public( ctx, output, output )
1337 : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
1338}
1339#endif /* MBEDTLS_PKCS1_V15 */
1340
1341/*
1342 * Add the message padding, then do an RSA operation
1343 */
1344int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
1345 int (*f_rng)(void *, unsigned char *, size_t),
1346 void *p_rng,
1347 int mode, size_t ilen,
1348 const unsigned char *input,
1349 unsigned char *output )
1350{
1351 RSA_VALIDATE_RET( ctx != NULL );
1352 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1353 mode == MBEDTLS_RSA_PUBLIC );
1354 RSA_VALIDATE_RET( output != NULL );
1355 RSA_VALIDATE_RET( input != NULL );
1356
1357 switch( ctx->padding )
1358 {
1359#if defined(MBEDTLS_PKCS1_V15)
1360 case MBEDTLS_RSA_PKCS_V15:
1361 return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
1362 input, output );
1363#endif
1364
1365#if defined(MBEDTLS_PKCS1_V21)
1366 case MBEDTLS_RSA_PKCS_V21:
1367 return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1368 ilen, input, output );
1369#endif
1370
1371 default:
1372 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1373 }
1374}
1375
1376#if defined(MBEDTLS_PKCS1_V21)
1377/*
1378 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
1379 */
1380int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
1381 int (*f_rng)(void *, unsigned char *, size_t),
1382 void *p_rng,
1383 int mode,
1384 const unsigned char *label, size_t label_len,
1385 size_t *olen,
1386 const unsigned char *input,
1387 unsigned char *output,
1388 size_t output_max_len )
1389{
1390 int ret;
1391 size_t ilen, i, pad_len;
1392 unsigned char *p, bad, pad_done;
1393 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1394 unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
1395 unsigned int hlen;
1396 const mbedtls_md_info_t *md_info;
1397 mbedtls_md_context_t md_ctx;
1398
1399 RSA_VALIDATE_RET( ctx != NULL );
1400 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1401 mode == MBEDTLS_RSA_PUBLIC );
1402 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1403 RSA_VALIDATE_RET( label_len == 0 || label != NULL );
1404 RSA_VALIDATE_RET( input != NULL );
1405 RSA_VALIDATE_RET( olen != NULL );
1406
1407 /*
1408 * Parameters sanity checks
1409 */
1410 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1411 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1412
1413 ilen = ctx->len;
1414
1415 if( ilen < 16 || ilen > sizeof( buf ) )
1416 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1417
1418 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1419 if( md_info == NULL )
1420 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1421
1422 hlen = mbedtls_md_get_size( md_info );
1423
1424 // checking for integer underflow
1425 if( 2 * hlen + 2 > ilen )
1426 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1427
1428 /*
1429 * RSA operation
1430 */
1431 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1432 ? mbedtls_rsa_public( ctx, input, buf )
1433 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1434
1435 if( ret != 0 )
1436 goto cleanup;
1437
1438 /*
1439 * Unmask data and generate lHash
1440 */
1441 mbedtls_md_init( &md_ctx );
1442 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1443 {
1444 mbedtls_md_free( &md_ctx );
1445 goto cleanup;
1446 }
1447
1448 /* seed: Apply seedMask to maskedSeed */
1449 if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
1450 &md_ctx ) ) != 0 ||
1451 /* DB: Apply dbMask to maskedDB */
1452 ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
1453 &md_ctx ) ) != 0 )
1454 {
1455 mbedtls_md_free( &md_ctx );
1456 goto cleanup;
1457 }
1458
1459 mbedtls_md_free( &md_ctx );
1460
1461 /* Generate lHash */
1462 if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
1463 goto cleanup;
1464
1465 /*
1466 * Check contents, in "constant-time"
1467 */
1468 p = buf;
1469 bad = 0;
1470
1471 bad |= *p++; /* First byte must be 0 */
1472
1473 p += hlen; /* Skip seed */
1474
1475 /* Check lHash */
1476 for( i = 0; i < hlen; i++ )
1477 bad |= lhash[i] ^ *p++;
1478
1479 /* Get zero-padding len, but always read till end of buffer
1480 * (minus one, for the 01 byte) */
1481 pad_len = 0;
1482 pad_done = 0;
1483 for( i = 0; i < ilen - 2 * hlen - 2; i++ )
1484 {
1485 pad_done |= p[i];
1486 pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1487 }
1488
1489 p += pad_len;
1490 bad |= *p++ ^ 0x01;
1491
1492 /*
1493 * The only information "leaked" is whether the padding was correct or not
1494 * (eg, no data is copied if it was not correct). This meets the
1495 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
1496 * the different error conditions.
1497 */
1498 if( bad != 0 )
1499 {
1500 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
1501 goto cleanup;
1502 }
1503
1504 if( ilen - ( p - buf ) > output_max_len )
1505 {
1506 ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
1507 goto cleanup;
1508 }
1509
1510 *olen = ilen - (p - buf);
1511 memcpy( output, p, *olen );
1512 ret = 0;
1513
1514cleanup:
1515 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1516 mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
1517
1518 return( ret );
1519}
1520#endif /* MBEDTLS_PKCS1_V21 */
1521
1522#if defined(MBEDTLS_PKCS1_V15)
1528static unsigned all_or_nothing_int( unsigned value )
1529{
1530 /* MSVC has a warning about unary minus on unsigned, but this is
1531 * well-defined and precisely what we want to do here */
1532#if defined(_MSC_VER)
1533#pragma warning( push )
1534#pragma warning( disable : 4146 )
1535#endif
1536 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
1537#if defined(_MSC_VER)
1538#pragma warning( pop )
1539#endif
1540}
1541
1552static unsigned size_greater_than( size_t size, size_t max )
1553{
1554 /* Return the sign bit (1 for negative) of (max - size). */
1555 return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
1556}
1557
1568static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
1569{
1570 unsigned mask = all_or_nothing_int( cond );
1571 return( ( mask & if1 ) | (~mask & if0 ) );
1572}
1573
1590static void mem_move_to_left( void *start,
1591 size_t total,
1592 size_t offset )
1593{
1594 volatile unsigned char *buf = start;
1595 size_t i, n;
1596 if( total == 0 )
1597 return;
1598 for( i = 0; i < total; i++ )
1599 {
1600 unsigned no_op = size_greater_than( total - offset, i );
1601 /* The first `total - offset` passes are a no-op. The last
1602 * `offset` passes shift the data one byte to the left and
1603 * zero out the last byte. */
1604 for( n = 0; n < total - 1; n++ )
1605 {
1606 unsigned char current = buf[n];
1607 unsigned char next = buf[n+1];
1608 buf[n] = if_int( no_op, current, next );
1609 }
1610 buf[total-1] = if_int( no_op, buf[total-1], 0 );
1611 }
1612}
1613
1614/*
1615 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
1616 */
1617int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
1618 int (*f_rng)(void *, unsigned char *, size_t),
1619 void *p_rng,
1620 int mode, size_t *olen,
1621 const unsigned char *input,
1622 unsigned char *output,
1623 size_t output_max_len )
1624{
1625 int ret;
1626 size_t ilen, i, plaintext_max_size;
1627 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
1628 /* The following variables take sensitive values: their value must
1629 * not leak into the observable behavior of the function other than
1630 * the designated outputs (output, olen, return value). Otherwise
1631 * this would open the execution of the function to
1632 * side-channel-based variants of the Bleichenbacher padding oracle
1633 * attack. Potential side channels include overall timing, memory
1634 * access patterns (especially visible to an adversary who has access
1635 * to a shared memory cache), and branches (especially visible to
1636 * an adversary who has access to a shared code cache or to a shared
1637 * branch predictor). */
1638 size_t pad_count = 0;
1639 unsigned bad = 0;
1640 unsigned char pad_done = 0;
1641 size_t plaintext_size = 0;
1642 unsigned output_too_large;
1643
1644 RSA_VALIDATE_RET( ctx != NULL );
1645 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1646 mode == MBEDTLS_RSA_PUBLIC );
1647 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1648 RSA_VALIDATE_RET( input != NULL );
1649 RSA_VALIDATE_RET( olen != NULL );
1650
1651 ilen = ctx->len;
1652 plaintext_max_size = ( output_max_len > ilen - 11 ?
1653 ilen - 11 :
1654 output_max_len );
1655
1656 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
1657 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1658
1659 if( ilen < 16 || ilen > sizeof( buf ) )
1660 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1661
1662 ret = ( mode == MBEDTLS_RSA_PUBLIC )
1663 ? mbedtls_rsa_public( ctx, input, buf )
1664 : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
1665
1666 if( ret != 0 )
1667 goto cleanup;
1668
1669 /* Check and get padding length in constant time and constant
1670 * memory trace. The first byte must be 0. */
1671 bad |= buf[0];
1672
1673 if( mode == MBEDTLS_RSA_PRIVATE )
1674 {
1675 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
1676 * where PS must be at least 8 nonzero bytes. */
1677 bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
1678
1679 /* Read the whole buffer. Set pad_done to nonzero if we find
1680 * the 0x00 byte and remember the padding length in pad_count. */
1681 for( i = 2; i < ilen; i++ )
1682 {
1683 pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
1684 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
1685 }
1686 }
1687 else
1688 {
1689 /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
1690 * where PS must be at least 8 bytes with the value 0xFF. */
1691 bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
1692
1693 /* Read the whole buffer. Set pad_done to nonzero if we find
1694 * the 0x00 byte and remember the padding length in pad_count.
1695 * If there's a non-0xff byte in the padding, the padding is bad. */
1696 for( i = 2; i < ilen; i++ )
1697 {
1698 pad_done |= if_int( buf[i], 0, 1 );
1699 pad_count += if_int( pad_done, 0, 1 );
1700 bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
1701 }
1702 }
1703
1704 /* If pad_done is still zero, there's no data, only unfinished padding. */
1705 bad |= if_int( pad_done, 0, 1 );
1706
1707 /* There must be at least 8 bytes of padding. */
1708 bad |= size_greater_than( 8, pad_count );
1709
1710 /* If the padding is valid, set plaintext_size to the number of
1711 * remaining bytes after stripping the padding. If the padding
1712 * is invalid, avoid leaking this fact through the size of the
1713 * output: use the maximum message size that fits in the output
1714 * buffer. Do it without branches to avoid leaking the padding
1715 * validity through timing. RSA keys are small enough that all the
1716 * size_t values involved fit in unsigned int. */
1717 plaintext_size = if_int( bad,
1718 (unsigned) plaintext_max_size,
1719 (unsigned) ( ilen - pad_count - 3 ) );
1720
1721 /* Set output_too_large to 0 if the plaintext fits in the output
1722 * buffer and to 1 otherwise. */
1723 output_too_large = size_greater_than( plaintext_size,
1724 plaintext_max_size );
1725
1726 /* Set ret without branches to avoid timing attacks. Return:
1727 * - INVALID_PADDING if the padding is bad (bad != 0).
1728 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
1729 * plaintext does not fit in the output buffer.
1730 * - 0 if the padding is correct. */
1731 ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
1732 if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
1733 0 ) );
1734
1735 /* If the padding is bad or the plaintext is too large, zero the
1736 * data that we're about to copy to the output buffer.
1737 * We need to copy the same amount of data
1738 * from the same buffer whether the padding is good or not to
1739 * avoid leaking the padding validity through overall timing or
1740 * through memory or cache access patterns. */
1741 bad = all_or_nothing_int( bad | output_too_large );
1742 for( i = 11; i < ilen; i++ )
1743 buf[i] &= ~bad;
1744
1745 /* If the plaintext is too large, truncate it to the buffer size.
1746 * Copy anyway to avoid revealing the length through timing, because
1747 * revealing the length is as bad as revealing the padding validity
1748 * for a Bleichenbacher attack. */
1749 plaintext_size = if_int( output_too_large,
1750 (unsigned) plaintext_max_size,
1751 (unsigned) plaintext_size );
1752
1753 /* Move the plaintext to the leftmost position where it can start in
1754 * the working buffer, i.e. make it start plaintext_max_size from
1755 * the end of the buffer. Do this with a memory access trace that
1756 * does not depend on the plaintext size. After this move, the
1757 * starting location of the plaintext is no longer sensitive
1758 * information. */
1759 mem_move_to_left( buf + ilen - plaintext_max_size,
1760 plaintext_max_size,
1761 plaintext_max_size - plaintext_size );
1762
1763 /* Finally copy the decrypted plaintext plus trailing zeros
1764 * into the output buffer. */
1765 memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
1766
1767 /* Report the amount of data we copied to the output buffer. In case
1768 * of errors (bad padding or output too large), the value of *olen
1769 * when this function returns is not specified. Making it equivalent
1770 * to the good case limits the risks of leaking the padding validity. */
1771 *olen = plaintext_size;
1772
1773cleanup:
1774 mbedtls_platform_zeroize( buf, sizeof( buf ) );
1775
1776 return( ret );
1777}
1778#endif /* MBEDTLS_PKCS1_V15 */
1779
1780/*
1781 * Do an RSA operation, then remove the message padding
1782 */
1783int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
1784 int (*f_rng)(void *, unsigned char *, size_t),
1785 void *p_rng,
1786 int mode, size_t *olen,
1787 const unsigned char *input,
1788 unsigned char *output,
1789 size_t output_max_len)
1790{
1791 RSA_VALIDATE_RET( ctx != NULL );
1792 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1793 mode == MBEDTLS_RSA_PUBLIC );
1794 RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
1795 RSA_VALIDATE_RET( input != NULL );
1796 RSA_VALIDATE_RET( olen != NULL );
1797
1798 switch( ctx->padding )
1799 {
1800#if defined(MBEDTLS_PKCS1_V15)
1801 case MBEDTLS_RSA_PKCS_V15:
1802 return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
1803 input, output, output_max_len );
1804#endif
1805
1806#if defined(MBEDTLS_PKCS1_V21)
1807 case MBEDTLS_RSA_PKCS_V21:
1808 return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
1809 olen, input, output,
1810 output_max_len );
1811#endif
1812
1813 default:
1814 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
1815 }
1816}
1817
1818#if defined(MBEDTLS_PKCS1_V21)
1819/*
1820 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
1821 */
1822int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
1823 int (*f_rng)(void *, unsigned char *, size_t),
1824 void *p_rng,
1825 int mode,
1826 mbedtls_md_type_t md_alg,
1827 unsigned int hashlen,
1828 const unsigned char *hash,
1829 unsigned char *sig )
1830{
1831 size_t olen;
1832 unsigned char *p = sig;
1833 unsigned char salt[MBEDTLS_MD_MAX_SIZE];
1834 size_t slen, min_slen, hlen, offset = 0;
1835 int ret;
1836 size_t msb;
1837 const mbedtls_md_info_t *md_info;
1838 mbedtls_md_context_t md_ctx;
1839 RSA_VALIDATE_RET( ctx != NULL );
1840 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
1841 mode == MBEDTLS_RSA_PUBLIC );
1842 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
1843 hashlen == 0 ) ||
1844 hash != NULL );
1845 RSA_VALIDATE_RET( sig != NULL );
1846
1847 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
1848 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1849
1850 if( f_rng == NULL )
1851 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1852
1853 olen = ctx->len;
1854
1855 if( md_alg != MBEDTLS_MD_NONE )
1856 {
1857 /* Gather length of hash to sign */
1858 md_info = mbedtls_md_info_from_type( md_alg );
1859 if( md_info == NULL )
1860 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1861
1862 hashlen = mbedtls_md_get_size( md_info );
1863 }
1864
1865 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
1866 if( md_info == NULL )
1867 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1868
1869 hlen = mbedtls_md_get_size( md_info );
1870
1871 /* Calculate the largest possible salt length. Normally this is the hash
1872 * length, which is the maximum length the salt can have. If there is not
1873 * enough room, use the maximum salt length that fits. The constraint is
1874 * that the hash length plus the salt length plus 2 bytes must be at most
1875 * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
1876 * (PKCS#1 v2.2) §9.1.1 step 3. */
1877 min_slen = hlen - 2;
1878 if( olen < hlen + min_slen + 2 )
1879 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1880 else if( olen >= hlen + hlen + 2 )
1881 slen = hlen;
1882 else
1883 slen = olen - hlen - 2;
1884
1885 memset( sig, 0, olen );
1886
1887 /* Generate salt of length slen */
1888 if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
1889 return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
1890
1891 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
1892 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1893 p += olen - hlen - slen - 2;
1894 *p++ = 0x01;
1895 memcpy( p, salt, slen );
1896 p += slen;
1897
1898 mbedtls_md_init( &md_ctx );
1899 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
1900 goto exit;
1901
1902 /* Generate H = Hash( M' ) */
1903 if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
1904 goto exit;
1905 if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
1906 goto exit;
1907 if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
1908 goto exit;
1909 if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
1910 goto exit;
1911 if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
1912 goto exit;
1913
1914 /* Compensate for boundary condition when applying mask */
1915 if( msb % 8 == 0 )
1916 offset = 1;
1917
1918 /* maskedDB: Apply dbMask to DB */
1919 if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
1920 &md_ctx ) ) != 0 )
1921 goto exit;
1922
1923 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
1924 sig[0] &= 0xFF >> ( olen * 8 - msb );
1925
1926 p += hlen;
1927 *p++ = 0xBC;
1928
1929 mbedtls_platform_zeroize( salt, sizeof( salt ) );
1930
1931exit:
1932 mbedtls_md_free( &md_ctx );
1933
1934 if( ret != 0 )
1935 return( ret );
1936
1937 return( ( mode == MBEDTLS_RSA_PUBLIC )
1938 ? mbedtls_rsa_public( ctx, sig, sig )
1939 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
1940}
1941#endif /* MBEDTLS_PKCS1_V21 */
1942
1943#if defined(MBEDTLS_PKCS1_V15)
1944/*
1945 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
1946 */
1947
1948/* Construct a PKCS v1.5 encoding of a hashed message
1949 *
1950 * This is used both for signature generation and verification.
1951 *
1952 * Parameters:
1953 * - md_alg: Identifies the hash algorithm used to generate the given hash;
1954 * MBEDTLS_MD_NONE if raw data is signed.
1955 * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
1956 * - hash: Buffer containing the hashed message or the raw data.
1957 * - dst_len: Length of the encoded message.
1958 * - dst: Buffer to hold the encoded message.
1959 *
1960 * Assumptions:
1961 * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
1962 * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
1963 * - dst points to a buffer of size at least dst_len.
1964 *
1965 */
1966static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
1967 unsigned int hashlen,
1968 const unsigned char *hash,
1969 size_t dst_len,
1970 unsigned char *dst )
1971{
1972 size_t oid_size = 0;
1973 size_t nb_pad = dst_len;
1974 unsigned char *p = dst;
1975 const char *oid = NULL;
1976
1977 /* Are we signing hashed or raw data? */
1978 if( md_alg != MBEDTLS_MD_NONE )
1979 {
1980 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
1981 if( md_info == NULL )
1982 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1983
1984 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
1985 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1986
1987 hashlen = mbedtls_md_get_size( md_info );
1988
1989 /* Double-check that 8 + hashlen + oid_size can be used as a
1990 * 1-byte ASN.1 length encoding and that there's no overflow. */
1991 if( 8 + hashlen + oid_size >= 0x80 ||
1992 10 + hashlen < hashlen ||
1993 10 + hashlen + oid_size < 10 + hashlen )
1994 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
1995
1996 /*
1997 * Static bounds check:
1998 * - Need 10 bytes for five tag-length pairs.
1999 * (Insist on 1-byte length encodings to protect against variants of
2000 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
2001 * - Need hashlen bytes for hash
2002 * - Need oid_size bytes for hash alg OID.
2003 */
2004 if( nb_pad < 10 + hashlen + oid_size )
2005 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2006 nb_pad -= 10 + hashlen + oid_size;
2007 }
2008 else
2009 {
2010 if( nb_pad < hashlen )
2011 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2012
2013 nb_pad -= hashlen;
2014 }
2015
2016 /* Need space for signature header and padding delimiter (3 bytes),
2017 * and 8 bytes for the minimal padding */
2018 if( nb_pad < 3 + 8 )
2019 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2020 nb_pad -= 3;
2021
2022 /* Now nb_pad is the amount of memory to be filled
2023 * with padding, and at least 8 bytes long. */
2024
2025 /* Write signature header and padding */
2026 *p++ = 0;
2027 *p++ = MBEDTLS_RSA_SIGN;
2028 memset( p, 0xFF, nb_pad );
2029 p += nb_pad;
2030 *p++ = 0;
2031
2032 /* Are we signing raw data? */
2033 if( md_alg == MBEDTLS_MD_NONE )
2034 {
2035 memcpy( p, hash, hashlen );
2036 return( 0 );
2037 }
2038
2039 /* Signing hashed data, add corresponding ASN.1 structure
2040 *
2041 * DigestInfo ::= SEQUENCE {
2042 * digestAlgorithm DigestAlgorithmIdentifier,
2043 * digest Digest }
2044 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
2045 * Digest ::= OCTET STRING
2046 *
2047 * Schematic:
2048 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
2049 * TAG-NULL + LEN [ NULL ] ]
2050 * TAG-OCTET + LEN [ HASH ] ]
2051 */
2052 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
2053 *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
2054 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
2055 *p++ = (unsigned char)( 0x04 + oid_size );
2056 *p++ = MBEDTLS_ASN1_OID;
2057 *p++ = (unsigned char) oid_size;
2058 memcpy( p, oid, oid_size );
2059 p += oid_size;
2060 *p++ = MBEDTLS_ASN1_NULL;
2061 *p++ = 0x00;
2062 *p++ = MBEDTLS_ASN1_OCTET_STRING;
2063 *p++ = (unsigned char) hashlen;
2064 memcpy( p, hash, hashlen );
2065 p += hashlen;
2066
2067 /* Just a sanity-check, should be automatic
2068 * after the initial bounds check. */
2069 if( p != dst + dst_len )
2070 {
2071 mbedtls_platform_zeroize( dst, dst_len );
2072 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2073 }
2074
2075 return( 0 );
2076}
2077
2078/*
2079 * Do an RSA operation to sign the message digest
2080 */
2081int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
2082 int (*f_rng)(void *, unsigned char *, size_t),
2083 void *p_rng,
2084 int mode,
2085 mbedtls_md_type_t md_alg,
2086 unsigned int hashlen,
2087 const unsigned char *hash,
2088 unsigned char *sig )
2089{
2090 int ret;
2091 unsigned char *sig_try = NULL, *verif = NULL;
2092
2093 RSA_VALIDATE_RET( ctx != NULL );
2094 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2095 mode == MBEDTLS_RSA_PUBLIC );
2096 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2097 hashlen == 0 ) ||
2098 hash != NULL );
2099 RSA_VALIDATE_RET( sig != NULL );
2100
2101 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
2102 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2103
2104 /*
2105 * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
2106 */
2107
2108 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
2109 ctx->len, sig ) ) != 0 )
2110 return( ret );
2111
2112 /*
2113 * Call respective RSA primitive
2114 */
2115
2116 if( mode == MBEDTLS_RSA_PUBLIC )
2117 {
2118 /* Skip verification on a public key operation */
2119 return( mbedtls_rsa_public( ctx, sig, sig ) );
2120 }
2121
2122 /* Private key operation
2123 *
2124 * In order to prevent Lenstra's attack, make the signature in a
2125 * temporary buffer and check it before returning it.
2126 */
2127
2128 sig_try = mbedtls_calloc( 1, ctx->len );
2129 if( sig_try == NULL )
2130 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
2131
2132 verif = mbedtls_calloc( 1, ctx->len );
2133 if( verif == NULL )
2134 {
2135 mbedtls_free( sig_try );
2136 return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
2137 }
2138
2139 MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
2140 MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
2141
2142 if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
2143 {
2144 ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
2145 goto cleanup;
2146 }
2147
2148 memcpy( sig, sig_try, ctx->len );
2149
2150cleanup:
2151 mbedtls_free( sig_try );
2152 mbedtls_free( verif );
2153
2154 return( ret );
2155}
2156#endif /* MBEDTLS_PKCS1_V15 */
2157
2158/*
2159 * Do an RSA operation to sign the message digest
2160 */
2161int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
2162 int (*f_rng)(void *, unsigned char *, size_t),
2163 void *p_rng,
2164 int mode,
2165 mbedtls_md_type_t md_alg,
2166 unsigned int hashlen,
2167 const unsigned char *hash,
2168 unsigned char *sig )
2169{
2170 RSA_VALIDATE_RET( ctx != NULL );
2171 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2172 mode == MBEDTLS_RSA_PUBLIC );
2173 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2174 hashlen == 0 ) ||
2175 hash != NULL );
2176 RSA_VALIDATE_RET( sig != NULL );
2177
2178 switch( ctx->padding )
2179 {
2180#if defined(MBEDTLS_PKCS1_V15)
2181 case MBEDTLS_RSA_PKCS_V15:
2182 return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
2183 hashlen, hash, sig );
2184#endif
2185
2186#if defined(MBEDTLS_PKCS1_V21)
2187 case MBEDTLS_RSA_PKCS_V21:
2188 return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
2189 hashlen, hash, sig );
2190#endif
2191
2192 default:
2193 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2194 }
2195}
2196
2197#if defined(MBEDTLS_PKCS1_V21)
2198/*
2199 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2200 */
2201int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
2202 int (*f_rng)(void *, unsigned char *, size_t),
2203 void *p_rng,
2204 int mode,
2205 mbedtls_md_type_t md_alg,
2206 unsigned int hashlen,
2207 const unsigned char *hash,
2208 mbedtls_md_type_t mgf1_hash_id,
2209 int expected_salt_len,
2210 const unsigned char *sig )
2211{
2212 int ret;
2213 size_t siglen;
2214 unsigned char *p;
2215 unsigned char *hash_start;
2216 unsigned char result[MBEDTLS_MD_MAX_SIZE];
2217 unsigned char zeros[8];
2218 unsigned int hlen;
2219 size_t observed_salt_len, msb;
2220 const mbedtls_md_info_t *md_info;
2221 mbedtls_md_context_t md_ctx;
2222 unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
2223
2224 RSA_VALIDATE_RET( ctx != NULL );
2225 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2226 mode == MBEDTLS_RSA_PUBLIC );
2227 RSA_VALIDATE_RET( sig != NULL );
2228 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2229 hashlen == 0 ) ||
2230 hash != NULL );
2231
2232 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
2233 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2234
2235 siglen = ctx->len;
2236
2237 if( siglen < 16 || siglen > sizeof( buf ) )
2238 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2239
2240 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2241 ? mbedtls_rsa_public( ctx, sig, buf )
2242 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
2243
2244 if( ret != 0 )
2245 return( ret );
2246
2247 p = buf;
2248
2249 if( buf[siglen - 1] != 0xBC )
2250 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2251
2252 if( md_alg != MBEDTLS_MD_NONE )
2253 {
2254 /* Gather length of hash to sign */
2255 md_info = mbedtls_md_info_from_type( md_alg );
2256 if( md_info == NULL )
2257 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2258
2259 hashlen = mbedtls_md_get_size( md_info );
2260 }
2261
2262 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
2263 if( md_info == NULL )
2264 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2265
2266 hlen = mbedtls_md_get_size( md_info );
2267
2268 memset( zeros, 0, 8 );
2269
2270 /*
2271 * Note: EMSA-PSS verification is over the length of N - 1 bits
2272 */
2273 msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
2274
2275 if( buf[0] >> ( 8 - siglen * 8 + msb ) )
2276 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2277
2278 /* Compensate for boundary condition when applying mask */
2279 if( msb % 8 == 0 )
2280 {
2281 p++;
2282 siglen -= 1;
2283 }
2284
2285 if( siglen < hlen + 2 )
2286 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2287 hash_start = p + siglen - hlen - 1;
2288
2289 mbedtls_md_init( &md_ctx );
2290 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
2291 goto exit;
2292
2293 ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
2294 if( ret != 0 )
2295 goto exit;
2296
2297 buf[0] &= 0xFF >> ( siglen * 8 - msb );
2298
2299 while( p < hash_start - 1 && *p == 0 )
2300 p++;
2301
2302 if( *p++ != 0x01 )
2303 {
2304 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2305 goto exit;
2306 }
2307
2308 observed_salt_len = hash_start - p;
2309
2310 if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
2311 observed_salt_len != (size_t) expected_salt_len )
2312 {
2313 ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
2314 goto exit;
2315 }
2316
2317 /*
2318 * Generate H = Hash( M' )
2319 */
2320 ret = mbedtls_md_starts( &md_ctx );
2321 if ( ret != 0 )
2322 goto exit;
2323 ret = mbedtls_md_update( &md_ctx, zeros, 8 );
2324 if ( ret != 0 )
2325 goto exit;
2326 ret = mbedtls_md_update( &md_ctx, hash, hashlen );
2327 if ( ret != 0 )
2328 goto exit;
2329 ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
2330 if ( ret != 0 )
2331 goto exit;
2332 ret = mbedtls_md_finish( &md_ctx, result );
2333 if ( ret != 0 )
2334 goto exit;
2335
2336 if( memcmp( hash_start, result, hlen ) != 0 )
2337 {
2338 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2339 goto exit;
2340 }
2341
2342exit:
2343 mbedtls_md_free( &md_ctx );
2344
2345 return( ret );
2346}
2347
2348/*
2349 * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
2350 */
2351int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
2352 int (*f_rng)(void *, unsigned char *, size_t),
2353 void *p_rng,
2354 int mode,
2355 mbedtls_md_type_t md_alg,
2356 unsigned int hashlen,
2357 const unsigned char *hash,
2358 const unsigned char *sig )
2359{
2360 mbedtls_md_type_t mgf1_hash_id;
2361 RSA_VALIDATE_RET( ctx != NULL );
2362 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2363 mode == MBEDTLS_RSA_PUBLIC );
2364 RSA_VALIDATE_RET( sig != NULL );
2365 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2366 hashlen == 0 ) ||
2367 hash != NULL );
2368
2369 mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
2370 ? (mbedtls_md_type_t) ctx->hash_id
2371 : md_alg;
2372
2373 return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
2374 md_alg, hashlen, hash,
2375 mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
2376 sig ) );
2377
2378}
2379#endif /* MBEDTLS_PKCS1_V21 */
2380
2381#if defined(MBEDTLS_PKCS1_V15)
2382/*
2383 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
2384 */
2385int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
2386 int (*f_rng)(void *, unsigned char *, size_t),
2387 void *p_rng,
2388 int mode,
2389 mbedtls_md_type_t md_alg,
2390 unsigned int hashlen,
2391 const unsigned char *hash,
2392 const unsigned char *sig )
2393{
2394 int ret = 0;
2395 size_t sig_len;
2396 unsigned char *encoded = NULL, *encoded_expected = NULL;
2397
2398 RSA_VALIDATE_RET( ctx != NULL );
2399 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2400 mode == MBEDTLS_RSA_PUBLIC );
2401 RSA_VALIDATE_RET( sig != NULL );
2402 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2403 hashlen == 0 ) ||
2404 hash != NULL );
2405
2406 sig_len = ctx->len;
2407
2408 if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
2409 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
2410
2411 /*
2412 * Prepare expected PKCS1 v1.5 encoding of hash.
2413 */
2414
2415 if( ( encoded = mbedtls_calloc( 1, sig_len ) ) == NULL ||
2416 ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
2417 {
2418 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
2419 goto cleanup;
2420 }
2421
2422 if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
2423 encoded_expected ) ) != 0 )
2424 goto cleanup;
2425
2426 /*
2427 * Apply RSA primitive to get what should be PKCS1 encoded hash.
2428 */
2429
2430 ret = ( mode == MBEDTLS_RSA_PUBLIC )
2431 ? mbedtls_rsa_public( ctx, sig, encoded )
2432 : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
2433 if( ret != 0 )
2434 goto cleanup;
2435
2436 /*
2437 * Compare
2438 */
2439
2440 if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
2441 sig_len ) ) != 0 )
2442 {
2443 ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
2444 goto cleanup;
2445 }
2446
2447cleanup:
2448
2449 if( encoded != NULL )
2450 {
2451 mbedtls_platform_zeroize( encoded, sig_len );
2452 mbedtls_free( encoded );
2453 }
2454
2455 if( encoded_expected != NULL )
2456 {
2457 mbedtls_platform_zeroize( encoded_expected, sig_len );
2458 mbedtls_free( encoded_expected );
2459 }
2460
2461 return( ret );
2462}
2463#endif /* MBEDTLS_PKCS1_V15 */
2464
2465/*
2466 * Do an RSA operation and check the message digest
2467 */
2468int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
2469 int (*f_rng)(void *, unsigned char *, size_t),
2470 void *p_rng,
2471 int mode,
2472 mbedtls_md_type_t md_alg,
2473 unsigned int hashlen,
2474 const unsigned char *hash,
2475 const unsigned char *sig )
2476{
2477 RSA_VALIDATE_RET( ctx != NULL );
2478 RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
2479 mode == MBEDTLS_RSA_PUBLIC );
2480 RSA_VALIDATE_RET( sig != NULL );
2481 RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
2482 hashlen == 0 ) ||
2483 hash != NULL );
2484
2485 switch( ctx->padding )
2486 {
2487#if defined(MBEDTLS_PKCS1_V15)
2488 case MBEDTLS_RSA_PKCS_V15:
2489 return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
2490 hashlen, hash, sig );
2491#endif
2492
2493#if defined(MBEDTLS_PKCS1_V21)
2494 case MBEDTLS_RSA_PKCS_V21:
2495 return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
2496 hashlen, hash, sig );
2497#endif
2498
2499 default:
2500 return( MBEDTLS_ERR_RSA_INVALID_PADDING );
2501 }
2502}
2503
2504/*
2505 * Copy the components of an RSA key
2506 */
2507int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
2508{
2509 int ret;
2510 RSA_VALIDATE_RET( dst != NULL );
2511 RSA_VALIDATE_RET( src != NULL );
2512
2513 dst->len = src->len;
2514
2515 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
2516 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
2517
2518 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
2519 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
2520 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
2521
2522#if !defined(MBEDTLS_RSA_NO_CRT)
2523 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
2524 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
2525 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
2526 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
2527 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
2528#endif
2529
2530 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
2531
2532 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
2533 MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
2534
2535 dst->padding = src->padding;
2536 dst->hash_id = src->hash_id;
2537
2538cleanup:
2539 if( ret != 0 )
2540 mbedtls_rsa_free( dst );
2541
2542 return( ret );
2543}
2544
2545/*
2546 * Free the components of an RSA key
2547 */
2548void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
2549{
2550 if( ctx == NULL )
2551 return;
2552
2553 mbedtls_mpi_free( &ctx->Vi );
2554 mbedtls_mpi_free( &ctx->Vf );
2555 mbedtls_mpi_free( &ctx->RN );
2556 mbedtls_mpi_free( &ctx->D );
2557 mbedtls_mpi_free( &ctx->Q );
2558 mbedtls_mpi_free( &ctx->P );
2559 mbedtls_mpi_free( &ctx->E );
2560 mbedtls_mpi_free( &ctx->N );
2561
2562#if !defined(MBEDTLS_RSA_NO_CRT)
2563 mbedtls_mpi_free( &ctx->RQ );
2564 mbedtls_mpi_free( &ctx->RP );
2565 mbedtls_mpi_free( &ctx->QP );
2566 mbedtls_mpi_free( &ctx->DQ );
2567 mbedtls_mpi_free( &ctx->DP );
2568#endif /* MBEDTLS_RSA_NO_CRT */
2569
2570#if defined(MBEDTLS_THREADING_C)
2571 /* Free the mutex, but only if it hasn't been freed already. */
2572 if( ctx->ver != 0 )
2573 {
2574 mbedtls_mutex_free( &ctx->mutex );
2575 ctx->ver = 0;
2576 }
2577#endif
2578}
2579
2580#endif /* !MBEDTLS_RSA_ALT */
2581
2582#if defined(MBEDTLS_SELF_TEST)
2583
2584#include "mbedtls/sha1.h"
2585
2586/*
2587 * Example RSA-1024 keypair, for test purposes
2588 */
2589#define KEY_LEN 128
2590
2591#define RSA_N "9292758453063D803DD603D5E777D788" \
2592 "8ED1D5BF35786190FA2F23EBC0848AEA" \
2593 "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
2594 "7130B9CED7ACDF54CFC7555AC14EEBAB" \
2595 "93A89813FBF3C4F8066D2D800F7C38A8" \
2596 "1AE31942917403FF4946B0A83D3D3E05" \
2597 "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
2598 "5E94BB77B07507233A0BC7BAC8F90F79"
2599
2600#define RSA_E "10001"
2601
2602#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
2603 "66CA472BC44D253102F8B4A9D3BFA750" \
2604 "91386C0077937FE33FA3252D28855837" \
2605 "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
2606 "DF79C5CE07EE72C7F123142198164234" \
2607 "CABB724CF78B8173B9F880FC86322407" \
2608 "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
2609 "071513A1E85B5DFA031F21ECAE91A34D"
2610
2611#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
2612 "2C01CAD19EA484A87EA4377637E75500" \
2613 "FCB2005C5C7DD6EC4AC023CDA285D796" \
2614 "C3D9E75E1EFC42488BB4F1D13AC30A57"
2615
2616#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
2617 "E211C2B9E5DB1ED0BF61D0D9899620F4" \
2618 "910E4168387E3C30AA1E00C339A79508" \
2619 "8452DD96A9A5EA5D9DCA68DA636032AF"
2620
2621#define PT_LEN 24
2622#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
2623 "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
2624
2625#if defined(MBEDTLS_PKCS1_V15)
2626static int myrand( void *rng_state, unsigned char *output, size_t len )
2627{
2628#if !defined(__OpenBSD__) && !defined(__NetBSD__)
2629 size_t i;
2630
2631 if( rng_state != NULL )
2632 rng_state = NULL;
2633
2634 for( i = 0; i < len; ++i )
2635 output[i] = rand();
2636#else
2637 if( rng_state != NULL )
2638 rng_state = NULL;
2639
2640 arc4random_buf( output, len );
2641#endif /* !OpenBSD && !NetBSD */
2642
2643 return( 0 );
2644}
2645#endif /* MBEDTLS_PKCS1_V15 */
2646
2647/*
2648 * Checkup routine
2649 */
2650int mbedtls_rsa_self_test( int verbose )
2651{
2652 int ret = 0;
2653#if defined(MBEDTLS_PKCS1_V15)
2654 size_t len;
2655 mbedtls_rsa_context rsa;
2656 unsigned char rsa_plaintext[PT_LEN];
2657 unsigned char rsa_decrypted[PT_LEN];
2658 unsigned char rsa_ciphertext[KEY_LEN];
2659#if defined(MBEDTLS_SHA1_C)
2660 unsigned char sha1sum[20];
2661#endif
2662
2663 mbedtls_mpi K;
2664
2665 mbedtls_mpi_init( &K );
2666 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
2667
2668 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N ) );
2669 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
2670 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P ) );
2671 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
2672 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q ) );
2673 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
2674 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D ) );
2675 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
2676 MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E ) );
2677 MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
2678
2679 MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
2680
2681 if( verbose != 0 )
2682 mbedtls_printf( " RSA key validation: " );
2683
2684 if( mbedtls_rsa_check_pubkey( &rsa ) != 0 ||
2685 mbedtls_rsa_check_privkey( &rsa ) != 0 )
2686 {
2687 if( verbose != 0 )
2688 mbedtls_printf( "failed\n" );
2689
2690 ret = 1;
2691 goto cleanup;
2692 }
2693
2694 if( verbose != 0 )
2695 mbedtls_printf( "passed\n PKCS#1 encryption : " );
2696
2697 memcpy( rsa_plaintext, RSA_PT, PT_LEN );
2698
2699 if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
2700 PT_LEN, rsa_plaintext,
2701 rsa_ciphertext ) != 0 )
2702 {
2703 if( verbose != 0 )
2704 mbedtls_printf( "failed\n" );
2705
2706 ret = 1;
2707 goto cleanup;
2708 }
2709
2710 if( verbose != 0 )
2711 mbedtls_printf( "passed\n PKCS#1 decryption : " );
2712
2713 if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
2714 &len, rsa_ciphertext, rsa_decrypted,
2715 sizeof(rsa_decrypted) ) != 0 )
2716 {
2717 if( verbose != 0 )
2718 mbedtls_printf( "failed\n" );
2719
2720 ret = 1;
2721 goto cleanup;
2722 }
2723
2724 if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
2725 {
2726 if( verbose != 0 )
2727 mbedtls_printf( "failed\n" );
2728
2729 ret = 1;
2730 goto cleanup;
2731 }
2732
2733 if( verbose != 0 )
2734 mbedtls_printf( "passed\n" );
2735
2736#if defined(MBEDTLS_SHA1_C)
2737 if( verbose != 0 )
2738 mbedtls_printf( " PKCS#1 data sign : " );
2739
2740 if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
2741 {
2742 if( verbose != 0 )
2743 mbedtls_printf( "failed\n" );
2744
2745 return( 1 );
2746 }
2747
2748 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
2749 MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
2750 sha1sum, rsa_ciphertext ) != 0 )
2751 {
2752 if( verbose != 0 )
2753 mbedtls_printf( "failed\n" );
2754
2755 ret = 1;
2756 goto cleanup;
2757 }
2758
2759 if( verbose != 0 )
2760 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
2761
2762 if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
2763 MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
2764 sha1sum, rsa_ciphertext ) != 0 )
2765 {
2766 if( verbose != 0 )
2767 mbedtls_printf( "failed\n" );
2768
2769 ret = 1;
2770 goto cleanup;
2771 }
2772
2773 if( verbose != 0 )
2774 mbedtls_printf( "passed\n" );
2775#endif /* MBEDTLS_SHA1_C */
2776
2777 if( verbose != 0 )
2778 mbedtls_printf( "\n" );
2779
2780cleanup:
2781 mbedtls_mpi_free( &K );
2782 mbedtls_rsa_free( &rsa );
2783#else /* MBEDTLS_PKCS1_V15 */
2784 ((void) verbose);
2785#endif /* MBEDTLS_PKCS1_V15 */
2786 return( ret );
2787}
2788
2789#endif /* MBEDTLS_SELF_TEST */
2790
2791#endif /* MBEDTLS_RSA_C */
N
#define N
Definition: crc32.c:57
memcmp
int memcmp(void *Buffer1, void *Buffer2, ACPI_SIZE Count)
Definition: utclib.c:112
MBEDTLS_MPI_MAX_SIZE
#define MBEDTLS_MPI_MAX_SIZE
Definition: bignum.h:107
mbedtls_mpi_read_string
int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
Import an MPI from an ASCII string.
mbedtls_mpi_sub_mpi
int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
Perform a signed subtraction of MPIs: X = A - B.
mbedtls_mpi_sub_int
int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
Perform a signed subtraction of an MPI and an integer: X = A - b.
mbedtls_mpi_add_int
int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
Perform a signed addition of an MPI and an integer: X = A + b.
MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
#define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
Definition: bignum.h:71
mbedtls_mpi_copy
int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)
Make a copy of an MPI.
MBEDTLS_ERR_MPI_BAD_INPUT_DATA
#define MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Definition: bignum.h:66
MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR
@ MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR
Definition: bignum.h:968
mbedtls_mpi_size
size_t mbedtls_mpi_size(const mbedtls_mpi *X)
Return the total size of an MPI value in bytes.
mbedtls_mpi_exp_mod
int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR)
Perform a sliding-window exponentiation: X = A^E mod N.
mbedtls_mpi_div_mpi
int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
Perform a division with remainder of two MPIs: A = Q * B + R.
mbedtls_mpi_add_mpi
int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
Perform a signed addition of MPIs: X = A + B.
mbedtls_mpi_swap
void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)
Swap the contents of two MPIs.
mbedtls_mpi_lset
int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
Store integer value in MPI.
mbedtls_mpi_bitlen
size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
Return the number of bits up to and including the most significant bit of value 1.
mbedtls_mpi_read_binary
int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)
Import an MPI from unsigned big endian binary data.
mbedtls_mpi_cmp_mpi
int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)
Compare two MPIs.
mbedtls_mpi_mod_mpi
int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
Perform a modular reduction. R = A mod B.
mbedtls_mpi_fill_random
int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Fill an MPI with a number of random bytes.
mbedtls_mpi_gen_prime
int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Generate a prime number.
mbedtls_mpi_init
void mbedtls_mpi_init(mbedtls_mpi *X)
Initialize an MPI context.
MBEDTLS_ERR_MPI_ALLOC_FAILED
#define MBEDTLS_ERR_MPI_ALLOC_FAILED
Definition: bignum.h:72
mbedtls_mpi_mul_mpi
int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
Perform a multiplication of two MPIs: X = A * B.
MBEDTLS_MPI_CHK
#define MBEDTLS_MPI_CHK(f)
Definition: bignum.h:74
mbedtls_mpi_inv_mod
int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N)
Compute the modular inverse: X = A^-1 mod N.
mbedtls_mpi_get_bit
int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
Get a specific bit from an MPI.
mbedtls_mpi_free
void mbedtls_mpi_free(mbedtls_mpi *X)
This function frees the components of an MPI context.
mbedtls_mpi_write_binary
int mbedtls_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf, size_t buflen)
Export an MPI into unsigned big endian binary data of fixed size.
mbedtls_mpi_cmp_int
int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
Compare an MPI with an integer.
mbedtls_mpi_gcd
int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)
Compute the greatest common divisor: G = gcd(A, B)
G
#define G(r, i, a, b, c, d)
Definition: blake2b-ref.c:117
D
#define D(d)
Definition: builtin.c:4557
C
#define C(c)
Definition: builtin.c:4556
A
Definition: ehthrow.cxx:93
B
Definition: ehthrow.cxx:54
C
Definition: terminate.cpp:24
NULL
#define NULL
Definition: types.h:112
P
#define P(row, col)
E
static const WCHAR E[]
Definition: oid.c:1253
cleanup
static void cleanup(void)
Definition: main.c:1335
int
unsigned int(__cdecl typeof(jpeg_read_scanlines))(struct jpeg_decompress_struct *
Definition: typeof.h:31
char
unsigned char
Definition: typeof.h:29
total
size_t total
Definition: fxusbpipeapi.cpp:306
start
GLuint start
Definition: gl.h:1545
count
GLuint GLuint GLsizei count
Definition: gl.h:1545
size
GLsizeiptr size
Definition: glext.h:5919
n
GLdouble n
Definition: glext.h:7729
src
GLenum src
Definition: glext.h:6340
mask
GLenum GLint GLuint mask
Definition: glext.h:6028
b
GLboolean GLboolean GLboolean b
Definition: glext.h:6204
mode
GLenum mode
Definition: glext.h:6217
buf
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
dst
GLenum GLenum dst
Definition: glext.h:6340
p
GLfloat GLfloat p
Definition: glext.h:8902
len
GLenum GLsizei len
Definition: glext.h:6722
a
GLboolean GLboolean GLboolean GLboolean a
Definition: glext.h:6204
input
GLenum GLenum GLenum input
Definition: glext.h:9031
result
GLuint64EXT * result
Definition: glext.h:11304
offset
GLintptr offset
Definition: glext.h:5920
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
MBEDTLS_ASN1_OCTET_STRING
#define MBEDTLS_ASN1_OCTET_STRING
Definition: asn1.h:100
MBEDTLS_ASN1_SEQUENCE
#define MBEDTLS_ASN1_SEQUENCE
Definition: asn1.h:104
MBEDTLS_ASN1_CONSTRUCTED
#define MBEDTLS_ASN1_CONSTRUCTED
Definition: asn1.h:114
MBEDTLS_ASN1_OID
#define MBEDTLS_ASN1_OID
Definition: asn1.h:102
MBEDTLS_ASN1_NULL
#define MBEDTLS_ASN1_NULL
Definition: asn1.h:101
rand
_Check_return_ int __cdecl rand(void)
Definition: rand.c:10
sha1.h
This file contains SHA-1 definitions and functions.
mbedtls_sha1_ret
int mbedtls_sha1_ret(const unsigned char *input, size_t ilen, unsigned char output[20])
This function calculates the SHA-1 checksum of a buffer.
I
#define I(s)
T
#define T
Definition: mbstring.h:31
md.h
This file contains the generic message-digest wrapper.
mbedtls_md_setup
int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac)
This function selects the message digest algorithm to use, and allocates internal structures.
mbedtls_md_type_t
mbedtls_md_type_t
Supported message digests.
Definition: md.h:83
MBEDTLS_MD_NONE
@ MBEDTLS_MD_NONE
Definition: md.h:84
MBEDTLS_MD_SHA1
@ MBEDTLS_MD_SHA1
Definition: md.h:88
mbedtls_md_starts
int mbedtls_md_starts(mbedtls_md_context_t *ctx)
This function starts a message-digest computation.
mbedtls_md
int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen, unsigned char *output)
This function calculates the message-digest of a buffer, with respect to a configurable message-diges...
mbedtls_md_update
int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
This function feeds an input buffer into an ongoing message-digest computation.
MBEDTLS_MD_MAX_SIZE
#define MBEDTLS_MD_MAX_SIZE
Definition: md.h:97
mbedtls_md_init
void mbedtls_md_init(mbedtls_md_context_t *ctx)
This function initializes a message-digest context without binding it to a particular message-digest ...
mbedtls_md_finish
int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
This function finishes the digest operation, and writes the result to the output buffer.
mbedtls_md_get_size
unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info)
This function extracts the message-digest size from the message-digest information structure.
mbedtls_md_free
void mbedtls_md_free(mbedtls_md_context_t *ctx)
This function clears the internal structure of ctx and frees any embedded internal structure,...
memcpy
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
current
struct task_struct * current
Definition: linux.c:32
label
static const WCHAR label[]
Definition: itemdlg.c:1546
H
#define H
padding
static const DWORD padding[]
Definition: mciwnd.c:89
L
#define L(x)
Definition: ntvdm.h:50
oid.h
Object Identifier (OID) database.
mbedtls_oid_get_oid_by_md
int mbedtls_oid_get_oid_by_md(mbedtls_md_type_t md_alg, const char **oid, size_t *olen)
Translate md_type into hash algorithm OID.
mbedtls_platform_zeroize
void mbedtls_platform_zeroize(void *buf, size_t len)
Securely zeroize a buffer.
Definition: platform_util.c:98
platform_util.h
Common and shared functions used by multiple modules in the Mbed TLS library.
no_op
void no_op(void)
Definition: psehtest2.c:30
next
static unsigned __int64 next
Definition: rand_nt.c:6
verbose
#define verbose
Definition: rosglue.h:36
rsa.h
This file provides an API for the RSA public-key cryptosystem.
MBEDTLS_RSA_PRIVATE
#define MBEDTLS_RSA_PRIVATE
Definition: rsa.h:95
mbedtls_rsa_pkcs1_encrypt
int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
This function adds the message padding, then performs an RSA operation.
mbedtls_rsa_complete
int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
This function completes an RSA context from a set of imported core parameters.
MBEDTLS_RSA_PUBLIC
#define MBEDTLS_RSA_PUBLIC
Definition: rsa.h:94
mbedtls_rsa_pkcs1_verify
int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, const unsigned char *sig)
This function performs a public RSA operation and checks the message digest.
mbedtls_rsa_init
void mbedtls_rsa_init(mbedtls_rsa_context *ctx, int padding, int hash_id)
This function initializes an RSA context.
mbedtls_rsa_rsassa_pkcs1_v15_verify
int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, const unsigned char *sig)
This function performs a PKCS#1 v1.5 verification operation (RSASSA-PKCS1-v1_5-VERIFY).
MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
Definition: rsa.h:81
mbedtls_rsa_import
int mbedtls_rsa_import(mbedtls_rsa_context *ctx, const mbedtls_mpi *N, const mbedtls_mpi *P, const mbedtls_mpi *Q, const mbedtls_mpi *D, const mbedtls_mpi *E)
This function imports a set of core parameters into an RSA context.
mbedtls_rsa_check_pub_priv
int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv)
This function checks a public-private RSA key pair.
MBEDTLS_ERR_RSA_VERIFY_FAILED
#define MBEDTLS_ERR_RSA_VERIFY_FAILED
Definition: rsa.h:80
mbedtls_rsa_import_raw
int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx, unsigned char const *N, size_t N_len, unsigned char const *P, size_t P_len, unsigned char const *Q, size_t Q_len, unsigned char const *D, size_t D_len, unsigned char const *E, size_t E_len)
This function imports core RSA parameters, in raw big-endian binary format, into an RSA context.
mbedtls_rsa_private
int mbedtls_rsa_private(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, const unsigned char *input, unsigned char *output)
This function performs an RSA private key operation.
mbedtls_rsa_gen_key
int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, unsigned int nbits, int exponent)
This function generates an RSA keypair.
MBEDTLS_RSA_PKCS_V15
#define MBEDTLS_RSA_PKCS_V15
Definition: rsa.h:97
mbedtls_rsa_pkcs1_sign
int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
This function performs a private RSA operation to sign a message digest using PKCS#1.
mbedtls_rsa_get_len
size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
This function retrieves the length of RSA modulus in Bytes.
mbedtls_rsa_rsaes_pkcs1_v15_encrypt
int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
This function performs a PKCS#1 v1.5 encryption operation (RSAES-PKCS1-v1_5-ENCRYPT).
mbedtls_rsa_rsaes_pkcs1_v15_decrypt
int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
This function performs a PKCS#1 v1.5 decryption operation (RSAES-PKCS1-v1_5-DECRYPT).
mbedtls_rsa_pkcs1_decrypt
int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
This function performs an RSA operation, then removes the message padding.
mbedtls_rsa_export
int mbedtls_rsa_export(const mbedtls_rsa_context *ctx, mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, mbedtls_mpi *D, mbedtls_mpi *E)
This function exports the core parameters of an RSA key.
mbedtls_rsa_export_raw
int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx, unsigned char *N, size_t N_len, unsigned char *P, size_t P_len, unsigned char *Q, size_t Q_len, unsigned char *D, size_t D_len, unsigned char *E, size_t E_len)
This function exports core parameters of an RSA key in raw big-endian binary format.
MBEDTLS_ERR_RSA_RNG_FAILED
#define MBEDTLS_ERR_RSA_RNG_FAILED
Definition: rsa.h:82
mbedtls_rsa_copy
int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
This function copies the components of an RSA context.
mbedtls_rsa_rsassa_pss_verify
int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, const unsigned char *sig)
This function performs a PKCS#1 v2.1 PSS verification operation (RSASSA-PSS-VERIFY).
mbedtls_rsa_free
void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
This function frees the components of an RSA key.
MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
Definition: rsa.h:77
MBEDTLS_RSA_PKCS_V21
#define MBEDTLS_RSA_PKCS_V21
Definition: rsa.h:98
mbedtls_rsa_export_crt
int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx, mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
This function exports CRT parameters of a private RSA key.
mbedtls_rsa_public
int mbedtls_rsa_public(mbedtls_rsa_context *ctx, const unsigned char *input, unsigned char *output)
This function performs an RSA public key operation.
MBEDTLS_RSA_SIGN
#define MBEDTLS_RSA_SIGN
Definition: rsa.h:100
mbedtls_rsa_check_privkey
int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
This function checks if a context contains an RSA private key and perform basic consistency checks.
MBEDTLS_RSA_SALT_LEN_ANY
#define MBEDTLS_RSA_SALT_LEN_ANY
Definition: rsa.h:103
MBEDTLS_ERR_RSA_BAD_INPUT_DATA
#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA
Definition: rsa.h:74
mbedtls_rsa_rsassa_pss_verify_ext
int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, mbedtls_md_type_t mgf1_hash_id, int expected_salt_len, const unsigned char *sig)
This function performs a PKCS#1 v2.1 PSS verification operation (RSASSA-PSS-VERIFY).
mbedtls_rsa_rsaes_oaep_encrypt
int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t ilen, const unsigned char *input, unsigned char *output)
This function performs a PKCS#1 v2.1 OAEP encryption operation (RSAES-OAEP-ENCRYPT).
MBEDTLS_RSA_CRYPT
#define MBEDTLS_RSA_CRYPT
Definition: rsa.h:101
mbedtls_rsa_check_pubkey
int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
This function checks if a context contains at least an RSA public key.
mbedtls_rsa_set_padding
void mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding, int hash_id)
This function sets padding for an already initialized RSA context. See mbedtls_rsa_init() for details...
MBEDTLS_ERR_RSA_INVALID_PADDING
#define MBEDTLS_ERR_RSA_INVALID_PADDING
Definition: rsa.h:75
MBEDTLS_ERR_RSA_KEY_GEN_FAILED
#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED
Definition: rsa.h:76
MBEDTLS_ERR_RSA_PUBLIC_FAILED
#define MBEDTLS_ERR_RSA_PUBLIC_FAILED
Definition: rsa.h:78
mbedtls_rsa_rsassa_pss_sign
int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
This function performs a PKCS#1 v2.1 PSS signature operation (RSASSA-PSS-SIGN).
mbedtls_rsa_rsassa_pkcs1_v15_sign
int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
This function performs a PKCS#1 v1.5 signature operation (RSASSA-PKCS1-v1_5-SIGN).
MBEDTLS_ERR_RSA_PRIVATE_FAILED
#define MBEDTLS_ERR_RSA_PRIVATE_FAILED
Definition: rsa.h:79
mbedtls_rsa_rsaes_oaep_decrypt
int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, const unsigned char *label, size_t label_len, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
This function performs a PKCS#1 v2.1 OAEP decryption operation (RSAES-OAEP-DECRYPT).
rsa_internal.h
Context-independent RSA helper functions.
mbedtls_rsa_deduce_private_exponent
int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P, mbedtls_mpi const *Q, mbedtls_mpi const *E, mbedtls_mpi *D)
Compute RSA private exponent from prime moduli and public key.
mbedtls_rsa_validate_params
int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P, const mbedtls_mpi *Q, const mbedtls_mpi *D, const mbedtls_mpi *E, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Check validity of core RSA parameters.
mbedtls_rsa_deduce_primes
int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, mbedtls_mpi const *E, mbedtls_mpi const *D, mbedtls_mpi *P, mbedtls_mpi *Q)
Compute RSA prime moduli P, Q from public modulus N=PQ and a pair of private and public key.
mbedtls_rsa_deduce_crt
int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q, const mbedtls_mpi *D, mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
Generate RSA-CRT parameters.
mbedtls_rsa_validate_crt
int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q, const mbedtls_mpi *D, const mbedtls_mpi *DP, const mbedtls_mpi *DQ, const mbedtls_mpi *QP)
Check validity of RSA CRT parameters.
mbedtls_md_info_from_type
#define mbedtls_md_info_from_type
Definition: schannel_mbedtls_lazyload.h:172
config.h
Configuration options (set of defines)
platform.h
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
mbedtls_free
#define mbedtls_free
Definition: platform.h:168
mbedtls_calloc
#define mbedtls_calloc
Definition: platform.h:169
exit
#define exit(n)
Definition: config.h:202
memset
#define memset(x, y, z)
Definition: compat.h:39
R
#define R(b, x)
Definition: sha2.c:134
hash
Definition: _hash_fun.h:40
mbedtls_md_context_t
Definition: md.h:111
mbedtls_md_context_t::md_info
const mbedtls_md_info_t * md_info
Definition: md.h:113
mbedtls_md_info_t
Definition: md_internal.h:73
mbedtls_mpi
MPI structure.
Definition: bignum.h:211
mbedtls_rsa_context
The RSA context structure.
Definition: rsa.h:126
mbedtls_rsa_context::N
mbedtls_mpi N
Definition: rsa.h:133
mbedtls_rsa_context::E
mbedtls_mpi E
Definition: rsa.h:134
max
#define max(a, b)
Definition: svc.c:63
MBEDTLS_ERR_THREADING_MUTEX_ERROR
#define MBEDTLS_ERR_THREADING_MUTEX_ERROR
Definition: threading.h:69
mbedtls_printf
#define mbedtls_printf
Definition: timing.c:57
value
Definition: pdh_main.c:94
ret
int ret
Definition: wcstombs-tests.c:31