Merge pull request #8437 from LinuxJedi/SE050-changes

Minor SE050 improvements

.wolfssl_known_macro_extras

@@ -759,9 +759,11 @@ WOLFSSL_RSA_DECRYPT_TO_0_LEN
 WOLFSSL_RW_THREADED
 WOLFSSL_SAKKE_SMALL
 WOLFSSL_SAKKE_SMALL_MODEXP
+WOLFSSL_SE050_AUTO_ERASE
 WOLFSSL_SE050_CRYPT
 WOLFSSL_SE050_HASH
 WOLFSSL_SE050_INIT
+WOLFSSL_SE050_NO_RSA
 WOLFSSL_SE050_NO_TRNG
 WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
 WOLFSSL_SETTINGS_FILE

wolfcrypt/src/curve25519.c

@@ -639,6 +639,9 @@ int wc_curve25519_import_private_ex(const byte* priv, word32 privSz,
     }
 
 #ifdef WOLFSSL_SE050
+#ifdef WOLFSSL_SE050_AUTO_ERASE
+    wc_se050_erase_object(key->keyId);
+#endif
     /* release NXP resources if set */
     se050_curve25519_free_key(key);
 #endif

wolfcrypt/src/ecc.c

@@ -7950,6 +7950,9 @@ int wc_ecc_free(ecc_key* key)
 #endif
 
 #ifdef WOLFSSL_SE050
+#ifdef WOLFSSL_SE050_AUTO_ERASE
+    wc_se050_erase_object(key->keyId);
+#endif
     se050_ecc_free_key(key);
 #endif
 

wolfcrypt/src/ed25519.c

@@ -1104,6 +1104,9 @@ void wc_ed25519_free(ed25519_key* key)
 #endif
 
 #ifdef WOLFSSL_SE050
+#ifdef WOLFSSL_SE050_AUTO_ERASE
+    wc_se050_erase_object(key->keyId);
+#endif
     se050_ed25519_free_key(key);
 #endif
 

wolfcrypt/src/port/nxp/README_SE050.md

@@ -205,6 +205,10 @@ value based on an incrementing counter past the value defined by this define.
 
 If not defined, this value will default to **100**.
 
+**`WOLFSSL_SE050_AUTO_ERASE`**
+
+Automatically erases the key from the SE050 when `wc_*_free()` is called.
+
 **`WOLFSSL_SE050_FACTORY_RESET`**
 
 When defined, calls to `wolfSSL_Init()` or `wolfCrypt_Init()` will factory
@@ -237,6 +241,11 @@ a Raspberry Pi with SE05x EdgeLock dev kit. If `WOLFSSL_SE050_NO_TRNG` is
 defined, wolfCrypt will instead fall back to using `/dev/random` and
 `/dev/urandom` on the Raspberry Pi.
 
+**`WOLFSSL_SE050_NO_RSA`**
+
+Disables using the SE050 for RSA, useful for the SE050E which does not have
+RSA support.
+
 ## wolfSSL HostCrypto Support
 
 The NXP SE05x Plug & Trust Middleware by default can use either OpenSSL or

wolfcrypt/src/port/nxp/se050_port.c

@@ -54,7 +54,7 @@
     #define SE050_ECC_DER_MAX 256
     #endif
 #endif
-#ifndef NO_RSA
+#if !defined(NO_RSA) && !defined(WOLFSSL_SE050_NO_RSA)
     #include <wolfssl/wolfcrypt/rsa.h>
     struct RsaKey;
 #endif
@@ -659,7 +659,7 @@ int wc_se050_get_binary_object(word32 keyId, byte* out, word32* outSz)
     return ret;
 }
 
-#ifndef NO_RSA
+#if !defined(NO_RSA) && !defined(WOLFSSL_SE050_NO_RSA)
 
 /**
  * Use specified SE050 key ID with this RsaKey struct.

wolfcrypt/src/rsa.c

@@ -53,7 +53,7 @@ RSA keys can be used to encrypt, decrypt, sign and verify data.
 #if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
 #include <xsecure_rsaclient.h>
 #endif
-#ifdef WOLFSSL_SE050
+#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
 #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
 #endif
 #ifdef WOLFSSL_HAVE_SP_RSA
@@ -298,7 +298,7 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
                      int devId)
 {
     int ret = 0;
-#ifdef WOLFSSL_SE050
+#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
     /* SE050 TLS users store a word32 at id, need to cast back */
     word32* keyPtr = NULL;
 #endif
@@ -312,7 +312,7 @@ int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
     if (ret == 0 && id != NULL && len != 0) {
         XMEMCPY(key->id, id, (size_t)len);
         key->idLen = len;
-    #ifdef WOLFSSL_SE050
+    #if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
         /* Set SE050 ID from word32, populate RsaKey with public from SE050 */
         if (len == (int)sizeof(word32)) {
             keyPtr = (word32*)key->id;
@@ -521,7 +521,7 @@ static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
 }
 #endif /* WOLFSSL_CRYPTOCELL */
 
-#ifdef WOLFSSL_SE050
+#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
 /* Use specified hardware key ID with RsaKey operations. Unlike devId,
  * keyId is a word32 so can handle key IDs larger than an int.
  *
@@ -3368,7 +3368,7 @@ static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
             return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
                                   cc310_hashModeRSA(hash, 0));
         }
-    #elif defined(WOLFSSL_SE050)
+    #elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
         if (rsa_type == RSA_PUBLIC_ENCRYPT && pad_value == RSA_BLOCK_TYPE_2) {
             return se050_rsa_public_encrypt(in, inLen, out, outLen, key,
                                             rsa_type, pad_value, pad_type, hash,
@@ -3530,7 +3530,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
             return cc310_RsaSSL_Verify(in, inLen, out, key,
                                        cc310_hashModeRSA(hash, 0));
         }
-    #elif defined(WOLFSSL_SE050)
+    #elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
         if (rsa_type == RSA_PRIVATE_DECRYPT && pad_value == RSA_BLOCK_TYPE_2) {
             ret = se050_rsa_private_decrypt(in, inLen, out, outLen, key,
                                             rsa_type, pad_value, pad_type, hash,
@@ -4783,7 +4783,8 @@ int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
 {
 #ifndef WC_NO_RNG
-#if !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050)
+#if !defined(WOLFSSL_CRYPTOCELL) && \
+    (!defined(WOLFSSL_SE050) || defined(WOLFSSL_SE050_NO_RSA))
 #ifdef WOLFSSL_SMALL_STACK
     mp_int *p = NULL;
     mp_int *q = NULL;
@@ -4826,7 +4827,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
 #if defined(WOLFSSL_CRYPTOCELL)
     err = cc310_RSA_GenerateKeyPair(key, size, e);
     goto out;
-#elif defined(WOLFSSL_SE050)
+#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
     err = se050_rsa_create_key(key, size, e);
     goto out;
 #else