diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 2cfdcaec3..bcebe14af 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -3058,130 +3058,6 @@ int wc_AesSetIV(Aes* aes, const byte* iv) #endif /* AES-CBC block */ #endif /* HAVE_AES_CBC */ -#ifdef WOLFSSL_AES_CFB -/* CFB 128 - * - * aes structure holding key to use for encryption - * out buffer to hold result of encryption (must be at least as large as input - * buffer) - * in buffer to encrypt - * sz size of input buffer - * - * returns 0 on success and negative error values on failure - */ -int wc_AesCfbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) -{ - byte* tmp = NULL; - byte* reg = NULL; - - WOLFSSL_ENTER("wc_AesCfbEncrypt"); - - if (aes == NULL || out == NULL || in == NULL) { - return BAD_FUNC_ARG; - } - - if (aes->left && sz) { - reg = (byte*)aes->reg + AES_BLOCK_SIZE - aes->left; - } - - /* consume any unused bytes left in aes->tmp */ - tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left; - while (aes->left && sz) { - *(out++) = *(reg++) = *(in++) ^ *(tmp++); - aes->left--; - sz--; - } - - while (sz >= AES_BLOCK_SIZE) { - wc_AesEncrypt(aes, (byte*)aes->reg, out); - xorbuf(out, in, AES_BLOCK_SIZE); - XMEMCPY(aes->reg, out, AES_BLOCK_SIZE); - out += AES_BLOCK_SIZE; - in += AES_BLOCK_SIZE; - sz -= AES_BLOCK_SIZE; - aes->left = 0; - } - - /* encrypt left over data */ - if (sz) { - wc_AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->tmp); - aes->left = AES_BLOCK_SIZE; - tmp = (byte*)aes->tmp; - reg = (byte*)aes->reg; - - while (sz--) { - *(out++) = *(reg++) = *(in++) ^ *(tmp++); - aes->left--; - } - } - - return 0; -} - - -#ifdef HAVE_AES_DECRYPT -/* CFB 128 - * - * aes structure holding key to use for decryption - * out buffer to hold result of decryption (must be at least as large as input - * buffer) - * in buffer to decrypt - * sz size of input buffer - * - * returns 0 on success and negative error values on failure - */ -int wc_AesCfbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) -{ - byte* tmp; - - WOLFSSL_ENTER("wc_AesCfbDecrypt"); - - if (aes == NULL || out == NULL || in == NULL) { - return BAD_FUNC_ARG; - } 
- - /* check if more input needs copied over to aes->reg */ - if (aes->left && sz) { - int size = min(aes->left, sz); - XMEMCPY((byte*)aes->reg + AES_BLOCK_SIZE - aes->left, in, size); - } - - /* consume any unused bytes left in aes->tmp */ - tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left; - while (aes->left && sz) { - *(out++) = *(in++) ^ *(tmp++); - aes->left--; - sz--; - } - - while (sz > AES_BLOCK_SIZE) { - wc_AesEncrypt(aes, (byte*)aes->reg, out); - xorbuf(out, in, AES_BLOCK_SIZE); - XMEMCPY(aes->reg, in, AES_BLOCK_SIZE); - out += AES_BLOCK_SIZE; - in += AES_BLOCK_SIZE; - sz -= AES_BLOCK_SIZE; - aes->left = 0; - } - - /* decrypt left over data */ - if (sz) { - wc_AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->tmp); - XMEMCPY(aes->reg, in, sz); - aes->left = AES_BLOCK_SIZE; - tmp = (byte*)aes->tmp; - - while (sz--) { - *(out++) = *(in++) ^ *(tmp++); - aes->left--; - } - } - - return 0; -} -#endif /* HAVE_AES_DECRYPT */ -#endif /* WOLFSSL_AES_CFB */ - #ifdef HAVE_AES_ECB #if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES) /* implemented in wolfcrypt/src/port/caam/caam_aes.c */ 
@@ -7833,6 +7709,130 @@ int wc_AesGetKeySize(Aes* aes, word32* keySize) #endif /* !WOLFSSL_ARMASM */ #endif /* !WOLFSSL_TI_CRYPT */ +#ifdef WOLFSSL_AES_CFB +/* CFB 128 + * + * aes structure holding key to use for encryption + * out buffer to hold result of encryption (must be at least as large as input + * buffer) + * in buffer to encrypt + * sz size of input buffer + * + * returns 0 on success and negative error values on failure + */ +int wc_AesCfbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) +{ + byte* tmp = NULL; + byte* reg = NULL; + + WOLFSSL_ENTER("wc_AesCfbEncrypt"); + + if (aes == NULL || out == NULL || in == NULL) { + return BAD_FUNC_ARG; + } + + if (aes->left && sz) { + reg = (byte*)aes->reg + AES_BLOCK_SIZE - aes->left; + } + + /* consume any unused bytes left in aes->tmp */ + tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left; + while (aes->left && sz) { + *(out++) = *(reg++) = *(in++) ^ *(tmp++); + aes->left--; + sz--; + } + + while (sz >= AES_BLOCK_SIZE) { + wc_AesEncryptDirect(aes, out, (byte*)aes->reg); + xorbuf(out, in, AES_BLOCK_SIZE); + XMEMCPY(aes->reg, out, AES_BLOCK_SIZE); + out += AES_BLOCK_SIZE; + in += AES_BLOCK_SIZE; + sz -= AES_BLOCK_SIZE; + aes->left = 0; + } + + /* encrypt left over data */ + if (sz) { + wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg); + aes->left = AES_BLOCK_SIZE; + tmp = (byte*)aes->tmp; + reg = (byte*)aes->reg; + + while (sz--) { + *(out++) = *(reg++) = *(in++) ^ *(tmp++); + aes->left--; + } + } + + return 0; +} + + +#ifdef HAVE_AES_DECRYPT +/* CFB 128 + * + * aes structure holding key to use for decryption + * out buffer to hold result of decryption (must be at least as large as input + * buffer) + * in buffer to decrypt + * sz size of input buffer + * + * returns 0 on success and negative error values on failure + */ +int wc_AesCfbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) +{ + byte* tmp; + + WOLFSSL_ENTER("wc_AesCfbDecrypt"); + + if (aes == NULL || out == NULL || in == NULL) { + 
return BAD_FUNC_ARG; + } + + /* check if more input needs copied over to aes->reg */ + if (aes->left && sz) { + int size = min(aes->left, sz); + XMEMCPY((byte*)aes->reg + AES_BLOCK_SIZE - aes->left, in, size); + } + + /* consume any unused bytes left in aes->tmp */ + tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left; + while (aes->left && sz) { + *(out++) = *(in++) ^ *(tmp++); + aes->left--; + sz--; + } + + while (sz > AES_BLOCK_SIZE) { + wc_AesEncryptDirect(aes, out, (byte*)aes->reg); + xorbuf(out, in, AES_BLOCK_SIZE); + XMEMCPY(aes->reg, in, AES_BLOCK_SIZE); + out += AES_BLOCK_SIZE; + in += AES_BLOCK_SIZE; + sz -= AES_BLOCK_SIZE; + aes->left = 0; + } + + /* decrypt left over data */ + if (sz) { + wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg); + XMEMCPY(aes->reg, in, sz); + aes->left = AES_BLOCK_SIZE; + tmp = (byte*)aes->tmp; + + while (sz--) { + *(out++) = *(in++) ^ *(tmp++); + aes->left--; + } + } + + return 0; +} +#endif /* HAVE_AES_DECRYPT */ +#endif /* WOLFSSL_AES_CFB */ + #ifdef HAVE_AES_KEYWRAP diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 9a2574589..24469490f 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -11586,6 +11586,7 @@ int openssl_pkey0_test(void) return ERR_BASE_PKEY-32; } +#ifndef HAVE_FIPS if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_OAEP_PADDING) <= 0){ printf("second set rsa padding error\n"); return ERR_BASE_PKEY-33; @@ -11595,6 +11596,7 @@ int openssl_pkey0_test(void) printf("third set rsa padding error\n"); return ERR_BASE_PKEY-34; } +#endif memset(out, 0, sizeof(out)); ret = EVP_PKEY_encrypt(enc, out, &outlen, in, sizeof(in)); 
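Review bot: The full-block loops of both wc_AesCfbEncrypt and wc_AesCfbDecrypt write the cipher output straight into `out` before `in` has been read, so a caller that passes the same buffer for both loses its data. `wc_AesEncryptDirect(aes, out, (byte*)aes->reg)` followed by `xorbuf(out, in, AES_BLOCK_SIZE)` appears to XOR the buffer with itself when `out == in` (assuming xorbuf XORs its second argument into its first), and the function still returns 0; the byte-wise head and tail loops read `in` before storing to `out` and are not affected. The header comments only require `out` to be at least as large as `in`, so either state there that the buffers must not overlap or route the keystream through `aes->tmp`, which is free whenever these loops run because `aes->left` is zero by then. In the decrypt loop the ciphertext block has to be copied into `aes->reg` before `out` is written.

```c
    /* wc_AesCfbEncrypt, full-block loop */
    while (sz >= AES_BLOCK_SIZE) {
        /* keystream goes to aes->tmp so in is still intact when out == in */
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
        xorbuf((byte*)aes->tmp, in, AES_BLOCK_SIZE);
        XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
        XMEMCPY(out, aes->tmp, AES_BLOCK_SIZE);
        /* … unchanged: advance out/in, reduce sz, aes->left = 0 … */
    }

    /* wc_AesCfbDecrypt, full-block loop */
    while (sz > AES_BLOCK_SIZE) {
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
        /* keep the ciphertext block for feedback before out is written */
        XMEMCPY(aes->reg, in, AES_BLOCK_SIZE);
        xorbuf((byte*)aes->tmp, in, AES_BLOCK_SIZE);
        XMEMCPY(out, aes->tmp, AES_BLOCK_SIZE);
        /* … unchanged: advance out/in, reduce sz, aes->left = 0 … */
    }
```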
@@ -11647,40 +11649,38 @@ int openssl_pkey1_test(void) unsigned char cipher[256]; unsigned char plain[256]; size_t outlen = sizeof(cipher); - char cliCert[] = "./certs/client-cert.pem"; - FILE* f; #if defined(USE_CERT_BUFFERS_2048) XMEMCPY(tmp, client_key_der_2048, sizeof_client_key_der_2048); cliKeySz = (long)sizeof_client_key_der_2048; + + x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_2048, + sizeof_client_cert_der_2048, SSL_FILETYPE_ASN1); #else + FILE* f; + f = fopen(clientKey, "rb"); if (!f) { err_sys("can't open ./certs/client-key.der, " - "Please run from wolfSSL home dir", -40); - return -40; + "Please run from wolfSSL home dir", -41); + return -41; } cliKeySz = (long)fread(tmp, 1, FOURK_BUF, f); fclose(f); + + /* using existing wolfSSL api to get public and private key */ + x509 = wolfSSL_X509_load_certificate_file(clientCert, SSL_FILETYPE_ASN1); #endif /* USE_CERT_BUFFERS */ clikey = tmp; if ((prvKey = EVP_PKEY_new()) == NULL) { - return -41; + return -42; } EVP_PKEY_free(prvKey); prvKey = NULL; - /* using existing wolfSSL api to get public and private key */ - f = fopen(cliCert, "rb"); - if (f == NULL) { - return -42; - } - - x509 = wolfSSL_X509_load_certificate_file(cliCert, SSL_FILETYPE_PEM); - fclose(f); if (x509 == NULL) { ret = -43; goto openssl_pkey1_test_done; @@ -11731,6 +11731,7 @@ int openssl_pkey1_test(void) goto openssl_pkey1_test_done; } +#ifndef HAVE_FIPS if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_OAEP_PADDING) <= 0){ ret = -52; goto openssl_pkey1_test_done; @@ -11740,6 +11741,7 @@ int openssl_pkey1_test(void) ret = -53; goto openssl_pkey1_test_done; } +#endif XMEMSET(cipher, 0, sizeof(cipher)); if (EVP_PKEY_encrypt(enc, cipher, &outlen, msg, sizeof(msg)) < 0) { diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h index 01b603c70..d86a4a30f 100644 --- a/wolfssl/openssl/rsa.h +++ b/wolfssl/openssl/rsa.h 
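Review bot: In openssl_pkey1_test the certificate is now loaded before the `EVP_PKEY_new()` check, but that check still leaves with a bare `return -42;`, so an `x509` obtained a few lines earlier is never released on that path. `ret = -42; goto openssl_pkey1_test_done;` would match the `x509 == NULL` branch just below, assuming the label frees `x509` and tolerates a NULL `prvKey` (the label is outside this hunk). In the file branch the message still names `./certs/client-key.der` although the path opened is `clientKey`, and the `fread()` count is stored without checking for a short or failed read. Whether `clientCert` names a DER file, as `SSL_FILETYPE_ASN1` now requires, is not visible here.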
@@ -33,8 +33,19 @@ #endif #if !defined(NO_RSA) && !defined(HAVE_USER_RSA) -#define RSA_PKCS1_PADDING WC_RSA_PKCSV15_PAD -#define RSA_PKCS1_OAEP_PADDING WC_RSA_OAEP_PAD +#if defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION < 2)) + /* + choice of padding added after fips, so not available when using fips RSA + */ + + /* Padding types */ + #define RSA_PKCS1_PADDING 0 + #define RSA_PKCS1_OAEP_PADDING 1 +#else + #define RSA_PKCS1_PADDING WC_RSA_PKCSV15_PAD + #define RSA_PKCS1_OAEP_PADDING WC_RSA_OAEP_PAD +#endif /* HAVE_FIPS */ #endif #ifndef WOLFSSL_RSA_TYPE_DEFINED /* guard on redeclaration */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index ca9c8df1b..7fa9cd9e8 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1403,6 +1403,12 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_AES_DIRECT #endif #endif + #ifdef WOLFSSL_AES_CFB + /* AES-CFB makes calls to AES direct functions */ + #ifndef WOLFSSL_AES_DIRECT + #define WOLFSSL_AES_DIRECT + #endif + #endif #endif /* if desktop type system and fastmath increase default max bits */
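Review bot: The new guard `defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION < 2))` in rsa.h is already true for every build that defines `HAVE_FIPS`, so the version clause only matters if `HAVE_FIPS_VERSION` can be set without `HAVE_FIPS`, which the hunk does not show. If the intent is to exclude only older FIPS modules, the test would read `defined(HAVE_FIPS) && (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))`; if all FIPS builds are meant, `#if defined(HAVE_FIPS)` says so directly. In the FIPS branch the two constants become bare `0` and `1`, and the tests in this commit skip `EVP_PKEY_CTX_set_rsa_padding` under `HAVE_FIPS`, so it is worth a comment stating what that setter does with them there: a caller that asks for `RSA_PKCS1_OAEP_PADDING` should get an error rather than silently proceed with a different padding.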