feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Cryptocell rsa improvements to sign/verify more digest types

Browse Source
This commit is contained in:
Tesfa Mael
2019-12-30 11:08:22 -08:00
parent abc96f20fb
commit f58a9e81e9
4 changed files with 73 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
wolfcrypt/src/port/arm/cryptoCell.c
View File

@ -146,34 +146,37 @@ CRYS_ECPKI_DomainID_t cc310_mapCurve(int curve_id)
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
#ifndef NO_RSA #ifndef NO_RSA
CRYS_RSA_HASH_OpMode_t cc310_hashModeRSA(enum wc_HashType hash_type) CRYS_RSA_HASH_OpMode_t cc310_hashModeRSA(enum wc_HashType hash_type, int isHashed)
{ {
switch(hash_type) switch(hash_type)
{ {
case WC_HASH_TYPE_MD5: case WC_HASH_TYPE_MD5:
#ifndef NO_MD5 #ifndef NO_MD5
return CRYS_RSA_HASH_MD5_mode; return isHashed? CRYS_RSA_After_MD5_mode : CRYS_RSA_HASH_MD5_mode;
#endif #endif
case WC_HASH_TYPE_SHA: case WC_HASH_TYPE_SHA:
#ifndef NO_SHA #ifndef NO_SHA
return CRYS_RSA_HASH_SHA1_mode; return isHashed? CRYS_RSA_After_SHA1_mode : CRYS_RSA_HASH_SHA1_mode;
#endif #endif
case WC_HASH_TYPE_SHA224: case WC_HASH_TYPE_SHA224:
#ifdef WOLFSSL_SHA224 #ifdef WOLFSSL_SHA224
return CRYS_RSA_HASH_SHA224_mode; return isHashed? CRYS_RSA_After_SHA224_mode : CRYS_RSA_HASH_SHA224_mode;
#endif #endif
case WC_HASH_TYPE_SHA256: case WC_HASH_TYPE_SHA256:
#ifndef NO_SHA256 #ifndef NO_SHA256
return CRYS_RSA_HASH_SHA256_mode; return isHashed? CRYS_RSA_After_SHA256_mode : CRYS_RSA_HASH_SHA256_mode;
#endif #endif
case WC_HASH_TYPE_SHA384: case WC_HASH_TYPE_SHA384:
#ifdef WOLFSSL_SHA384 #ifdef WOLFSSL_SHA384
return CRYS_RSA_HASH_SHA384_mode; return isHashed? CRYS_RSA_After_SHA384_mode : CRYS_RSA_HASH_SHA384_mode;
#endif #endif
case WC_HASH_TYPE_SHA512: case WC_HASH_TYPE_SHA512:
#ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA512
return CRYS_RSA_HASH_SHA512_mode; return isHashed? CRYS_RSA_After_SHA512_mode : CRYS_RSA_HASH_SHA512_mode;
#endif #endif
case WC_HASH_TYPE_NONE:
/* default to SHA256 */
return isHashed? CRYS_RSA_After_SHA256_mode : CRYS_RSA_HASH_SHA256_mode;
default: default:
return CRYS_RSA_After_HASH_NOT_KNOWN_mode; return CRYS_RSA_After_HASH_NOT_KNOWN_mode;
} }

23
wolfcrypt/src/rsa.c
View File

@ -2522,17 +2522,12 @@ static int cc310_RsaPublicDecrypt(const byte* in, word32 inLen, byte* out,
return actualOutLen; return actualOutLen;
} }
static int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, enum wc_HashType hash) word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
{ {
CRYSError_t ret = 0; CRYSError_t ret = 0;
uint16_t actualOutLen = outLen*sizeof(byte); uint16_t actualOutLen = outLen*sizeof(byte);
CRYS_RSAPrivUserContext_t contextPrivate; CRYS_RSAPrivUserContext_t contextPrivate;
CRYS_RSA_HASH_OpMode_t mode = cc310_hashModeRSA(hash);
if (mode == CRYS_RSA_After_HASH_NOT_KNOWN_mode) {
mode = CRYS_RSA_HASH_SHA256_mode;
}
ret = CRYS_RSA_PKCS1v15_Sign(&wc_rndState, ret = CRYS_RSA_PKCS1v15_Sign(&wc_rndState,
wc_rndGenVectFunc, wc_rndGenVectFunc,
@ -2551,16 +2546,12 @@ static int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
return actualOutLen; return actualOutLen;
} }
static int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig, int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
RsaKey* key, enum wc_HashType hash) RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
{ {
CRYSError_t ret = 0; CRYSError_t ret = 0;
CRYS_RSAPubUserContext_t contextPub; CRYS_RSAPubUserContext_t contextPub;
CRYS_RSA_HASH_OpMode_t mode = cc310_hashModeRSA(hash);
if (mode == CRYS_RSA_After_HASH_NOT_KNOWN_mode) {
mode = CRYS_RSA_HASH_SHA256_mode;
}
/* verify the signature in the sig pointer */ /* verify the signature in the sig pointer */
ret = CRYS_RSA_PKCS1v15_Verify(&contextPub, ret = CRYS_RSA_PKCS1v15_Verify(&contextPub,
&key->ctx.pubKey, &key->ctx.pubKey,
@ -2765,7 +2756,8 @@ static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
} }
else if (rsa_type == RSA_PRIVATE_ENCRYPT && else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_1) { pad_value == RSA_BLOCK_TYPE_1) {
return cc310_RsaSSL_Sign(in, inLen, out, outLen, key, hash); return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
cc310_hashModeRSA(hash, 0));
} }
#endif /* WOLFSSL_CRYPTOCELL */ #endif /* WOLFSSL_CRYPTOCELL */
@ -2887,7 +2879,8 @@ static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
} }
else if (rsa_type == RSA_PUBLIC_DECRYPT && else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1) { pad_value == RSA_BLOCK_TYPE_1) {
return cc310_RsaSSL_Verify(in, inLen, out, key, hash); return cc310_RsaSSL_Verify(in, inLen, out, key,
cc310_hashModeRSA(hash, 0));
} }
#endif /* WOLFSSL_CRYPTOCELL */ #endif /* WOLFSSL_CRYPTOCELL */

56
wolfcrypt/src/signature.c
View File

@ -178,7 +178,15 @@ int wc_SignatureVerifyHash(
#ifndef NO_RSA #ifndef NO_RSA
#if defined(WOLFSSL_CRYPTOCELL) #if defined(WOLFSSL_CRYPTOCELL)
/* the signature must propagate to the cryptocell to get verfied */ /* the signature must propagate to the cryptocell to get verfied */
ret = wc_RsaSSL_Verify(hash_data, hash_len, (byte*)sig, sig_len, (RsaKey*)key); if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
ret = cc310_RsaSSL_Verify(hash_data, hash_len,(byte*)sig, key,
CRYS_RSA_HASH_SHA256_mode);
}
else {
ret = cc310_RsaSSL_Verify(hash_data, hash_len,(byte*)sig, key,
CRYS_RSA_After_SHA256_mode);
}
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("RSA Signature Verify difference!"); WOLFSSL_MSG("RSA Signature Verify difference!");
ret = SIG_VERIFY_E; ret = SIG_VERIFY_E;
@ -300,9 +308,23 @@ int wc_SignatureVerify(
} }
if (ret == 0) { if (ret == 0) {
#if defined(WOLFSSL_CRYPTOCELL)
if ((sig_type == WC_SIGNATURE_TYPE_RSA)
|| (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC)) {
if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
ret = cc310_RsaSSL_Verify(hash_data, hash_len, sig, key,
cc310_hashModeRSA(hash_type, 0));
}
else {
ret = cc310_RsaSSL_Verify(hash_data, hash_len, sig, key,
cc310_hashModeRSA(hash_type, 1));
}
}
#else
/* Verify signature using hash */ /* Verify signature using hash */
ret = wc_SignatureVerifyHash(hash_type, sig_type, ret = wc_SignatureVerifyHash(hash_type, sig_type,
hash_data, hash_enc_len, sig, sig_len, key, key_len); hash_data, hash_enc_len, sig, sig_len, key, key_len);
#endif /* WOLFSSL_CRYPTOCELL */
} }
} }
@ -378,6 +400,16 @@ int wc_SignatureGenerateHash_ex(
case WC_SIGNATURE_TYPE_RSA_W_ENC: case WC_SIGNATURE_TYPE_RSA_W_ENC:
case WC_SIGNATURE_TYPE_RSA: case WC_SIGNATURE_TYPE_RSA:
#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) #if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
#if defined(WOLFSSL_CRYPTOCELL)
if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, key,
cc310_hashModeRSA(hash_type, 0));
}
else {
ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, key,
cc310_hashModeRSA(hash_type, 1));
}
#else
/* Create signature using provided RSA key */ /* Create signature using provided RSA key */
do { do {
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
@ -388,6 +420,7 @@ int wc_SignatureGenerateHash_ex(
ret = wc_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, ret = wc_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len,
(RsaKey*)key, rng); (RsaKey*)key, rng);
} while (ret == WC_PENDING_E); } while (ret == WC_PENDING_E);
#endif /* WOLFSSL_CRYPTOCELL */
if (ret >= 0) { if (ret >= 0) {
*sig_len = ret; *sig_len = ret;
ret = 0; /* Success */ ret = 0; /* Success */
@ -484,8 +517,26 @@ int wc_SignatureGenerate_ex(
&hash_enc_len); &hash_enc_len);
#endif #endif
} }
if (ret == 0) { if (ret == 0) {
#if defined(WOLFSSL_CRYPTOCELL)
if ((sig_type == WC_SIGNATURE_TYPE_RSA)
|| (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC)) {
if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len,
key, cc310_hashModeRSA(hash_type, 0));
}
else {
ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len,
key, cc310_hashModeRSA(hash_type, 1));
}
if (ret == *sig_len) {
ret = 0;
}
}
}
}
#else
/* Generate signature using hash */ /* Generate signature using hash */
ret = wc_SignatureGenerateHash(hash_type, sig_type, ret = wc_SignatureGenerateHash(hash_type, sig_type,
hash_data, hash_enc_len, sig, sig_len, key, key_len, rng); hash_data, hash_enc_len, sig, sig_len, key, key_len, rng);
@ -496,6 +547,7 @@ int wc_SignatureGenerate_ex(
ret = wc_SignatureVerifyHash(hash_type, sig_type, hash_data, ret = wc_SignatureVerifyHash(hash_type, sig_type, hash_data,
hash_enc_len, sig, *sig_len, key, key_len); hash_enc_len, sig, *sig_len, key, key_len);
} }
#endif /* WOLFSSL_CRYPTOCELL */
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);

2
wolfssl/wolfcrypt/port/arm/cryptoCell.h
View File

@ -78,7 +78,7 @@ extern "C" {
CRYS_RSAUserPrivKey_t privKey; CRYS_RSAUserPrivKey_t privKey;
CRYS_RSAUserPubKey_t pubKey; CRYS_RSAUserPubKey_t pubKey;
} rsa_context_t; } rsa_context_t;
CRYS_RSA_HASH_OpMode_t cc310_hashModeRSA(enum wc_HashType hash_type); CRYS_RSA_HASH_OpMode_t cc310_hashModeRSA(enum wc_HashType hash_type, int isHashed);
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC