Files
wolfssl/wolfcrypt/src/rsa.c
T

6058 lines
183 KiB
C
Raw Normal View History

2014-12-18 11:10:55 -07:00
/* rsa.c
*
2026-02-18 09:52:21 -07:00
* Copyright (C) 2006-2026 wolfSSL Inc.
2014-12-18 11:10:55 -07:00
*
2016-03-17 16:02:13 -06:00
* This file is part of wolfSSL.
2014-12-18 11:10:55 -07:00
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
2025-07-10 16:01:52 -06:00
* the Free Software Foundation; either version 3 of the License, or
2014-12-18 11:10:55 -07:00
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
2016-03-17 16:02:13 -06:00
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
2014-12-18 11:10:55 -07:00
*/
2020-07-09 15:13:01 -07:00
/*
2016-03-17 16:02:13 -06:00
2020-07-09 15:13:01 -07:00
DESCRIPTION
This library provides the interface to the RSA.
RSA keys can be used to encrypt, decrypt, sign and verify data.
*/
2014-12-18 11:10:55 -07:00
#define _WC_BUILDING_RSA_C
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
2014-12-18 11:10:55 -07:00
#ifndef NO_RSA
2024-03-01 19:40:27 -05:00
#if FIPS_VERSION3_GE(2,0,0)
2017-12-07 10:58:55 -08:00
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$j")
#pragma const_seg(".fipsB$j")
2017-12-07 10:58:55 -08:00
#endif
#endif
2014-12-19 09:56:51 -07:00
#include <wolfssl/wolfcrypt/rsa.h>
#include <wolfssl/wolfcrypt/logging.h>
2014-12-19 09:56:51 -07:00
2019-01-18 16:08:23 -07:00
#ifdef WOLFSSL_AFALG_XILINX_RSA
2018-08-24 10:24:53 -06:00
#include <wolfssl/wolfcrypt/port/af_alg/wc_afalg.h>
#endif
2022-05-20 14:28:39 +02:00
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
#include <xsecure_rsaclient.h>
#endif
2025-02-11 15:19:31 +00:00
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#endif
2017-08-10 17:27:22 +10:00
#ifdef WOLFSSL_HAVE_SP_RSA
#include <wolfssl/wolfcrypt/sp.h>
#endif
2026-04-13 13:18:06 -04:00
#if defined(WOLFSSL_NXP_CASPER_RSA_PUB_EXPTMOD)
2026-03-31 16:45:19 -04:00
#include <wolfssl/wolfcrypt/port/nxp/casper_port.h>
#endif
2017-08-10 17:27:22 +10:00
/*
* RSA Build Options:
*
* Core:
* NO_RSA: Disable RSA support entirely default: off
* WOLFSSL_RSA_PUBLIC_ONLY: Only include RSA public key operations default: off
* WOLFSSL_RSA_VERIFY_ONLY: Only include RSA verify operation default: off
* WOLFSSL_RSA_VERIFY_INLINE: RSA verify inline (no output copy) default: off
* WC_RSA_DIRECT: Enable direct RSA encrypt/decrypt API default: off
* WC_RSA_NO_PADDING: Enable no-padding RSA mode default: off
* WOLFSSL_RSA_KEY_CHECK: Enable RSA key pair consistency check default: off
* WOLFSSL_RSA_CHECK_D_ON_DECRYPT: Validate private exponent d default: off
* before each decrypt operation
* WOLFSSL_RSA_DECRYPT_TO_0_LEN: Allow RSA decrypt result of 0 default: off
* length (empty plaintext)
* NO_RSA_BOUNDS_CHECK: Disable RSA bounds checking on input default: off
* SHOW_GEN: Show key generation progress dots default: off
*
* Padding:
* WC_RSA_PSS: Enable RSA-PSS signature support default: off
* WC_NO_RSA_OAEP: Disable RSA OAEP padding default: off
* WOLFSSL_PSS_LONG_SALT: Allow PSS salt longer than hash length default: off
* WOLFSSL_PSS_SALT_LEN_DISCOVER: Auto-discover PSS salt length default: off
* during verification
*
* Performance:
* WC_RSA_BLINDING: Use blinding with private key ops default: on
* Note: ~20% slower, protects against
* timing side-channels
* RSA_LOW_MEM: Non-CRT private ops, less memory default: off
* WC_RSA_NONBLOCK: Non-blocking RSA operations default: off
* WC_RSA_NONBLOCK_TIME: Time-based non-blocking RSA default: off
* WOLFSSL_MP_INVMOD_CONSTANT_TIME: Constant-time modular inverse default: off
* WC_RSA_NO_FERMAT_CHECK: Skip Fermat factorization check on default: off
* key generation (p and q closeness)
*
* Key Generation:
* WOLFSSL_KEY_GEN: Enable RSA private key generation default: off
* FP_MAX_BITS: Max key bits with USE_FAST_MATH default: 4096
* Value is key size * 2 (e.g. RSA 3072 = 6144)
*
* SP Math:
* WOLFSSL_HAVE_SP_RSA: Use SP math for RSA operations default: off
* WOLFSSL_SP_MATH: Use SP math only (no multi-precision) default: off
* WOLFSSL_SP_MATH_ALL: SP math for all key sizes default: off
* WOLFSSL_SP_NO_2048: Disable SP RSA 2048-bit support default: off
* WOLFSSL_SP_NO_3072: Disable SP RSA 3072-bit support default: off
* WOLFSSL_SP_4096: Enable SP RSA 4096-bit support default: off
* WOLFSSL_SP_ASM: Use SP assembly optimizations default: off
*
* Hardware Acceleration (RSA-specific):
* WC_ASYNC_ENABLE_RSA: Enable async RSA operations default: off
* WOLFSSL_KCAPI_RSA: Linux kernel crypto API for RSA default: off
* WOLFSSL_AFALG_XILINX_RSA: AF_ALG Xilinx RSA acceleration default: off
* WOLFSSL_SE050_NO_RSA: Disable SE050 RSA default: off
* WOLFSSL_XILINX_CRYPT: Xilinx crypto RSA acceleration default: off
*/
2014-12-31 15:31:50 -07:00
#include <wolfssl/wolfcrypt/random.h>
#ifdef WOLF_CRYPTO_CB
#include <wolfssl/wolfcrypt/cryptocb.h>
#endif
2015-02-20 15:51:21 -08:00
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
#define WOLFSSL_MISC_INCLUDED
2015-02-20 15:51:21 -08:00
#include <wolfcrypt/src/misc.c>
#endif
2014-12-18 11:10:55 -07:00
2024-03-01 19:40:27 -05:00
#if FIPS_VERSION3_GE(6,0,0)
const unsigned int wolfCrypt_FIPS_rsa_ro_sanity[2] =
{ 0x1a2b3c4d, 0x00000012 };
int wolfCrypt_FIPS_RSA_sanity(void)
{
return 0;
}
#endif
enum {
RSA_STATE_NONE = 0,
RSA_STATE_ENCRYPT_PAD,
RSA_STATE_ENCRYPT_EXPTMOD,
RSA_STATE_ENCRYPT_RES,
RSA_STATE_DECRYPT_EXPTMOD,
RSA_STATE_DECRYPT_UNPAD,
RSA_STATE_DECRYPT_RES
};
static void wc_RsaCleanup(RsaKey* key)
{
#if !defined(WOLFSSL_NO_MALLOC) && (defined(WOLFSSL_ASYNC_CRYPT) || \
(!defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)))
if (key != NULL) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
/* if private operation zero temp buffer */
if ((key->data != NULL && key->dataLen > 0) &&
(key->type == RSA_PRIVATE_DECRYPT ||
key->type == RSA_PRIVATE_ENCRYPT)) {
ForceZero(key->data, key->dataLen);
}
#endif
/* make sure any allocated memory is free'd */
if (key->dataIsAlloc) {
XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
key->dataIsAlloc = 0;
}
key->data = NULL;
key->dataLen = 0;
}
#else
(void)key;
#endif
}
2024-10-17 18:48:07 -05:00
#ifndef WC_NO_CONSTRUCTORS
#define RSA_NEW_INIT_PLAIN 0
#ifdef WOLF_PRIVATE_KEY_ID
#define RSA_NEW_INIT_ID 1
#define RSA_NEW_INIT_LABEL 2
#endif
static RsaKey* _NewRsaKey_common(void* heap, int devId, int *result_code,
int rsaInitType, unsigned char* id,
int idLen, const char* label)
2024-09-24 14:29:46 -07:00
{
int ret;
2024-09-24 14:29:46 -07:00
RsaKey* key = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
if (key == NULL) {
ret = MEMORY_E;
}
else {
switch (rsaInitType) {
#ifdef WOLF_PRIVATE_KEY_ID
case RSA_NEW_INIT_ID:
if (id == NULL || idLen == 0 || label != NULL) {
ret = BAD_FUNC_ARG;
}
else {
ret = wc_InitRsaKey_Id(key, id, idLen, heap, devId);
}
break;
case RSA_NEW_INIT_LABEL:
if (label == NULL || id != NULL || idLen != 0) {
ret = BAD_FUNC_ARG;
}
else {
ret = wc_InitRsaKey_Label(key, label, heap, devId);
}
break;
#endif
default:
if (id != NULL || idLen != 0 || label != NULL) {
ret = BAD_FUNC_ARG;
}
else {
ret = wc_InitRsaKey_ex(key, heap, devId);
}
break;
}
if (ret != 0) {
2024-09-24 14:29:46 -07:00
XFREE(key, heap, DYNAMIC_TYPE_RSA);
key = NULL;
}
}
(void)rsaInitType;
(void)id;
(void)idLen;
(void)label;
if (result_code != NULL) {
*result_code = ret;
}
2024-09-24 14:29:46 -07:00
return key;
}
RsaKey* wc_NewRsaKey(void* heap, int devId, int *result_code)
{
return _NewRsaKey_common(heap, devId, result_code,
RSA_NEW_INIT_PLAIN, NULL, 0, NULL);
}
#ifdef WOLF_PRIVATE_KEY_ID
RsaKey* wc_NewRsaKey_Id(unsigned char* id, int len, void* heap, int devId,
int *result_code)
{
return _NewRsaKey_common(heap, devId, result_code,
RSA_NEW_INIT_ID, id, len, NULL);
}
RsaKey* wc_NewRsaKey_Label(const char* label, void* heap, int devId,
int *result_code)
{
return _NewRsaKey_common(heap, devId, result_code,
RSA_NEW_INIT_LABEL, NULL, 0, label);
}
#endif /* WOLF_PRIVATE_KEY_ID */
int wc_DeleteRsaKey(RsaKey* key, RsaKey** key_p)
2024-10-17 18:48:07 -05:00
{
2026-04-06 22:15:02 +00:00
void* heap;
if (key == NULL) {
2024-10-17 18:48:07 -05:00
return BAD_FUNC_ARG;
}
2026-04-06 22:15:02 +00:00
heap = key->heap;
wc_FreeRsaKey(key);
2026-04-06 22:15:02 +00:00
XFREE(key, heap, DYNAMIC_TYPE_RSA);
if (key_p != NULL) {
*key_p = NULL;
}
2024-10-17 18:48:07 -05:00
return 0;
}
#endif /* !WC_NO_CONSTRUCTORS */
int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
{
2024-09-24 14:29:46 -07:00
int ret = 0;
if (key == NULL) {
return BAD_FUNC_ARG;
}
2017-01-25 18:06:25 -07:00
XMEMSET(key, 0, sizeof(RsaKey));
key->type = RSA_TYPE_UNKNOWN;
key->state = RSA_STATE_NONE;
key->heap = heap;
#if !defined(WOLFSSL_NO_MALLOC) && (defined(WOLFSSL_ASYNC_CRYPT) || \
(!defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)))
key->dataIsAlloc = 0;
#endif
#ifdef WOLF_CRYPTO_CB
key->devId = devId;
#else
(void)devId;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
#ifdef WOLFSSL_CERT_GEN
XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
#endif
#ifdef WC_ASYNC_ENABLE_RSA
#ifdef WOLF_CRYPTO_CB
/* prefer crypto callback */
if (key->devId != INVALID_DEVID)
#endif
{
/* handle as async */
ret = wolfAsync_DevCtxInit(&key->asyncDev,
WOLFSSL_ASYNC_MARKER_RSA, key->heap, devId);
if (ret != 0)
return ret;
}
#endif /* WC_ASYNC_ENABLE_RSA */
#endif /* WOLFSSL_ASYNC_CRYPT */
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
if (ret != MP_OKAY)
return ret;
#if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)
ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL);
#else
ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
#endif
if (ret != MP_OKAY) {
mp_clear(&key->n);
mp_clear(&key->e);
return ret;
}
#else
ret = mp_init(&key->n);
if (ret != MP_OKAY)
return ret;
ret = mp_init(&key->e);
if (ret != MP_OKAY) {
mp_clear(&key->n);
return ret;
}
#endif
2017-06-07 11:37:21 -06:00
#ifdef WOLFSSL_XILINX_CRYPT
key->pubExp = 0;
key->mod = NULL;
#endif
2019-01-18 16:08:23 -07:00
#ifdef WOLFSSL_AFALG_XILINX_RSA
2018-08-24 10:24:53 -06:00
key->alFd = WC_SOCK_NOTSET;
key->rdFd = WC_SOCK_NOTSET;
#endif
#ifdef WOLFSSL_KCAPI_RSA
key->handle = NULL;
#endif
2023-08-09 09:08:44 +09:00
#if defined(WOLFSSL_RENESAS_FSPSM)
key->ctx.wrapped_pri1024_key = NULL;
key->ctx.wrapped_pub1024_key = NULL;
key->ctx.wrapped_pri2048_key = NULL;
key->ctx.wrapped_pub2048_key = NULL;
key->ctx.keySz = 0;
#endif
return ret;
}
2014-12-31 15:31:50 -07:00
int wc_InitRsaKey(RsaKey* key, void* heap)
{
return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
2014-12-31 15:31:50 -07:00
}
#ifdef WOLF_PRIVATE_KEY_ID
2018-09-12 08:56:59 +10:00
int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
int devId)
{
int ret = 0;
2025-02-11 15:19:31 +00:00
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
/* SE050 TLS users store a word32 at id, need to cast back */
word32* keyPtr = NULL;
#endif
2018-09-12 08:56:59 +10:00
if (key == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN))
ret = BUFFER_E;
if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0 && id != NULL && len != 0) {
XMEMCPY(key->id, id, (size_t)len);
2018-09-12 08:56:59 +10:00
key->idLen = len;
2025-02-11 15:19:31 +00:00
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
/* Set SE050 ID from word32, populate RsaKey with public from SE050 */
if (len == (int)sizeof(word32)) {
keyPtr = (word32*)key->id;
ret = wc_RsaUseKeyId(key, *keyPtr, 0);
}
#endif
2018-09-12 08:56:59 +10:00
}
return ret;
}
int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (key == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = (int)XSTRLEN(label);
if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0) {
XMEMCPY(key->label, label, (size_t)labelLen);
key->labelLen = labelLen;
}
return ret;
}
#endif /* WOLF_PRIVATE_KEY_ID */
2018-09-12 08:56:59 +10:00
2017-06-07 11:37:21 -06:00
#ifdef WOLFSSL_XILINX_CRYPT
#define MAX_E_SIZE 4
/* Used to setup hardware state
*
* key the RSA key to setup
*
* returns 0 on success
*/
int wc_InitRsaHw(RsaKey* key)
{
unsigned char* m; /* RSA modulus */
2017-06-07 11:37:21 -06:00
word32 e = 0; /* RSA public exponent */
int mSz;
int eSz;
2022-05-20 14:28:39 +02:00
int ret;
2017-06-07 11:37:21 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
mSz = mp_unsigned_bin_size(&(key->n));
2022-05-20 14:28:39 +02:00
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
if (mSz > WOLFSSL_XSECURE_RSA_KEY_SIZE) {
return BAD_FUNC_ARG;
}
/* Allocate 4 bytes more for the public exponent. */
m = (unsigned char*) XMALLOC(WOLFSSL_XSECURE_RSA_KEY_SIZE + 4, key->heap,
DYNAMIC_TYPE_KEY);
#else
2017-06-07 11:37:21 -06:00
m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
2022-05-20 14:28:39 +02:00
#endif
2020-05-19 16:41:51 -07:00
if (m == NULL) {
2017-06-07 11:37:21 -06:00
return MEMORY_E;
}
if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
WOLFSSL_MSG("Unable to get RSA key modulus");
2017-06-07 11:37:21 -06:00
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return MP_READ_E;
}
2022-05-20 14:28:39 +02:00
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
XMEMSET(m + mSz, 0, WOLFSSL_XSECURE_RSA_KEY_SIZE + 4 - mSz);
#endif
2017-06-07 11:37:21 -06:00
eSz = mp_unsigned_bin_size(&(key->e));
if (eSz > MAX_E_SIZE) {
WOLFSSL_MSG("Exponent of size 4 bytes expected");
2017-06-07 11:37:21 -06:00
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return BAD_FUNC_ARG;
}
if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
!= MP_OKAY) {
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
WOLFSSL_MSG("Unable to get RSA key exponent");
return MP_READ_E;
}
/* check for existing mod buffer to avoid memory leak */
XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
2017-06-07 11:37:21 -06:00
key->pubExp = e;
key->mod = m;
2022-05-20 14:28:39 +02:00
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
ret = wc_InitXsecure(&(key->xSec));
if (ret != 0) {
WOLFSSL_MSG("Unable to initialize xSecure for RSA");
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return ret;
}
XMEMCPY(&m[WOLFSSL_XSECURE_RSA_KEY_SIZE], &e, sizeof(e));
key->mSz = mSz;
#else
2017-06-07 11:37:21 -06:00
if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
(byte*)&(key->pubExp)) != XST_SUCCESS) {
WOLFSSL_MSG("Unable to initialize RSA on hardware");
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return BAD_STATE_E;
}
#ifdef WOLFSSL_XILINX_PATCH
/* currently a patch of xsecure_rsa.c for 2048 bit keys */
if (wc_RsaEncryptSize(key) == 256) {
if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
WOLFSSL_MSG("Unable to set RSA key size on hardware");
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return BAD_STATE_E;
}
}
2022-05-20 14:28:39 +02:00
#endif
2017-06-07 11:37:21 -06:00
#endif
2019-03-27 20:44:38 -07:00
return 0;
} /* WOLFSSL_XILINX_CRYPT*/
2017-06-07 11:37:21 -06:00
2019-03-27 20:44:38 -07:00
#elif defined(WOLFSSL_CRYPTOCELL)
int wc_InitRsaHw(RsaKey* key)
{
CRYSError_t ret = 0;
byte e[3];
word32 eSz = sizeof(e);
byte n[256];
word32 nSz = sizeof(n);
byte d[256];
word32 dSz = sizeof(d);
byte p[128];
word32 pSz = sizeof(p);
byte q[128];
word32 qSz = sizeof(q);
if (key == NULL) {
return BAD_FUNC_ARG;
}
ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
if (ret != 0)
return MP_READ_E;
ret = CRYS_RSA_Build_PubKey(&key->ctx.pubKey, e, eSz, n, nSz);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_Build_PubKey failed");
return ret;
}
ret = CRYS_RSA_Build_PrivKey(&key->ctx.privKey, d, dSz, e, eSz, n, nSz);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_Build_PrivKey failed");
return ret;
}
key->type = RSA_PRIVATE;
2017-06-07 11:37:21 -06:00
return 0;
}
2019-03-27 20:44:38 -07:00
static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
{
CRYSError_t ret = 0;
CRYS_RSAKGData_t KeyGenData;
CRYS_RSAKGFipsContext_t FipsCtx;
byte ex[3];
2021-01-18 09:03:58 +10:00
word16 eSz = sizeof(ex);
2019-03-27 20:44:38 -07:00
byte n[256];
2021-01-18 09:03:58 +10:00
word16 nSz = sizeof(n);
2019-03-27 20:44:38 -07:00
ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState,
wc_rndGenVectFunc,
(byte*)&e,
2021-01-18 09:03:58 +10:00
3*sizeof(byte),
2019-03-27 20:44:38 -07:00
size,
&key->ctx.privKey,
&key->ctx.pubKey,
&KeyGenData,
&FipsCtx);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_KG_GenerateKeyPair failed");
return ret;
}
ret = CRYS_RSA_Get_PubKey(&key->ctx.pubKey, ex, &eSz, n, &nSz);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_Get_PubKey failed");
return ret;
}
ret = wc_RsaPublicKeyDecodeRaw(n, nSz, ex, eSz, key);
key->type = RSA_PRIVATE;
return ret;
}
#endif /* WOLFSSL_CRYPTOCELL */
2017-06-07 11:37:21 -06:00
2025-02-11 15:19:31 +00:00
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
/* Use specified hardware key ID with RsaKey operations. Unlike devId,
* keyId is a word32 so can handle key IDs larger than an int.
*
* key initialized RsaKey struct
* keyId hardware key ID which stores RSA key
* flags optional flags, currently unused
*
* Return 0 on success, negative on error */
int wc_RsaUseKeyId(RsaKey* key, word32 keyId, word32 flags)
{
(void)flags;
if (key == NULL) {
return BAD_FUNC_ARG;
}
return se050_rsa_use_key_id(key, keyId);
}
/* Get hardware key ID associated with this RsaKey structure.
*
* key initialized RsaKey struct
* keyId [OUT] output for key ID associated with this structure
*
* Returns 0 on success, negative on error.
*/
int wc_RsaGetKeyId(RsaKey* key, word32* keyId)
{
if (key == NULL || keyId == NULL) {
return BAD_FUNC_ARG;
}
return se050_rsa_get_key_id(key, keyId);
}
#endif /* WOLFSSL_SE050 */
2014-12-31 15:31:50 -07:00
int wc_FreeRsaKey(RsaKey* key)
{
int ret = 0;
2014-12-31 15:31:50 -07:00
if (key == NULL) {
return BAD_FUNC_ARG;
2014-12-31 15:31:50 -07:00
}
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE)
#ifndef WOLF_CRYPTO_CB_FIND
if (key->devId != INVALID_DEVID)
#endif
{
ret = wc_CryptoCb_Free(key->devId, WC_ALGO_TYPE_PK,
WC_PK_TYPE_RSA, 0, key);
/* If callback wants standard free, it returns CRYPTOCB_UNAVAILABLE.
* Otherwise assume the callback handled cleanup. */
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
return ret;
/* fall-through to software cleanup */
ret = 0;
}
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_FREE */
#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
se050_rsa_free_key(key);
#endif
wc_RsaCleanup(key);
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
#endif
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2026-03-05 15:39:20 -06:00
/* Forcezero all private key fields that are present in this build
* configuration, since they may contain residual sensitive data even when
* key->type is not RSA_PRIVATE (e.g., after a partial key decode failure). */
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
2026-03-05 15:25:29 -06:00
mp_forcezero(&key->u);
mp_forcezero(&key->dQ);
mp_forcezero(&key->dP);
#endif
2026-03-05 15:25:29 -06:00
mp_forcezero(&key->q);
mp_forcezero(&key->p);
mp_forcezero(&key->d);
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
/* public part */
mp_clear(&key->e);
mp_clear(&key->n);
2017-06-07 11:37:21 -06:00
#ifdef WOLFSSL_XILINX_CRYPT
XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
2017-06-07 11:37:21 -06:00
key->mod = NULL;
#endif
2019-01-18 16:08:23 -07:00
#ifdef WOLFSSL_AFALG_XILINX_RSA
2018-08-24 10:24:53 -06:00
/* make sure that sockets are closed on cleanup */
if (key->alFd > 0) {
close(key->alFd);
key->alFd = WC_SOCK_NOTSET;
}
if (key->rdFd > 0) {
close(key->rdFd);
key->rdFd = WC_SOCK_NOTSET;
}
#endif
#ifdef WOLFSSL_KCAPI_RSA
KcapiRsa_Free(key);
#endif
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Check(key, sizeof(RsaKey));
#endif
2023-09-13 18:05:23 +09:00
#if defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY)
2023-08-09 09:08:44 +09:00
wc_fspsm_RsaKeyFree(key);
#endif
#ifdef WOLFSSL_MICROCHIP_TA100
wc_Microchip_rsa_free(key);
#endif
return ret;
2014-12-31 15:31:50 -07:00
}
#ifdef WOLFSSL_RSA_KEY_CHECK
2021-04-12 17:13:25 -07:00
/* Check the pair-wise consistency of the RSA key. */
static int _ifc_pairwise_consistency_test(RsaKey* key, WC_RNG* rng)
{
static const char* msg = "Everyone gets Friday off.";
#ifndef WOLFSSL_NO_MALLOC
byte* sig = NULL;
#else
byte sig[RSA_MAX_SIZE/8];
#endif
2021-04-12 17:13:25 -07:00
byte* plain;
int ret = 0;
word32 msgLen, plainLen, sigLen;
msgLen = (word32)XSTRLEN(msg);
ret = wc_RsaEncryptSize(key);
if (ret < 0)
return ret;
else if (ret == 0)
return BAD_FUNC_ARG;
sigLen = (word32)ret;
2021-04-12 17:13:25 -07:00
WOLFSSL_MSG("Doing RSA consistency test");
#ifndef WOLFSSL_NO_MALLOC
2021-04-12 17:13:25 -07:00
/* Sign and verify. */
2022-06-05 09:04:42 +09:00
sig = (byte*)XMALLOC(sigLen, key->heap, DYNAMIC_TYPE_RSA);
2021-04-12 17:13:25 -07:00
if (sig == NULL) {
return MEMORY_E;
}
#endif
2021-04-12 17:13:25 -07:00
XMEMSET(sig, 0, sigLen);
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Add("Pairwise CT sig", sig, sigLen);
#endif
plain = sig;
2021-04-12 17:13:25 -07:00
#ifdef WOLFSSL_ASYNC_CRYPT
/* Do blocking async calls here, caller does not support WC_PENDING_E */
do {
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
if (ret >= 0)
#endif
ret = wc_RsaSSL_Sign((const byte*)msg, msgLen, sig, sigLen, key, rng);
#ifdef WOLFSSL_ASYNC_CRYPT
} while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
#endif
2021-10-12 11:53:26 -05:00
2021-04-12 17:13:25 -07:00
if (ret > 0) {
sigLen = (word32)ret;
#ifdef WOLFSSL_ASYNC_CRYPT
/* Do blocking async calls here, caller does not support WC_PENDING_E */
2021-10-12 11:53:26 -05:00
do {
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
if (ret >= 0)
#endif
ret = wc_RsaSSL_VerifyInline(sig, sigLen, &plain, key);
#ifdef WOLFSSL_ASYNC_CRYPT
} while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
#endif
2021-04-12 17:13:25 -07:00
}
if (ret > 0) {
plainLen = (word32)ret;
ret = (msgLen != plainLen) || (XMEMCMP(plain, msg, msgLen) != 0);
}
if (ret != 0)
ret = RSA_KEY_PAIR_E;
ForceZero(sig, sigLen);
#ifndef WOLFSSL_NO_MALLOC
2022-06-05 09:04:42 +09:00
XFREE(sig, key->heap, DYNAMIC_TYPE_RSA);
#endif
2021-04-12 17:13:25 -07:00
return ret;
}
2018-04-26 14:02:43 -07:00
int wc_CheckRsaKey(RsaKey* key)
{
WC_RNG *rng = NULL;
#if !defined(WOLFSSL_SMALL_STACK) || defined(WOLFSSL_NO_MALLOC)
WC_RNG rng_buf;
#endif
2018-04-26 14:02:43 -07:00
int ret = 0;
DECL_MP_INT_SIZE_DYN(tmp, (key)? mp_bitsused(&key->n) : 0, RSA_MAX_SIZE);
if (key == NULL) {
return BAD_FUNC_ARG;
}
2018-04-26 14:02:43 -07:00
2021-12-08 23:59:19 +00:00
#ifdef WOLFSSL_CAAM
/* can not perform these checks on an encrypted key */
if (key->blackKey != 0) {
return 0;
}
#endif
if (MP_BITS_OVER_MAX(mp_bitsused(&key->n), RSA_MAX_SIZE)) {
return WC_KEY_SIZE_E;
}
2023-03-24 15:02:15 +10:00
NEW_MP_INT_SIZE(tmp, mp_bitsused(&key->n), NULL, DYNAMIC_TYPE_RSA);
#ifdef MP_INT_SIZE_CHECK_NULL
if (tmp == NULL) {
return MEMORY_E;
2021-04-12 17:13:25 -07:00
}
#endif
if (key->rng)
rng = key->rng;
else {
#if !defined(WOLFSSL_SMALL_STACK) || defined(WOLFSSL_NO_MALLOC)
rng = &rng_buf;
#else
rng = (WC_RNG *)XMALLOC(sizeof(*rng), NULL, DYNAMIC_TYPE_RNG);
if (rng == NULL) {
FREE_MP_INT_SIZE(tmp, NULL, DYNAMIC_TYPE_RSA);
return MEMORY_E;
}
#endif
ret = wc_InitRng(rng);
2025-12-23 13:05:40 -06:00
if (ret != 0) {
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
XFREE(rng, NULL, DYNAMIC_TYPE_RNG);
FREE_MP_INT_SIZE(tmp, NULL, DYNAMIC_TYPE_RSA);
#endif
return ret;
}
}
2021-04-12 17:13:25 -07:00
if (ret == 0) {
2023-03-24 15:02:15 +10:00
if (INIT_MP_INT_SIZE(tmp, mp_bitsused(&key->n)) != MP_OKAY)
2021-04-12 17:13:25 -07:00
ret = MP_INIT_E;
}
2018-04-26 14:02:43 -07:00
2021-04-12 17:13:25 -07:00
if (ret == 0)
ret = _ifc_pairwise_consistency_test(key, rng);
2018-04-26 14:02:43 -07:00
2019-11-01 16:25:57 +10:00
/* Check d is less than n. */
if (ret == 0 ) {
if (mp_cmp(&key->d, &key->n) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check p*q = n. */
if (ret == 0 ) {
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_add("RSA CheckKey tmp", tmp);
#endif
2019-11-01 16:25:57 +10:00
if (mp_mul(&key->p, &key->q, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (mp_cmp(&key->n, tmp) != MP_EQ) {
ret = MP_EXPTMOD_E;
}
}
2022-04-28 16:29:48 +10:00
#ifndef WC_RSA_NO_FERMAT_CHECK
/* Fermat's Factorization works when difference between p and q
* is less than (conservatively):
* n^(1/4) + 32
* ~= 2^(bit count of n)^(1/4) + 32) = 2^((bit count of n)/4 + 32)
*/
if (ret == 0) {
ret = mp_sub(&key->p, &key->q, tmp);
}
if (ret == 0) {
if (mp_count_bits(tmp) <= (mp_count_bits(&key->n) / 4 + 32)) {
ret = MP_EXPTMOD_E;
}
}
#endif
2019-11-01 16:25:57 +10:00
/* Check dP, dQ and u if they exist */
if (ret == 0 && !mp_iszero(&key->dP)) {
2020-01-15 22:15:38 +10:00
if (mp_sub_d(&key->p, 1, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
2019-11-01 16:25:57 +10:00
}
/* Check dP <= p-1. */
if (ret == 0) {
if (mp_cmp(&key->dP, tmp) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check e*dP mod p-1 = 1. (dP = 1/e mod p-1) */
if (ret == 0) {
if (mp_mulmod(&key->dP, &key->e, tmp, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (!mp_isone(tmp)) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0) {
if (mp_sub_d(&key->q, 1, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
/* Check dQ <= q-1. */
if (ret == 0) {
if (mp_cmp(&key->dQ, tmp) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check e*dP mod p-1 = 1. (dQ = 1/e mod q-1) */
if (ret == 0) {
if (mp_mulmod(&key->dQ, &key->e, tmp, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (!mp_isone(tmp)) {
ret = MP_EXPTMOD_E;
}
}
/* Check u <= p. */
if (ret == 0) {
if (mp_cmp(&key->u, &key->p) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check u*q mod p = 1. (u = 1/q mod p) */
if (ret == 0) {
if (mp_mulmod(&key->u, &key->q, &key->p, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (!mp_isone(tmp)) {
ret = MP_EXPTMOD_E;
}
}
}
mp_forcezero(tmp);
if ((rng != NULL) && (rng != key->rng)) {
wc_FreeRng(rng);
#ifdef WOLFSSL_SMALL_STACK
XFREE(rng, NULL, DYNAMIC_TYPE_RNG);
#endif
}
#ifdef WOLFSSL_CHECK_MEM_ZERO
2022-06-13 16:21:41 +10:00
mp_memzero_check(tmp);
#endif
2026-06-05 11:30:53 +10:00
FREE_MP_INT_SIZE(tmp, NULL, DYNAMIC_TYPE_RSA);
2018-04-26 14:02:43 -07:00
return ret;
}
#endif /* WOLFSSL_RSA_KEY_CHECK */
2018-04-26 14:02:43 -07:00
2017-05-10 16:59:11 +10:00
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
2016-01-05 10:56:15 -07:00
/* Uses MGF1 standard as a mask generation function
hType: hash type used
seed: seed to use for generating mask
seedSz: size of seed buffer
out: mask output after generation
outSz: size of output buffer
*/
#if !defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
byte* out, word32 outSz, void* heap)
2016-01-05 10:56:15 -07:00
{
2022-05-03 22:57:47 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
byte* tmp = NULL;
2022-05-06 16:14:47 -07:00
byte tmpF = 0; /* 1 if dynamic memory needs freed */
2022-05-03 22:57:47 -07:00
#else
2022-05-06 12:00:32 -07:00
byte tmp[RSA_MAX_SIZE/8];
2022-05-03 22:57:47 -07:00
#endif
2016-01-14 14:26:17 -07:00
/* needs to be large enough for seed size plus counter(4) */
byte tmpA[WC_MAX_DIGEST_SIZE + 4];
2022-05-03 22:57:47 -07:00
word32 tmpSz = 0;
2016-01-05 10:56:15 -07:00
int hLen;
int ret;
word32 counter;
word32 idx;
#ifdef WOLFSSL_SMALL_STACK_CACHE
wc_HashAlg *hash;
#endif
2016-01-05 10:56:15 -07:00
hLen = wc_HashGetDigestSize(hType);
counter = 0;
idx = 0;
(void)heap;
2022-05-06 12:00:32 -07:00
XMEMSET(tmpA, 0, sizeof(tmpA));
2016-01-14 14:26:17 -07:00
/* check error return of wc_HashGetDigestSize */
if (hLen < 0) {
return hLen;
}
/* if tmp is not large enough than use some dynamic memory */
if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
/* find largest amount of memory needed which will be the max of
* hLen and (seedSz + 4) since tmp is used to store the hash digest */
tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
2022-05-03 22:57:47 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (tmp == NULL) {
return MEMORY_E;
}
tmpF = 1; /* make sure to free memory when done */
2022-05-17 09:21:20 -07:00
#else
if (tmpSz > RSA_MAX_SIZE/8)
return BAD_FUNC_ARG;
2022-05-03 22:57:47 -07:00
#endif
2016-01-14 14:26:17 -07:00
}
else {
/* use array on the stack */
#ifndef WOLFSSL_SMALL_STACK_CACHE
2016-01-14 14:26:17 -07:00
tmpSz = sizeof(tmpA);
#endif
2022-05-03 22:57:47 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
2016-01-14 14:26:17 -07:00
tmp = tmpA;
tmpF = 0; /* no need to free memory at end */
2022-05-06 16:14:47 -07:00
#endif
2016-01-14 14:26:17 -07:00
}
#ifdef WOLFSSL_SMALL_STACK_CACHE
hash = (wc_HashAlg*)XMALLOC(sizeof(*hash), heap, DYNAMIC_TYPE_DIGEST);
if (hash == NULL) {
2022-06-30 21:18:08 +10:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
if (tmpF) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
}
2022-06-30 21:18:08 +10:00
#endif
return MEMORY_E;
}
ret = wc_HashInit_ex(hash, hType, heap, INVALID_DEVID);
if (ret != 0) {
XFREE(hash, heap, DYNAMIC_TYPE_DIGEST);
2022-06-30 21:18:08 +10:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
if (tmpF) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
}
2022-06-30 21:18:08 +10:00
#endif
return ret;
}
#endif
2016-01-05 10:56:15 -07:00
do {
int i = 0;
XMEMCPY(tmp, seed, seedSz);
/* counter to byte array appended to tmp */
2020-07-09 15:13:01 -07:00
tmp[seedSz] = (byte)((counter >> 24) & 0xFF);
tmp[seedSz + 1] = (byte)((counter >> 16) & 0xFF);
tmp[seedSz + 2] = (byte)((counter >> 8) & 0xFF);
tmp[seedSz + 3] = (byte)((counter) & 0xFF);
2016-01-05 10:56:15 -07:00
/* hash and append to existing output */
#ifdef WOLFSSL_SMALL_STACK_CACHE
ret = wc_HashUpdate(hash, hType, tmp, (seedSz + 4));
if (ret == 0) {
ret = wc_HashFinal(hash, hType, tmp);
}
#else
ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz);
#endif
if (ret != 0) {
2016-01-14 23:58:30 -07:00
/* check for if dynamic memory was needed, then free */
#ifdef WOLFSSL_SMALL_STACK_CACHE
wc_HashFree(hash, hType);
XFREE(hash, heap, DYNAMIC_TYPE_DIGEST);
#endif
2022-05-03 22:57:47 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
2016-01-14 23:58:30 -07:00
if (tmpF) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 23:58:30 -07:00
}
2022-05-03 22:57:47 -07:00
#endif
2016-01-05 10:56:15 -07:00
return ret;
}
for (i = 0; i < hLen && idx < outSz; i++) {
out[idx++] = tmp[i];
}
counter++;
} while (idx < outSz);
2022-05-06 16:14:47 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
2016-01-14 14:26:17 -07:00
/* check for if dynamic memory was needed, then free */
if (tmpF) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
}
2022-05-06 16:14:47 -07:00
#endif
#ifdef WOLFSSL_SMALL_STACK_CACHE
wc_HashFree(hash, hType);
XFREE(hash, heap, DYNAMIC_TYPE_DIGEST);
#endif
2016-01-14 14:26:17 -07:00
2016-01-05 10:56:15 -07:00
return 0;
}
#endif /* SHA2 Hashes */
2016-01-05 10:56:15 -07:00
2026-03-24 04:21:04 -06:00
#if defined(WOLFSSL_SHA3) && \
(defined(WOLFSSL_SHAKE128) || defined(WOLFSSL_SHAKE256))
/* SHAKE XOF used directly as mask generation function (not MGF1).
* Per FIPS 186-5, SHAKE can be used as the MGF for RSA-PSS. */
static int RsaMGF_SHAKE(enum wc_HashType shakeType, byte* seed, word32 seedSz,
byte* out, word32 outSz, void* heap)
{
WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
int ret;
(void)heap;
(void)shakeType;
WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
return MEMORY_E);
#ifdef WOLFSSL_SHAKE128
if (shakeType == WC_HASH_TYPE_SHAKE128) {
2026-03-24 04:21:04 -06:00
ret = wc_InitShake128(shake, heap, INVALID_DEVID);
if (ret == 0) {
2026-03-24 04:21:04 -06:00
ret = wc_Shake128_Update(shake, seed, seedSz);
if (ret == 0)
ret = wc_Shake128_Final(shake, out, outSz);
wc_Shake128_Free(shake);
}
}
else
2026-03-24 04:21:04 -06:00
#endif
#ifdef WOLFSSL_SHAKE256
if (shakeType == WC_HASH_TYPE_SHAKE256) {
ret = wc_InitShake256(shake, heap, INVALID_DEVID);
if (ret == 0) {
2026-03-24 04:21:04 -06:00
ret = wc_Shake256_Update(shake, seed, seedSz);
if (ret == 0)
ret = wc_Shake256_Final(shake, out, outSz);
wc_Shake256_Free(shake);
}
}
else
2026-03-24 04:21:04 -06:00
#endif
{
ret = BAD_FUNC_ARG;
2026-03-24 04:21:04 -06:00
}
WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
#endif /* WOLFSSL_SHA3 && (WOLFSSL_SHAKE128 || WOLFSSL_SHAKE256) */
2016-01-05 10:56:15 -07:00
/* helper function to direct which mask generation function is used
switched on type input
2016-01-05 10:56:15 -07:00
*/
static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
word32 outSz, void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
switch(type) {
#ifndef NO_SHA
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA1:
ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
break;
#endif
#ifndef NO_SHA256
2016-11-10 15:52:26 +10:00
#ifdef WOLFSSL_SHA224
case WC_MGF1SHA224:
ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
break;
#endif
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA256:
ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
break;
#endif
#ifdef WOLFSSL_SHA384
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA384:
ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
break;
#endif
#ifdef WOLFSSL_SHA512
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA512:
ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
break;
2022-04-05 18:16:20 +10:00
#ifndef WOLFSSL_NOSHA512_224
case WC_MGF1SHA512_224:
ret = RsaMGF1(WC_HASH_TYPE_SHA512_224, seed, seedSz, out, outSz,
heap);
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_MGF1SHA512_256:
ret = RsaMGF1(WC_HASH_TYPE_SHA512_256, seed, seedSz, out, outSz,
heap);
break;
#endif
2026-03-24 04:21:04 -06:00
#endif
#ifdef WOLFSSL_SHA3
#ifndef WOLFSSL_NOSHA3_224
case WC_MGF1SHA3_224:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_224, seed, seedSz, out, outSz,
heap);
break;
#endif
#ifndef WOLFSSL_NOSHA3_256
case WC_MGF1SHA3_256:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_256, seed, seedSz, out, outSz,
heap);
break;
#endif
#ifndef WOLFSSL_NOSHA3_384
case WC_MGF1SHA3_384:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_384, seed, seedSz, out, outSz,
heap);
break;
#endif
#ifndef WOLFSSL_NOSHA3_512
case WC_MGF1SHA3_512:
ret = RsaMGF1(WC_HASH_TYPE_SHA3_512, seed, seedSz, out, outSz,
heap);
break;
#endif
#endif /* WOLFSSL_SHA3 */
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
case WC_MGF1SHAKE128:
ret = RsaMGF1(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
heap);
break;
case WC_MGFSHAKE128:
ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
heap);
break;
#endif
#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
case WC_MGF1SHAKE256:
ret = RsaMGF1(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
heap);
break;
case WC_MGFSHAKE256:
ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
heap);
break;
#endif
2016-01-05 10:56:15 -07:00
default:
WOLFSSL_MSG("Unknown MGF type: check build options");
2016-01-05 10:56:15 -07:00
ret = BAD_FUNC_ARG;
}
/* in case of default avoid unused warning */
2016-01-05 10:56:15 -07:00
(void)seed;
(void)seedSz;
(void)out;
(void)outSz;
2016-06-04 19:03:48 -06:00
(void)heap;
2016-01-05 10:56:15 -07:00
return ret;
}
#endif /* !WC_NO_RSA_OAEP || WC_RSA_PSS */
2016-01-05 10:56:15 -07:00
/* Padding */
2018-12-19 14:36:32 -07:00
#ifndef WOLFSSL_RSA_VERIFY_ONLY
#ifndef WC_NO_RNG
#ifndef WC_NO_RSA_OAEP
static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
word32 hLen;
2016-01-05 10:56:15 -07:00
int psLen;
word32 idx;
2022-05-06 12:00:32 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
2022-05-03 22:57:47 -07:00
byte* dbMask = NULL;
2016-01-14 14:26:17 -07:00
byte* lHash = NULL;
byte* seed = NULL;
#else
2022-05-06 12:00:32 -07:00
byte dbMask[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
2016-01-14 14:26:17 -07:00
/* must be large enough to contain largest hash */
byte lHash[WC_MAX_DIGEST_SIZE];
2022-05-06 12:00:32 -07:00
byte seed[WC_MAX_DIGEST_SIZE];
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
/* no label is allowed, but catch if no label provided and length > 0 */
2016-01-05 10:56:15 -07:00
if (optLabel == NULL && labelLen > 0) {
return BUFFER_E;
}
/* limit of label is the same as limit of hash function which is massive */
ret = wc_HashGetDigestSize(hType);
if (ret < 0) {
return ret;
2016-01-05 10:56:15 -07:00
}
hLen = (word32)ret;
2016-01-05 10:56:15 -07:00
2022-05-06 12:00:32 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (lHash == NULL) {
return MEMORY_E;
}
seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (seed == NULL) {
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
return MEMORY_E;
}
#else
/* hLen should never be larger than lHash since size is max digest size,
but check before blindly calling wc_Hash */
if (hLen > sizeof(lHash)) {
2016-01-14 14:26:17 -07:00
WOLFSSL_MSG("OAEP lHash to small for digest!!");
return MEMORY_E;
}
#endif
2016-04-14 09:33:25 -06:00
if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
2016-01-05 10:56:15 -07:00
WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return ret;
}
/* handles check of location for idx as well as psLen, cast to int to check
for pkcsBlockLen(k) - 2 * hLen - 2 being negative
This check is similar to decryption where k > 2 * hLen + 2 as msg
size approaches 0. In decryption if k is less than or equal -- then there
is no possible room for msg.
k = RSA key size
hLen = hash digest size -- will always be >= 0 at this point
*/
if ((2 * hLen + 2) > pkcsBlockLen) {
WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
return BAD_FUNC_ARG;
}
if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
WOLFSSL_MSG("OAEP pad error message too long");
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return BAD_FUNC_ARG;
}
/* concatenate lHash || PS || 0x01 || msg */
2016-01-05 10:56:15 -07:00
idx = pkcsBlockLen - 1 - inputLen;
psLen = (int)pkcsBlockLen - (int)inputLen - 2 * (int)hLen - 2;
2016-01-05 10:56:15 -07:00
if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return BUFFER_E;
}
XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
pkcsBlock[idx--] = 0x01; /* PS and M separator */
XMEMSET(pkcsBlock + idx - psLen + 1, 0, (size_t)psLen);
idx -= (word32)psLen;
2016-01-14 14:26:17 -07:00
2016-01-05 10:56:15 -07:00
idx = idx - hLen + 1;
XMEMCPY(pkcsBlock + idx, lHash, hLen);
/* generate random seed */
if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
2026-05-06 15:46:59 +00:00
ForceZero(seed, hLen);
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return ret;
}
2022-05-06 12:00:32 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
2016-01-05 10:56:15 -07:00
/* create maskedDB from dbMask */
2016-06-04 19:03:48 -06:00
dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
2016-01-14 14:26:17 -07:00
if (dbMask == NULL) {
2022-05-03 22:57:47 -07:00
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
2026-05-06 15:46:59 +00:00
ForceZero(seed, hLen);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
return MEMORY_E;
}
2022-06-08 09:31:17 -07:00
#else
if (pkcsBlockLen - hLen - 1 > sizeof(dbMask)) {
return MEMORY_E;
}
2022-05-03 22:57:47 -07:00
#endif
2016-01-18 10:22:12 -07:00
XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
2016-01-05 10:56:15 -07:00
if (ret != 0) {
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA);
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
2026-05-06 15:46:59 +00:00
ForceZero(seed, hLen);
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return ret;
}
2023-03-29 15:55:48 +02:00
xorbuf(pkcsBlock + hLen + 1, dbMask,pkcsBlockLen - hLen - 1);
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA);
2016-01-05 10:56:15 -07:00
/* create maskedSeed from seedMask */
2023-03-29 15:55:48 +02:00
pkcsBlock[0] = 0x00;
2016-01-05 10:56:15 -07:00
/* create seedMask inline */
if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
pkcsBlock + 1, hLen, heap)) != 0) {
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
2026-05-06 15:46:59 +00:00
ForceZero(seed, hLen);
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return ret;
}
/* xor created seedMask with seed to make maskedSeed */
2023-03-29 15:55:48 +02:00
xorbuf(pkcsBlock + 1, seed, hLen);
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
/* Seed must be zeroized now that it has been used. */
wc_MemZero_Add("Pad OAEP seed", seed, hLen);
#endif
2016-01-05 10:56:15 -07:00
2022-06-15 11:26:11 +10:00
/* Zeroize masking bytes so that padding can't be unmasked. */
ForceZero(seed, hLen);
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2022-06-13 16:21:41 +10:00
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
wc_MemZero_Check(seed, hLen);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
(void)padValue;
return 0;
}
#endif /* !WC_NO_RSA_OAEP */
2016-01-05 10:56:15 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
2017-05-18 15:32:06 +10:00
/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
* XOR MGF over all bytes down to end of Salt
* Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
*
* input Digest of the message.
* inputLen Length of digest.
* pkcsBlock Buffer to write to.
* pkcsBlockLen Length of buffer to write to.
* rng Random number generator (for salt).
* htype Hash function to use.
* mgf Mask generation function.
* saltLen Length of salt to put in padding.
* bits Length of key in bits.
* heap Used for dynamic memory allocation.
* returns 0 on success, PSS_SALTLEN_E when the salt length is invalid
* and other negative values on error.
2017-05-18 15:32:06 +10:00
*/
2017-05-10 16:59:11 +10:00
static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
int saltLen, int bits, void* heap)
2017-05-10 16:59:11 +10:00
{
int ret = 0;
2023-03-29 15:55:48 +02:00
int hLen, o, maskLen, hiBits;
2017-05-10 16:59:11 +10:00
byte* m;
byte* s;
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
byte msg[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
#else
byte* msg = NULL;
#endif
#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
byte* salt;
#else
byte salt[WC_MAX_DIGEST_SIZE];
#endif
#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
if (pkcsBlockLen > RSA_MAX_SIZE/8) {
return MEMORY_E;
}
#endif
2017-05-10 16:59:11 +10:00
hLen = wc_HashGetDigestSize(hType);
if (hLen < 0)
return hLen;
2020-08-03 12:17:03 +10:00
if ((int)inputLen != hLen) {
return BAD_FUNC_ARG;
}
2017-05-10 16:59:11 +10:00
hiBits = (bits - 1) & 0x7;
if (hiBits == 0) {
2020-07-09 15:13:01 -07:00
/* Per RFC8017, set the leftmost 8emLen - emBits bits of the
leftmost octet in DB to zero.
*/
*(pkcsBlock++) = 0;
pkcsBlockLen--;
}
if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
saltLen = hLen;
2018-03-28 13:58:25 -07:00
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) {
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
}
2018-03-28 13:58:25 -07:00
#endif
}
#ifndef WOLFSSL_PSS_LONG_SALT
else if (saltLen > hLen) {
return PSS_SALTLEN_E;
}
#endif
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
return PSS_SALTLEN_E;
}
#else
else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
saltLen = (int)pkcsBlockLen - hLen - 2;
if (saltLen < 0) {
return PSS_SALTLEN_E;
}
}
else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
return PSS_SALTLEN_E;
}
#endif
if ((int)pkcsBlockLen - hLen < saltLen + 2) {
return PSS_SALTLEN_E;
}
maskLen = (int)pkcsBlockLen - 1 - hLen;
#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2023-05-05 11:40:33 +10:00
msg = (byte*)XMALLOC(
(size_t)(RSA_PSS_PAD_SZ + inputLen + (word32)saltLen),
heap, DYNAMIC_TYPE_RSA_BUFFER);
if (msg == NULL) {
return MEMORY_E;
}
#endif
salt = s = m = msg;
XMEMSET(m, 0, RSA_PSS_PAD_SZ);
m += RSA_PSS_PAD_SZ;
XMEMCPY(m, input, inputLen);
m += inputLen;
o = (int)(m - s);
if (saltLen > 0) {
2023-05-05 11:40:33 +10:00
ret = wc_RNG_GenerateBlock(rng, m, (word32)saltLen);
if (ret == 0) {
m += saltLen;
}
}
#else
if ((int)pkcsBlockLen < RSA_PSS_PAD_SZ + (int)inputLen + saltLen) {
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2023-05-05 11:40:33 +10:00
msg = (byte*)XMALLOC(
(size_t)(RSA_PSS_PAD_SZ + inputLen + (word32)saltLen),
heap, DYNAMIC_TYPE_RSA_BUFFER);
if (msg == NULL) {
return MEMORY_E;
}
#endif
m = msg;
}
else {
m = pkcsBlock;
}
s = m;
XMEMSET(m, 0, RSA_PSS_PAD_SZ);
m += RSA_PSS_PAD_SZ;
2017-05-10 16:59:11 +10:00
XMEMCPY(m, input, inputLen);
m += inputLen;
o = 0;
if (saltLen > 0) {
ret = wc_RNG_GenerateBlock(rng, salt, (word32)saltLen);
if (ret == 0) {
XMEMCPY(m, salt, (size_t)saltLen);
m += saltLen;
}
}
#endif
if (ret == 0) {
/* Put Hash at end of pkcsBlock - 1 */
ret = wc_Hash(hType, s, (word32)(m - s), pkcsBlock + maskLen, (word32)hLen);
}
if (ret == 0) {
2020-07-09 15:13:01 -07:00
/* Set the last eight bits or trailer field to the octet 0xbc */
pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM;
2017-05-10 16:59:11 +10:00
ret = RsaMGF(mgf, pkcsBlock + maskLen, (word32)hLen, pkcsBlock, (word32)maskLen, heap);
}
if (ret == 0) {
2020-07-09 15:13:01 -07:00
/* Clear the first high bit when "8emLen - emBits" is non-zero.
where emBits = n modBits - 1 */
if (hiBits)
pkcsBlock[0] &= (byte)((1 << hiBits) - 1);
2017-05-10 16:59:11 +10:00
m = pkcsBlock + maskLen - saltLen - 1;
*(m++) ^= 0x01;
xorbuf(m, salt + o, (word32)saltLen);
}
2017-05-10 16:59:11 +10:00
2021-05-19 11:08:40 +10:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
/* msg is always not NULL as we bail on allocation failure */
XFREE(msg, heap, DYNAMIC_TYPE_RSA_BUFFER);
#endif
return ret;
2017-05-10 16:59:11 +10:00
}
#endif /* WC_RSA_PSS */
#endif /* !WC_NO_RNG */
2016-01-05 10:56:15 -07:00
static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
pkcsBlockLen == 0) {
2016-04-14 09:33:25 -06:00
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
2020-07-09 15:13:01 -07:00
if (pkcsBlockLen - RSA_MIN_PAD_SZ < inputLen) {
WOLFSSL_MSG("RsaPad error, invalid length");
return RSA_PAD_E;
}
2014-12-31 15:31:50 -07:00
pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
pkcsBlock++; pkcsBlockLen--;
pkcsBlock[0] = padValue; /* insert padValue */
2016-04-14 09:33:25 -06:00
if (padValue == RSA_BLOCK_TYPE_1) {
2014-12-31 15:31:50 -07:00
/* pad with 0xff bytes */
XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
2016-04-14 09:33:25 -06:00
}
2014-12-31 15:31:50 -07:00
else {
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WC_NO_RNG)
2014-12-31 15:31:50 -07:00
/* pad with non-zero random bytes */
2016-04-14 09:33:25 -06:00
word32 padLen, i;
int ret;
padLen = pkcsBlockLen - inputLen - 1;
ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
if (ret != 0) {
2014-12-31 15:31:50 -07:00
return ret;
}
2014-12-31 15:31:50 -07:00
/* remove zeros */
for (i = 1; i < padLen; i++) {
2014-12-31 15:31:50 -07:00
if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
}
#else
2018-12-19 14:36:32 -07:00
(void)rng;
return RSA_WRONG_TYPE_E;
#endif
2014-12-31 15:31:50 -07:00
}
pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
return 0;
}
2016-01-05 10:56:15 -07:00
/* helper function to direct which padding is used */
int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
int saltLen, int bits, void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
switch (padType)
{
case WC_RSA_PKCSV15_PAD:
/*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
2017-05-10 16:59:11 +10:00
padValue, rng);
2016-01-05 10:56:15 -07:00
break;
#ifndef WC_NO_RNG
#ifndef WC_NO_RSA_OAEP
2016-01-05 10:56:15 -07:00
case WC_RSA_OAEP_PAD:
WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
2017-05-10 16:59:11 +10:00
padValue, rng, hType, mgf, optLabel, labelLen, heap);
2016-01-05 10:56:15 -07:00
break;
#endif
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
case WC_RSA_PSS_PAD:
WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
2017-05-22 09:43:55 +10:00
ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
hType, mgf, saltLen, bits, heap);
2017-05-10 16:59:11 +10:00
break;
#endif
#endif /* !WC_NO_RNG */
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_NO_PADDING
case WC_RSA_NO_PAD:
2023-02-27 15:05:50 +10:00
{
int bytes = (bits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE;
WOLFSSL_MSG("wolfSSL Using NO padding");
/* In the case of no padding being used check that input is exactly
* the RSA key length */
2023-02-27 15:05:50 +10:00
if ((bits <= 0) || (inputLen != (word32)bytes)) {
WOLFSSL_MSG("Bad input size");
ret = RSA_PAD_E;
}
else {
XMEMCPY(pkcsBlock, input, inputLen);
ret = 0;
}
break;
2023-02-27 15:05:50 +10:00
}
#endif
2016-01-05 10:56:15 -07:00
default:
WOLFSSL_MSG("Unknown RSA Pad Type");
ret = RSA_PAD_E;
}
/* silence warning if not used with padding scheme */
(void)input;
(void)inputLen;
(void)pkcsBlock;
(void)pkcsBlockLen;
(void)padValue;
(void)rng;
(void)padType;
2016-01-05 10:56:15 -07:00
(void)hType;
(void)mgf;
(void)optLabel;
(void)labelLen;
(void)saltLen;
2017-05-22 09:43:55 +10:00
(void)bits;
2016-06-04 19:03:48 -06:00
(void)heap;
2016-01-05 10:56:15 -07:00
return ret;
}
2018-12-19 14:36:32 -07:00
#endif /* WOLFSSL_RSA_VERIFY_ONLY */
2016-01-05 10:56:15 -07:00
/* UnPadding */
#if !defined(WC_NO_RSA_OAEP) && !defined(NO_HASH_WRAPPER)
2016-01-05 10:56:15 -07:00
/* UnPad plaintext, set start to *output, return length of plaintext,
* < 0 on error */
static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
2016-01-20 15:31:08 -07:00
byte **output, enum wc_HashType hType, int mgf,
2016-06-04 19:03:48 -06:00
byte* optLabel, word32 labelLen, void* heap)
2016-01-05 10:56:15 -07:00
{
word32 hLen;
int ret;
2016-01-14 14:26:17 -07:00
byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
2016-01-05 10:56:15 -07:00
word32 idx;
2022-05-04 17:02:45 +10:00
word32 i;
2025-08-29 08:43:15 +10:00
volatile word32 inc;
2016-01-05 10:56:15 -07:00
2022-05-06 12:00:32 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
2022-05-03 22:57:47 -07:00
byte* tmp = NULL;
#else
2022-05-06 12:00:32 -07:00
byte tmp[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
2022-05-03 22:57:47 -07:00
#endif
2022-06-13 16:21:41 +10:00
/* no label is allowed, but catch if no label provided and length > 0 */
if (optLabel == NULL && labelLen > 0) {
return BUFFER_E;
}
ret = wc_HashGetDigestSize(hType);
if ((ret < 0) || (pkcsBlockLen < (2 * (word32)ret + 2))) {
2016-01-05 10:56:15 -07:00
return BAD_FUNC_ARG;
}
hLen = (word32)ret;
2016-01-05 10:56:15 -07:00
2022-05-06 12:00:32 -07:00
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (tmp == NULL) {
return MEMORY_E;
}
2022-05-03 22:57:47 -07:00
#endif
2016-01-14 14:26:17 -07:00
XMEMSET(tmp, 0, pkcsBlockLen);
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Add("OAEP UnPad temp", tmp, pkcsBlockLen);
#endif
2016-01-14 14:26:17 -07:00
2016-01-05 10:56:15 -07:00
/* find seedMask value */
ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
pkcsBlockLen - hLen - 1, tmp, hLen, heap);
if (ret != 0) {
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return ret;
}
/* xor seedMask value with maskedSeed to get seed value */
2023-03-29 15:55:48 +02:00
xorbuf(tmp, pkcsBlock + 1, hLen);
2016-01-05 10:56:15 -07:00
/* get dbMask value */
ret = RsaMGF(mgf, tmp, hLen, tmp + hLen, pkcsBlockLen - hLen - 1, heap);
if (ret != 0) {
2022-06-15 11:26:11 +10:00
ForceZero(tmp, hLen);
2022-05-03 22:57:47 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
2022-06-13 16:21:41 +10:00
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
wc_MemZero_Check(tmp, hLen);
2022-05-03 22:57:47 -07:00
#endif
2016-01-05 10:56:15 -07:00
return ret;
}
/* get DB value by doing maskedDB xor dbMask */
2023-03-29 15:55:48 +02:00
xorbuf(pkcsBlock + hLen + 1, tmp + hLen, pkcsBlockLen - hLen - 1);
2016-01-05 10:56:15 -07:00
2022-06-15 11:26:11 +10:00
ForceZero(tmp, pkcsBlockLen);
2022-05-03 22:57:47 -07:00
#ifdef WOLFSSL_SMALL_STACK
2016-01-14 14:26:17 -07:00
/* done with use of tmp buffer */
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2022-06-13 16:21:41 +10:00
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
wc_MemZero_Check(tmp, pkcsBlockLen);
2022-05-03 22:57:47 -07:00
#endif
2016-01-14 14:26:17 -07:00
2016-06-06 10:34:35 -06:00
/* advance idx to index of PS and msg separator, account for PS size of 0*/
idx = hLen + 1 + hLen;
2022-05-04 17:02:45 +10:00
/* Don't reveal length of message: look at every byte. */
inc = 1;
for (i = hLen + 1 + hLen; i < pkcsBlockLen - 1; i++) {
/* Looking for non-zero byte. */
inc &= 1 - (((word32)0 - pkcsBlock[i]) >> 31);
idx += inc;
}
2016-01-05 10:56:15 -07:00
/* create hash of label for comparison with hash sent */
ret = wc_Hash(hType, optLabel, labelLen, h, hLen);
if (ret != 0) {
2016-01-05 10:56:15 -07:00
return ret;
}
/* say no to chosen ciphertext attack.
Comparison of lHash, Y, and separator value needs to all happen in
2016-01-05 10:56:15 -07:00
constant time.
Attackers should not be able to get error condition from the timing of
these checks.
*/
{
volatile int c = ConstantCompare(pkcsBlock + hLen + 1, h, (int)hLen);
c = c + (pkcsBlock[idx++] ^ 0x01); /* separator value is 0x01 */
c = c + (pkcsBlock[0] ^ 0x00); /* Y, the first value, should be 0 */
2016-01-05 10:56:15 -07:00
/* Return 0 data length on error. */
idx = ctMaskSelWord32(ctMaskEq(c, 0), idx, pkcsBlockLen);
}
2016-01-05 10:56:15 -07:00
/* adjust pointer to correct location in array and return size of M */
*output = (byte*)(pkcsBlock + idx);
return (int)(pkcsBlockLen - idx);
2016-01-05 10:56:15 -07:00
}
#endif /* !WC_NO_RSA_OAEP */
2016-01-05 10:56:15 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
* MGF over all bytes down to end of Salt
*
* pkcsBlock Buffer holding decrypted data.
* pkcsBlockLen Length of buffer.
* htype Hash function to use.
* mgf Mask generation function.
* saltLen Length of salt to put in padding.
* bits Length of key in bits.
* heap Used for dynamic memory allocation.
2020-07-09 15:13:01 -07:00
* returns the sum of salt length and SHA-256 digest size on success.
* Otherwise, PSS_SALTLEN_E for an incorrect salt length,
* WC_KEY_SIZE_E for an incorrect encoded message (EM) size
and other negative values on error.
*/
2017-05-10 16:59:11 +10:00
static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
byte **output, enum wc_HashType hType, int mgf,
int saltLen, int bits, void* heap)
2017-05-10 16:59:11 +10:00
{
int ret;
byte* tmp;
int hLen, i, maskLen;
#ifdef WOLFSSL_SHA512
int orig_bits = bits;
#endif
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
byte tmp_buf[RSA_MAX_SIZE/8];
tmp = tmp_buf;
if (pkcsBlockLen > RSA_MAX_SIZE/8) {
return MEMORY_E;
}
#endif
2017-05-10 16:59:11 +10:00
hLen = wc_HashGetDigestSize(hType);
if (hLen < 0)
return hLen;
bits = (bits - 1) & 0x7;
if ((pkcsBlock[0] & (0xff << bits)) != 0) {
return BAD_PADDING_E;
}
if (bits == 0) {
pkcsBlock++;
pkcsBlockLen--;
}
maskLen = (int)pkcsBlockLen - 1 - hLen;
if (maskLen < 0) {
WOLFSSL_MSG("RsaUnPad_PSS: Hash too large");
return WC_KEY_SIZE_E;
}
2017-05-10 16:59:11 +10:00
if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
saltLen = hLen;
2018-03-28 13:58:25 -07:00
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
if (orig_bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
#endif
}
#ifndef WOLFSSL_PSS_LONG_SALT
else if (saltLen > hLen)
return PSS_SALTLEN_E;
#endif
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT)
return PSS_SALTLEN_E;
if (maskLen < saltLen + 1) {
return PSS_SALTLEN_E;
}
#else
else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER)
return PSS_SALTLEN_E;
if (saltLen != RSA_PSS_SALT_LEN_DISCOVER && maskLen < saltLen + 1) {
return WC_KEY_SIZE_E;
}
#endif
if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error");
2017-05-10 16:59:11 +10:00
return BAD_PADDING_E;
}
2017-05-10 16:59:11 +10:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
tmp = (byte*)XMALLOC((size_t)maskLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
if (tmp == NULL) {
2017-05-10 16:59:11 +10:00
return MEMORY_E;
}
XMEMSET(tmp, 0, (size_t)maskLen);
#endif
2017-05-10 16:59:11 +10:00
if ((ret = RsaMGF(mgf, pkcsBlock + maskLen, (word32)hLen, tmp, (word32)maskLen,
heap)) != 0) {
2023-09-22 09:13:41 +09:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2023-09-22 09:13:41 +09:00
#endif
2017-05-10 16:59:11 +10:00
return ret;
}
tmp[0] &= (byte)((1 << bits) - 1);
pkcsBlock[0] &= (byte)((1 << bits) - 1);
#ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
for (i = 0; i < maskLen - 1; i++) {
if (tmp[i] != pkcsBlock[i]) {
break;
}
}
if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
2023-09-22 09:13:41 +09:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2023-09-22 09:13:41 +09:00
#endif
WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
return PSS_SALTLEN_RECOVER_E;
}
saltLen = maskLen - (i + 1);
}
else
#endif
{
for (i = 0; i < maskLen - 1 - saltLen; i++) {
if (tmp[i] != pkcsBlock[i]) {
2023-09-22 09:13:41 +09:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2023-09-22 09:13:41 +09:00
#endif
WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
return PSS_SALTLEN_E;
}
}
if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
2023-09-22 09:13:41 +09:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2023-09-22 09:13:41 +09:00
#endif
WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End");
return PSS_SALTLEN_E;
2017-05-10 16:59:11 +10:00
}
}
xorbuf(pkcsBlock + i, tmp + i, (word32)(maskLen - i));
2017-05-10 16:59:11 +10:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
#endif
2017-05-10 16:59:11 +10:00
*output = pkcsBlock + maskLen - saltLen;
2018-03-29 17:04:59 -07:00
return saltLen + hLen;
2017-05-10 16:59:11 +10:00
}
#endif
2016-01-05 10:56:15 -07:00
2014-12-31 15:31:50 -07:00
/* UnPad plaintext, set start to *output, return length of plaintext,
* < 0 on error */
static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
2026-04-01 14:12:02 -05:00
const byte **output, byte padValue)
2014-12-31 15:31:50 -07:00
{
int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
2019-06-27 06:38:14 +09:00
word16 i;
2014-12-31 15:31:50 -07:00
2020-05-28 14:14:19 -05:00
if (output == NULL || pkcsBlockLen < 2 || pkcsBlockLen > 0xFFFF) {
2016-04-14 09:33:25 -06:00
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
if (padValue == RSA_BLOCK_TYPE_1) {
/* First byte must be 0x00 and Second byte, block type, 0x01 */
if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
WOLFSSL_MSG("RsaUnPad error, invalid formatting");
return RSA_PAD_E;
}
/* check the padding until we find the separator */
2021-01-12 12:25:52 +10:00
for (i = 2; i < pkcsBlockLen; ) {
if (pkcsBlock[i++] != 0xFF) {
break;
}
}
/* Minimum of 11 bytes of pre-message data and must have separator. */
if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
WOLFSSL_MSG("RsaUnPad error, bad formatting");
return RSA_PAD_E;
}
2026-04-01 14:12:02 -05:00
*output = (const byte *)(pkcsBlock + i);
ret = (int)pkcsBlockLen - i;
2014-12-31 15:31:50 -07:00
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
2014-12-31 15:31:50 -07:00
else {
2025-08-29 08:43:15 +10:00
unsigned int j;
volatile word16 pastSep = 0;
volatile byte invalid = 0;
volatile byte minPad;
volatile int invalidMask;
2026-03-25 07:48:16 -05:00
byte inv;
word16 sep;
i = 0;
/* Decrypted with private key - unpad must be constant time. */
2021-01-12 12:25:52 +10:00
for (j = 2; j < pkcsBlockLen; j++) {
/* Update i if not passed the separator and at separator. */
2023-04-10 19:05:09 -05:00
i |= (word16)(~pastSep) & ctMask16Eq(pkcsBlock[j], 0x00) &
(word16)(j + 1);
2019-06-24 07:53:23 +09:00
pastSep |= ctMask16Eq(pkcsBlock[j], 0x00);
}
2026-03-25 07:48:16 -05:00
/* Snapshot volatiles to avoid multiple volatile accesses per
* expression. */
inv = invalid;
sep = pastSep;
/* Minimum of 11 bytes of pre-message data - including leading 0x00. */
2025-08-29 08:43:15 +10:00
minPad = ctMaskLT(i, RSA_MIN_PAD_SZ);
2026-03-25 07:48:16 -05:00
inv |= minPad;
/* Must have seen separator. */
2026-03-25 07:48:16 -05:00
inv |= (byte)~sep;
/* First byte must be 0x00. */
2026-03-25 07:48:16 -05:00
inv |= ctMaskNotEq(pkcsBlock[0], 0x00);
/* Check against expected block type: padValue */
2026-03-25 07:48:16 -05:00
inv |= ctMaskNotEq(pkcsBlock[1], padValue);
2026-03-25 07:48:16 -05:00
invalid = inv;
2026-04-01 14:12:02 -05:00
*output = (const byte *)(pkcsBlock + i);
2026-03-25 07:48:16 -05:00
invalidMask = (int)-1 + (int)(inv >> 7);
2025-08-29 08:43:15 +10:00
ret = invalidMask & ((int)pkcsBlockLen - i);
2014-12-31 15:31:50 -07:00
}
#endif
2014-12-31 15:31:50 -07:00
return ret;
2014-12-31 15:31:50 -07:00
}
/* helper function to direct unpadding
*
* bits is the key modulus size in bits
*/
int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
byte padValue, int padType, enum wc_HashType hType,
int mgf, byte* optLabel, word32 labelLen, int saltLen,
int bits, void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
switch (padType) {
2016-01-05 10:56:15 -07:00
case WC_RSA_PKCSV15_PAD:
/*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
2026-04-01 14:12:02 -05:00
ret = RsaUnPad(pkcsBlock, pkcsBlockLen, (const byte **)(void *)out,
padValue);
2016-01-05 10:56:15 -07:00
break;
#ifndef WC_NO_RSA_OAEP
2016-01-05 10:56:15 -07:00
case WC_RSA_OAEP_PAD:
WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
hType, mgf, optLabel, labelLen, heap);
2016-01-05 10:56:15 -07:00
break;
#endif
2016-01-05 10:56:15 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
case WC_RSA_PSS_PAD:
WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
saltLen, bits, heap);
2017-05-10 16:59:11 +10:00
break;
#endif
#ifdef WC_RSA_NO_PADDING
case WC_RSA_NO_PAD:
WOLFSSL_MSG("wolfSSL Using NO un-padding");
/* In the case of no padding being used check that input is exactly
* the RSA key length */
if (bits <= 0 || pkcsBlockLen !=
((word32)(bits+WOLFSSL_BIT_SIZE-1)/WOLFSSL_BIT_SIZE)) {
WOLFSSL_MSG("Bad input size");
ret = RSA_PAD_E;
}
else {
if (out != NULL) {
*out = pkcsBlock;
}
ret = (int)pkcsBlockLen;
}
break;
#endif /* WC_RSA_NO_PADDING */
2016-01-05 10:56:15 -07:00
default:
WOLFSSL_MSG("Unknown RSA UnPad Type");
2016-01-05 10:56:15 -07:00
ret = RSA_PAD_E;
}
/* silence warning if not used with padding scheme */
2016-01-05 10:56:15 -07:00
(void)hType;
(void)mgf;
(void)optLabel;
(void)labelLen;
(void)saltLen;
2017-05-22 09:43:55 +10:00
(void)bits;
2016-06-04 19:03:48 -06:00
(void)heap;
2016-01-05 10:56:15 -07:00
return ret;
}
2016-01-14 14:26:17 -07:00
2020-10-14 16:11:23 +02:00
int wc_hash2mgf(enum wc_HashType hType)
2020-09-24 17:09:34 +02:00
{
switch (hType) {
case WC_HASH_TYPE_NONE:
return WC_MGF1NONE;
2020-09-24 17:09:34 +02:00
case WC_HASH_TYPE_SHA:
2020-09-24 20:13:09 +02:00
#ifndef NO_SHA
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA1;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA224:
2020-09-24 20:13:09 +02:00
#ifdef WOLFSSL_SHA224
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA224;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA256:
2020-09-24 20:13:09 +02:00
#ifndef NO_SHA256
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA256;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA384:
2020-09-24 20:13:09 +02:00
#ifdef WOLFSSL_SHA384
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA384;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA512:
2020-09-24 20:13:09 +02:00
#ifdef WOLFSSL_SHA512
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA512;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2026-03-24 04:21:04 -06:00
#endif
case WC_HASH_TYPE_SHA512_224:
#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
return WC_MGF1SHA512_224;
#else
break;
#endif
case WC_HASH_TYPE_SHA512_256:
#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
return WC_MGF1SHA512_256;
#else
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_MD5:
case WC_HASH_TYPE_MD5_SHA:
case WC_HASH_TYPE_SHA3_224:
2026-03-24 04:21:04 -06:00
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
return WC_MGF1SHA3_224;
#else
break;
#endif
2020-09-24 17:09:34 +02:00
case WC_HASH_TYPE_SHA3_256:
2026-03-24 04:21:04 -06:00
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
return WC_MGF1SHA3_256;
#else
break;
#endif
2020-09-24 17:09:34 +02:00
case WC_HASH_TYPE_SHA3_384:
2026-03-24 04:21:04 -06:00
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
return WC_MGF1SHA3_384;
#else
break;
#endif
2020-09-24 17:09:34 +02:00
case WC_HASH_TYPE_SHA3_512:
2026-03-24 04:21:04 -06:00
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
return WC_MGF1SHA3_512;
#else
break;
#endif
2020-09-24 17:09:34 +02:00
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
2023-02-10 11:48:59 +10:00
case WC_HASH_TYPE_SM3:
2026-03-24 04:21:04 -06:00
break;
#ifdef WOLFSSL_SHAKE128
case WC_HASH_TYPE_SHAKE128:
2026-03-24 04:21:04 -06:00
return WC_MGF1SHAKE128;
#else
case WC_HASH_TYPE_SHAKE128:
break;
#endif
#ifdef WOLFSSL_SHAKE256
case WC_HASH_TYPE_SHAKE256:
2026-03-24 04:21:04 -06:00
return WC_MGF1SHAKE256;
#else
case WC_HASH_TYPE_SHAKE256:
break;
#endif
2020-09-24 17:09:34 +02:00
default:
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
}
2020-10-14 16:11:23 +02:00
WOLFSSL_MSG("Unrecognized or unsupported hash function");
return WC_MGF1NONE;
2020-09-24 17:09:34 +02:00
}
2017-06-07 11:37:21 -06:00
#ifdef WC_RSA_NONBLOCK
static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key)
{
int ret = 0;
#ifdef USE_FAST_MATH
word32 keyLen, len;
#endif
/* SP non-blocking RSA wrappers depend on sp_<N>_mod_exp_<W>_nb,
* which the SP generator only emits when (!RSA_PUBLIC_ONLY ||
* HAVE_SP_DH). Match that gate here so the dispatch is omitted when
* those symbols are not available. */
#if defined(WOLFSSL_HAVE_SP_RSA) && defined(WOLFSSL_SP_NONBLOCK) && \
defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP) && \
(!defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_HAVE_SP_DH))
int bits;
#endif
if (key == NULL || key->nb == NULL) {
return BAD_FUNC_ARG;
}
#if defined(WOLFSSL_HAVE_SP_RSA) && defined(WOLFSSL_SP_NONBLOCK) && \
defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP) && \
(!defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_HAVE_SP_DH))
bits = mp_count_bits(&key->n);
#ifndef WOLFSSL_SP_NO_2048
if (bits == 2048) {
if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
return sp_RsaPublic_2048_nb(&key->nb->sp_ctx, in, inLen,
&key->e, &key->n, out, outLen);
}
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
(defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM))
return sp_RsaPrivate_2048_nb(&key->nb->sp_ctx, in, inLen,
&key->d, &key->n, out, outLen);
#endif
}
#endif
#ifndef WOLFSSL_SP_NO_3072
if (bits == 3072) {
if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
return sp_RsaPublic_3072_nb(&key->nb->sp_ctx, in, inLen,
&key->e, &key->n, out, outLen);
}
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
(defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM))
return sp_RsaPrivate_3072_nb(&key->nb->sp_ctx, in, inLen,
&key->d, &key->n, out, outLen);
#endif
}
#endif
#ifdef WOLFSSL_SP_4096
if (bits == 4096) {
if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
return sp_RsaPublic_4096_nb(&key->nb->sp_ctx, in, inLen,
&key->e, &key->n, out, outLen);
}
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
(defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM))
return sp_RsaPrivate_4096_nb(&key->nb->sp_ctx, in, inLen,
&key->d, &key->n, out, outLen);
#endif
}
#endif
#endif /* SP nonblock RSA */
#ifdef USE_FAST_MATH
if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) {
if (mp_init(&key->nb->tmp) != MP_OKAY) {
ret = MP_INIT_E;
}
if (ret == 0) {
if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) {
ret = MP_READ_E;
}
}
}
if (ret == 0) {
switch(type) {
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY)
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d,
&key->n, &key->nb->tmp);
if (ret == FP_WOULDBLOCK)
return ret;
if (ret != MP_OKAY)
ret = MP_EXPTMOD_E;
break;
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e,
&key->n, &key->nb->tmp);
if (ret == FP_WOULDBLOCK)
return ret;
if (ret != MP_OKAY)
ret = MP_EXPTMOD_E;
break;
default:
ret = RSA_WRONG_TYPE_E;
break;
}
}
if (ret == 0) {
keyLen = wc_RsaEncryptSize(key);
if (keyLen > *outLen)
ret = RSA_BUFFER_E;
}
if (ret == 0) {
len = mp_unsigned_bin_size(&key->nb->tmp);
/* pad front w/ zeros to match key length */
while (len < keyLen) {
*out++ = 0x00;
len++;
}
*outLen = keyLen;
/* convert */
if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) {
ret = MP_TO_E;
}
}
mp_clear(&key->nb->tmp);
#else
/* No non-blocking backend available for this build. The SP non-block
* dispatch above only matches enabled key sizes; if we reach this
* point the key is not 2048/3072/4096 (or SP RSA itself isn't built)
* and TFM fastmath isn't compiled in either. */
(void)in;
(void)inLen;
(void)out;
(void)outLen;
(void)type;
ret = NOT_COMPILED_IN;
#endif /* USE_FAST_MATH */
return ret;
}
#endif /* WC_RSA_NONBLOCK */
2020-05-19 16:41:51 -07:00
#ifdef WOLFSSL_XILINX_CRYPT
/*
* Xilinx hardened crypto acceleration.
*
* Returns 0 on success and negative values on error.
*/
static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
int ret = 0;
word32 keyLen;
(void)rng;
keyLen = wc_RsaEncryptSize(key);
if (keyLen > *outLen) {
WOLFSSL_MSG("Output buffer is not big enough");
return BAD_FUNC_ARG;
}
if (inLen != keyLen) {
WOLFSSL_MSG("Expected that inLen equals RSA key length");
return BAD_FUNC_ARG;
}
switch(type) {
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WOLFSSL_XILINX_CRYPTO_OLD
/* Currently public exponent is loaded by default.
* In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
* leading to private key operations with Xsecure_RsaDecrypt not being
* supported */
ret = RSA_WRONG_TYPE_E;
#else
{
byte *d;
int dSz;
2022-05-20 14:28:39 +02:00
#if !defined(WOLFSSL_XILINX_CRYPT_VERSAL)
2020-05-19 16:41:51 -07:00
XSecure_Rsa rsa;
2022-05-20 14:28:39 +02:00
#endif
2020-05-19 16:41:51 -07:00
2022-05-20 14:28:39 +02:00
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
dSz = WOLFSSL_XSECURE_RSA_KEY_SIZE * 2;
#else
2020-05-19 16:41:51 -07:00
dSz = mp_unsigned_bin_size(&key->d);
2022-05-20 14:28:39 +02:00
#endif
2020-05-19 16:41:51 -07:00
d = (byte*)XMALLOC(dSz, key->heap, DYNAMIC_TYPE_PRIVATE_KEY);
if (d == NULL) {
ret = MEMORY_E;
2022-05-20 14:28:39 +02:00
} else {
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
XMEMSET(d, 0, dSz);
XMEMCPY(d, key->mod, key->mSz);
ret = mp_to_unsigned_bin(&key->d, &d[WOLFSSL_XSECURE_RSA_KEY_SIZE]);
#else
2020-05-19 16:41:51 -07:00
ret = mp_to_unsigned_bin(&key->d, d);
XSecure_RsaInitialize(&rsa, key->mod, NULL, d);
2022-05-20 14:28:39 +02:00
#endif
2020-05-19 16:41:51 -07:00
}
if (ret == 0) {
2022-05-20 14:28:39 +02:00
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)d, dSz);
WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)in, inLen);
if (XSecure_RsaPrivateDecrypt(&(key->xSec.cinst), XIL_CAST_U64(d),
XIL_CAST_U64(in), inLen,
XIL_CAST_U64(out)) != XST_SUCCESS) {
ret = BAD_STATE_E;
}
2023-08-15 15:05:47 -07:00
WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)out, inLen);
2022-05-20 14:28:39 +02:00
#else
if (XSecure_RsaPrivateDecrypt(&rsa, (u8*)in, inLen, out) !=
XST_SUCCESS) {
2020-05-19 16:41:51 -07:00
ret = BAD_STATE_E;
}
2022-05-20 14:28:39 +02:00
#endif
2020-05-19 16:41:51 -07:00
}
if (d != NULL)
ForceZero(d, dSz);
XFREE(d, key->heap, DYNAMIC_TYPE_PRIVATE_KEY);
2020-05-19 16:41:51 -07:00
}
#endif
break;
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
2022-05-20 14:28:39 +02:00
#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)key->mod,
WOLFSSL_XSECURE_RSA_KEY_SIZE + 4);
WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)in, inLen);
if (XSecure_RsaPublicEncrypt(&(key->xSec.cinst),
XIL_CAST_U64(key->mod),
XIL_CAST_U64(in), inLen,
XIL_CAST_U64(out))) {
WOLFSSL_MSG("RSA public operation failed");
ret = BAD_STATE_E;
}
2023-08-15 15:05:47 -07:00
WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)out, inLen);
2022-05-20 14:28:39 +02:00
#elif defined(WOLFSSL_XILINX_CRYPTO_OLD)
2020-05-19 16:41:51 -07:00
if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
ret = BAD_STATE_E;
}
#else
/* starting at Xilinx release 2019 the function XSecure_RsaDecrypt was removed */
if (XSecure_RsaPublicEncrypt(&(key->xRsa), (u8*)in, inLen, out) != XST_SUCCESS) {
WOLFSSL_MSG("Error happened when calling hardware RSA public operation");
ret = BAD_STATE_E;
}
#endif
break;
default:
ret = RSA_WRONG_TYPE_E;
}
*outLen = keyLen;
return ret;
}
#elif defined(WOLFSSL_AFALG_XILINX_RSA)
2018-08-24 10:24:53 -06:00
#ifndef ERROR_OUT
#define ERROR_OUT(x) ret = (x); goto done
#endif
static const char WC_TYPE_ASYMKEY[] = "skcipher";
static const char WC_NAME_RSA[] = "xilinx-zynqmp-rsa";
#ifndef MAX_XILINX_RSA_KEY
/* max key size of 4096 bits / 512 bytes */
#define MAX_XILINX_RSA_KEY 512
#endif
static const byte XILINX_RSA_FLAG[] = {0x1};
/* AF_ALG implementation of RSA */
static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
struct msghdr msg;
struct cmsghdr* cmsg;
struct iovec iov;
byte* keyBuf = NULL;
word32 keyBufSz = 0;
char cbuf[CMSG_SPACE(4) + CMSG_SPACE(sizeof(struct af_alg_iv) + 1)] = {0};
int ret = 0;
int op = 0; /* decryption vs encryption flag */
word32 keyLen;
/* input and output buffer need to be aligned */
ALIGN64 byte outBuf[MAX_XILINX_RSA_KEY];
ALIGN64 byte inBuf[MAX_XILINX_RSA_KEY];
XMEMSET(&msg, 0, sizeof(struct msghdr));
(void)rng;
keyLen = wc_RsaEncryptSize(key);
if (keyLen > *outLen) {
ERROR_OUT(RSA_BUFFER_E);
}
if (keyLen > MAX_XILINX_RSA_KEY) {
WOLFSSL_MSG("RSA key size larger than supported");
ERROR_OUT(BAD_FUNC_ARG);
}
2025-10-21 13:57:36 +01:00
if (inLen != keyLen) {
WOLFSSL_MSG("Expected that inLen equals RSA key length");
ERROR_OUT(BAD_FUNC_ARG);
}
2018-08-24 10:24:53 -06:00
if ((keyBuf = (byte*)XMALLOC(keyLen * 2, key->heap, DYNAMIC_TYPE_KEY))
== NULL) {
ERROR_OUT(MEMORY_E);
}
if ((ret = mp_to_unsigned_bin(&(key->n), keyBuf)) != MP_OKAY) {
ERROR_OUT(MP_TO_E);
}
switch(type) {
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
op = 1; /* set as decrypt */
{
keyBufSz = mp_unsigned_bin_size(&(key->d));
if ((mp_to_unsigned_bin(&(key->d), keyBuf + keyLen))
!= MP_OKAY) {
ERROR_OUT(MP_TO_E);
}
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
/* Seed must be zeroized now that it has been used. */
wc_MemZero_Add("RSA Sync Priv Enc/Dec keyBuf", keyBuf + keyLen,
keyBufSz);
#endif
2018-08-24 10:24:53 -06:00
}
break;
case RSA_PUBLIC_DECRYPT:
case RSA_PUBLIC_ENCRYPT: {
word32 exp = 0;
word32 eSz = mp_unsigned_bin_size(&(key->e));
if ((mp_to_unsigned_bin(&(key->e), (byte*)&exp +
(sizeof(word32) - eSz))) != MP_OKAY) {
ERROR_OUT(MP_TO_E);
}
keyBufSz = sizeof(word32);
XMEMCPY(keyBuf + keyLen, (byte*)&exp, keyBufSz);
break;
}
default:
ERROR_OUT(RSA_WRONG_TYPE_E);
}
keyBufSz += keyLen; /* add size of modulus */
/* check for existing sockets before creating new ones */
if (key->alFd > 0) {
close(key->alFd);
key->alFd = WC_SOCK_NOTSET;
}
if (key->rdFd > 0) {
close(key->rdFd);
key->rdFd = WC_SOCK_NOTSET;
}
/* create new sockets and set the key to use */
if ((key->alFd = wc_Afalg_Socket()) < 0) {
WOLFSSL_MSG("Unable to create socket");
ERROR_OUT(key->alFd);
}
if ((key->rdFd = wc_Afalg_CreateRead(key->alFd, WC_TYPE_ASYMKEY,
WC_NAME_RSA)) < 0) {
WOLFSSL_MSG("Unable to bind and create read/send socket");
ERROR_OUT(key->rdFd);
}
if ((ret = setsockopt(key->alFd, SOL_ALG, ALG_SET_KEY, keyBuf,
keyBufSz)) < 0) {
WOLFSSL_MSG("Error setting RSA key");
ERROR_OUT(ret);
}
msg.msg_control = cbuf;
msg.msg_controllen = sizeof(cbuf);
cmsg = CMSG_FIRSTHDR(&msg);
if ((ret = wc_Afalg_SetOp(cmsg, op)) < 0) {
ERROR_OUT(ret);
}
/* set flag in IV spot, needed for Xilinx hardware acceleration use */
cmsg = CMSG_NXTHDR(&msg, cmsg);
if ((ret = wc_Afalg_SetIv(cmsg, (byte*)XILINX_RSA_FLAG,
sizeof(XILINX_RSA_FLAG))) != 0) {
ERROR_OUT(ret);
}
/* compose and send msg */
XMEMCPY(inBuf, (byte*)in, inLen); /* for alignment */
iov.iov_base = inBuf;
iov.iov_len = inLen;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
if ((ret = sendmsg(key->rdFd, &msg, 0)) <= 0) {
ERROR_OUT(WC_AFALG_SOCK_E);
}
if ((ret = read(key->rdFd, outBuf, inLen)) <= 0) {
ERROR_OUT(WC_AFALG_SOCK_E);
}
XMEMCPY(out, outBuf, ret);
*outLen = keyLen;
done:
/* clear key data and free buffer */
if (keyBuf != NULL) {
ForceZero(keyBuf, keyBufSz);
}
XFREE(keyBuf, key->heap, DYNAMIC_TYPE_KEY);
if (key->alFd > 0) {
close(key->alFd);
key->alFd = WC_SOCK_NOTSET;
}
if (key->rdFd > 0) {
close(key->rdFd);
key->rdFd = WC_SOCK_NOTSET;
}
return ret;
}
#elif defined(WOLFSSL_KCAPI_RSA)
static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key,
WC_RNG* rng)
{
int ret;
(void)rng;
switch(type) {
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
ret = KcapiRsa_Decrypt(key, in, inLen, out, outLen);
break;
case RSA_PUBLIC_DECRYPT:
case RSA_PUBLIC_ENCRYPT:
ret = KcapiRsa_Encrypt(key, in, inLen, out, outLen);
break;
default:
ret = RSA_WRONG_TYPE_E;
}
return ret;
}
2026-03-31 16:45:19 -04:00
2018-08-24 10:24:53 -06:00
#else
#ifndef WOLF_CRYPTO_CB_ONLY_RSA
2017-08-10 17:27:22 +10:00
#ifdef WOLFSSL_HAVE_SP_RSA
2023-03-24 15:02:15 +10:00
static int RsaFunction_SP(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
(void)rng;
2017-08-10 17:27:22 +10:00
#ifndef WOLFSSL_SP_NO_2048
if (mp_count_bits(&key->n) == 2048) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2017-08-10 17:27:22 +10:00
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
if (rng == NULL)
return MISSING_RNG_E;
#endif
#ifndef RSA_LOW_MEM
if ((mp_count_bits(&key->p) == 1024) &&
2024-08-26 15:50:45 +02:00
(mp_count_bits(&key->q) == 1024) &&
(mp_count_bits(&key->dP) > 0) &&
(mp_count_bits(&key->dQ) > 0) &&
(mp_count_bits(&key->u) > 0)) {
return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
&key->dP, &key->dQ, &key->u, &key->n,
out, outLen);
}
break;
#else
return sp_RsaPrivate_2048(in, inLen, &key->d, NULL, NULL, NULL,
NULL, NULL, &key->n, out, outLen);
#endif
#endif
2017-08-10 17:27:22 +10:00
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
2021-01-12 12:25:52 +10:00
default:
break;
2017-08-10 17:27:22 +10:00
}
}
#endif
#ifndef WOLFSSL_SP_NO_3072
if (mp_count_bits(&key->n) == 3072) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2017-08-10 17:27:22 +10:00
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
if (rng == NULL)
return MISSING_RNG_E;
#endif
#ifndef RSA_LOW_MEM
if ((mp_count_bits(&key->p) == 1536) &&
2024-08-26 15:50:45 +02:00
(mp_count_bits(&key->q) == 1536) &&
(mp_count_bits(&key->dP) > 0) &&
(mp_count_bits(&key->dQ) > 0) &&
(mp_count_bits(&key->u) > 0)) {
return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
&key->dP, &key->dQ, &key->u, &key->n,
out, outLen);
}
break;
#else
return sp_RsaPrivate_3072(in, inLen, &key->d, NULL, NULL, NULL,
NULL, NULL, &key->n, out, outLen);
#endif
#endif
2017-08-10 17:27:22 +10:00
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
2021-01-12 12:25:52 +10:00
default:
break;
2017-08-10 17:27:22 +10:00
}
}
#endif
#ifdef WOLFSSL_SP_4096
if (mp_count_bits(&key->n) == 4096) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
if (rng == NULL)
return MISSING_RNG_E;
#endif
#ifndef RSA_LOW_MEM
if ((mp_count_bits(&key->p) == 2048) &&
2024-08-26 15:50:45 +02:00
(mp_count_bits(&key->q) == 2048) &&
(mp_count_bits(&key->dP) > 0) &&
(mp_count_bits(&key->dQ) > 0) &&
(mp_count_bits(&key->u) > 0)) {
return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
&key->dP, &key->dQ, &key->u, &key->n,
out, outLen);
}
break;
#else
return sp_RsaPrivate_4096(in, inLen, &key->d, NULL, NULL, NULL,
NULL, NULL, &key->n, out, outLen);
#endif
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_4096(in, inLen, &key->e, &key->n, out, outLen);
2021-01-12 12:25:52 +10:00
default:
break;
}
}
#endif
2017-08-10 17:27:22 +10:00
2023-03-24 15:02:15 +10:00
/* SP not able to do operation. */
2018-02-08 15:50:17 +10:00
return WC_KEY_SIZE_E;
2023-03-24 15:02:15 +10:00
}
#endif
#if !defined(WOLFSSL_SP_MATH)
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
static int RsaFunctionPrivate(mp_int* tmp, RsaKey* key, WC_RNG* rng)
{
int ret = 0;
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
mp_digit mp = 0;
2023-03-24 15:02:15 +10:00
DECL_MP_INT_SIZE_DYN(rnd, mp_bitsused(&key->n), RSA_MAX_SIZE);
DECL_MP_INT_SIZE_DYN(rndi, mp_bitsused(&key->n), RSA_MAX_SIZE);
#endif /* WC_RSA_BLINDING && !WC_NO_RNG */
if (MP_BITS_OVER_MAX(mp_bitsused(&key->n), RSA_MAX_SIZE)) {
return WC_KEY_SIZE_E;
}
(void)rng;
2023-03-24 15:02:15 +10:00
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
NEW_MP_INT_SIZE(rnd, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
NEW_MP_INT_SIZE(rndi, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
#ifdef MP_INT_SIZE_CHECK_NULL
if ((rnd == NULL) || (rndi == NULL)) {
FREE_MP_INT_SIZE(rnd, key->heap, DYNAMIC_TYPE_RSA);
FREE_MP_INT_SIZE(rndi, key->heap, DYNAMIC_TYPE_RSA);
return MEMORY_E;
}
2021-02-03 17:14:13 +10:00
#endif
2023-03-24 15:02:15 +10:00
if ((INIT_MP_INT_SIZE(rnd, mp_bitsused(&key->n)) != MP_OKAY) ||
(INIT_MP_INT_SIZE(rndi, mp_bitsused(&key->n)) != MP_OKAY)) {
ret = MP_INIT_E;
2023-03-24 15:02:15 +10:00
}
2014-12-31 15:31:50 -07:00
if (ret == 0) {
2023-03-24 15:02:15 +10:00
/* blind */
ret = mp_rand(rnd, mp_get_digit_count(&key->n), rng);
2023-03-24 15:02:15 +10:00
}
if (ret == 0) {
/* rndi = 1/rnd mod n */
if (mp_invmod(rnd, &key->n, rndi) != MP_OKAY) {
ret = MP_INVMOD_E;
}
}
2023-03-24 15:02:15 +10:00
if (ret == 0) {
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_add("RSA Private rnd", rnd);
mp_memzero_add("RSA Private rndi", rndi);
#endif
/* rnd = rnd^e */
#ifndef WOLFSSL_SP_MATH_ALL
if (mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
#else
if (mp_exptmod_nct(rnd, &key->e, &key->n, rnd) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
#endif
}
if (ret == 0) {
/* tmp = tmp*rnd mod n */
if (mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY) {
ret = MP_MULMOD_E;
}
}
#endif /* WC_RSA_BLINDING && !WC_NO_RNG */
#ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
if (ret == 0) {
if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
#else
2024-08-26 15:50:45 +02:00
if (ret == 0 && (mp_iszero(&key->p) || mp_iszero(&key->q) ||
mp_iszero(&key->dP) || mp_iszero(&key->dQ) || mp_iszero(&key->u))) {
2024-08-26 15:50:45 +02:00
if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
else if (ret == 0) {
2023-03-24 15:02:15 +10:00
mp_int* tmpa = tmp;
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
mp_int* tmpb = rnd;
#else
DECL_MP_INT_SIZE_DYN(tmpb, mp_bitsused(&key->n), RSA_MAX_SIZE);
#endif
2023-03-24 15:02:15 +10:00
#if !defined(WC_RSA_BLINDING) || defined(WC_NO_RNG)
NEW_MP_INT_SIZE(tmpb, mp_bitsused(&key->n), key->heap,
DYNAMIC_TYPE_RSA);
#ifdef MP_INT_SIZE_CHECK_NULL
if (tmpb == NULL) {
ret = MEMORY_E;
}
#endif
if ((ret == 0) && INIT_MP_INT_SIZE(tmpb, mp_bitsused(&key->n)) !=
MP_OKAY) {
ret = MP_INIT_E;
}
2021-02-03 17:14:13 +10:00
#endif
2023-03-24 15:02:15 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
if (ret == 0) {
mp_memzero_add("RSA Sync tmpb", tmpb);
}
#endif
/* tmpb = tmp^dQ mod q */
if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q, tmpb) != MP_OKAY)
ret = MP_EXPTMOD_E;
/* tmpa = tmp^dP mod p */
if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p, tmpa) != MP_OKAY)
ret = MP_EXPTMOD_E;
/* tmp = (tmp - tmpb) * qInv (mod p) */
#if (defined(WOLFSSL_SP_MATH) || (defined(WOLFSSL_SP_MATH_ALL)) && \
!defined(WOLFSSL_SP_INT_NEGATIVE))
if (ret == 0 && mp_submod(tmpa, tmpb, &key->p, tmp) != MP_OKAY)
ret = MP_SUB_E;
#else
if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY)
ret = MP_SUB_E;
#endif
if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p, tmp) != MP_OKAY)
ret = MP_MULMOD_E;
/* tmp = tmpb + q * tmp */
if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY)
ret = MP_MUL_E;
if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY)
ret = MP_ADD_E;
#if !defined(WC_RSA_BLINDING) || defined(WC_NO_RNG)
mp_forcezero(tmpb);
FREE_MP_INT_SIZE(tmpb, key->heap, DYNAMIC_TYPE_RSA);
#if !defined(MP_INT_SIZE_CHECK_NULL) && defined(WOLFSSL_CHECK_MEM_ZERO)
mp_memzero_check(tmpb);
#endif
#endif
}
#endif /* RSA_LOW_MEM */
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2023-11-30 13:09:55 -06:00
/* Multiply result (tmp) by blinding invertor (rndi).
* Use Montgomery form to make operation more constant time.
*/
if ((ret == 0) && (mp_montgomery_setup(&key->n, &mp) != MP_OKAY)) {
2023-03-24 15:02:15 +10:00
ret = MP_MULMOD_E;
}
if ((ret == 0) && (mp_montgomery_calc_normalization(rnd, &key->n) !=
MP_OKAY)) {
ret = MP_MULMOD_E;
}
2023-11-30 13:09:55 -06:00
/* Convert blinding invert to Montgomery form. */
if ((ret == 0) && (mp_mul(rndi, rnd, rndi) != MP_OKAY)) {
ret = MP_MULMOD_E;
}
if ((ret == 0) && (mp_mod(rndi, &key->n, rndi) != MP_OKAY)) {
ret = MP_MULMOD_E;
}
/* Multiply result by blinding invert. */
if ((ret == 0) && (mp_mul(tmp, rndi, tmp) != MP_OKAY)) {
ret = MP_MULMOD_E;
}
/* Reduce result. */
if ((ret == 0) && (mp_montgomery_reduce_ct(tmp, &key->n, mp) != MP_OKAY)) {
ret = MP_MULMOD_E;
}
2023-03-24 15:02:15 +10:00
mp_forcezero(rndi);
mp_forcezero(rnd);
FREE_MP_INT_SIZE(rndi, key->heap, DYNAMIC_TYPE_RSA);
FREE_MP_INT_SIZE(rnd, key->heap, DYNAMIC_TYPE_RSA);
#if !defined(MP_INT_SIZE_CHECK_NULL) && defined(WOLFSSL_CHECK_MEM_ZERO)
mp_memzero_check(rnd);
mp_memzero_check(rndi);
#endif
#endif /* WC_RSA_BLINDING && !WC_NO_RNG */
return ret;
}
#endif
static int RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
DECL_MP_INT_SIZE_DYN(tmp, mp_bitsused(&key->n), RSA_MAX_SIZE);
int ret = 0;
if (MP_BITS_OVER_MAX(mp_bitsused(&key->n), RSA_MAX_SIZE)) {
return WC_KEY_SIZE_E;
}
2023-03-24 15:02:15 +10:00
(void)rng;
NEW_MP_INT_SIZE(tmp, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
#ifdef MP_INT_SIZE_CHECK_NULL
2024-02-08 17:22:36 -08:00
if (tmp == NULL) {
WOLFSSL_MSG("NEW_MP_INT_SIZE tmp is NULL, return MEMORY_E");
2023-03-24 15:02:15 +10:00
return MEMORY_E;
2024-02-08 17:22:36 -08:00
}
2023-03-24 15:02:15 +10:00
#endif
2024-02-08 17:22:36 -08:00
if (INIT_MP_INT_SIZE(tmp, mp_bitsused(&key->n)) != MP_OKAY) {
WOLFSSL_MSG("INIT_MP_INT_SIZE failed.");
2023-03-24 15:02:15 +10:00
ret = MP_INIT_E;
2024-02-08 17:22:36 -08:00
}
2023-03-24 15:02:15 +10:00
#ifndef TEST_UNPAD_CONSTANT_TIME
2021-01-12 12:25:52 +10:00
if (ret == 0 && mp_read_unsigned_bin(tmp, in, inLen) != MP_OKAY)
ret = MP_READ_E;
2014-12-31 15:31:50 -07:00
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
if (ret == 0) {
mp_memzero_add("RSA sync tmp", tmp);
}
#endif
if (ret == 0) {
switch(type) {
2021-02-03 17:14:13 +10:00
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
{
2023-03-24 15:02:15 +10:00
ret = RsaFunctionPrivate(tmp, key, rng);
break;
}
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
2024-02-08 17:22:36 -08:00
if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY) {
WOLFSSL_MSG_CERT_LOG("mp_exptmod_nct failed");
ret = MP_EXPTMOD_E;
2024-02-08 17:22:36 -08:00
}
2020-01-15 22:15:38 +10:00
break;
default:
ret = RSA_WRONG_TYPE_E;
break;
}
}
if (ret == 0) {
2024-02-08 17:22:36 -08:00
WOLFSSL_MSG("mp_to_unsigned_bin_len_ct...");
if (mp_to_unsigned_bin_len_ct(tmp, out, (int)*outLen) != MP_OKAY) {
WOLFSSL_MSG("mp_to_unsigned_bin_len_ct failed");
ret = MP_TO_E;
}
}
#ifdef WOLFSSL_RSA_CHECK_D_ON_DECRYPT
if ((ret == 0) && (type == RSA_PRIVATE_DECRYPT)) {
mp_sub(&key->n, &key->p, tmp);
mp_sub(tmp, &key->q, tmp);
mp_add_d(tmp, 1, tmp);
mp_mulmod(&key->d, &key->e, tmp, tmp);
if (!mp_isone(tmp)) {
ret = MP_EXPTMOD_E;
}
}
#endif
#else
(void)type;
(void)key;
XMEMCPY(out, in, inLen);
#endif
2014-12-31 15:31:50 -07:00
2022-06-15 11:26:11 +10:00
mp_forcezero(tmp);
2023-03-24 15:02:15 +10:00
FREE_MP_INT_SIZE(tmp, key->heap, DYNAMIC_TYPE_RSA);
#if !defined(MP_INT_SIZE_CHECK_NULL) && defined(WOLFSSL_CHECK_MEM_ZERO)
2022-06-13 16:21:41 +10:00
mp_memzero_check(tmp);
#endif
2014-12-31 15:31:50 -07:00
return ret;
2023-03-24 15:02:15 +10:00
}
#endif /* !WOLFSSL_SP_MATH */
static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
int ret;
word32 keyLen;
2023-03-24 15:02:15 +10:00
ret = wc_RsaEncryptSize(key);
if (ret < 0) {
#ifdef DEBUG_WOLFSSL
2024-02-08 17:22:36 -08:00
WOLFSSL_MSG_EX("wc_RsaEncryptSize failed err = %d", ret);
#endif
return ret;
}
keyLen = (word32)ret;
2023-03-24 15:02:15 +10:00
if (inLen > keyLen) {
WOLFSSL_MSG("Expected that inLen be no longer RSA key length");
return BAD_FUNC_ARG;
}
if (keyLen > *outLen) {
WOLFSSL_MSG("Expected that outLen be no shorter RSA key length");
return RSA_BUFFER_E;
}
if (mp_iseven(&key->n)) {
2024-02-08 17:22:36 -08:00
WOLFSSL_MSG("MP_VAL is even");
2023-03-24 15:02:15 +10:00
return MP_VAL;
}
#if defined(WOLFSSL_NXP_CASPER_RSA_PUB_EXPTMOD)
if (type == RSA_PUBLIC_DECRYPT || type == RSA_PUBLIC_ENCRYPT) {
ret = casper_rsa_public_exptmod(in, inLen, out, outLen, key);
if (ret == 0)
return MP_OKAY;
/* else fall through for software fallback */
}
#endif
2023-03-24 15:02:15 +10:00
#ifdef WOLFSSL_HAVE_SP_RSA
ret = RsaFunction_SP(in, inLen, out, outLen, type, key, rng);
if (ret != WC_NO_ERR_TRACE(WC_KEY_SIZE_E))
2023-03-24 15:02:15 +10:00
return ret;
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_SP_MATH)
(void)rng;
#ifndef WOLFSSL_HAVE_SP_RSA
(void)in;
(void)inLen;
(void)out;
(void)outLen;
(void)type;
(void)key;
#error RSA SP option invalid (enable WOLFSSL_HAVE_SP_RSA or disable WOLFSSL_SP_MATH)
return NOT_COMPILED_IN;
#else
WOLFSSL_MSG("SP Key Size Error");
return WC_KEY_SIZE_E;
#endif
#else
*outLen = keyLen;
return RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
#endif /* WOLFSSL_SP_MATH */
} /* wc_RsaFunctionSync */
#endif /* WOLF_CRYPTO_CB_ONLY_RSA */
2018-08-24 10:24:53 -06:00
#endif
2014-12-31 15:31:50 -07:00
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
int ret = 0;
2014-12-31 15:31:50 -07:00
(void)rng;
#ifdef WOLFSSL_ASYNC_CRYPT_SW
if (wc_AsyncSwInit(&key->asyncDev, ASYNC_SW_RSA_FUNC)) {
WC_ASYNC_SW* sw = &key->asyncDev.sw;
sw->rsaFunc.in = in;
sw->rsaFunc.inSz = inLen;
sw->rsaFunc.out = out;
sw->rsaFunc.outSz = outLen;
sw->rsaFunc.type = type;
sw->rsaFunc.key = key;
sw->rsaFunc.rng = rng;
return WC_PENDING_E;
}
#endif /* WOLFSSL_ASYNC_CRYPT_SW */
2014-12-31 15:31:50 -07:00
#ifdef WC_RSA_NONBLOCK
/* When a non-blocking context is attached and the SP nonblock backend
* is available, drive the chunked state machine here. wolfAsync_DoSw
* (line "if (ret == FP_WOULDBLOCK) ret = WC_PENDING_E;" at the bottom
* of the SW switch in wolfcrypt/src/async.c, FP_WOULDBLOCK aliases
* MP_WOULDBLOCK) translates per-yield MP_WOULDBLOCK into WC_PENDING_E
* so the TLS / async event loop can drive the operation to completion. */
if (key->nb != NULL) {
return wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
}
#endif
switch (type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef HAVE_CAVIUM
2018-04-03 09:14:20 -07:00
key->dataLen = key->n.raw.len;
ret = NitroxRsaExptMod(in, inLen,
key->d.raw.buf, key->d.raw.len,
key->n.raw.buf, key->n.raw.len,
out, outLen, key);
#elif defined(HAVE_INTEL_QA)
#ifdef RSA_LOW_MEM
ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
&key->d.raw, &key->n.raw,
out, outLen);
#else
ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
&key->p.raw, &key->q.raw,
&key->dP.raw, &key->dQ.raw,
&key->u.raw,
out, outLen);
#endif
#else
ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
#endif
break;
#endif
2014-12-31 15:31:50 -07:00
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
#ifdef HAVE_CAVIUM
2018-04-03 09:14:20 -07:00
key->dataLen = key->n.raw.len;
ret = NitroxRsaExptMod(in, inLen,
key->e.raw.buf, key->e.raw.len,
key->n.raw.buf, key->n.raw.len,
out, outLen, key);
#elif defined(HAVE_INTEL_QA)
ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
&key->e.raw, &key->n.raw,
out, outLen);
#else
ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
#endif
break;
default:
ret = RSA_WRONG_TYPE_E;
2016-04-14 09:33:25 -06:00
}
return ret;
}
#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
2014-12-31 15:31:50 -07:00
#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
/* Performs direct RSA computation without padding. The input and output must
* match the key size (ex: 2048-bits = 256 bytes). Returns the size of the
* output on success or negative value on failure. */
int wc_RsaDirect(const byte* in, word32 inLen, byte* out, word32* outSz,
RsaKey* key, int type, WC_RNG* rng)
{
int ret;
if (in == NULL || outSz == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
/* sanity check on type of RSA operation */
switch (type) {
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
case RSA_PRIVATE_DECRYPT:
break;
default:
WOLFSSL_MSG("Bad RSA type");
return BAD_FUNC_ARG;
}
if ((ret = wc_RsaEncryptSize(key)) < 0) {
return ret;
}
if (inLen != (word32)ret) {
WOLFSSL_MSG("Bad input length. Should be RSA key size");
return BAD_FUNC_ARG;
}
if (out == NULL) {
*outSz = inLen;
2024-09-06 19:33:48 -05:00
return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
}
switch (key->state) {
case RSA_STATE_NONE:
case RSA_STATE_ENCRYPT_PAD:
case RSA_STATE_ENCRYPT_EXPTMOD:
case RSA_STATE_DECRYPT_EXPTMOD:
case RSA_STATE_DECRYPT_UNPAD:
key->state = (type == RSA_PRIVATE_ENCRYPT ||
type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD:
RSA_STATE_DECRYPT_EXPTMOD;
key->dataLen = *outSz;
ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng);
if (ret >= 0 || ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
key->state = (type == RSA_PRIVATE_ENCRYPT ||
type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES:
RSA_STATE_DECRYPT_RES;
}
if (ret < 0) {
break;
}
FALL_THROUGH;
case RSA_STATE_ENCRYPT_RES:
case RSA_STATE_DECRYPT_RES:
ret = (int)key->dataLen;
break;
default:
ret = BAD_STATE_E;
}
/* if async pending then skip cleanup*/
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)
#ifdef WC_RSA_NONBLOCK
|| ret == FP_WOULDBLOCK
#endif
) {
return ret;
}
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
return ret;
}
#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING || OPENSSL_EXTRA || \
* OPENSSL_EXTRA_X509_SMALL */
2019-03-27 20:44:38 -07:00
#if defined(WOLFSSL_CRYPTOCELL)
static int cc310_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
CRYSError_t ret = 0;
CRYS_RSAPrimeData_t primeData;
int modulusSize = wc_RsaEncryptSize(key);
/* The out buffer must be at least modulus size bytes long. */
if (outLen < modulusSize)
return BAD_FUNC_ARG;
ret = CRYS_RSA_PKCS1v15_Encrypt(&wc_rndState,
wc_rndGenVectFunc,
&key->ctx.pubKey,
&primeData,
(byte*)in,
inLen,
out);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Encrypt failed");
return -1;
}
return modulusSize;
}
static int cc310_RsaPublicDecrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
CRYSError_t ret = 0;
CRYS_RSAPrimeData_t primeData;
2021-01-18 09:03:58 +10:00
word16 actualOutLen = outLen;
2019-03-27 20:44:38 -07:00
ret = CRYS_RSA_PKCS1v15_Decrypt(&key->ctx.privKey,
&primeData,
(byte*)in,
inLen,
out,
&actualOutLen);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Decrypt failed");
return -1;
}
return actualOutLen;
}
int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
2019-03-27 20:44:38 -07:00
{
CRYSError_t ret = 0;
2021-01-18 09:03:58 +10:00
word16 actualOutLen = outLen*sizeof(byte);
2019-03-27 20:44:38 -07:00
CRYS_RSAPrivUserContext_t contextPrivate;
ret = CRYS_RSA_PKCS1v15_Sign(&wc_rndState,
wc_rndGenVectFunc,
&contextPrivate,
&key->ctx.privKey,
mode,
(byte*)in,
inLen,
out,
&actualOutLen);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Sign failed");
return -1;
}
return actualOutLen;
}
int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
2019-03-27 20:44:38 -07:00
{
CRYSError_t ret = 0;
CRYS_RSAPubUserContext_t contextPub;
/* verify the signature in the sig pointer */
ret = CRYS_RSA_PKCS1v15_Verify(&contextPub,
&key->ctx.pubKey,
mode,
(byte*)in,
inLen,
sig);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Verify failed");
return -1;
}
return ret;
}
#endif /* WOLFSSL_CRYPTOCELL */
2023-03-24 15:02:15 +10:00
#ifndef WOLF_CRYPTO_CB_ONLY_RSA
2026-01-07 17:13:10 +10:00
#if !defined(NO_RSA_BOUNDS_CHECK)
2023-03-24 15:02:15 +10:00
/* Check that 1 < in < n-1. (Requirement of 800-56B.) */
int RsaFunctionCheckIn(const byte* in, word32 inLen, RsaKey* key,
2023-03-24 15:02:15 +10:00
int checkSmallCt)
{
int ret = 0;
2023-03-24 15:02:15 +10:00
DECL_MP_INT_SIZE_DYN(c, mp_bitsused(&key->n), RSA_MAX_SIZE);
if (MP_BITS_OVER_MAX(mp_bitsused(&key->n), RSA_MAX_SIZE)) {
return WC_KEY_SIZE_E;
}
2023-03-24 15:02:15 +10:00
NEW_MP_INT_SIZE(c, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
#ifdef MP_INT_SIZE_CHECK_NULL
if (c == NULL)
ret = MEMORY_E;
#endif
if (ret == 0 && INIT_MP_INT_SIZE(c, mp_bitsused(&key->n)) != MP_OKAY) {
ret = MP_INIT_E;
}
if (ret == 0) {
if (mp_read_unsigned_bin(c, in, inLen) != 0)
ret = MP_READ_E;
}
if (ret == 0) {
/* check c > 1 */
if (checkSmallCt && (mp_cmp_d(c, 1) != MP_GT))
ret = RSA_OUT_OF_RANGE_E;
}
if (ret == 0) {
/* add c+1 */
if (mp_add_d(c, 1, c) != MP_OKAY)
ret = MP_ADD_E;
}
if (ret == 0) {
/* check c+1 < n */
if (mp_cmp(c, &key->n) != MP_LT)
ret = RSA_OUT_OF_RANGE_E;
}
mp_clear(c);
FREE_MP_INT_SIZE(c, key->heap, DYNAMIC_TYPE_RSA);
return ret;
}
2026-01-07 17:13:10 +10:00
#endif /* !NO_RSA_BOUNDS_CHECK */
2023-03-24 15:02:15 +10:00
#endif /* WOLF_CRYPTO_CB_ONLY_RSA */
2022-04-05 18:16:20 +10:00
static int wc_RsaFunction_ex(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng,
int checkSmallCt)
{
2018-02-22 17:17:54 -08:00
int ret = 0;
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
RsaPadding padding;
#endif
2014-12-31 15:31:50 -07:00
(void)rng;
(void)checkSmallCt;
if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
#ifdef WOLF_CRYPTO_CB
#ifndef WOLF_CRYPTO_CB_FIND
if (key->devId != INVALID_DEVID)
#endif
{
#if defined(WOLF_CRYPTO_CB_RSA_PAD)
/* If we are here, either the RSA PAD callback was already called
* and returned that it could not implement for that padding scheme,
* or this is a public verify operation. Either way indicate to the
* callback that this should be a raw RSA operation with no padding.*/
XMEMSET(&padding, 0, sizeof(RsaPadding));
padding.pad_type = WC_RSA_NO_PAD;
ret = wc_CryptoCb_RsaPad(in, inLen, out,
outLen, type, key, rng, &padding);
#else
ret = wc_CryptoCb_Rsa(in, inLen, out, outLen, type, key, rng);
#endif
#ifndef WOLF_CRYPTO_CB_ONLY_RSA
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
return ret;
/* fall-through when unavailable and try using software */
#endif
#ifdef WOLF_CRYPTO_CB_ONLY_RSA
if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
return NO_VALID_DEVID;
}
return ret;
#endif
}
#endif
#ifdef WOLF_CRYPTO_CB_ONLY_RSA
return NO_VALID_DEVID;
#else /* !WOLF_CRYPTO_CB_ONLY_RSA */
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(TEST_UNPAD_CONSTANT_TIME) && \
!defined(NO_RSA_BOUNDS_CHECK)
2018-02-22 17:17:54 -08:00
if (type == RSA_PRIVATE_DECRYPT &&
key->state == RSA_STATE_DECRYPT_EXPTMOD) {
2023-03-24 15:02:15 +10:00
ret = RsaFunctionCheckIn(in, inLen, key, checkSmallCt);
if (ret != 0) {
2018-02-22 17:17:54 -08:00
return ret;
}
2018-02-22 17:17:54 -08:00
}
#endif /* !WOLFSSL_RSA_VERIFY_ONLY && !TEST_UNPAD_CONSTANT_TIME && \
* !NO_RSA_BOUNDS_CHECK */
2026-01-07 17:13:10 +10:00
#if !defined(NO_RSA_BOUNDS_CHECK)
if (type == RSA_PUBLIC_DECRYPT &&
key->state == RSA_STATE_DECRYPT_EXPTMOD) {
ret = RsaFunctionCheckIn(in, inLen, key, checkSmallCt);
if (ret != 0) {
return ret;
}
}
#endif
2018-02-22 17:17:54 -08:00
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
key->n.raw.len > 0) {
/* wc_RsaFunctionAsync dispatches to the SP nonblock state machine
* in its compute path when key->nb is attached - wolfAsync_DoSw
* (in wolfcrypt/src/async.c) translates per-yield FP_WOULDBLOCK
* (alias of MP_WOULDBLOCK) into WC_PENDING_E so the TLS / async
* event loop can drive completion. */
ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
}
else
#endif
#ifdef WC_RSA_NONBLOCK
if (key->nb) {
/* Direct (non-async) nonblock dispatch - the caller (e.g. wolfcrypt
* test) drives the loop on MP_WOULDBLOCK directly. Reached when no
* async marker is set on the key. */
ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
}
else
#endif
{
ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
}
/* handle error */
if (ret < 0 && ret != WC_NO_ERR_TRACE(WC_PENDING_E)
#ifdef WC_RSA_NONBLOCK
&& ret != FP_WOULDBLOCK
#endif
) {
if (ret == WC_NO_ERR_TRACE(MP_EXPTMOD_E)) {
/* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
}
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
}
return ret;
#endif /* !WOLF_CRYPTO_CB_ONLY_RSA */
2014-12-31 15:31:50 -07:00
}
2022-04-05 18:16:20 +10:00
int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
2023-06-22 15:46:34 +02:00
/* Always check for ciphertext of 0 or 1. (Shouldn't for OAEP decrypt.) */
2022-04-05 18:16:20 +10:00
return wc_RsaFunction_ex(in, inLen, out, outLen, type, key, rng, 1);
}
2014-12-31 15:31:50 -07:00
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* Internal Wrappers */
/* Gives the option of choosing padding type
2016-01-05 10:56:15 -07:00
in : input to be encrypted
inLen: length of input buffer
out: encrypted output
outLen: length of encrypted output buffer
key : wolfSSL initialized RSA key struct
2016-01-05 10:56:15 -07:00
rng : wolfSSL initialized random number struct
rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
WC_RSA_NO_PAD or WC_RSA_PSS_PAD
2016-01-05 10:56:15 -07:00
hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
mgf : type of mask generation function to use
label : optional label
labelSz : size of optional label buffer
saltLen : Length of salt used in PSS
rng : random number generator */
static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, int rsa_type,
byte pad_value, int pad_type,
enum wc_HashType hash, int mgf,
byte* label, word32 labelSz, int saltLen,
WC_RNG* rng)
2016-01-05 10:56:15 -07:00
{
2022-04-12 12:45:02 +10:00
int ret = 0;
int sz;
int state;
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
RsaPadding padding;
#endif
2016-01-05 10:56:15 -07:00
if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
2016-01-05 10:56:15 -07:00
sz = wc_RsaEncryptSize(key);
if (sz > (int)outLen) {
2016-01-05 10:56:15 -07:00
return RSA_BUFFER_E;
}
2016-01-05 10:56:15 -07:00
2022-06-08 09:31:17 -07:00
if (sz < RSA_MIN_PAD_SZ || sz > (int)RSA_MAX_SIZE/8) {
2016-04-14 09:33:25 -06:00
return WC_KEY_SIZE_E;
}
if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
#ifdef WC_RSA_NO_PADDING
/* In the case that no padding is used the input length can and should
* be the same size as the RSA key. */
if (pad_type != WC_RSA_NO_PAD)
#endif
2016-01-05 10:56:15 -07:00
return RSA_BUFFER_E;
}
2016-01-05 10:56:15 -07:00
2021-06-09 19:09:46 +02:00
#ifndef WOLFSSL_BIND
state = key->state;
#else
/* Bind9 shares the EVP_PKEY struct across multiple threads so let's just
* force a restart on each RsaPublicEncryptEx call for it. */
state = RSA_STATE_NONE;
#ifdef WOLFSSL_ASYNC_CRYPT
#error wolfSSL does not handle building bind support with async crypto
#endif
#endif
switch (state) {
case RSA_STATE_NONE:
case RSA_STATE_ENCRYPT_PAD:
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(HAVE_CAVIUM)
2018-04-03 09:14:20 -07:00
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) {
/* Async operations that include padding */
if (rsa_type == RSA_PUBLIC_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
key->state = RSA_STATE_ENCRYPT_RES;
key->dataLen = key->n.raw.len;
return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
}
else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
key->state = RSA_STATE_ENCRYPT_RES;
key->dataLen = key->n.raw.len;
return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
}
}
2019-03-27 20:44:38 -07:00
#elif defined(WOLFSSL_CRYPTOCELL)
if (rsa_type == RSA_PUBLIC_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
return cc310_RsaPublicEncrypt(in, inLen, out, outLen, key);
}
else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
cc310_hashModeRSA(hash, 0));
2019-03-27 20:44:38 -07:00
}
#elif defined(WOLFSSL_MICROCHIP_TA100)
if (rsa_type == RSA_PUBLIC_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
2026-01-22 21:56:52 +01:00
if (key->uKeyH != 0) {
return wc_Microchip_rsa_encrypt(in, inLen, out, outLen, key);
}
return WC_HW_E;
}
else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
2026-01-22 21:56:52 +01:00
if (key->rKeyH != 0) {
if (pad_type != WC_RSA_PSS_PAD) {
return WC_HW_E;
}
2026-01-22 21:56:52 +01:00
return wc_Microchip_rsa_sign(in, inLen, out, outLen, key);
}
return WC_HW_E;
}
2025-02-11 15:19:31 +00:00
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
if (rsa_type == RSA_PUBLIC_ENCRYPT && pad_value == RSA_BLOCK_TYPE_2) {
return se050_rsa_public_encrypt(in, inLen, out, outLen, key,
rsa_type, pad_value, pad_type, hash,
mgf, label, labelSz, sz);
}
else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_1 &&
pad_type != WC_RSA_PSS_PAD) {
/* SE050 handles PKCS#1 v1.5 signing directly. PSS signing falls
* through to software path because the SE050 PSS sign API
* (Se05x_API_RSASign) is hash-then-sign and does not support
* signing a pre-computed digest without double-hashing. */
return se050_rsa_sign(in, inLen, out, outLen, key, rsa_type,
pad_value, pad_type, hash, mgf, label,
labelSz, sz);
}
#endif /* RSA CRYPTO HW */
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
if (key->devId != INVALID_DEVID) {
XMEMSET(&padding, 0, sizeof(RsaPadding));
padding.pad_value = pad_value;
padding.pad_type = pad_type;
padding.hash = hash;
padding.mgf = mgf;
padding.label = label;
padding.labelSz = labelSz;
padding.saltLen = saltLen;
ret = wc_CryptoCb_RsaPad(in, inLen, out, &outLen, rsa_type, key, rng,
&padding);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
if (ret < 0) {
break;
}
ret = outLen;
break;
}
}
#endif
key->state = RSA_STATE_ENCRYPT_PAD;
2023-04-10 19:05:09 -05:00
ret = wc_RsaPad_ex(in, inLen, out, (word32)sz, pad_value, rng, pad_type,
hash, mgf, label, labelSz, saltLen,
mp_count_bits(&key->n), key->heap);
if (ret < 0) {
break;
}
key->state = RSA_STATE_ENCRYPT_EXPTMOD;
FALL_THROUGH;
case RSA_STATE_ENCRYPT_EXPTMOD:
key->dataLen = outLen;
2023-04-10 19:05:09 -05:00
ret = wc_RsaFunction(out, (word32)sz, out, &key->dataLen, rsa_type, key,
rng);
if (ret >= 0 || ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
key->state = RSA_STATE_ENCRYPT_RES;
}
if (ret < 0) {
break;
}
FALL_THROUGH;
case RSA_STATE_ENCRYPT_RES:
ret = (int)key->dataLen;
break;
default:
ret = BAD_STATE_E;
break;
}
/* if async pending then return and skip done cleanup below */
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)
#ifdef WC_RSA_NONBLOCK
|| ret == FP_WOULDBLOCK
#endif
) {
2016-01-05 10:56:15 -07:00
return ret;
}
2016-01-05 10:56:15 -07:00
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
2016-01-05 10:56:15 -07:00
return ret;
}
2019-03-27 20:44:38 -07:00
#endif
/* Gives the option of choosing padding type
in : input to be decrypted
inLen: length of input buffer
out: decrypted message
outLen: length of decrypted message in bytes
outPtr: optional inline output pointer (if provided doing inline)
key : wolfSSL initialized RSA key struct
rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
WC_RSA_NO_PAD, WC_RSA_PSS_PAD
hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
mgf : type of mask generation function to use
label : optional label
labelSz : size of optional label buffer
saltLen : Length of salt used in PSS
rng : random number generator */
2021-01-12 12:25:52 +10:00
static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
word32 outLen, byte** outPtr, RsaKey* key,
int rsa_type, byte pad_value, int pad_type,
enum wc_HashType hash, int mgf,
byte* label, word32 labelSz, int saltLen,
WC_RNG* rng)
{
int ret = WC_NO_ERR_TRACE(RSA_WRONG_TYPE_E);
2019-12-18 07:09:26 -08:00
byte* pad = NULL;
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
RsaPadding padding;
#endif
if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
switch (key->state) {
case RSA_STATE_NONE:
key->dataLen = inLen;
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(HAVE_CAVIUM)
/* Async operations that include padding */
2018-04-03 09:14:20 -07:00
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
pad_type != WC_RSA_PSS_PAD) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (rsa_type == RSA_PRIVATE_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
key->state = RSA_STATE_DECRYPT_RES;
key->data = NULL;
2018-04-03 09:14:20 -07:00
return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
key);
#endif
}
else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
key->state = RSA_STATE_DECRYPT_RES;
key->data = NULL;
return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
}
}
2019-03-27 20:44:38 -07:00
#elif defined(WOLFSSL_CRYPTOCELL)
if (rsa_type == RSA_PRIVATE_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
ret = cc310_RsaPublicDecrypt(in, inLen, out, outLen, key);
if (outPtr != NULL)
*outPtr = out; /* for inline */
return ret;
}
else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
return cc310_RsaSSL_Verify(in, inLen, out, key,
cc310_hashModeRSA(hash, 0));
2019-03-27 20:44:38 -07:00
}
#elif defined(WOLFSSL_MICROCHIP_TA100)
if (rsa_type == RSA_PRIVATE_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
2026-01-22 21:56:52 +01:00
if (key->rKeyH != 0) {
return wc_Microchip_rsa_decrypt(in, inLen, out, outLen, key);
}
return WC_HW_E;
}
/* Note: RSA_PUBLIC_DECRYPT (verify) is intentionally not intercepted
* here. wc_Microchip_rsa_verify takes a digest as input, not a raw
* signature blob; the proper TA100 short-circuit lives in the
* wc_RsaPSS_CheckPadding / wc_RsaPSS_VerifyCheck path which has the
* digest available. */
2025-02-11 15:19:31 +00:00
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
if (rsa_type == RSA_PRIVATE_DECRYPT && pad_value == RSA_BLOCK_TYPE_2) {
ret = se050_rsa_private_decrypt(in, inLen, out, outLen, key,
rsa_type, pad_value, pad_type, hash,
mgf, label, labelSz);
if (outPtr != NULL) {
*outPtr = out;
}
return ret;
}
#if !defined(WOLFSSL_SE050_NO_RSA_VERIFY)
else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1 &&
pad_type != WC_RSA_PSS_PAD) {
/* SE050 handles PKCS#1 v1.5 verification directly. PSS
* verification falls through to software path to match the
* software PSS signing path (SE050 PSS sign uses hash-then-sign
* which double-hashes a pre-computed digest). */
ret = se050_rsa_verify(in, inLen, out, outLen, key, rsa_type,
pad_value, pad_type, hash, mgf, label,
labelSz);
if (outPtr != NULL) {
*outPtr = out;
}
return ret;
}
#endif /* !WOLFSSL_SE050_NO_RSA_VERIFY */
#endif /* RSA CRYPTO HW */
2019-03-27 20:44:38 -07:00
2022-05-04 09:33:38 -07:00
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
!defined(WOLFSSL_NO_MALLOC)
/* verify the tmp ptr is NULL, otherwise indicates bad state */
if (key->data != NULL) {
ret = BAD_STATE_E;
break;
}
/* if not doing this inline then allocate a buffer for it */
if (outPtr == NULL) {
key->data = (byte*)XMALLOC(inLen, key->heap,
DYNAMIC_TYPE_WOLF_BIGINT);
key->dataIsAlloc = 1;
if (key->data == NULL) {
ret = MEMORY_E;
break;
}
XMEMCPY(key->data, in, inLen);
key->dataLen = inLen;
}
else {
key->dataIsAlloc = 0;
key->data = out;
}
#endif
key->state = RSA_STATE_DECRYPT_EXPTMOD;
FALL_THROUGH;
case RSA_STATE_DECRYPT_EXPTMOD:
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
if ((key->devId != INVALID_DEVID)
#if !defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY) && \
!defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY)
&& (rsa_type != RSA_PUBLIC_DECRYPT)
#endif
) {
/* Everything except verify goes to crypto cb if
* WOLF_CRYPTO_CB_RSA_PAD defined */
XMEMSET(&padding, 0, sizeof(RsaPadding));
padding.pad_value = pad_value;
padding.pad_type = pad_type;
padding.hash = hash;
padding.mgf = mgf;
padding.label = label;
padding.labelSz = labelSz;
padding.saltLen = saltLen;
ret = wc_CryptoCb_RsaPad(in, inLen, out,
&outLen, rsa_type, key, rng, &padding);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
if (outPtr != NULL) {
*outPtr = out;
}
if (ret == 0) {
ret = (int)outLen;
}
break;
}
}
#endif
2022-05-04 09:33:38 -07:00
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
!defined(WOLFSSL_NO_MALLOC)
2022-04-05 18:16:20 +10:00
ret = wc_RsaFunction_ex(key->data, inLen, key->data, &key->dataLen,
rsa_type, key, rng,
pad_type != WC_RSA_OAEP_PAD);
#else
2022-04-05 18:16:20 +10:00
ret = wc_RsaFunction_ex(in, inLen, out, &key->dataLen, rsa_type, key,
rng, pad_type != WC_RSA_OAEP_PAD);
#endif
if (ret >= 0 || ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
key->state = RSA_STATE_DECRYPT_UNPAD;
}
if (ret < 0) {
break;
}
FALL_THROUGH;
case RSA_STATE_DECRYPT_UNPAD:
2022-05-04 09:33:38 -07:00
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
!defined(WOLFSSL_NO_MALLOC)
ret = wc_RsaUnPad_ex(key->data,
key->dataLen, &pad, pad_value, pad_type, hash, mgf,
label, labelSz, saltLen, mp_count_bits(&key->n), key->heap);
#else
ret = wc_RsaUnPad_ex(out,
key->dataLen, &pad, pad_value, pad_type, hash, mgf, label,
labelSz, saltLen, mp_count_bits(&key->n), key->heap);
#endif
if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen) {
ret = RSA_BUFFER_E;
}
else if (ret >= 0 && pad != NULL) {
/* only copy output if not inline */
if (outPtr == NULL) {
2022-05-04 09:33:38 -07:00
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
!defined(WOLFSSL_NO_MALLOC)
2020-01-30 12:23:38 +10:00
if (rsa_type == RSA_PRIVATE_DECRYPT) {
2021-01-12 12:25:52 +10:00
word32 i = 0;
word32 j;
byte last = 0;
2020-01-30 12:23:38 +10:00
int start = (int)((size_t)pad - (size_t)key->data);
2021-01-12 12:25:52 +10:00
for (j = 0; j < key->dataLen; j++) {
signed char incMask;
signed char maskData;
/* When j < start + outLen then out[i] = key->data[j]
* else out[i] = last
*/
maskData = (signed char)ctMaskLT((int)j,
start + (int)outLen);
out[i] = (byte)(key->data[j] & maskData ) |
(byte)(last & (~maskData));
last = out[i];
/* Increment i when j is in range:
* [start..(start + outLen - 1)]. */
incMask = (signed char)ctMaskGTE((int)j, start);
incMask &= (signed char)ctMaskLT((int)j,
start + (int)outLen - 1);
i += (word32)((byte)(-incMask));
2020-01-30 12:23:38 +10:00
}
}
2020-01-30 12:23:38 +10:00
else
#endif
2020-01-30 12:23:38 +10:00
{
XMEMCPY(out, pad, (size_t)ret);
2020-01-30 12:23:38 +10:00
}
}
else {
*outPtr = pad;
}
#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
ret = ctMaskSelInt(ctMaskLTE(ret, (int)outLen), ret,
WC_NO_ERR_TRACE(RSA_BUFFER_E));
2022-04-05 18:16:20 +10:00
#ifndef WOLFSSL_RSA_DECRYPT_TO_0_LEN
ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret,
WC_NO_ERR_TRACE(RSA_BUFFER_E));
2022-04-05 18:16:20 +10:00
#endif
#else
if (outLen < (word32)ret)
ret = RSA_BUFFER_E;
#endif
}
key->state = RSA_STATE_DECRYPT_RES;
FALL_THROUGH;
2019-12-18 07:09:26 -08:00
case RSA_STATE_DECRYPT_RES:
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(HAVE_CAVIUM)
2018-04-03 09:14:20 -07:00
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
pad_type != WC_RSA_PSS_PAD) {
ret = key->asyncDev.event.ret;
if (ret >= 0) {
/* convert result */
byte* dataLen = (byte*)&key->dataLen;
ret = (dataLen[0] << 8) | (dataLen[1]);
2018-04-03 09:14:20 -07:00
if (outPtr)
*outPtr = in;
}
}
#endif
break;
default:
ret = BAD_STATE_E;
break;
}
/* if async pending then return and skip done cleanup below */
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)
#ifdef WC_RSA_NONBLOCK
|| ret == FP_WOULDBLOCK
#endif
) {
return ret;
}
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
return ret;
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* Public RSA Functions */
int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, WC_RNG* rng)
{
int ret;
ret = RsaPublicEncryptEx(in, inLen, out, outLen, key,
RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
return ret;
}
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, WC_RNG* rng, int type,
enum wc_HashType hash, int mgf, byte* label,
word32 labelSz)
{
int ret;
ret = RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
return ret;
2016-01-05 10:56:15 -07:00
}
2016-01-14 14:26:17 -07:00
#endif /* WC_NO_RSA_OAEP */
#endif
2016-01-05 10:56:15 -07:00
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2014-12-31 15:31:50 -07:00
int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
int ret;
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
#endif
ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
return ret;
2014-12-31 15:31:50 -07:00
}
2016-01-14 14:26:17 -07:00
#ifndef WC_NO_RSA_OAEP
2016-01-05 10:56:15 -07:00
int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
RsaKey* key, int type, enum wc_HashType hash,
int mgf, byte* label, word32 labelSz)
2016-01-05 10:56:15 -07:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
int ret;
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
#endif
ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
mgf, label, labelSz, 0, rng);
return ret;
2016-01-05 10:56:15 -07:00
}
2016-01-14 14:26:17 -07:00
#endif /* WC_NO_RSA_OAEP */
2016-01-05 10:56:15 -07:00
int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
2014-12-31 15:31:50 -07:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
int ret;
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2014-12-31 15:31:50 -07:00
#endif
ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
return ret;
2014-12-31 15:31:50 -07:00
}
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, int type,
enum wc_HashType hash, int mgf, byte* label,
word32 labelSz)
2016-01-05 10:56:15 -07:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
int ret;
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2016-01-05 10:56:15 -07:00
#endif
ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
labelSz, 0, rng);
return ret;
2016-01-05 10:56:15 -07:00
}
#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2016-01-05 10:56:15 -07:00
#if !defined(WOLFSSL_CRYPTOCELL)
2014-12-31 15:31:50 -07:00
int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
int ret;
2026-01-20 10:21:12 -08:00
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2014-12-31 15:31:50 -07:00
#endif
ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
return ret;
2014-12-31 15:31:50 -07:00
}
#endif
2014-12-31 15:31:50 -07:00
#ifndef WOLFSSL_RSA_VERIFY_INLINE
2014-12-31 15:31:50 -07:00
int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key)
{
2020-10-14 16:11:23 +02:00
return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key, WC_RSA_PKCSV15_PAD);
}
int wc_RsaSSL_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, int pad_type)
2020-10-14 16:11:23 +02:00
{
int ret;
ret = wc_RsaSSL_Verify_ex2(in, inLen, out, outLen, key, pad_type,
2020-10-14 16:11:23 +02:00
WC_HASH_TYPE_NONE);
return ret;
2020-10-14 16:11:23 +02:00
}
int wc_RsaSSL_Verify_ex2(const byte* in, word32 inLen, byte* out, word32 outLen,
2020-09-24 17:09:34 +02:00
RsaKey* key, int pad_type, enum wc_HashType hash)
2014-12-31 15:31:50 -07:00
{
2017-06-05 15:04:56 -06:00
WC_RNG* rng;
int ret;
2017-06-05 15:04:56 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2014-12-31 15:31:50 -07:00
#endif
2019-03-27 20:44:38 -07:00
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
2020-10-14 16:11:23 +02:00
hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DEFAULT, rng);
#else
ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
2020-10-14 16:11:23 +02:00
hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DISCOVER, rng);
#endif
return ret;
2014-12-31 15:31:50 -07:00
}
#endif
2014-12-31 15:31:50 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
/* Verify the message signed with RSA-PSS.
2019-07-29 08:14:07 -07:00
* The input buffer is reused for the output buffer.
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
2017-05-10 16:59:11 +10:00
int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
enum wc_HashType hash, int mgf, RsaKey* key)
{
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
RSA_PSS_SALT_LEN_DEFAULT, key);
#else
return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
RSA_PSS_SALT_LEN_DISCOVER, key);
#endif
}
/* Verify the message signed with RSA-PSS.
2019-07-29 08:14:07 -07:00
* The input buffer is reused for the output buffer.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out,
enum wc_HashType hash, int mgf, int saltLen,
RsaKey* key)
2017-05-10 16:59:11 +10:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
int ret;
2026-01-20 10:21:12 -08:00
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
2017-05-10 16:59:11 +10:00
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2017-05-10 16:59:11 +10:00
#endif
ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
2017-05-10 16:59:11 +10:00
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
hash, mgf, NULL, 0, saltLen, rng);
return ret;
2017-05-10 16:59:11 +10:00
}
2017-05-18 15:32:06 +10:00
/* Verify the message signed with RSA-PSS.
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, RsaKey* key)
{
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
RSA_PSS_SALT_LEN_DEFAULT, key);
#else
return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
RSA_PSS_SALT_LEN_DISCOVER, key);
#endif
}
/* Verify the message signed with RSA-PSS.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, int saltLen,
RsaKey* key)
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
int ret;
2026-01-20 10:21:12 -08:00
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
#endif
ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
hash, mgf, NULL, 0, saltLen, rng);
return ret;
}
/* Checks the PSS data to ensure that the signature matches.
* Salt length is equal to hash length.
*
* in Hash of the data that is being verified.
* inSz Length of hash.
* sig Buffer holding PSS data.
* sigSz Size of PSS data.
* hashType Hash algorithm.
* returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
* NULL is passed in to in or sig or inSz is not the same as the hash
* algorithm length and 0 on success.
2017-05-18 15:32:06 +10:00
*/
int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, const byte* sig,
2017-05-18 15:32:06 +10:00
word32 sigSz, enum wc_HashType hashType)
{
2021-04-26 17:46:21 -07:00
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, RSA_PSS_SALT_LEN_DEFAULT, 0);
#else
return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, RSA_PSS_SALT_LEN_DISCOVER, 0);
#endif
}
/* Checks the PSS data to ensure that the signature matches.
*
* in Hash of the data that is being verified.
* inSz Length of hash.
* sig Buffer holding PSS data.
* sigSz Size of PSS data.
* hashType Hash algorithm.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* bits Can be used to calculate salt size in FIPS case
* returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
* NULL is passed in to in or sig or inSz is not the same as the hash
* algorithm length and 0 on success.
*/
int wc_RsaPSS_CheckPadding_ex2(const byte* in, word32 inSz, const byte* sig,
word32 sigSz, enum wc_HashType hashType,
int saltLen, int bits, void* heap)
{
int ret = 0;
byte sigCheckBuf[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
byte *sigCheck = sigCheckBuf;
2025-04-22 14:43:01 -05:00
int digSz;
2018-03-29 17:04:59 -07:00
(void)bits;
2017-05-18 15:32:06 +10:00
2025-04-22 14:43:01 -05:00
digSz = wc_HashGetDigestSize(hashType);
if (in == NULL || sig == NULL || digSz < 0 || inSz != (word32)digSz) {
2017-05-18 15:32:06 +10:00
ret = BAD_FUNC_ARG;
}
if (ret == 0) {
if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
saltLen = (int)inSz;
2018-03-29 17:04:59 -07:00
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) {
2018-03-29 17:04:59 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
}
2018-03-29 17:04:59 -07:00
#endif
}
#ifndef WOLFSSL_PSS_LONG_SALT
2021-04-26 17:46:21 -07:00
else if (saltLen > (int)inSz) {
ret = PSS_SALTLEN_E;
}
#endif
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
ret = PSS_SALTLEN_E;
}
#else
else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
saltLen = sigSz - inSz;
if (saltLen < 0) {
ret = PSS_SALTLEN_E;
}
}
else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
ret = PSS_SALTLEN_E;
}
#endif
}
2018-03-29 17:04:59 -07:00
/* Sig = Salt | Exp Hash */
if (ret == 0) {
word32 totalSz = 0;
if ((WC_SAFE_SUM_WORD32(inSz, (word32)saltLen, totalSz) == 0) ||
(sigSz != totalSz))
{
ret = PSS_SALTLEN_E;
}
}
2018-03-29 17:04:59 -07:00
#ifdef WOLFSSL_PSS_LONG_SALT
/* if long salt is larger then default maximum buffer then allocate a buffer */
2023-05-05 11:40:33 +10:00
if ((ret == 0) &&
(sizeof(sigCheckBuf) < (RSA_PSS_PAD_SZ + inSz + (word32)saltLen))) {
sigCheck = (byte*)XMALLOC(
(size_t)(RSA_PSS_PAD_SZ + inSz + (word32)saltLen),
heap, DYNAMIC_TYPE_RSA_BUFFER);
if (sigCheck == NULL) {
ret = MEMORY_E;
}
}
2023-02-08 16:35:03 -05:00
#else
if (ret == 0 && sizeof(sigCheckBuf) < (RSA_PSS_PAD_SZ + inSz + (word32)saltLen)) {
2023-02-08 16:35:03 -05:00
ret = BUFFER_E;
}
#endif
/* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
if (ret == 0) {
2018-03-29 17:04:59 -07:00
XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, (size_t)saltLen);
ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + (word32)saltLen,
2018-03-29 17:04:59 -07:00
sigCheck, inSz);
}
if (ret == 0) {
2018-03-29 17:04:59 -07:00
if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
2017-05-18 15:32:06 +10:00
ret = BAD_PADDING_E;
}
2017-05-18 15:32:06 +10:00
}
#ifdef WOLFSSL_PSS_LONG_SALT
if (sigCheck != NULL && sigCheck != sigCheckBuf) {
XFREE(sigCheck, heap, DYNAMIC_TYPE_RSA_BUFFER);
}
#endif
2021-10-26 16:17:32 -06:00
(void)heap; /* unused if memory is disabled */
2017-05-18 15:32:06 +10:00
return ret;
}
int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, const byte* sig,
word32 sigSz, enum wc_HashType hashType,
int saltLen, int bits)
{
return wc_RsaPSS_CheckPadding_ex2(in, inSz, sig, sigSz, hashType, saltLen,
bits, NULL);
}
2018-03-28 13:58:25 -07:00
/* Verify the message signed with RSA-PSS.
2019-07-29 08:14:07 -07:00
* The input buffer is reused for the output buffer.
2018-03-28 13:58:25 -07:00
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* digest Hash of the data that is being verified.
* digestLen Length of hash.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
const byte* digest, word32 digestLen,
enum wc_HashType hash, int mgf, RsaKey* key)
{
2018-03-29 17:04:59 -07:00
int ret = 0, verify, saltLen, hLen, bits = 0;
#ifdef WOLFSSL_MICROCHIP_TA100
if (key != NULL && key->uKeyH != 0) {
int verified = 0;
ret = wc_Microchip_rsa_verify(digest, digestLen, in, inLen, key,
&verified);
if (ret != 0) {
return ret;
}
return verified ? (int)inLen : SIG_VERIFY_E;
}
#endif
2018-03-28 13:58:25 -07:00
hLen = wc_HashGetDigestSize(hash);
if (hLen < 0)
2020-10-24 13:06:42 -07:00
return BAD_FUNC_ARG;
2018-03-28 13:58:25 -07:00
if ((word32)hLen != digestLen)
return BAD_FUNC_ARG;
saltLen = hLen;
#ifdef WOLFSSL_SHA512
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
2018-03-28 13:58:25 -07:00
/* See FIPS 186-4 section 5.5 item (e). */
2018-03-29 17:04:59 -07:00
bits = mp_count_bits(&key->n);
if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
#endif
verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
if (verify > 0)
ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, (word32)verify,
2018-03-29 17:04:59 -07:00
hash, saltLen, bits);
2018-03-28 13:58:25 -07:00
if (ret == 0)
ret = verify;
return ret;
}
/* Verify the message signed with RSA-PSS.
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* outLen Length of the output.
* digest Hash of the data that is being verified.
* digestLen Length of hash.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_VerifyCheck(const byte* in, word32 inLen, byte* out, word32 outLen,
2018-03-28 13:58:25 -07:00
const byte* digest, word32 digestLen,
enum wc_HashType hash, int mgf,
RsaKey* key)
{
2018-03-29 17:04:59 -07:00
int ret = 0, verify, saltLen, hLen, bits = 0;
#ifdef WOLFSSL_MICROCHIP_TA100
if (key != NULL && key->uKeyH != 0) {
int verified = 0;
ret = wc_Microchip_rsa_verify(digest, digestLen, (byte*)in, inLen,
key, &verified);
if (ret != 0) {
return ret;
}
return verified ? (int)inLen : SIG_VERIFY_E;
}
#endif
2018-03-28 13:58:25 -07:00
hLen = wc_HashGetDigestSize(hash);
if (hLen < 0)
return hLen;
if ((word32)hLen != digestLen)
return BAD_FUNC_ARG;
saltLen = hLen;
#ifdef WOLFSSL_SHA512
2025-05-15 13:20:22 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
2018-03-28 13:58:25 -07:00
/* See FIPS 186-4 section 5.5 item (e). */
2018-03-29 17:04:59 -07:00
bits = mp_count_bits(&key->n);
if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
#endif
verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
mgf, saltLen, key);
if (verify > 0)
ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, (word32)verify,
2018-03-29 17:04:59 -07:00
hash, saltLen, bits);
2018-03-28 13:58:25 -07:00
if (ret == 0)
ret = verify;
return ret;
}
2017-05-10 16:59:11 +10:00
#endif
2014-12-31 15:31:50 -07:00
2020-02-23 15:58:28 -08:00
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
2014-12-31 15:31:50 -07:00
int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
int ret;
ret = RsaPublicEncryptEx(in, inLen, out, outLen, key,
RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
return ret;
2014-12-31 15:31:50 -07:00
}
2017-05-12 11:33:52 +10:00
#ifdef WC_RSA_PSS
/* Sign the hash of a message using RSA-PSS.
* Salt length is equal to hash length.
*
* in Buffer holding hash of message.
* inLen Length of data in buffer (hash length).
* out Buffer to write encrypted signature into.
* outLen Size of buffer to write to.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* rng Random number generator.
* returns the length of the encrypted signature on success, a negative value
* indicates failure.
*/
2017-05-12 11:33:52 +10:00
int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
{
return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf,
RSA_PSS_SALT_LEN_DEFAULT, key, rng);
}
/* Sign the hash of a message using RSA-PSS.
*
* in Buffer holding hash of message.
* inLen Length of data in buffer (hash length).
* out Buffer to write encrypted signature into.
* outLen Size of buffer to write to.
* hash Hash algorithm.
* mgf Mask generation function.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* key Public RSA key.
* rng Random number generator.
* returns the length of the encrypted signature on success, a negative value
* indicates failure.
*/
int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, int saltLen, RsaKey* key,
WC_RNG* rng)
2017-05-12 11:33:52 +10:00
{
int ret;
ret = RsaPublicEncryptEx(in, inLen, out, outLen, key,
2017-05-12 11:33:52 +10:00
RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
hash, mgf, NULL, 0, saltLen, rng);
return ret;
2017-05-12 11:33:52 +10:00
}
#endif
#endif
2014-12-31 15:31:50 -07:00
2021-01-12 12:25:52 +10:00
int wc_RsaEncryptSize(const RsaKey* key)
2014-12-31 15:31:50 -07:00
{
int ret;
2017-06-05 15:04:56 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
ret = mp_unsigned_bin_size(&key->n);
2026-01-22 21:56:52 +01:00
#if defined(WOLFSSL_MICROCHIP_TA100)
if (ret == 0 && (key->rKeyH != 0 || key->uKeyH != 0)) {
ret = 2048 / 8;
}
#endif
#ifdef WOLF_CRYPTO_CB
if (ret == 0 && key->devId != INVALID_DEVID) {
if (wc_CryptoCb_RsaGetSize(key, &ret) == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
2023-05-24 11:42:52 +10:00
ret = 2048/8; /* hardware handles, use 2048-bit as default */
}
}
#endif
return ret;
2014-12-31 15:31:50 -07:00
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
2026-03-23 15:54:26 -06:00
/* Software-only export of RSA public key elements from RsaKey.
* This internal helper avoids recursion when called from the EXPORT_KEY path. */
static int _RsaFlattenPublicKey(const RsaKey* key, byte* e, word32* eSz,
byte* n, word32* nSz)
2014-12-31 15:31:50 -07:00
{
int sz, ret;
if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
sz = mp_unsigned_bin_size(&key->e);
2026-03-23 15:54:26 -06:00
if ((word32)sz > *eSz) {
2014-12-31 15:31:50 -07:00
return RSA_BUFFER_E;
2026-03-23 15:54:26 -06:00
}
2014-12-31 15:31:50 -07:00
ret = mp_to_unsigned_bin(&key->e, e);
2026-03-23 15:54:26 -06:00
if (ret != MP_OKAY) {
2014-12-31 15:31:50 -07:00
return ret;
2026-03-23 15:54:26 -06:00
}
2014-12-31 15:31:50 -07:00
*eSz = (word32)sz;
sz = wc_RsaEncryptSize(key);
2026-03-23 15:54:26 -06:00
if ((word32)sz > *nSz) {
2014-12-31 15:31:50 -07:00
return RSA_BUFFER_E;
2026-03-23 15:54:26 -06:00
}
2014-12-31 15:31:50 -07:00
ret = mp_to_unsigned_bin(&key->n, n);
2026-03-23 15:54:26 -06:00
if (ret != MP_OKAY) {
2014-12-31 15:31:50 -07:00
return ret;
2026-03-23 15:54:26 -06:00
}
2014-12-31 15:31:50 -07:00
*nSz = (word32)sz;
return 0;
}
2026-03-23 15:54:26 -06:00
/* flatten RsaKey structure into individual elements (e, n) */
int wc_RsaFlattenPublicKey(const RsaKey* key, byte* e, word32* eSz, byte* n,
word32* nSz)
2014-12-31 15:31:50 -07:00
{
if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_EXPORT_KEY)
#ifndef WOLF_CRYPTO_CB_FIND
if (key->devId != INVALID_DEVID)
#endif
{
int ret;
WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);
WC_ALLOC_VAR(tmpKey, RsaKey, 1, key->heap);
if (!WC_VAR_OK(tmpKey)) {
return MEMORY_E;
}
XMEMSET(tmpKey, 0, sizeof(RsaKey));
ret = wc_InitRsaKey_ex(tmpKey, key->heap, INVALID_DEVID);
if (ret != 0) {
WC_FREE_VAR(tmpKey, key->heap);
return ret;
}
ret = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_RSA,
key, tmpKey);
if (ret == 0) {
2026-03-23 15:54:26 -06:00
/* Call software helper (no callback recursion) */
ret = _RsaFlattenPublicKey(tmpKey, e, eSz, n, nSz);
}
2026-03-23 15:54:26 -06:00
/* wc_FreeRsaKey calls mp_forcezero on all private key components,
* so no separate ForceZero of the struct is needed here. Calling
* ForceZero before wc_FreeRsaKey would zero the mp_int metadata
* and cause a crash. */
wc_FreeRsaKey(tmpKey);
WC_FREE_VAR(tmpKey, key->heap);
2026-03-23 15:54:26 -06:00
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
return ret;
2026-03-23 15:54:26 -06:00
}
/* fall through to software */
}
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_EXPORT_KEY */
2026-03-23 15:54:26 -06:00
return _RsaFlattenPublicKey(key, e, eSz, n, nSz);
2014-12-31 15:31:50 -07:00
}
#endif
2017-10-31 13:30:06 -07:00
#ifndef WOLFSSL_RSA_VERIFY_ONLY
static int RsaGetValue(const mp_int* in, byte* out, word32* outSz)
2017-10-31 13:30:06 -07:00
{
word32 sz;
int ret = 0;
2018-05-23 13:27:36 +10:00
/* Parameters ensured by calling function. */
2018-01-12 15:37:22 -08:00
2017-10-31 13:30:06 -07:00
sz = (word32)mp_unsigned_bin_size(in);
if (sz > *outSz)
ret = RSA_BUFFER_E;
if (ret == 0)
ret = mp_to_unsigned_bin(in, out);
if (ret == MP_OKAY)
*outSz = sz;
return ret;
}
2026-03-23 15:54:26 -06:00
/* Software-only export of RSA key elements from RsaKey.
* This internal helper avoids recursion when called from the EXPORT_KEY path. */
static int _RsaExportKey(const RsaKey* key,
byte* e, word32* eSz, byte* n, word32* nSz,
byte* d, word32* dSz, byte* p, word32* pSz,
byte* q, word32* qSz)
2017-10-31 13:30:06 -07:00
{
2026-03-23 15:54:26 -06:00
int ret = 0;
2017-10-31 13:30:06 -07:00
2026-03-23 15:54:26 -06:00
if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL
|| d == NULL || dSz == NULL || p == NULL || pSz == NULL
|| q == NULL || qSz == NULL) {
return BAD_FUNC_ARG;
}
2017-10-31 13:30:06 -07:00
2026-03-23 15:54:26 -06:00
if (ret == 0) {
2017-10-31 13:30:06 -07:00
ret = RsaGetValue(&key->e, e, eSz);
2026-03-23 15:54:26 -06:00
}
if (ret == 0) {
2017-10-31 13:30:06 -07:00
ret = RsaGetValue(&key->n, n, nSz);
2026-03-23 15:54:26 -06:00
}
2018-12-19 15:30:22 -07:00
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2026-03-23 15:54:26 -06:00
if (ret == 0) {
2017-10-31 13:30:06 -07:00
ret = RsaGetValue(&key->d, d, dSz);
2026-03-23 15:54:26 -06:00
}
if (ret == 0) {
2017-10-31 13:30:06 -07:00
ret = RsaGetValue(&key->p, p, pSz);
2026-03-23 15:54:26 -06:00
}
if (ret == 0) {
2017-10-31 13:30:06 -07:00
ret = RsaGetValue(&key->q, q, qSz);
2026-03-23 15:54:26 -06:00
}
2018-12-19 15:30:22 -07:00
#else
/* no private parts to key */
if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL
|| qSz == NULL) {
ret = BAD_FUNC_ARG;
}
else {
*dSz = 0;
*pSz = 0;
*qSz = 0;
}
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2017-10-31 13:30:06 -07:00
return ret;
}
2026-03-23 15:54:26 -06:00
int wc_RsaExportKey(const RsaKey* key,
2017-10-31 13:30:06 -07:00
byte* e, word32* eSz, byte* n, word32* nSz,
byte* d, word32* dSz, byte* p, word32* pSz,
byte* q, word32* qSz)
{
int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
2017-10-31 13:30:06 -07:00
2026-03-23 15:54:26 -06:00
if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz) {
2017-10-31 13:30:06 -07:00
ret = 0;
2026-03-23 15:54:26 -06:00
}
2017-10-31 13:30:06 -07:00
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_EXPORT_KEY)
if (ret == 0) {
#ifndef WOLF_CRYPTO_CB_FIND
if (key->devId != INVALID_DEVID)
#endif
{
WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);
WC_ALLOC_VAR(tmpKey, RsaKey, 1, key->heap);
if (!WC_VAR_OK(tmpKey)) {
return MEMORY_E;
}
XMEMSET(tmpKey, 0, sizeof(RsaKey));
ret = wc_InitRsaKey_ex(tmpKey, key->heap, INVALID_DEVID);
if (ret != 0) {
WC_FREE_VAR(tmpKey, key->heap);
return ret;
}
ret = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_RSA,
key, tmpKey);
if (ret == 0) {
2026-03-23 15:54:26 -06:00
/* Call software helper (no callback recursion) */
ret = _RsaExportKey(tmpKey, e, eSz, n, nSz,
d, dSz, p, pSz, q, qSz);
}
2026-03-23 15:54:26 -06:00
/* wc_FreeRsaKey calls mp_forcezero on all private key components,
* so no separate ForceZero of the struct is needed here. */
wc_FreeRsaKey(tmpKey);
WC_FREE_VAR(tmpKey, key->heap);
2026-03-23 15:54:26 -06:00
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
return ret;
2026-03-23 15:54:26 -06:00
}
ret = 0; /* fall through to software */
}
}
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_EXPORT_KEY */
2026-03-23 15:54:26 -06:00
if (ret == 0) {
ret = _RsaExportKey(key, e, eSz, n, nSz, d, dSz, p, pSz, q, qSz);
2018-12-19 15:30:22 -07:00
}
2017-10-31 13:30:06 -07:00
return ret;
}
#endif
2017-10-31 13:30:06 -07:00
#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
2017-10-24 11:51:22 -07:00
/* Check that |p-q| > 2^((size/2)-100) */
2022-07-27 17:51:11 +10:00
static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size, int* valid)
2017-10-24 11:51:22 -07:00
{
2021-08-30 21:37:54 -05:00
#ifdef WOLFSSL_SMALL_STACK
mp_int *c = NULL, *d = NULL;
#else
mp_int c[1], d[1];
#endif
2017-10-24 11:51:22 -07:00
int ret;
if (p == NULL || q == NULL)
return BAD_FUNC_ARG;
2021-08-30 21:37:54 -05:00
#ifdef WOLFSSL_SMALL_STACK
if (((c = (mp_int *)XMALLOC(sizeof(*c), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL) ||
((d = (mp_int *)XMALLOC(sizeof(*d), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL))
ret = MEMORY_E;
else
ret = 0;
if (ret == 0)
#endif
ret = mp_init_multi(c, d, NULL, NULL, NULL, NULL);
2017-10-24 11:51:22 -07:00
/* c = 2^((size/2)-100) */
if (ret == 0)
2021-08-30 21:37:54 -05:00
ret = mp_2expt(c, (size/2)-100);
2017-10-24 11:51:22 -07:00
/* d = |p-q| */
if (ret == 0)
2021-08-30 21:37:54 -05:00
ret = mp_sub(p, q, d);
2017-10-24 11:51:22 -07:00
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
if (ret == 0)
2023-09-11 11:34:28 +02:00
mp_memzero_add("Compare PQ d", d);
2022-06-13 16:21:41 +10:00
#endif
#if !defined(WOLFSSL_SP_MATH) && (!defined(WOLFSSL_SP_MATH_ALL) || \
defined(WOLFSSL_SP_INT_NEGATIVE))
2017-10-24 11:51:22 -07:00
if (ret == 0)
2021-08-30 21:37:54 -05:00
ret = mp_abs(d, d);
#endif
2017-10-24 11:51:22 -07:00
/* compare */
if (ret == 0)
2022-07-27 17:51:11 +10:00
*valid = (mp_cmp(d, c) == MP_GT);
2017-10-24 11:51:22 -07:00
2021-08-30 21:37:54 -05:00
#ifdef WOLFSSL_SMALL_STACK
if (d != NULL) {
2022-06-15 11:26:11 +10:00
mp_forcezero(d);
2021-08-30 21:37:54 -05:00
XFREE(d, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
}
if (c != NULL) {
mp_clear(c);
XFREE(c, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
}
#else
2022-06-15 11:26:11 +10:00
mp_forcezero(d);
2021-08-30 21:37:54 -05:00
mp_clear(c);
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_check(d);
#endif
2021-08-30 21:37:54 -05:00
#endif
2017-10-24 11:51:22 -07:00
return ret;
}
/* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096.
* This number was calculated using a small test tool written with a common
* large number math library. Other values of nlen may be checked with a subset
* of lower_bound. */
static const byte lower_bound[] = {
0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84,
0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F,
0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C,
0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15,
/* 512 */
0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3,
0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39,
0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A,
0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68,
/* 1024 */
0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E,
0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B,
0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A,
0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33,
0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC,
0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D,
0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E,
0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A,
/* 2048 */
0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD,
0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C,
0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51,
0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7,
0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F,
0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF,
0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07,
0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2,
/* 3072 */
0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33,
0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2,
0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82,
0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80,
0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05,
0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23,
0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B,
0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1
/* 4096 */
};
2018-01-17 11:34:27 -07:00
/* returns 1 on key size ok and 0 if not ok */
2018-06-26 11:40:34 -07:00
static WC_INLINE int RsaSizeCheck(int size)
2017-10-24 11:51:22 -07:00
{
2018-01-17 11:34:27 -07:00
if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) {
return 0;
}
#ifdef HAVE_FIPS
/* Key size requirements for CAVP */
2017-10-24 11:51:22 -07:00
switch (size) {
case 1024:
case 2048:
case 3072:
case 4096:
return 1;
}
2018-01-17 11:34:27 -07:00
2017-10-24 11:51:22 -07:00
return 0;
2018-01-17 11:34:27 -07:00
#else
return 1; /* allow unusual key sizes in non FIPS mode */
#endif /* HAVE_FIPS */
2017-10-24 11:51:22 -07:00
}
2018-07-12 14:58:19 -07:00
static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
int* isPrime, WC_RNG* rng)
2017-10-24 11:51:22 -07:00
{
int ret;
2021-08-30 21:37:54 -05:00
#ifdef WOLFSSL_SMALL_STACK
mp_int *tmp1 = NULL, *tmp2 = NULL;
#else
mp_int tmp1[1], tmp2[2];
#endif
2017-10-24 11:51:22 -07:00
mp_int* prime;
if (p == NULL || e == NULL || isPrime == NULL)
return BAD_FUNC_ARG;
if (!RsaSizeCheck(nlen))
return BAD_FUNC_ARG;
*isPrime = MP_NO;
2021-08-30 21:37:54 -05:00
#ifdef WOLFSSL_SMALL_STACK
if (((tmp1 = (mp_int *)XMALLOC(sizeof(*tmp1), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL) ||
((tmp2 = (mp_int *)XMALLOC(sizeof(*tmp2), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL)) {
ret = MEMORY_E;
goto notOkay;
}
#endif
ret = mp_init_multi(tmp1, tmp2, NULL, NULL, NULL, NULL);
2017-10-24 11:51:22 -07:00
if (ret != MP_OKAY) goto notOkay;
2023-03-21 09:08:04 +10:00
if (q != NULL) {
int valid = 0;
/* 5.4 (186-4) 5.5 (186-5) -
* check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
2023-03-21 09:08:04 +10:00
ret = wc_CompareDiffPQ(p, q, nlen, &valid);
if ((ret != MP_OKAY) || (!valid)) goto notOkay;
prime = q;
}
else
prime = p;
/* 4.4,5.5 (186-4) 4.4,5.4 (186-5) -
* Check that prime >= (2^(1/2))(2^((nlen/2)-1))
2017-10-24 11:51:22 -07:00
* This is a comparison against lowerBound */
ret = mp_read_unsigned_bin(tmp1, lower_bound, (word32)nlen/16);
2017-10-24 11:51:22 -07:00
if (ret != MP_OKAY) goto notOkay;
2021-08-30 21:37:54 -05:00
ret = mp_cmp(prime, tmp1);
2017-10-24 11:51:22 -07:00
if (ret == MP_LT) goto exit;
/* 4.5,5.6 (186-4 & 186-5) - Check that GCD(p-1, e) == 1 */
2021-08-30 21:37:54 -05:00
ret = mp_sub_d(prime, 1, tmp1); /* tmp1 = prime-1 */
2017-10-24 11:51:22 -07:00
if (ret != MP_OKAY) goto notOkay;
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_add("Check Probable Prime tmp1", tmp1);
#endif
2021-08-30 21:37:54 -05:00
ret = mp_gcd(tmp1, e, tmp2); /* tmp2 = gcd(prime-1, e) */
2017-10-24 11:51:22 -07:00
if (ret != MP_OKAY) goto notOkay;
2021-08-30 21:37:54 -05:00
ret = mp_cmp_d(tmp2, 1);
2017-10-24 11:51:22 -07:00
if (ret != MP_EQ) goto exit; /* e divides p-1 */
2018-07-12 14:58:19 -07:00
/* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R.
2018-12-10 16:51:54 -08:00
* mp_prime_is_prime_ex() performs test divisions against the first 256
2018-07-12 14:58:19 -07:00
* prime numbers. After that it performs 8 rounds of M-R using random
* bases between 2 and n-2.
* mp_prime_is_prime() performs the same test divisions and then does
* M-R with the first 8 primes. Both functions set isPrime as a
* side-effect. */
if (rng != NULL)
ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng);
else
ret = mp_prime_is_prime(prime, 8, isPrime);
2017-10-24 11:51:22 -07:00
if (ret != MP_OKAY) goto notOkay;
exit:
ret = MP_OKAY;
2021-08-30 21:37:54 -05:00
2017-10-24 11:51:22 -07:00
notOkay:
2021-08-30 21:37:54 -05:00
#ifdef WOLFSSL_SMALL_STACK
if (tmp1 != NULL) {
2022-06-15 11:26:11 +10:00
mp_forcezero(tmp1);
2021-08-30 21:37:54 -05:00
XFREE(tmp1, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
}
if (tmp2 != NULL) {
mp_clear(tmp2);
XFREE(tmp2, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
}
#else
2022-06-15 11:26:11 +10:00
mp_forcezero(tmp1);
2021-08-30 21:37:54 -05:00
mp_clear(tmp2);
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_check(tmp1);
#endif
2021-08-30 21:37:54 -05:00
#endif
2017-10-24 11:51:22 -07:00
return ret;
}
2018-07-12 14:58:19 -07:00
int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
2017-10-24 11:51:22 -07:00
const byte* qRaw, word32 qRawSz,
const byte* eRaw, word32 eRawSz,
2018-07-12 14:58:19 -07:00
int nlen, int* isPrime, WC_RNG* rng)
2017-10-24 11:51:22 -07:00
{
#ifdef WOLFSSL_SMALL_STACK
mp_int *p = NULL, *q = NULL, *e = NULL;
#else
mp_int p[1], q[1], e[1];
#endif
2017-10-24 11:51:22 -07:00
mp_int* Q = NULL;
int ret;
if (pRaw == NULL || pRawSz == 0 ||
eRaw == NULL || eRawSz == 0 ||
isPrime == NULL) {
return BAD_FUNC_ARG;
}
if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0))
return BAD_FUNC_ARG;
#ifdef WOLFSSL_SMALL_STACK
2021-08-30 21:37:54 -05:00
if (((p = (mp_int *)XMALLOC(sizeof(*p), NULL, DYNAMIC_TYPE_RSA_BUFFER)) == NULL) ||
((q = (mp_int *)XMALLOC(sizeof(*q), NULL, DYNAMIC_TYPE_RSA_BUFFER)) == NULL) ||
((e = (mp_int *)XMALLOC(sizeof(*e), NULL, DYNAMIC_TYPE_RSA_BUFFER)) == NULL))
ret = MEMORY_E;
else
ret = 0;
if (ret == 0)
#endif
ret = mp_init_multi(p, q, e, NULL, NULL, NULL);
2017-10-24 11:51:22 -07:00
if (ret == MP_OKAY)
ret = mp_read_unsigned_bin(p, pRaw, pRawSz);
2017-10-24 11:51:22 -07:00
if (ret == MP_OKAY) {
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_add("wc_CheckProbablePrime_ex p", p);
#endif
2017-10-24 11:51:22 -07:00
if (qRaw != NULL) {
ret = mp_read_unsigned_bin(q, qRaw, qRawSz);
2022-06-13 16:21:41 +10:00
if (ret == MP_OKAY) {
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_add("wc_CheckProbablePrime_ex q", q);
#endif
Q = q;
2022-06-13 16:21:41 +10:00
}
2017-10-24 11:51:22 -07:00
}
}
if (ret == MP_OKAY)
ret = mp_read_unsigned_bin(e, eRaw, eRawSz);
2017-10-24 11:51:22 -07:00
if (ret == 0) {
ret = _CheckProbablePrime(p, Q, e, nlen, isPrime, rng);
}
2017-10-24 11:51:22 -07:00
ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E;
#ifdef WOLFSSL_SMALL_STACK
2021-08-30 21:37:54 -05:00
if (p != NULL) {
2022-06-15 11:26:11 +10:00
mp_forcezero(p);
XFREE(p, NULL, DYNAMIC_TYPE_RSA_BUFFER);
}
2021-08-30 21:37:54 -05:00
if (q != NULL) {
2022-06-15 11:26:11 +10:00
mp_forcezero(q);
XFREE(q, NULL, DYNAMIC_TYPE_RSA_BUFFER);
}
2021-08-30 21:37:54 -05:00
if (e != NULL) {
mp_clear(e);
XFREE(e, NULL, DYNAMIC_TYPE_RSA_BUFFER);
}
#else
2022-06-15 11:26:11 +10:00
mp_forcezero(p);
mp_forcezero(q);
mp_clear(e);
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
mp_memzero_check(p);
mp_memzero_check(q);
#endif
#endif
2017-10-24 11:51:22 -07:00
return ret;
}
2018-07-12 14:58:19 -07:00
int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
const byte* qRaw, word32 qRawSz,
const byte* eRaw, word32 eRawSz,
int nlen, int* isPrime)
{
return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz,
eRaw, eRawSz, nlen, isPrime, NULL);
}
#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
2014-12-31 15:31:50 -07:00
/* Make an RSA key for size bits, with e specified, 65537 is a good e */
int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
#ifndef WC_NO_RNG
2025-02-11 15:19:31 +00:00
#if !defined(WOLFSSL_CRYPTOCELL) && \
2025-09-10 16:03:31 -07:00
(!defined(WOLFSSL_SE050) || defined(WOLFSSL_SE050_NO_RSA)) && \
!defined(WOLF_CRYPTO_CB_ONLY_RSA) && \
!defined(WOLFSSL_MICROCHIP_TA100)
#ifdef WOLFSSL_SMALL_STACK
mp_int *p = NULL;
mp_int *q = NULL;
mp_int *tmp1 = NULL;
mp_int *tmp2 = NULL;
mp_int *tmp3 = NULL;
#else
2020-09-08 14:05:27 -05:00
mp_int p_buf, *p = &p_buf;
mp_int q_buf, *q = &q_buf;
mp_int tmp1_buf, *tmp1 = &tmp1_buf;
mp_int tmp2_buf, *tmp2 = &tmp2_buf;
mp_int tmp3_buf, *tmp3 = &tmp3_buf;
#endif /* WOLFSSL_SMALL_STACK */
int i, failCount, isPrime = 0;
word32 primeSz;
#ifndef WOLFSSL_NO_MALLOC
2017-10-24 11:51:22 -07:00
byte* buf = NULL;
#else
2024-03-25 11:31:42 -04:00
/* RSA_MAX_SIZE is the size of n in bits. */
byte buf[RSA_MAX_SIZE/16];
#endif
#endif /* !WOLFSSL_CRYPTOCELL && !WOLFSSL_SE050 */
int err;
2014-12-31 15:31:50 -07:00
if (key == NULL || rng == NULL) {
err = BAD_FUNC_ARG;
goto out;
}
if (!RsaSizeCheck(size)) {
err = BAD_FUNC_ARG;
goto out;
}
if (e < 3 || (e & 1) == 0) {
err = BAD_FUNC_ARG;
goto out;
}
#if defined(WOLFSSL_CRYPTOCELL)
err = cc310_RSA_GenerateKeyPair(key, size, e);
goto out;
#elif defined(WOLFSSL_MICROCHIP_TA100)
err = wc_Microchip_rsa_create_key(key, size, e);
goto out;
2025-02-11 15:19:31 +00:00
#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
err = se050_rsa_create_key(key, size, e);
goto out;
#else
/* software crypto */
#ifdef WOLFSSL_SMALL_STACK
p = (mp_int *)XMALLOC(sizeof *p, key->heap, DYNAMIC_TYPE_RSA);
q = (mp_int *)XMALLOC(sizeof *q, key->heap, DYNAMIC_TYPE_RSA);
tmp1 = (mp_int *)XMALLOC(sizeof *tmp1, key->heap, DYNAMIC_TYPE_RSA);
tmp2 = (mp_int *)XMALLOC(sizeof *tmp2, key->heap, DYNAMIC_TYPE_RSA);
tmp3 = (mp_int *)XMALLOC(sizeof *tmp3, key->heap, DYNAMIC_TYPE_RSA);
if ((p == NULL) ||
(q == NULL) ||
(tmp1 == NULL) ||
(tmp2 == NULL) ||
(tmp3 == NULL)) {
err = MEMORY_E;
goto out;
}
#endif
2023-03-23 12:27:38 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
XMEMSET(p, 0, sizeof(*p));
XMEMSET(q, 0, sizeof(*q));
XMEMSET(tmp1, 0, sizeof(*tmp1));
XMEMSET(tmp2, 0, sizeof(*tmp2));
XMEMSET(tmp3, 0, sizeof(*tmp3));
#endif
#ifdef WOLF_CRYPTO_CB
#ifndef WOLF_CRYPTO_CB_FIND
if (key->devId != INVALID_DEVID)
#endif
{
err = wc_CryptoCb_MakeRsaKey(key, size, e, rng);
#ifdef WOLF_CRYPTO_CB_ONLY_RSA
if (err == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
err = NO_VALID_DEVID;
goto out;
}
#else
if (err != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
goto out;
}
/* fall-through when unavailable */
#endif
}
2025-09-10 16:03:31 -07:00
#if !defined(WOLF_CRYPTO_CB_FIND) && defined(WOLF_CRYPTO_CB_ONLY_RSA)
else {
err = NO_VALID_DEVID;
}
#endif
2018-09-12 08:56:59 +10:00
#endif
#ifndef WOLF_CRYPTO_CB_ONLY_RSA
2018-12-10 16:51:54 -08:00
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(WC_ASYNC_ENABLE_RSA_KEYGEN)
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
#ifdef HAVE_CAVIUM
/* TODO: Not implemented */
#elif defined(HAVE_INTEL_QA)
err = IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng);
goto out;
#elif defined(WOLFSSL_ASYNC_CRYPT_SW)
if (wc_AsyncSwInit(&key->asyncDev, ASYNC_SW_RSA_MAKE)) {
WC_ASYNC_SW* sw = &key->asyncDev.sw;
sw->rsaMake.rng = rng;
sw->rsaMake.key = key;
sw->rsaMake.size = size;
sw->rsaMake.e = e;
err = WC_PENDING_E;
goto out;
}
#endif
}
#endif
err = mp_init_multi(p, q, tmp1, tmp2, tmp3, NULL);
2014-12-31 15:31:50 -07:00
2017-10-24 11:51:22 -07:00
if (err == MP_OKAY)
2022-11-24 16:57:06 +10:00
err = mp_set_int(tmp3, (unsigned long)e);
2017-10-24 11:51:22 -07:00
2018-01-12 15:37:22 -08:00
/* The failCount value comes from NIST FIPS 186-4, section B.3.3,
* process steps 4.7 and 5.8. */
2017-10-24 11:51:22 -07:00
failCount = 5 * (size / 2);
primeSz = (word32)size / 16; /* size is the size of n in bits.
2017-10-24 11:51:22 -07:00
primeSz is in bytes. */
#ifndef WOLFSSL_NO_MALLOC
2017-10-24 11:51:22 -07:00
/* allocate buffer to work with */
if (err == MP_OKAY) {
buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA);
if (buf == NULL)
err = MEMORY_E;
}
#endif
2014-12-31 15:31:50 -07:00
/* make p */
if (err == MP_OKAY) {
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Add("RSA gen buf", buf, primeSz);
mp_memzero_add("RSA gen p", p);
mp_memzero_add("RSA gen q", q);
mp_memzero_add("RSA gen tmp1", tmp1);
mp_memzero_add("RSA gen tmp2", tmp2);
mp_memzero_add("RSA gen tmp3", tmp3);
#endif
2017-10-24 11:51:22 -07:00
isPrime = 0;
i = 0;
2024-02-09 00:47:23 -06:00
for (;;) {
2017-10-24 11:51:22 -07:00
#ifdef SHOW_GEN
printf(".");
fflush(stdout);
#endif
/* generate value */
err = wc_RNG_GenerateBlock(rng, buf, primeSz);
if (err == 0) {
/* prime lower bound has the MSB set, set it in candidate */
buf[0] |= 0x80;
/* make candidate odd */
buf[primeSz-1] |= 0x01;
/* load value */
err = mp_read_unsigned_bin(p, buf, primeSz);
2017-10-24 11:51:22 -07:00
}
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = _CheckProbablePrime(p, NULL, tmp3, size, &isPrime, rng);
2014-12-31 15:31:50 -07:00
2019-07-16 16:22:36 -07:00
#ifdef HAVE_FIPS
2017-10-24 11:51:22 -07:00
i++;
2018-01-18 09:51:36 -08:00
#else
/* Keep the old retry behavior in non-FIPS build. */
#endif
2024-02-09 00:47:23 -06:00
if (err != MP_OKAY || isPrime || i >= failCount)
break;
err = WC_CHECK_FOR_INTR_SIGNALS();
if (err != 0)
break;
WC_RELAX_LONG_LOOP();
2024-02-09 00:47:23 -06:00
};
2014-12-31 15:31:50 -07:00
}
2017-10-24 11:51:22 -07:00
if (err == MP_OKAY && !isPrime)
err = PRIME_GEN_E;
2014-12-31 15:31:50 -07:00
/* make q */
if (err == MP_OKAY) {
2017-10-24 11:51:22 -07:00
isPrime = 0;
i = 0;
2014-12-31 15:31:50 -07:00
do {
2017-10-24 11:51:22 -07:00
#ifdef SHOW_GEN
printf(".");
fflush(stdout);
#endif
/* generate value */
err = wc_RNG_GenerateBlock(rng, buf, primeSz);
if (err == 0) {
/* prime lower bound has the MSB set, set it in candidate */
buf[0] |= 0x80;
/* make candidate odd */
buf[primeSz-1] |= 0x01;
/* load value */
err = mp_read_unsigned_bin(q, buf, primeSz);
2017-10-24 11:51:22 -07:00
}
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = _CheckProbablePrime(p, q, tmp3, size, &isPrime, rng);
2014-12-31 15:31:50 -07:00
2022-04-28 16:29:48 +10:00
#ifndef WC_RSA_NO_FERMAT_CHECK
if (err == MP_OKAY && isPrime) {
/* Fermat's Factorization works when difference between p and q
* is less than (conservatively):
* n^(1/4) + 32
* ~= 2^(bit count of n)^(1/4) + 32)
* = 2^((bit count of n)/4 + 32)
*/
err = mp_sub(p, q, tmp1);
if (err == MP_OKAY && mp_count_bits(tmp1) <= (size / 4) + 32) {
isPrime = 0;
}
}
#endif
2019-07-16 16:22:36 -07:00
#ifdef HAVE_FIPS
2017-10-24 11:51:22 -07:00
i++;
2018-01-18 09:51:36 -08:00
#else
/* Keep the old retry behavior in non-FIPS build. */
(void)i;
#endif
err = WC_CHECK_FOR_INTR_SIGNALS();
if (err != 0)
break;
WC_RELAX_LONG_LOOP();
2017-10-24 11:51:22 -07:00
} while (err == MP_OKAY && !isPrime && i < failCount);
}
if (err == MP_OKAY && !isPrime)
err = PRIME_GEN_E;
#ifndef WOLFSSL_NO_MALLOC
2017-10-24 11:51:22 -07:00
if (buf) {
ForceZero(buf, primeSz);
XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
2014-12-31 15:31:50 -07:00
}
2024-03-25 11:31:42 -04:00
#else
2024-03-25 13:16:17 -04:00
ForceZero(buf, primeSz);
#endif
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY && mp_cmp(p, q) < 0) {
err = mp_copy(p, tmp1);
if (err == MP_OKAY)
err = mp_copy(q, p);
if (err == MP_OKAY)
mp_copy(tmp1, q);
}
2018-12-10 16:51:54 -08:00
/* Setup RsaKey buffers */
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
if (err == MP_OKAY)
err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
2018-12-10 16:51:54 -08:00
/* Software Key Calculation */
if (err == MP_OKAY) /* tmp1 = p-1 */
err = mp_sub_d(p, 1, tmp1);
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* tmp2 = q-1 */
err = mp_sub_d(q, 1, tmp2);
#ifdef WC_RSA_BLINDING
2019-12-20 12:12:38 +10:00
if (err == MP_OKAY) /* tmp3 = order of n */
err = mp_mul(tmp1, tmp2, tmp3);
2019-12-20 12:12:38 +10:00
#else
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* tmp3 = lcm(p-1, q-1), last loop */
err = mp_lcm(tmp1, tmp2, tmp3);
2019-12-20 12:12:38 +10:00
#endif
2014-12-31 15:31:50 -07:00
/* make key */
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->e = e */
2022-11-24 16:57:06 +10:00
err = mp_set_int(&key->e, (unsigned long)e);
2019-12-20 12:12:38 +10:00
#ifdef WC_RSA_BLINDING
/* Blind the inverse operation with a value that is invertable */
if (err == MP_OKAY) {
do {
err = mp_rand(&key->p, mp_get_digit_count(tmp3), rng);
2019-12-20 12:12:38 +10:00
if (err == MP_OKAY)
err = mp_set_bit(&key->p, 0);
if (err == MP_OKAY)
err = mp_set_bit(&key->p, size - 1);
if (err == MP_OKAY)
err = mp_gcd(&key->p, tmp3, &key->q);
2019-12-20 12:12:38 +10:00
}
while ((err == MP_OKAY) && !mp_isone(&key->q));
}
2022-11-24 16:57:06 +10:00
/* 8/16-bit word size requires a full multiply when e=0x10001 */
2019-12-20 12:12:38 +10:00
if (err == MP_OKAY)
2022-11-24 16:57:06 +10:00
err = mp_mul(&key->p, &key->e, &key->e);
2019-12-20 12:12:38 +10:00
#endif
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
err = mp_invmod(&key->e, tmp3, &key->d);
2019-12-20 12:12:38 +10:00
#ifdef WC_RSA_BLINDING
/* Take off blinding from d and reset e */
if (err == MP_OKAY)
err = mp_mulmod(&key->d, &key->p, tmp3, &key->d);
2019-12-20 12:12:38 +10:00
if (err == MP_OKAY)
2022-11-24 16:57:06 +10:00
err = mp_set_int(&key->e, (unsigned long)e);
2019-12-20 12:12:38 +10:00
#endif
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->n = pq */
err = mp_mul(p, q, &key->n);
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->dP = d mod(p-1) */
err = mp_mod(&key->d, tmp1, &key->dP);
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->dQ = d mod(q-1) */
err = mp_mod(&key->d, tmp2, &key->dQ);
2020-01-23 14:52:29 -08:00
#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->u = 1/q mod p */
err = mp_invmod(q, p, &key->u);
2020-01-23 14:52:29 -08:00
#else
if (err == MP_OKAY)
err = mp_sub_d(p, 2, tmp3);
2020-01-23 14:52:29 -08:00
if (err == MP_OKAY) /* key->u = 1/q mod p = q^p-2 mod p */
2022-06-15 11:26:11 +10:00
err = mp_exptmod(q, tmp3, p, &key->u);
2020-01-23 14:52:29 -08:00
#endif
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = mp_copy(p, &key->p);
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = mp_copy(q, &key->q);
2014-12-31 15:31:50 -07:00
2018-10-18 17:29:43 +10:00
#ifdef HAVE_WOLF_BIGINT
2018-12-10 16:51:54 -08:00
/* make sure raw unsigned bin version is available */
2018-10-18 17:29:43 +10:00
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->n, &key->n.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->e, &key->e.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->d, &key->d.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->p, &key->p.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->q, &key->q.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->dP, &key->dP.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->u, &key->u.raw);
#endif
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY)
key->type = RSA_PRIVATE;
2022-06-13 16:21:41 +10:00
#ifdef WOLFSSL_CHECK_MEM_ZERO
if (err == MP_OKAY) {
mp_memzero_add("Make RSA key d", &key->d);
mp_memzero_add("Make RSA key p", &key->p);
mp_memzero_add("Make RSA key q", &key->q);
mp_memzero_add("Make RSA key dP", &key->dP);
mp_memzero_add("Make RSA key dQ", &key->dQ);
mp_memzero_add("Make RSA key u", &key->u);
}
#endif
2022-06-15 11:26:11 +10:00
/* Last value p - 1. */
mp_forcezero(tmp1);
/* Last value q - 1. */
mp_forcezero(tmp2);
/* Last value p - 2. */
mp_forcezero(tmp3);
mp_forcezero(p);
mp_forcezero(q);
2014-12-31 15:31:50 -07:00
#ifdef WOLFSSL_RSA_KEY_CHECK
/* Perform the pair-wise consistency test on the new key. */
if (err == 0)
2021-04-12 17:13:25 -07:00
err = _ifc_pairwise_consistency_test(key, rng);
#endif
if (err != 0) {
wc_FreeRsaKey(key);
goto out;
2014-12-31 15:31:50 -07:00
}
2019-03-27 20:44:38 -07:00
#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
2017-06-07 11:37:21 -06:00
if (wc_InitRsaHw(key) != 0) {
return BAD_STATE_E;
}
#endif
err = 0;
#endif /* WOLF_CRYPTO_CB_ONLY_RSA */
#endif /* WOLFSSL_CRYPTOCELL / SW only */
out:
#if !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050)
#ifdef WOLFSSL_SMALL_STACK
2024-08-07 16:56:57 -04:00
if (key != NULL) {
XFREE(p, key->heap, DYNAMIC_TYPE_RSA);
XFREE(q, key->heap, DYNAMIC_TYPE_RSA);
XFREE(tmp1, key->heap, DYNAMIC_TYPE_RSA);
XFREE(tmp2, key->heap, DYNAMIC_TYPE_RSA);
XFREE(tmp3, key->heap, DYNAMIC_TYPE_RSA);
}
2022-06-13 16:21:41 +10:00
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
mp_memzero_check(p);
mp_memzero_check(q);
mp_memzero_check(tmp1);
mp_memzero_check(tmp2);
mp_memzero_check(tmp3);
#endif /* WOLFSSL_SMALL_STACK */
#endif /* !WOLFSSL_CRYPTOCELL && !WOLFSSL_SE050 */
return err;
#else
return NOT_COMPILED_IN;
#endif
2014-12-31 15:31:50 -07:00
}
#endif /* !FIPS || FIPS_VER >= 2 */
2014-12-31 15:31:50 -07:00
#endif /* WOLFSSL_KEY_GEN */
#ifndef WC_NO_RNG
int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
{
2021-01-14 10:10:54 +09:00
if (key == NULL || rng == NULL)
return BAD_FUNC_ARG;
key->rng = rng;
return 0;
}
#endif /* !WC_NO_RNG */
#ifdef WC_RSA_NONBLOCK
int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)
{
if (key == NULL)
return BAD_FUNC_ARG;
if (nb) {
XMEMSET(nb, 0, sizeof(RsaNb));
}
/* Allow nb == NULL to clear non-block mode */
key->nb = nb;
return 0;
}
#if defined(WC_RSA_NONBLOCK_TIME) && defined(USE_FAST_MATH)
int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz)
{
if (key == NULL || key->nb == NULL) {
return BAD_FUNC_ARG;
}
/* calculate maximum number of instructions to block */
key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs;
return 0;
}
#endif /* WC_RSA_NONBLOCK_TIME && USE_FAST_MATH */
#endif /* WC_RSA_NONBLOCK */
2014-12-31 15:31:50 -07:00
2024-05-31 17:54:58 -07:00
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
/*
* Calculate y = d mod(x-1)
*/
static int CalcDX(mp_int* y, mp_int* x, mp_int* d)
{
int err;
2024-06-05 18:53:34 +02:00
#ifndef WOLFSSL_SMALL_STACK
mp_int m[1];
#else
mp_int* m = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_WOLF_BIGINT);
if (m == NULL)
return MEMORY_E;
#endif
2024-05-31 17:54:58 -07:00
2024-06-05 18:53:34 +02:00
err = mp_init(m);
2024-05-31 17:54:58 -07:00
if (err == MP_OKAY) {
2024-06-05 18:53:34 +02:00
err = mp_sub_d(x, 1, m);
2024-05-31 17:54:58 -07:00
if (err == MP_OKAY)
2024-06-05 18:53:34 +02:00
err = mp_mod(d, m, y);
mp_forcezero(m);
2024-05-31 17:54:58 -07:00
}
2025-09-10 12:22:06 +10:00
WC_FREE_VAR_EX(m, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
2024-06-05 18:53:34 +02:00
2024-05-31 17:54:58 -07:00
return err;
}
#endif
2026-03-23 15:54:26 -06:00
/* Software-only import of RSA private key elements into RsaKey.
* This internal helper avoids recursion when called from the SETKEY path. */
static int _RsaPrivateKeyDecodeRaw(const byte* n, word32 nSz,
const byte* e, word32 eSz, const byte* d, word32 dSz,
const byte* u, word32 uSz, const byte* p, word32 pSz,
const byte* q, word32 qSz, const byte* dP, word32 dPSz,
const byte* dQ, word32 dQSz, RsaKey* key)
{
int err = MP_OKAY;
if (n == NULL || nSz == 0 || e == NULL || eSz == 0
|| d == NULL || dSz == 0 || p == NULL || pSz == 0
|| q == NULL || qSz == 0 || key == NULL) {
return BAD_FUNC_ARG;
}
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
if ((u == NULL || uSz == 0)
|| (dP != NULL && dPSz == 0)
|| (dQ != NULL && dQSz == 0)) {
return BAD_FUNC_ARG;
}
#else
(void)u;
(void)uSz;
(void)dP;
(void)dPSz;
(void)dQ;
(void)dQSz;
#endif
if (err == MP_OKAY) {
err = mp_read_unsigned_bin(&key->n, n, nSz);
}
if (err == MP_OKAY) {
err = mp_read_unsigned_bin(&key->e, e, eSz);
}
if (err == MP_OKAY) {
err = mp_read_unsigned_bin(&key->d, d, dSz);
}
if (err == MP_OKAY) {
err = mp_read_unsigned_bin(&key->p, p, pSz);
}
if (err == MP_OKAY) {
err = mp_read_unsigned_bin(&key->q, q, qSz);
}
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
if (err == MP_OKAY) {
err = mp_read_unsigned_bin(&key->u, u, uSz);
}
if (err == MP_OKAY) {
if (dP != NULL) {
err = mp_read_unsigned_bin(&key->dP, dP, dPSz);
}
else {
err = CalcDX(&key->dP, &key->p, &key->d);
}
}
if (err == MP_OKAY) {
if (dQ != NULL) {
err = mp_read_unsigned_bin(&key->dQ, dQ, dQSz);
}
else {
err = CalcDX(&key->dQ, &key->q, &key->d);
}
}
#endif
if (err == MP_OKAY) {
key->type = RSA_PRIVATE;
}
else {
mp_clear(&key->n);
mp_clear(&key->e);
mp_forcezero(&key->d);
mp_forcezero(&key->p);
mp_forcezero(&key->q);
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
mp_forcezero(&key->u);
mp_forcezero(&key->dP);
mp_forcezero(&key->dQ);
#endif
}
return err;
}
2024-05-31 17:54:58 -07:00
int wc_RsaPrivateKeyDecodeRaw(const byte* n, word32 nSz,
const byte* e, word32 eSz, const byte* d, word32 dSz,
const byte* u, word32 uSz, const byte* p, word32 pSz,
const byte* q, word32 qSz, const byte* dP, word32 dPSz,
const byte* dQ, word32 dQSz, RsaKey* key)
{
int err = MP_OKAY;
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_SETKEY)
int cbRet = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);
#endif
2024-05-31 17:54:58 -07:00
if (n == NULL || nSz == 0 || e == NULL || eSz == 0
|| d == NULL || dSz == 0 || p == NULL || pSz == 0
|| q == NULL || qSz == 0 || key == NULL) {
err = BAD_FUNC_ARG;
}
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
if (err == MP_OKAY) {
if ((u == NULL || uSz == 0)
|| (dP != NULL && dPSz == 0)
|| (dQ != NULL && dQSz == 0)) {
err = BAD_FUNC_ARG;
}
}
#else
(void)u;
(void)uSz;
(void)dP;
(void)dPSz;
(void)dQ;
(void)dQSz;
#endif
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_SETKEY)
#ifndef WOLF_CRYPTO_CB_FIND
if (err == MP_OKAY && key->devId != INVALID_DEVID)
#else
2024-05-31 17:54:58 -07:00
if (err == MP_OKAY)
#endif
{
/* Allocate temp key for callback to export from */
WC_ALLOC_VAR(tmpKey, RsaKey, 1, key->heap);
if (!WC_VAR_OK(tmpKey)) {
return MEMORY_E;
}
XMEMSET(tmpKey, 0, sizeof(RsaKey));
/* Init temp with INVALID_DEVID to prevent callback recursion */
err = wc_InitRsaKey_ex(tmpKey, key->heap, INVALID_DEVID);
if (err != MP_OKAY) {
WC_FREE_VAR(tmpKey, key->heap);
return err;
}
2026-03-23 15:54:26 -06:00
/* Import into temp via software helper (no callback recursion) */
err = _RsaPrivateKeyDecodeRaw(n, nSz, e, eSz, d, dSz,
u, uSz, p, pSz, q, qSz, dP, dPSz, dQ, dQSz, tmpKey);
if (err == MP_OKAY) {
cbRet = wc_CryptoCb_SetKey(key->devId,
WC_SETKEY_RSA_PRIV, key, tmpKey,
wc_RsaEncryptSize(tmpKey), NULL, 0, 0);
}
2026-03-23 15:54:26 -06:00
/* wc_FreeRsaKey calls mp_forcezero on all private key components,
* so no separate ForceZero of the struct is needed here. */
wc_FreeRsaKey(tmpKey);
WC_FREE_VAR(tmpKey, key->heap);
if (err != MP_OKAY) {
return err;
}
if (cbRet != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
return cbRet;
}
/* CRYPTOCB_UNAVAILABLE: fall through to software import */
err = MP_OKAY;
2024-05-31 17:54:58 -07:00
}
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_SETKEY */
2024-05-31 17:54:58 -07:00
if (err == MP_OKAY) {
2026-03-23 15:54:26 -06:00
err = _RsaPrivateKeyDecodeRaw(n, nSz, e, eSz, d, dSz,
u, uSz, p, pSz, q, qSz, dP, dPSz, dQ, dQSz, key);
2024-05-31 17:54:58 -07:00
}
return err;
}
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2014-12-18 11:10:55 -07:00
#endif /* NO_RSA */