Files
wolfssl/wolfcrypt/src/rsa.c
T

4437 lines
129 KiB
C
Raw Normal View History

2014-12-18 11:10:55 -07:00
/* rsa.c
*
2020-01-03 15:06:03 -08:00
* Copyright (C) 2006-2020 wolfSSL Inc.
2014-12-18 11:10:55 -07:00
*
2016-03-17 16:02:13 -06:00
* This file is part of wolfSSL.
2014-12-18 11:10:55 -07:00
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
2016-03-17 16:02:13 -06:00
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
2014-12-18 11:10:55 -07:00
*/
2020-07-09 15:13:01 -07:00
/*
2016-03-17 16:02:13 -06:00
2020-07-09 15:13:01 -07:00
DESCRIPTION
This library provides the interface to the RSA.
RSA keys can be used to encrypt, decrypt, sign and verify data.
*/
2014-12-18 11:10:55 -07:00
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
2014-12-19 09:56:51 -07:00
#include <wolfssl/wolfcrypt/settings.h>
2017-06-05 15:04:56 -06:00
#include <wolfssl/wolfcrypt/error-crypt.h>
2014-12-18 11:10:55 -07:00
#ifndef NO_RSA
2017-12-07 10:58:55 -08:00
#if defined(HAVE_FIPS) && \
2018-01-12 15:37:22 -08:00
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
2017-12-07 10:58:55 -08:00
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$e")
#pragma const_seg(".fipsB$e")
#endif
#endif
2014-12-19 09:56:51 -07:00
#include <wolfssl/wolfcrypt/rsa.h>
2019-01-18 16:08:23 -07:00
#ifdef WOLFSSL_AFALG_XILINX_RSA
2018-08-24 10:24:53 -06:00
#include <wolfssl/wolfcrypt/port/af_alg/wc_afalg.h>
#endif
2017-08-10 17:27:22 +10:00
#ifdef WOLFSSL_HAVE_SP_RSA
#include <wolfssl/wolfcrypt/sp.h>
#endif
/*
Possible RSA enable options:
* NO_RSA: Overall control of RSA default: on (not defined)
* WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: off
Note: slower by ~20%
* WOLFSSL_KEY_GEN: Allows Private Key Generation default: off
* RSA_LOW_MEM: NON CRT Private Operations, less memory default: off
* WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined)
* WC_RSA_NONBLOCK: Enables support for RSA non-blocking default: off
* WC_RSA_NONBLOCK_TIME:Enables support for time based blocking default: off
* time calculation.
*/
/*
RSA Key Size Configuration:
* FP_MAX_BITS: With USE_FAST_MATH only default: 4096
If USE_FAST_MATH then use this to override default.
Value is key size * 2. Example: RSA 3072 = 6144
*/
2017-12-07 10:58:55 -08:00
/* If building for old FIPS. */
#if defined(HAVE_FIPS) && \
2018-01-12 15:37:22 -08:00
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
2017-12-07 10:58:55 -08:00
2014-12-18 11:10:55 -07:00
int wc_InitRsaKey(RsaKey* key, void* ptr)
{
2017-06-05 15:04:56 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
return InitRsaKey_fips(key, ptr);
2014-12-18 11:10:55 -07:00
}
2017-12-07 10:58:55 -08:00
int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
{
(void)devId;
2017-06-05 15:04:56 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
return InitRsaKey_fips(key, ptr);
}
2014-12-18 11:10:55 -07:00
2017-12-07 10:58:55 -08:00
2014-12-18 11:10:55 -07:00
int wc_FreeRsaKey(RsaKey* key)
{
return FreeRsaKey_fips(key);
2014-12-18 11:10:55 -07:00
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
2014-12-18 11:10:55 -07:00
int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, WC_RNG* rng)
2014-12-18 11:10:55 -07:00
{
2017-06-05 15:04:56 -06:00
if (in == NULL || out == NULL || key == NULL || rng == NULL) {
return BAD_FUNC_ARG;
}
return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng);
2014-12-18 11:10:55 -07:00
}
#endif
2014-12-18 11:10:55 -07:00
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2014-12-18 11:10:55 -07:00
int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
RsaKey* key)
{
2017-06-05 15:04:56 -06:00
if (in == NULL || out == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
return RsaPrivateDecryptInline_fips(in, inLen, out, key);
2014-12-18 11:10:55 -07:00
}
int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
2017-06-05 15:04:56 -06:00
if (in == NULL || out == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key);
2014-12-18 11:10:55 -07:00
}
int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, WC_RNG* rng)
2014-12-18 11:10:55 -07:00
{
2017-06-05 15:04:56 -06:00
if (in == NULL || out == NULL || key == NULL || inLen == 0) {
return BAD_FUNC_ARG;
}
return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng);
2014-12-18 11:10:55 -07:00
}
#endif
2014-12-18 11:10:55 -07:00
int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
{
2017-06-05 15:04:56 -06:00
if (in == NULL || out == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
return RsaSSL_VerifyInline_fips(in, inLen, out, key);
2014-12-18 11:10:55 -07:00
}
int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
2017-06-05 15:04:56 -06:00
if (in == NULL || out == NULL || key == NULL || inLen == 0) {
return BAD_FUNC_ARG;
}
return RsaSSL_Verify_fips(in, inLen, out, outLen, key);
2014-12-18 11:10:55 -07:00
}
int wc_RsaEncryptSize(RsaKey* key)
{
2017-06-05 15:04:56 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
return RsaEncryptSize_fips(key);
2014-12-18 11:10:55 -07:00
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
2014-12-18 11:10:55 -07:00
int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
word32* bSz)
{
2017-06-05 15:04:56 -06:00
/* not specified as fips so not needing _fips */
2014-12-18 11:10:55 -07:00
return RsaFlattenPublicKey(key, a, aSz, b, bSz);
}
#endif
2017-10-31 13:30:06 -07:00
2017-11-02 16:56:49 -07:00
#ifdef WOLFSSL_KEY_GEN
int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
2014-12-18 11:10:55 -07:00
{
return MakeRsaKey(key, size, e, rng);
}
#endif
/* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c
* wc_RsaPrivateKeyDecode
* wc_RsaPublicKeyDecode
*/
2014-12-18 11:10:55 -07:00
2018-01-10 09:26:22 -08:00
#else /* else build without fips, or for new fips */
2014-12-31 15:31:50 -07:00
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/logging.h>
#ifdef WOLF_CRYPTO_CB
#include <wolfssl/wolfcrypt/cryptocb.h>
#endif
2015-02-20 15:51:21 -08:00
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
#define WOLFSSL_MISC_INCLUDED
2015-02-20 15:51:21 -08:00
#include <wolfcrypt/src/misc.c>
#endif
2014-12-18 11:10:55 -07:00
enum {
RSA_STATE_NONE = 0,
RSA_STATE_ENCRYPT_PAD,
RSA_STATE_ENCRYPT_EXPTMOD,
RSA_STATE_ENCRYPT_RES,
RSA_STATE_DECRYPT_EXPTMOD,
RSA_STATE_DECRYPT_UNPAD,
RSA_STATE_DECRYPT_RES,
};
2018-08-24 10:24:53 -06:00
static void wc_RsaCleanup(RsaKey* key)
{
#ifndef WOLFSSL_RSA_VERIFY_INLINE
if (key && key->data) {
/* make sure any allocated memory is free'd */
if (key->dataIsAlloc) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (key->type == RSA_PRIVATE_DECRYPT ||
key->type == RSA_PRIVATE_ENCRYPT) {
ForceZero(key->data, key->dataLen);
}
#endif
XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
key->dataIsAlloc = 0;
}
key->data = NULL;
key->dataLen = 0;
}
#else
(void)key;
#endif
}
int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
{
int ret = 0;
if (key == NULL) {
return BAD_FUNC_ARG;
}
2017-01-25 18:06:25 -07:00
XMEMSET(key, 0, sizeof(RsaKey));
key->type = RSA_TYPE_UNKNOWN;
key->state = RSA_STATE_NONE;
key->heap = heap;
#ifndef WOLFSSL_RSA_VERIFY_INLINE
key->dataIsAlloc = 0;
key->data = NULL;
#endif
key->dataLen = 0;
2016-09-14 14:33:08 -07:00
#ifdef WC_RSA_BLINDING
key->rng = NULL;
#endif
#ifdef WOLF_CRYPTO_CB
key->devId = devId;
#else
(void)devId;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
#ifdef WOLFSSL_CERT_GEN
XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
#endif
#ifdef WC_ASYNC_ENABLE_RSA
/* handle as async */
ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA,
key->heap, devId);
if (ret != 0)
return ret;
#endif /* WC_ASYNC_ENABLE_RSA */
#endif /* WOLFSSL_ASYNC_CRYPT */
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
if (ret != MP_OKAY)
return ret;
#if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)
ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL);
#else
ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
#endif
if (ret != MP_OKAY) {
mp_clear(&key->n);
mp_clear(&key->e);
return ret;
}
#else
ret = mp_init(&key->n);
if (ret != MP_OKAY)
return ret;
ret = mp_init(&key->e);
if (ret != MP_OKAY) {
mp_clear(&key->n);
return ret;
}
#endif
2017-06-07 11:37:21 -06:00
#ifdef WOLFSSL_XILINX_CRYPT
key->pubExp = 0;
key->mod = NULL;
#endif
2019-01-18 16:08:23 -07:00
#ifdef WOLFSSL_AFALG_XILINX_RSA
2018-08-24 10:24:53 -06:00
key->alFd = WC_SOCK_NOTSET;
key->rdFd = WC_SOCK_NOTSET;
#endif
return ret;
}
2014-12-31 15:31:50 -07:00
int wc_InitRsaKey(RsaKey* key, void* heap)
{
return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
2014-12-31 15:31:50 -07:00
}
2018-09-12 08:56:59 +10:00
#ifdef HAVE_PKCS11
int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
int devId)
{
int ret = 0;
if (key == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN))
ret = BUFFER_E;
if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0 && id != NULL && len != 0) {
XMEMCPY(key->id, id, len);
key->idLen = len;
}
return ret;
}
int wc_InitRsaKey_Label(RsaKey* key, char* label, void* heap, int devId)
{
int ret = 0;
int labelLen = 0;
if (key == NULL || label == NULL)
ret = BAD_FUNC_ARG;
if (ret == 0) {
labelLen = XSTRLEN(label);
if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN)
ret = BUFFER_E;
}
if (ret == 0)
ret = wc_InitRsaKey_ex(key, heap, devId);
if (ret == 0) {
XMEMCPY(key->label, label, labelLen);
key->labelLen = labelLen;
}
return ret;
}
2018-09-12 08:56:59 +10:00
#endif
2017-06-07 11:37:21 -06:00
#ifdef WOLFSSL_XILINX_CRYPT
#define MAX_E_SIZE 4
/* Used to setup hardware state
*
* key the RSA key to setup
*
* returns 0 on success
*/
int wc_InitRsaHw(RsaKey* key)
{
unsigned char* m; /* RSA modulous */
word32 e = 0; /* RSA public exponent */
int mSz;
int eSz;
if (key == NULL) {
return BAD_FUNC_ARG;
}
mSz = mp_unsigned_bin_size(&(key->n));
m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
2020-05-19 16:41:51 -07:00
if (m == NULL) {
2017-06-07 11:37:21 -06:00
return MEMORY_E;
}
if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
WOLFSSL_MSG("Unable to get RSA key modulus");
2017-06-07 11:37:21 -06:00
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return MP_READ_E;
}
eSz = mp_unsigned_bin_size(&(key->e));
if (eSz > MAX_E_SIZE) {
WOLFSSL_MSG("Exponent of size 4 bytes expected");
2017-06-07 11:37:21 -06:00
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return BAD_FUNC_ARG;
}
if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
!= MP_OKAY) {
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
WOLFSSL_MSG("Unable to get RSA key exponent");
return MP_READ_E;
}
/* check for existing mod buffer to avoid memory leak */
if (key->mod != NULL) {
XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
}
key->pubExp = e;
key->mod = m;
if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
(byte*)&(key->pubExp)) != XST_SUCCESS) {
WOLFSSL_MSG("Unable to initialize RSA on hardware");
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return BAD_STATE_E;
}
#ifdef WOLFSSL_XILINX_PATCH
/* currently a patch of xsecure_rsa.c for 2048 bit keys */
if (wc_RsaEncryptSize(key) == 256) {
if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
WOLFSSL_MSG("Unable to set RSA key size on hardware");
XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
return BAD_STATE_E;
}
}
#endif
2019-03-27 20:44:38 -07:00
return 0;
} /* WOLFSSL_XILINX_CRYPT*/
2017-06-07 11:37:21 -06:00
2019-03-27 20:44:38 -07:00
#elif defined(WOLFSSL_CRYPTOCELL)
int wc_InitRsaHw(RsaKey* key)
{
CRYSError_t ret = 0;
byte e[3];
word32 eSz = sizeof(e);
byte n[256];
word32 nSz = sizeof(n);
byte d[256];
word32 dSz = sizeof(d);
byte p[128];
word32 pSz = sizeof(p);
byte q[128];
word32 qSz = sizeof(q);
if (key == NULL) {
return BAD_FUNC_ARG;
}
ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
if (ret != 0)
return MP_READ_E;
ret = CRYS_RSA_Build_PubKey(&key->ctx.pubKey, e, eSz, n, nSz);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_Build_PubKey failed");
return ret;
}
ret = CRYS_RSA_Build_PrivKey(&key->ctx.privKey, d, dSz, e, eSz, n, nSz);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_Build_PrivKey failed");
return ret;
}
key->type = RSA_PRIVATE;
2017-06-07 11:37:21 -06:00
return 0;
}
2019-03-27 20:44:38 -07:00
static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
{
CRYSError_t ret = 0;
CRYS_RSAKGData_t KeyGenData;
CRYS_RSAKGFipsContext_t FipsCtx;
byte ex[3];
uint16_t eSz = sizeof(ex);
byte n[256];
uint16_t nSz = sizeof(n);
ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState,
wc_rndGenVectFunc,
(byte*)&e,
3*sizeof(uint8_t),
size,
&key->ctx.privKey,
&key->ctx.pubKey,
&KeyGenData,
&FipsCtx);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_KG_GenerateKeyPair failed");
return ret;
}
ret = CRYS_RSA_Get_PubKey(&key->ctx.pubKey, ex, &eSz, n, &nSz);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_Get_PubKey failed");
return ret;
}
ret = wc_RsaPublicKeyDecodeRaw(n, nSz, ex, eSz, key);
key->type = RSA_PRIVATE;
return ret;
}
#endif /* WOLFSSL_CRYPTOCELL */
2017-06-07 11:37:21 -06:00
2014-12-31 15:31:50 -07:00
int wc_FreeRsaKey(RsaKey* key)
{
int ret = 0;
2014-12-31 15:31:50 -07:00
if (key == NULL) {
return BAD_FUNC_ARG;
2014-12-31 15:31:50 -07:00
}
wc_RsaCleanup(key);
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
#endif
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (key->type == RSA_PRIVATE) {
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
mp_forcezero(&key->u);
mp_forcezero(&key->dQ);
mp_forcezero(&key->dP);
#endif
mp_forcezero(&key->q);
mp_forcezero(&key->p);
mp_forcezero(&key->d);
}
/* private part */
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
mp_clear(&key->u);
mp_clear(&key->dQ);
mp_clear(&key->dP);
#endif
mp_clear(&key->q);
mp_clear(&key->p);
mp_clear(&key->d);
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
/* public part */
mp_clear(&key->e);
mp_clear(&key->n);
2017-06-07 11:37:21 -06:00
#ifdef WOLFSSL_XILINX_CRYPT
XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
key->mod = NULL;
#endif
2019-01-18 16:08:23 -07:00
#ifdef WOLFSSL_AFALG_XILINX_RSA
2018-08-24 10:24:53 -06:00
/* make sure that sockets are closed on cleanup */
if (key->alFd > 0) {
close(key->alFd);
key->alFd = WC_SOCK_NOTSET;
}
if (key->rdFd > 0) {
close(key->rdFd);
key->rdFd = WC_SOCK_NOTSET;
}
#endif
return ret;
2014-12-31 15:31:50 -07:00
}
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
2018-04-26 14:02:43 -07:00
/* Check the pair-wise consistency of the RSA key.
* From NIST SP 800-56B, section 6.4.1.1.
2018-04-26 14:02:43 -07:00
* Verify that k = (k^e)^d, for some k: 1 < k < n-1. */
int wc_CheckRsaKey(RsaKey* key)
{
2019-03-27 20:44:38 -07:00
#if defined(WOLFSSL_CRYPTOCELL)
return 0;
#endif
#ifdef WOLFSSL_SMALL_STACK
mp_int *k = NULL, *tmp = NULL;
#else
mp_int k[1], tmp[1];
#endif
2018-04-26 14:02:43 -07:00
int ret = 0;
#ifdef WOLFSSL_SMALL_STACK
k = (mp_int*)XMALLOC(sizeof(mp_int) * 2, NULL, DYNAMIC_TYPE_RSA);
if (k == NULL)
return MEMORY_E;
tmp = k + 1;
#endif
if (mp_init_multi(k, tmp, NULL, NULL, NULL, NULL) != MP_OKAY)
2018-04-26 14:02:43 -07:00
ret = MP_INIT_E;
if (ret == 0) {
if (key == NULL)
ret = BAD_FUNC_ARG;
}
if (ret == 0) {
if (mp_set_int(k, 0x2342) != MP_OKAY)
2018-04-26 14:02:43 -07:00
ret = MP_READ_E;
}
2019-09-19 09:08:15 +10:00
#ifdef WOLFSSL_HAVE_SP_RSA
2020-07-09 15:13:01 -07:00
if (ret == 0) {
switch (mp_count_bits(&key->n)) {
#ifndef WOLFSSL_SP_NO_2048
case 2048:
ret = sp_ModExp_2048(k, &key->e, &key->n, tmp);
if (ret != 0)
ret = MP_EXPTMOD_E;
if (ret == 0) {
ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp);
if (ret != 0)
ret = MP_EXPTMOD_E;
}
break;
#endif /* WOLFSSL_SP_NO_2048 */
#ifndef WOLFSSL_SP_NO_3072
case 3072:
ret = sp_ModExp_3072(k, &key->e, &key->n, tmp);
if (ret != 0)
ret = MP_EXPTMOD_E;
if (ret == 0) {
ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp);
if (ret != 0)
ret = MP_EXPTMOD_E;
}
break;
#endif /* WOLFSSL_SP_NO_3072 */
#ifdef WOLFSSL_SP_4096
case 4096:
ret = sp_ModExp_4096(k, &key->e, &key->n, tmp);
if (ret != 0)
ret = MP_EXPTMOD_E;
if (ret == 0) {
ret = sp_ModExp_4096(tmp, &key->d, &key->n, tmp);
if (ret != 0)
ret = MP_EXPTMOD_E;
}
break;
#endif /* WOLFSSL_SP_4096 */
default:
/* If using only single precsision math then issue key size
* error, otherwise fall-back to multi-precision math
* calculation */
#if defined(WOLFSSL_SP_MATH)
2020-07-09 15:13:01 -07:00
ret = WC_KEY_SIZE_E;
#else
if (mp_exptmod_nct(k, &key->e, &key->n, tmp) != MP_OKAY)
ret = MP_EXPTMOD_E;
if (ret == 0) {
if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
ret = MP_EXPTMOD_E;
}
#endif
break;
}
2020-07-09 15:13:01 -07:00
}
#else
2020-07-09 15:13:01 -07:00
if (ret == 0) {
if (mp_exptmod_nct(k, &key->e, &key->n, tmp) != MP_OKAY)
2020-07-09 15:13:01 -07:00
ret = MP_EXPTMOD_E;
}
2020-07-09 15:13:01 -07:00
if (ret == 0) {
if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
ret = MP_EXPTMOD_E;
}
#endif /* WOLFSSL_HAVE_SP_RSA */
2018-04-26 14:02:43 -07:00
if (ret == 0) {
if (mp_cmp(k, tmp) != MP_EQ)
2018-04-26 14:02:43 -07:00
ret = RSA_KEY_PAIR_E;
}
2019-11-01 16:25:57 +10:00
/* Check d is less than n. */
if (ret == 0 ) {
if (mp_cmp(&key->d, &key->n) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check p*q = n. */
if (ret == 0 ) {
if (mp_mul(&key->p, &key->q, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (mp_cmp(&key->n, tmp) != MP_EQ) {
ret = MP_EXPTMOD_E;
}
}
/* Check dP, dQ and u if they exist */
if (ret == 0 && !mp_iszero(&key->dP)) {
2020-01-15 22:15:38 +10:00
if (mp_sub_d(&key->p, 1, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
2019-11-01 16:25:57 +10:00
}
/* Check dP <= p-1. */
if (ret == 0) {
if (mp_cmp(&key->dP, tmp) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check e*dP mod p-1 = 1. (dP = 1/e mod p-1) */
if (ret == 0) {
if (mp_mulmod(&key->dP, &key->e, tmp, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (!mp_isone(tmp)) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0) {
if (mp_sub_d(&key->q, 1, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
/* Check dQ <= q-1. */
if (ret == 0) {
if (mp_cmp(&key->dQ, tmp) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check e*dP mod p-1 = 1. (dQ = 1/e mod q-1) */
if (ret == 0) {
if (mp_mulmod(&key->dQ, &key->e, tmp, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (!mp_isone(tmp)) {
ret = MP_EXPTMOD_E;
}
}
/* Check u <= p. */
if (ret == 0) {
if (mp_cmp(&key->u, &key->p) != MP_LT) {
ret = MP_EXPTMOD_E;
}
}
/* Check u*q mod p = 1. (u = 1/q mod p) */
if (ret == 0) {
if (mp_mulmod(&key->u, &key->q, &key->p, tmp) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
}
if (ret == 0 ) {
if (!mp_isone(tmp)) {
ret = MP_EXPTMOD_E;
}
}
}
mp_forcezero(tmp);
mp_clear(tmp);
mp_clear(k);
#ifdef WOLFSSL_SMALL_STACK
XFREE(k, NULL, DYNAMIC_TYPE_RSA);
#endif
2018-04-26 14:02:43 -07:00
return ret;
}
#endif /* WOLFSSL_KEY_GEN && !WOLFSSL_NO_RSA_KEY_CHECK */
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2018-04-26 14:02:43 -07:00
2017-05-10 16:59:11 +10:00
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
2016-01-05 10:56:15 -07:00
/* Uses MGF1 standard as a mask generation function
hType: hash type used
seed: seed to use for generating mask
seedSz: size of seed buffer
out: mask output after generation
outSz: size of output buffer
*/
#if !defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
byte* out, word32 outSz, void* heap)
2016-01-05 10:56:15 -07:00
{
2016-01-14 14:26:17 -07:00
byte* tmp;
/* needs to be large enough for seed size plus counter(4) */
byte tmpA[WC_MAX_DIGEST_SIZE + 4];
byte tmpF; /* 1 if dynamic memory needs freed */
word32 tmpSz;
2016-01-05 10:56:15 -07:00
int hLen;
int ret;
word32 counter;
word32 idx;
hLen = wc_HashGetDigestSize(hType);
counter = 0;
idx = 0;
(void)heap;
2016-01-14 14:26:17 -07:00
/* check error return of wc_HashGetDigestSize */
if (hLen < 0) {
return hLen;
}
/* if tmp is not large enough than use some dynamic memory */
if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
/* find largest amount of memory needed which will be the max of
* hLen and (seedSz + 4) since tmp is used to store the hash digest */
tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (tmp == NULL) {
return MEMORY_E;
}
tmpF = 1; /* make sure to free memory when done */
}
else {
/* use array on the stack */
tmpSz = sizeof(tmpA);
tmp = tmpA;
tmpF = 0; /* no need to free memory at end */
}
2016-01-05 10:56:15 -07:00
do {
int i = 0;
XMEMCPY(tmp, seed, seedSz);
/* counter to byte array appended to tmp */
2020-07-09 15:13:01 -07:00
tmp[seedSz] = (byte)((counter >> 24) & 0xFF);
tmp[seedSz + 1] = (byte)((counter >> 16) & 0xFF);
tmp[seedSz + 2] = (byte)((counter >> 8) & 0xFF);
tmp[seedSz + 3] = (byte)((counter) & 0xFF);
2016-01-05 10:56:15 -07:00
/* hash and append to existing output */
2016-01-14 14:26:17 -07:00
if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) {
2016-01-14 23:58:30 -07:00
/* check for if dynamic memory was needed, then free */
if (tmpF) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 23:58:30 -07:00
}
2016-01-05 10:56:15 -07:00
return ret;
}
for (i = 0; i < hLen && idx < outSz; i++) {
out[idx++] = tmp[i];
}
counter++;
} while (idx < outSz);
2016-01-05 10:56:15 -07:00
2016-01-14 14:26:17 -07:00
/* check for if dynamic memory was needed, then free */
if (tmpF) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
}
2016-01-05 10:56:15 -07:00
return 0;
}
#endif /* SHA2 Hashes */
2016-01-05 10:56:15 -07:00
/* helper function to direct which mask generation function is used
switched on type input
2016-01-05 10:56:15 -07:00
*/
static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
word32 outSz, void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
switch(type) {
#ifndef NO_SHA
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA1:
ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
break;
#endif
#ifndef NO_SHA256
2016-11-10 15:52:26 +10:00
#ifdef WOLFSSL_SHA224
case WC_MGF1SHA224:
ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
break;
#endif
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA256:
ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
break;
#endif
#ifdef WOLFSSL_SHA384
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA384:
ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
break;
#endif
#ifdef WOLFSSL_SHA512
2016-01-05 10:56:15 -07:00
case WC_MGF1SHA512:
ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
break;
#endif
2016-01-05 10:56:15 -07:00
default:
WOLFSSL_MSG("Unknown MGF type: check build options");
2016-01-05 10:56:15 -07:00
ret = BAD_FUNC_ARG;
}
/* in case of default avoid unused warning */
2016-01-05 10:56:15 -07:00
(void)seed;
(void)seedSz;
(void)out;
(void)outSz;
2016-06-04 19:03:48 -06:00
(void)heap;
2016-01-05 10:56:15 -07:00
return ret;
}
#endif /* !WC_NO_RSA_OAEP || WC_RSA_PSS */
2016-01-05 10:56:15 -07:00
/* Padding */
2018-12-19 14:36:32 -07:00
#ifndef WOLFSSL_RSA_VERIFY_ONLY
#ifndef WC_NO_RNG
#ifndef WC_NO_RSA_OAEP
static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
int hLen;
int psLen;
int i;
word32 idx;
byte* dbMask;
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
byte* lHash = NULL;
byte* seed = NULL;
#else
/* must be large enough to contain largest hash */
byte lHash[WC_MAX_DIGEST_SIZE];
byte seed[ WC_MAX_DIGEST_SIZE];
#endif
2016-01-05 10:56:15 -07:00
/* no label is allowed, but catch if no label provided and length > 0 */
2016-01-05 10:56:15 -07:00
if (optLabel == NULL && labelLen > 0) {
return BUFFER_E;
}
/* limit of label is the same as limit of hash function which is massive */
hLen = wc_HashGetDigestSize(hType);
if (hLen < 0) {
return hLen;
}
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (lHash == NULL) {
return MEMORY_E;
}
seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (seed == NULL) {
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
return MEMORY_E;
}
#else
/* hLen should never be larger than lHash since size is max digest size,
but check before blindly calling wc_Hash */
if ((word32)hLen > sizeof(lHash)) {
WOLFSSL_MSG("OAEP lHash to small for digest!!");
return MEMORY_E;
}
#endif
2016-04-14 09:33:25 -06:00
if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
2016-01-05 10:56:15 -07:00
WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
return ret;
}
/* handles check of location for idx as well as psLen, cast to int to check
for pkcsBlockLen(k) - 2 * hLen - 2 being negative
This check is similar to decryption where k > 2 * hLen + 2 as msg
size approaches 0. In decryption if k is less than or equal -- then there
is no possible room for msg.
k = RSA key size
hLen = hash digest size -- will always be >= 0 at this point
*/
if ((word32)(2 * hLen + 2) > pkcsBlockLen) {
WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
#endif
return BAD_FUNC_ARG;
}
if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
WOLFSSL_MSG("OAEP pad error message too long");
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
return BAD_FUNC_ARG;
}
/* concatenate lHash || PS || 0x01 || msg */
2016-01-05 10:56:15 -07:00
idx = pkcsBlockLen - 1 - inputLen;
psLen = pkcsBlockLen - inputLen - 2 * hLen - 2;
if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
return BUFFER_E;
}
XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
pkcsBlock[idx--] = 0x01; /* PS and M separator */
2016-01-05 10:56:15 -07:00
while (psLen > 0 && idx > 0) {
pkcsBlock[idx--] = 0x00;
psLen--;
}
2016-01-14 14:26:17 -07:00
2016-01-05 10:56:15 -07:00
idx = idx - hLen + 1;
XMEMCPY(pkcsBlock + idx, lHash, hLen);
/* generate random seed */
if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
return ret;
}
/* create maskedDB from dbMask */
2016-06-04 19:03:48 -06:00
dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
2016-01-14 14:26:17 -07:00
if (dbMask == NULL) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
return MEMORY_E;
}
2016-01-18 10:22:12 -07:00
XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
2016-01-14 14:26:17 -07:00
ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
2016-01-05 10:56:15 -07:00
if (ret != 0) {
2016-06-04 19:03:48 -06:00
XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
return ret;
}
i = 0;
idx = hLen + 1;
while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) {
pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx];
idx++;
}
2016-06-04 19:03:48 -06:00
XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
2016-01-05 10:56:15 -07:00
/* create maskedSeed from seedMask */
idx = 0;
pkcsBlock[idx++] = 0x00;
/* create seedMask inline */
if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
pkcsBlock + 1, hLen, heap)) != 0) {
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
return ret;
}
/* xor created seedMask with seed to make maskedSeed */
i = 0;
while (idx < (word32)(hLen + 1) && i < hLen) {
pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++];
idx++;
}
2016-01-14 14:26:17 -07:00
#ifdef WOLFSSL_SMALL_STACK
XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
#endif
2016-01-05 10:56:15 -07:00
(void)padValue;
return 0;
}
#endif /* !WC_NO_RSA_OAEP */
2016-01-05 10:56:15 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
2017-05-18 15:32:06 +10:00
/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
* XOR MGF over all bytes down to end of Salt
* Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
*
* input Digest of the message.
* inputLen Length of digest.
* pkcsBlock Buffer to write to.
* pkcsBlockLen Length of buffer to write to.
* rng Random number generator (for salt).
* htype Hash function to use.
* mgf Mask generation function.
* saltLen Length of salt to put in padding.
* bits Length of key in bits.
* heap Used for dynamic memory allocation.
* returns 0 on success, PSS_SALTLEN_E when the salt length is invalid
* and other negative values on error.
2017-05-18 15:32:06 +10:00
*/
2017-05-10 16:59:11 +10:00
static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
int saltLen, int bits, void* heap)
2017-05-10 16:59:11 +10:00
{
int ret = 0;
int hLen, i, o, maskLen, hiBits;
2017-05-10 16:59:11 +10:00
byte* m;
byte* s;
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
byte msg[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
#else
byte* msg = NULL;
#endif
#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
byte* salt;
#else
byte salt[WC_MAX_DIGEST_SIZE];
#endif
#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
if (pkcsBlockLen > RSA_MAX_SIZE/8) {
return MEMORY_E;
}
#endif
2017-05-10 16:59:11 +10:00
hLen = wc_HashGetDigestSize(hType);
if (hLen < 0)
return hLen;
2020-08-03 12:17:03 +10:00
if ((int)inputLen != hLen) {
return BAD_FUNC_ARG;
}
2017-05-10 16:59:11 +10:00
hiBits = (bits - 1) & 0x7;
if (hiBits == 0) {
2020-07-09 15:13:01 -07:00
/* Per RFC8017, set the leftmost 8emLen - emBits bits of the
leftmost octet in DB to zero.
*/
*(pkcsBlock++) = 0;
pkcsBlockLen--;
}
if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
saltLen = hLen;
2018-03-28 13:58:25 -07:00
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) {
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
}
2018-03-28 13:58:25 -07:00
#endif
}
#ifndef WOLFSSL_PSS_LONG_SALT
else if (saltLen > hLen) {
return PSS_SALTLEN_E;
}
#endif
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
return PSS_SALTLEN_E;
}
#else
else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
saltLen = (int)pkcsBlockLen - hLen - 2;
if (saltLen < 0) {
return PSS_SALTLEN_E;
}
}
else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
return PSS_SALTLEN_E;
}
#endif
if ((int)pkcsBlockLen - hLen < saltLen + 2) {
return PSS_SALTLEN_E;
}
maskLen = pkcsBlockLen - 1 - hLen;
#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
msg = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap,
DYNAMIC_TYPE_RSA_BUFFER);
if (msg == NULL) {
return MEMORY_E;
}
#endif
salt = s = m = msg;
XMEMSET(m, 0, RSA_PSS_PAD_SZ);
m += RSA_PSS_PAD_SZ;
XMEMCPY(m, input, inputLen);
m += inputLen;
o = (int)(m - s);
if (saltLen > 0) {
ret = wc_RNG_GenerateBlock(rng, m, saltLen);
if (ret == 0) {
m += saltLen;
}
}
#else
if (pkcsBlockLen < RSA_PSS_PAD_SZ + inputLen + saltLen) {
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
msg = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap,
DYNAMIC_TYPE_RSA_BUFFER);
if (msg == NULL) {
return MEMORY_E;
}
#endif
m = msg;
}
else {
m = pkcsBlock;
}
s = m;
XMEMSET(m, 0, RSA_PSS_PAD_SZ);
m += RSA_PSS_PAD_SZ;
2017-05-10 16:59:11 +10:00
XMEMCPY(m, input, inputLen);
m += inputLen;
o = 0;
if (saltLen > 0) {
ret = wc_RNG_GenerateBlock(rng, salt, saltLen);
if (ret == 0) {
XMEMCPY(m, salt, saltLen);
m += saltLen;
}
}
#endif
if (ret == 0) {
/* Put Hash at end of pkcsBlock - 1 */
ret = wc_Hash(hType, s, (word32)(m - s), pkcsBlock + maskLen, hLen);
}
if (ret == 0) {
2020-07-09 15:13:01 -07:00
/* Set the last eight bits or trailer field to the octet 0xbc */
pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM;
2017-05-10 16:59:11 +10:00
ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, pkcsBlock, maskLen, heap);
}
if (ret == 0) {
2020-07-09 15:13:01 -07:00
/* Clear the first high bit when "8emLen - emBits" is non-zero.
where emBits = n modBits - 1 */
if (hiBits)
pkcsBlock[0] &= (1 << hiBits) - 1;
2017-05-10 16:59:11 +10:00
m = pkcsBlock + maskLen - saltLen - 1;
*(m++) ^= 0x01;
for (i = 0; i < saltLen; i++) {
m[i] ^= salt[o + i];
}
}
2017-05-10 16:59:11 +10:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
if (msg != NULL) {
XFREE(msg, heap, DYNAMIC_TYPE_RSA_BUFFER);
}
#endif
return ret;
2017-05-10 16:59:11 +10:00
}
#endif /* WC_RSA_PSS */
#endif /* !WC_NO_RNG */
2016-01-05 10:56:15 -07:00
static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
pkcsBlockLen == 0) {
2016-04-14 09:33:25 -06:00
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
2020-07-09 15:13:01 -07:00
if (pkcsBlockLen - RSA_MIN_PAD_SZ < inputLen) {
WOLFSSL_MSG("RsaPad error, invalid length");
return RSA_PAD_E;
}
2014-12-31 15:31:50 -07:00
pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
pkcsBlock++; pkcsBlockLen--;
pkcsBlock[0] = padValue; /* insert padValue */
2016-04-14 09:33:25 -06:00
if (padValue == RSA_BLOCK_TYPE_1) {
2014-12-31 15:31:50 -07:00
/* pad with 0xff bytes */
XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
2016-04-14 09:33:25 -06:00
}
2014-12-31 15:31:50 -07:00
else {
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WC_NO_RNG)
2014-12-31 15:31:50 -07:00
/* pad with non-zero random bytes */
2016-04-14 09:33:25 -06:00
word32 padLen, i;
int ret;
padLen = pkcsBlockLen - inputLen - 1;
ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
if (ret != 0) {
2014-12-31 15:31:50 -07:00
return ret;
}
2014-12-31 15:31:50 -07:00
/* remove zeros */
for (i = 1; i < padLen; i++) {
2014-12-31 15:31:50 -07:00
if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
}
#else
2018-12-19 14:36:32 -07:00
(void)rng;
return RSA_WRONG_TYPE_E;
#endif
2014-12-31 15:31:50 -07:00
}
pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
return 0;
}
2016-01-05 10:56:15 -07:00
/* helper function to direct which padding is used */
int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
int saltLen, int bits, void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
switch (padType)
{
case WC_RSA_PKCSV15_PAD:
/*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
2017-05-10 16:59:11 +10:00
padValue, rng);
2016-01-05 10:56:15 -07:00
break;
#ifndef WC_NO_RNG
#ifndef WC_NO_RSA_OAEP
2016-01-05 10:56:15 -07:00
case WC_RSA_OAEP_PAD:
WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
2017-05-10 16:59:11 +10:00
padValue, rng, hType, mgf, optLabel, labelLen, heap);
2016-01-05 10:56:15 -07:00
break;
#endif
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
case WC_RSA_PSS_PAD:
WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
2017-05-22 09:43:55 +10:00
ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
hType, mgf, saltLen, bits, heap);
2017-05-10 16:59:11 +10:00
break;
#endif
#endif /* !WC_NO_RNG */
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_NO_PADDING
case WC_RSA_NO_PAD:
WOLFSSL_MSG("wolfSSL Using NO padding");
/* In the case of no padding being used check that input is exactly
* the RSA key length */
2018-02-22 09:55:20 -07:00
if (bits <= 0 || inputLen != ((word32)bits/WOLFSSL_BIT_SIZE)) {
WOLFSSL_MSG("Bad input size");
ret = RSA_PAD_E;
}
else {
XMEMCPY(pkcsBlock, input, inputLen);
ret = 0;
}
break;
#endif
2016-01-05 10:56:15 -07:00
default:
WOLFSSL_MSG("Unknown RSA Pad Type");
ret = RSA_PAD_E;
}
/* silence warning if not used with padding scheme */
(void)input;
(void)inputLen;
(void)pkcsBlock;
(void)pkcsBlockLen;
(void)padValue;
(void)rng;
(void)padType;
2016-01-05 10:56:15 -07:00
(void)hType;
(void)mgf;
(void)optLabel;
(void)labelLen;
(void)saltLen;
2017-05-22 09:43:55 +10:00
(void)bits;
2016-06-04 19:03:48 -06:00
(void)heap;
2016-01-05 10:56:15 -07:00
return ret;
}
2018-12-19 14:36:32 -07:00
#endif /* WOLFSSL_RSA_VERIFY_ONLY */
2016-01-05 10:56:15 -07:00
/* UnPadding */
#ifndef WC_NO_RSA_OAEP
2016-01-05 10:56:15 -07:00
/* UnPad plaintext, set start to *output, return length of plaintext,
* < 0 on error */
static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
2016-01-20 15:31:08 -07:00
byte **output, enum wc_HashType hType, int mgf,
2016-06-04 19:03:48 -06:00
byte* optLabel, word32 labelLen, void* heap)
2016-01-05 10:56:15 -07:00
{
int hLen;
int ret;
2016-01-14 14:26:17 -07:00
byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
byte* tmp;
2016-01-05 10:56:15 -07:00
word32 idx;
/* no label is allowed, but catch if no label provided and length > 0 */
if (optLabel == NULL && labelLen > 0) {
return BUFFER_E;
}
2016-01-05 10:56:15 -07:00
hLen = wc_HashGetDigestSize(hType);
if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) {
return BAD_FUNC_ARG;
}
tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
if (tmp == NULL) {
return MEMORY_E;
}
XMEMSET(tmp, 0, pkcsBlockLen);
2016-01-05 10:56:15 -07:00
/* find seedMask value */
if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return ret;
}
/* xor seedMask value with maskedSeed to get seed value */
for (idx = 0; idx < (word32)hLen; idx++) {
tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx];
}
/* get dbMask value */
if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen,
pkcsBlockLen - hLen - 1, heap)) != 0) {
XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-05 10:56:15 -07:00
return ret;
}
/* get DB value by doing maskedDB xor dbMask */
2016-01-05 10:56:15 -07:00
for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) {
pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen];
}
2016-01-14 14:26:17 -07:00
/* done with use of tmp buffer */
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2016-01-14 14:26:17 -07:00
2016-06-06 10:34:35 -06:00
/* advance idx to index of PS and msg separator, account for PS size of 0*/
idx = hLen + 1 + hLen;
2016-01-05 10:56:15 -07:00
while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;}
/* create hash of label for comparison with hash sent */
2016-01-05 10:56:15 -07:00
if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) {
return ret;
}
/* say no to chosen ciphertext attack.
Comparison of lHash, Y, and separator value needs to all happen in
2016-01-05 10:56:15 -07:00
constant time.
Attackers should not be able to get error condition from the timing of
these checks.
*/
ret = 0;
ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen);
ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */
2016-01-05 10:56:15 -07:00
ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */
/* Return 0 data length on error. */
idx = ctMaskSelInt(ctMaskEq(ret, 0), idx, pkcsBlockLen);
2016-01-05 10:56:15 -07:00
/* adjust pointer to correct location in array and return size of M */
*output = (byte*)(pkcsBlock + idx);
return pkcsBlockLen - idx;
}
2016-01-14 14:26:17 -07:00
#endif /* WC_NO_RSA_OAEP */
2016-01-05 10:56:15 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
* MGF over all bytes down to end of Salt
*
* pkcsBlock Buffer holding decrypted data.
* pkcsBlockLen Length of buffer.
* htype Hash function to use.
* mgf Mask generation function.
* saltLen Length of salt to put in padding.
* bits Length of key in bits.
* heap Used for dynamic memory allocation.
2020-07-09 15:13:01 -07:00
* returns the sum of salt length and SHA-256 digest size on success.
* Otherwise, PSS_SALTLEN_E for an incorrect salt length,
* WC_KEY_SIZE_E for an incorrect encoded message (EM) size
and other negative values on error.
*/
2017-05-10 16:59:11 +10:00
static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
byte **output, enum wc_HashType hType, int mgf,
int saltLen, int bits, void* heap)
2017-05-10 16:59:11 +10:00
{
int ret;
byte* tmp;
int hLen, i, maskLen;
#ifdef WOLFSSL_SHA512
int orig_bits = bits;
#endif
#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
byte tmp_buf[RSA_MAX_SIZE/8];
tmp = tmp_buf;
if (pkcsBlockLen > RSA_MAX_SIZE/8) {
return MEMORY_E;
}
#endif
2017-05-10 16:59:11 +10:00
hLen = wc_HashGetDigestSize(hType);
if (hLen < 0)
return hLen;
bits = (bits - 1) & 0x7;
if ((pkcsBlock[0] & (0xff << bits)) != 0) {
return BAD_PADDING_E;
}
if (bits == 0) {
pkcsBlock++;
pkcsBlockLen--;
}
maskLen = (int)pkcsBlockLen - 1 - hLen;
if (maskLen < 0) {
WOLFSSL_MSG("RsaUnPad_PSS: Hash too large");
return WC_KEY_SIZE_E;
}
2017-05-10 16:59:11 +10:00
if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
saltLen = hLen;
2018-03-28 13:58:25 -07:00
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
if (orig_bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
#endif
}
#ifndef WOLFSSL_PSS_LONG_SALT
else if (saltLen > hLen)
return PSS_SALTLEN_E;
#endif
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT)
return PSS_SALTLEN_E;
if (maskLen < saltLen + 1) {
return PSS_SALTLEN_E;
}
#else
else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER)
return PSS_SALTLEN_E;
if (saltLen != RSA_PSS_SALT_LEN_DISCOVER && maskLen < saltLen + 1) {
return WC_KEY_SIZE_E;
}
#endif
if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error");
2017-05-10 16:59:11 +10:00
return BAD_PADDING_E;
}
2017-05-10 16:59:11 +10:00
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
tmp = (byte*)XMALLOC(maskLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
if (tmp == NULL) {
2017-05-10 16:59:11 +10:00
return MEMORY_E;
}
#endif
2017-05-10 16:59:11 +10:00
if ((ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, tmp, maskLen,
heap)) != 0) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2017-05-10 16:59:11 +10:00
return ret;
}
tmp[0] &= (1 << bits) - 1;
pkcsBlock[0] &= (1 << bits) - 1;
#ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
for (i = 0; i < maskLen - 1; i++) {
if (tmp[i] != pkcsBlock[i]) {
break;
}
}
if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
return PSS_SALTLEN_RECOVER_E;
}
saltLen = maskLen - (i + 1);
}
else
#endif
{
for (i = 0; i < maskLen - 1 - saltLen; i++) {
if (tmp[i] != pkcsBlock[i]) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
return PSS_SALTLEN_E;
}
}
if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End");
return PSS_SALTLEN_E;
2017-05-10 16:59:11 +10:00
}
}
for (i++; i < maskLen; i++)
2017-05-10 16:59:11 +10:00
pkcsBlock[i] ^= tmp[i];
#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
#endif
2017-05-10 16:59:11 +10:00
*output = pkcsBlock + maskLen - saltLen;
2018-03-29 17:04:59 -07:00
return saltLen + hLen;
2017-05-10 16:59:11 +10:00
}
#endif
2016-01-05 10:56:15 -07:00
2014-12-31 15:31:50 -07:00
/* UnPad plaintext, set start to *output, return length of plaintext,
* < 0 on error */
static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
byte **output, byte padValue)
2014-12-31 15:31:50 -07:00
{
2018-12-19 14:36:32 -07:00
int ret = BAD_FUNC_ARG;
2019-06-27 06:38:14 +09:00
word16 i;
#ifndef WOLFSSL_RSA_VERIFY_ONLY
byte invalid = 0;
#endif
2014-12-31 15:31:50 -07:00
2020-05-28 14:14:19 -05:00
if (output == NULL || pkcsBlockLen < 2 || pkcsBlockLen > 0xFFFF) {
2016-04-14 09:33:25 -06:00
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
if (padValue == RSA_BLOCK_TYPE_1) {
/* First byte must be 0x00 and Second byte, block type, 0x01 */
if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
WOLFSSL_MSG("RsaUnPad error, invalid formatting");
return RSA_PAD_E;
}
/* check the padding until we find the separator */
for (i = 2; i < pkcsBlockLen && pkcsBlock[i++] == 0xFF; ) { }
/* Minimum of 11 bytes of pre-message data and must have separator. */
if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
WOLFSSL_MSG("RsaUnPad error, bad formatting");
return RSA_PAD_E;
}
*output = (byte *)(pkcsBlock + i);
ret = pkcsBlockLen - i;
2014-12-31 15:31:50 -07:00
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
2014-12-31 15:31:50 -07:00
else {
2019-06-27 06:38:14 +09:00
word16 j;
2019-06-24 07:53:23 +09:00
word16 pastSep = 0;
/* Decrypted with private key - unpad must be constant time. */
for (i = 0, j = 2; j < pkcsBlockLen; j++) {
/* Update i if not passed the separator and at separator. */
2019-06-24 07:53:23 +09:00
i |= (~pastSep) & ctMask16Eq(pkcsBlock[j], 0x00) & (j + 1);
pastSep |= ctMask16Eq(pkcsBlock[j], 0x00);
}
/* Minimum of 11 bytes of pre-message data - including leading 0x00. */
invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
/* Must have seen separator. */
invalid |= ~pastSep;
/* First byte must be 0x00. */
invalid |= ctMaskNotEq(pkcsBlock[0], 0x00);
/* Check against expected block type: padValue */
invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
*output = (byte *)(pkcsBlock + i);
ret = ((int)~invalid) & (pkcsBlockLen - i);
2014-12-31 15:31:50 -07:00
}
#endif
2014-12-31 15:31:50 -07:00
return ret;
2014-12-31 15:31:50 -07:00
}
/* helper function to direct unpadding
*
* bits is the key modulus size in bits
*/
int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
byte padValue, int padType, enum wc_HashType hType,
int mgf, byte* optLabel, word32 labelLen, int saltLen,
int bits, void* heap)
2016-01-05 10:56:15 -07:00
{
int ret;
switch (padType) {
2016-01-05 10:56:15 -07:00
case WC_RSA_PKCSV15_PAD:
/*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
2016-01-05 10:56:15 -07:00
ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue);
break;
#ifndef WC_NO_RSA_OAEP
2016-01-05 10:56:15 -07:00
case WC_RSA_OAEP_PAD:
WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
hType, mgf, optLabel, labelLen, heap);
2016-01-05 10:56:15 -07:00
break;
#endif
2016-01-05 10:56:15 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
case WC_RSA_PSS_PAD:
WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
saltLen, bits, heap);
2017-05-10 16:59:11 +10:00
break;
#endif
#ifdef WC_RSA_NO_PADDING
case WC_RSA_NO_PAD:
WOLFSSL_MSG("wolfSSL Using NO un-padding");
/* In the case of no padding being used check that input is exactly
* the RSA key length */
if (bits <= 0 || pkcsBlockLen !=
((word32)(bits+WOLFSSL_BIT_SIZE-1)/WOLFSSL_BIT_SIZE)) {
WOLFSSL_MSG("Bad input size");
ret = RSA_PAD_E;
}
else {
if (out != NULL) {
*out = pkcsBlock;
}
ret = pkcsBlockLen;
}
break;
#endif /* WC_RSA_NO_PADDING */
2016-01-05 10:56:15 -07:00
default:
WOLFSSL_MSG("Unknown RSA UnPad Type");
2016-01-05 10:56:15 -07:00
ret = RSA_PAD_E;
}
/* silence warning if not used with padding scheme */
2016-01-05 10:56:15 -07:00
(void)hType;
(void)mgf;
(void)optLabel;
(void)labelLen;
(void)saltLen;
2017-05-22 09:43:55 +10:00
(void)bits;
2016-06-04 19:03:48 -06:00
(void)heap;
2016-01-05 10:56:15 -07:00
return ret;
}
2016-01-14 14:26:17 -07:00
2020-10-14 16:11:23 +02:00
int wc_hash2mgf(enum wc_HashType hType)
2020-09-24 17:09:34 +02:00
{
switch (hType) {
case WC_HASH_TYPE_SHA:
2020-09-24 20:13:09 +02:00
#ifndef NO_SHA
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA1;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA224:
2020-09-24 20:13:09 +02:00
#ifdef WOLFSSL_SHA224
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA224;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA256:
2020-09-24 20:13:09 +02:00
#ifndef NO_SHA256
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA256;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA384:
2020-09-24 20:13:09 +02:00
#ifdef WOLFSSL_SHA384
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA384;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_SHA512:
2020-09-24 20:13:09 +02:00
#ifdef WOLFSSL_SHA512
2020-09-24 17:09:34 +02:00
return WC_MGF1SHA512;
2020-09-24 20:13:09 +02:00
#else
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
#endif
case WC_HASH_TYPE_NONE:
case WC_HASH_TYPE_MD2:
case WC_HASH_TYPE_MD4:
case WC_HASH_TYPE_MD5:
case WC_HASH_TYPE_MD5_SHA:
case WC_HASH_TYPE_SHA3_224:
case WC_HASH_TYPE_SHA3_256:
case WC_HASH_TYPE_SHA3_384:
case WC_HASH_TYPE_SHA3_512:
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:
default:
2020-10-14 16:11:23 +02:00
break;
2020-09-24 17:09:34 +02:00
}
2020-10-14 16:11:23 +02:00
WOLFSSL_MSG("Unrecognized or unsupported hash function");
return WC_MGF1NONE;
2020-09-24 17:09:34 +02:00
}
2017-06-07 11:37:21 -06:00
#ifdef WC_RSA_NONBLOCK
static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key)
{
int ret = 0;
word32 keyLen, len;
if (key == NULL || key->nb == NULL) {
return BAD_FUNC_ARG;
}
if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) {
if (mp_init(&key->nb->tmp) != MP_OKAY) {
ret = MP_INIT_E;
}
if (ret == 0) {
if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) {
ret = MP_READ_E;
}
}
}
if (ret == 0) {
switch(type) {
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d,
&key->n, &key->nb->tmp);
if (ret == FP_WOULDBLOCK)
return ret;
if (ret != MP_OKAY)
ret = MP_EXPTMOD_E;
break;
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e,
&key->n, &key->nb->tmp);
if (ret == FP_WOULDBLOCK)
return ret;
if (ret != MP_OKAY)
ret = MP_EXPTMOD_E;
break;
default:
ret = RSA_WRONG_TYPE_E;
break;
}
}
if (ret == 0) {
keyLen = wc_RsaEncryptSize(key);
if (keyLen > *outLen)
ret = RSA_BUFFER_E;
}
if (ret == 0) {
len = mp_unsigned_bin_size(&key->nb->tmp);
/* pad front w/ zeros to match key length */
while (len < keyLen) {
*out++ = 0x00;
len++;
}
*outLen = keyLen;
/* convert */
if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) {
ret = MP_TO_E;
}
}
mp_clear(&key->nb->tmp);
return ret;
}
#endif /* WC_RSA_NONBLOCK */
2020-05-19 16:41:51 -07:00
#ifdef WOLFSSL_XILINX_CRYPT
/*
* Xilinx hardened crypto acceleration.
*
* Returns 0 on success and negative values on error.
*/
static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
int ret = 0;
word32 keyLen;
(void)rng;
keyLen = wc_RsaEncryptSize(key);
if (keyLen > *outLen) {
WOLFSSL_MSG("Output buffer is not big enough");
return BAD_FUNC_ARG;
}
if (inLen != keyLen) {
WOLFSSL_MSG("Expected that inLen equals RSA key length");
return BAD_FUNC_ARG;
}
switch(type) {
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WOLFSSL_XILINX_CRYPTO_OLD
/* Currently public exponent is loaded by default.
* In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
* leading to private key operations with Xsecure_RsaDecrypt not being
* supported */
ret = RSA_WRONG_TYPE_E;
#else
{
byte *d;
int dSz;
XSecure_Rsa rsa;
dSz = mp_unsigned_bin_size(&key->d);
d = (byte*)XMALLOC(dSz, key->heap, DYNAMIC_TYPE_PRIVATE_KEY);
if (d == NULL) {
ret = MEMORY_E;
}
else {
ret = mp_to_unsigned_bin(&key->d, d);
XSecure_RsaInitialize(&rsa, key->mod, NULL, d);
}
if (ret == 0) {
if (XSecure_RsaPrivateDecrypt(&rsa, (u8*)in, inLen, out) !=
XST_SUCCESS) {
2020-05-19 16:41:51 -07:00
ret = BAD_STATE_E;
}
}
if (d != NULL) {
XFREE(d, key->heap, DYNAMIC_TYPE_PRIVATE_KEY);
}
2020-05-19 16:41:51 -07:00
}
#endif
break;
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
#ifdef WOLFSSL_XILINX_CRYPTO_OLD
if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
ret = BAD_STATE_E;
}
#else
/* starting at Xilinx release 2019 the function XSecure_RsaDecrypt was removed */
if (XSecure_RsaPublicEncrypt(&(key->xRsa), (u8*)in, inLen, out) != XST_SUCCESS) {
WOLFSSL_MSG("Error happened when calling hardware RSA public operation");
ret = BAD_STATE_E;
}
#endif
break;
default:
ret = RSA_WRONG_TYPE_E;
}
*outLen = keyLen;
return ret;
}
#elif defined(WOLFSSL_AFALG_XILINX_RSA)
2018-08-24 10:24:53 -06:00
#ifndef ERROR_OUT
#define ERROR_OUT(x) ret = (x); goto done
#endif
static const char WC_TYPE_ASYMKEY[] = "skcipher";
static const char WC_NAME_RSA[] = "xilinx-zynqmp-rsa";
#ifndef MAX_XILINX_RSA_KEY
/* max key size of 4096 bits / 512 bytes */
#define MAX_XILINX_RSA_KEY 512
#endif
static const byte XILINX_RSA_FLAG[] = {0x1};
/* AF_ALG implementation of RSA */
static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
struct msghdr msg;
struct cmsghdr* cmsg;
struct iovec iov;
byte* keyBuf = NULL;
word32 keyBufSz = 0;
char cbuf[CMSG_SPACE(4) + CMSG_SPACE(sizeof(struct af_alg_iv) + 1)] = {0};
int ret = 0;
int op = 0; /* decryption vs encryption flag */
word32 keyLen;
/* input and output buffer need to be aligned */
ALIGN64 byte outBuf[MAX_XILINX_RSA_KEY];
ALIGN64 byte inBuf[MAX_XILINX_RSA_KEY];
XMEMSET(&msg, 0, sizeof(struct msghdr));
(void)rng;
keyLen = wc_RsaEncryptSize(key);
if (keyLen > *outLen) {
ERROR_OUT(RSA_BUFFER_E);
}
if (keyLen > MAX_XILINX_RSA_KEY) {
WOLFSSL_MSG("RSA key size larger than supported");
ERROR_OUT(BAD_FUNC_ARG);
}
if ((keyBuf = (byte*)XMALLOC(keyLen * 2, key->heap, DYNAMIC_TYPE_KEY))
== NULL) {
ERROR_OUT(MEMORY_E);
}
if ((ret = mp_to_unsigned_bin(&(key->n), keyBuf)) != MP_OKAY) {
ERROR_OUT(MP_TO_E);
}
switch(type) {
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
op = 1; /* set as decrypt */
{
keyBufSz = mp_unsigned_bin_size(&(key->d));
if ((mp_to_unsigned_bin(&(key->d), keyBuf + keyLen))
!= MP_OKAY) {
ERROR_OUT(MP_TO_E);
}
}
break;
case RSA_PUBLIC_DECRYPT:
case RSA_PUBLIC_ENCRYPT: {
word32 exp = 0;
word32 eSz = mp_unsigned_bin_size(&(key->e));
if ((mp_to_unsigned_bin(&(key->e), (byte*)&exp +
(sizeof(word32) - eSz))) != MP_OKAY) {
ERROR_OUT(MP_TO_E);
}
keyBufSz = sizeof(word32);
XMEMCPY(keyBuf + keyLen, (byte*)&exp, keyBufSz);
break;
}
default:
ERROR_OUT(RSA_WRONG_TYPE_E);
}
keyBufSz += keyLen; /* add size of modulus */
/* check for existing sockets before creating new ones */
if (key->alFd > 0) {
close(key->alFd);
key->alFd = WC_SOCK_NOTSET;
}
if (key->rdFd > 0) {
close(key->rdFd);
key->rdFd = WC_SOCK_NOTSET;
}
/* create new sockets and set the key to use */
if ((key->alFd = wc_Afalg_Socket()) < 0) {
WOLFSSL_MSG("Unable to create socket");
ERROR_OUT(key->alFd);
}
if ((key->rdFd = wc_Afalg_CreateRead(key->alFd, WC_TYPE_ASYMKEY,
WC_NAME_RSA)) < 0) {
WOLFSSL_MSG("Unable to bind and create read/send socket");
ERROR_OUT(key->rdFd);
}
if ((ret = setsockopt(key->alFd, SOL_ALG, ALG_SET_KEY, keyBuf,
keyBufSz)) < 0) {
WOLFSSL_MSG("Error setting RSA key");
ERROR_OUT(ret);
}
msg.msg_control = cbuf;
msg.msg_controllen = sizeof(cbuf);
cmsg = CMSG_FIRSTHDR(&msg);
if ((ret = wc_Afalg_SetOp(cmsg, op)) < 0) {
ERROR_OUT(ret);
}
/* set flag in IV spot, needed for Xilinx hardware acceleration use */
cmsg = CMSG_NXTHDR(&msg, cmsg);
if ((ret = wc_Afalg_SetIv(cmsg, (byte*)XILINX_RSA_FLAG,
sizeof(XILINX_RSA_FLAG))) != 0) {
ERROR_OUT(ret);
}
/* compose and send msg */
XMEMCPY(inBuf, (byte*)in, inLen); /* for alignment */
iov.iov_base = inBuf;
iov.iov_len = inLen;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
if ((ret = sendmsg(key->rdFd, &msg, 0)) <= 0) {
ERROR_OUT(WC_AFALG_SOCK_E);
}
if ((ret = read(key->rdFd, outBuf, inLen)) <= 0) {
ERROR_OUT(WC_AFALG_SOCK_E);
}
XMEMCPY(out, outBuf, ret);
*outLen = keyLen;
done:
/* clear key data and free buffer */
if (keyBuf != NULL) {
ForceZero(keyBuf, keyBufSz);
}
XFREE(keyBuf, key->heap, DYNAMIC_TYPE_KEY);
if (key->alFd > 0) {
close(key->alFd);
key->alFd = WC_SOCK_NOTSET;
}
if (key->rdFd > 0) {
close(key->rdFd);
key->rdFd = WC_SOCK_NOTSET;
}
return ret;
}
#else
static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
#if !defined(WOLFSSL_SP_MATH)
#ifdef WOLFSSL_SMALL_STACK
2020-01-15 22:15:38 +10:00
mp_int* tmp;
#ifdef WC_RSA_BLINDING
2020-01-15 22:15:38 +10:00
mp_int* rnd;
mp_int* rndi;
#endif
#else
mp_int tmp[1];
#ifdef WC_RSA_BLINDING
mp_int rnd[1], rndi[1];
#endif
#endif
2014-12-31 15:31:50 -07:00
int ret = 0;
word32 keyLen = 0;
2018-02-08 15:50:17 +10:00
#endif
2014-12-31 15:31:50 -07:00
2017-08-10 17:27:22 +10:00
#ifdef WOLFSSL_HAVE_SP_RSA
#ifndef WOLFSSL_SP_NO_2048
if (mp_count_bits(&key->n) == 2048) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2017-08-10 17:27:22 +10:00
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
if (rng == NULL)
return MISSING_RNG_E;
#endif
#ifndef RSA_LOW_MEM
if ((mp_count_bits(&key->p) == 1024) &&
(mp_count_bits(&key->q) == 1024)) {
return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
&key->dP, &key->dQ, &key->u, &key->n,
out, outLen);
}
break;
#else
return sp_RsaPrivate_2048(in, inLen, &key->d, NULL, NULL, NULL,
NULL, NULL, &key->n, out, outLen);
#endif
#endif
2017-08-10 17:27:22 +10:00
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
}
}
#endif
#ifndef WOLFSSL_SP_NO_3072
if (mp_count_bits(&key->n) == 3072) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2017-08-10 17:27:22 +10:00
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
if (rng == NULL)
return MISSING_RNG_E;
#endif
#ifndef RSA_LOW_MEM
if ((mp_count_bits(&key->p) == 1536) &&
(mp_count_bits(&key->q) == 1536)) {
return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
&key->dP, &key->dQ, &key->u, &key->n,
out, outLen);
}
break;
#else
return sp_RsaPrivate_3072(in, inLen, &key->d, NULL, NULL, NULL,
NULL, NULL, &key->n, out, outLen);
#endif
#endif
2017-08-10 17:27:22 +10:00
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
}
}
#endif
#ifdef WOLFSSL_SP_4096
if (mp_count_bits(&key->n) == 4096) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
if (rng == NULL)
return MISSING_RNG_E;
#endif
#ifndef RSA_LOW_MEM
if ((mp_count_bits(&key->p) == 2048) &&
(mp_count_bits(&key->q) == 2048)) {
return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
&key->dP, &key->dQ, &key->u, &key->n,
out, outLen);
}
break;
#else
return sp_RsaPrivate_4096(in, inLen, &key->d, NULL, NULL, NULL,
NULL, NULL, &key->n, out, outLen);
#endif
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_4096(in, inLen, &key->e, &key->n, out, outLen);
}
}
#endif
2017-08-10 17:27:22 +10:00
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_SP_MATH)
(void)rng;
WOLFSSL_MSG("SP Key Size Error");
2018-02-08 15:50:17 +10:00
return WC_KEY_SIZE_E;
#else
(void)rng;
#ifdef WOLFSSL_SMALL_STACK
tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
if (tmp == NULL)
return MEMORY_E;
#ifdef WC_RSA_BLINDING
rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
if (rnd == NULL) {
XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
return MEMORY_E;
}
rndi = rnd + 1;
#endif /* WC_RSA_BLINDING */
#endif /* WOLFSSL_SMALL_STACK */
if (mp_init(tmp) != MP_OKAY)
ret = MP_INIT_E;
2014-12-31 15:31:50 -07:00
#ifdef WC_RSA_BLINDING
if (ret == 0) {
if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
if (mp_init_multi(rnd, rndi, NULL, NULL, NULL, NULL) != MP_OKAY) {
mp_clear(tmp);
ret = MP_INIT_E;
}
}
}
#endif
#ifndef TEST_UNPAD_CONSTANT_TIME
if (ret == 0 && mp_read_unsigned_bin(tmp, (byte*)in, inLen) != MP_OKAY)
ret = MP_READ_E;
2014-12-31 15:31:50 -07:00
if (ret == 0) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
{
#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
/* blind */
ret = mp_rand(rnd, get_digit_count(&key->n), rng);
/* rndi = 1/rnd mod n */
if (ret == 0 && mp_invmod(rnd, &key->n, rndi) != MP_OKAY)
ret = MP_INVMOD_E;
/* rnd = rnd^e */
#ifndef WOLFSSL_SP_MATH_ALL
if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY)
ret = MP_EXPTMOD_E;
#else
if (ret == 0 && mp_exptmod_nct(rnd, &key->e, &key->n,
rnd) != MP_OKAY) {
ret = MP_EXPTMOD_E;
}
#endif
/* tmp = tmp*rnd mod n */
if (ret == 0 && mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY)
ret = MP_MULMOD_E;
#endif /* WC_RSA_BLINDING && !WC_NO_RNG */
#ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
if (ret == 0 && mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
ret = MP_EXPTMOD_E;
#else
if (ret == 0) {
#ifdef WOLFSSL_SMALL_STACK
2020-01-15 22:15:38 +10:00
mp_int* tmpa;
mp_int* tmpb = NULL;
#else
mp_int tmpa[1], tmpb[1];
#endif
int cleara = 0, clearb = 0;
#ifdef WOLFSSL_SMALL_STACK
2019-03-19 13:53:27 -07:00
tmpa = (mp_int*)XMALLOC(sizeof(mp_int) * 2,
key->heap, DYNAMIC_TYPE_RSA);
if (tmpa != NULL)
tmpb = tmpa + 1;
else
ret = MEMORY_E;
#endif
2014-12-31 15:31:50 -07:00
if (ret == 0) {
if (mp_init(tmpa) != MP_OKAY)
ret = MP_INIT_E;
else
cleara = 1;
}
2014-12-31 15:31:50 -07:00
if (ret == 0) {
if (mp_init(tmpb) != MP_OKAY)
ret = MP_INIT_E;
else
clearb = 1;
}
/* tmpa = tmp^dP mod p */
if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p,
tmpa) != MP_OKAY)
ret = MP_EXPTMOD_E;
/* tmpb = tmp^dQ mod q */
if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q,
tmpb) != MP_OKAY)
ret = MP_EXPTMOD_E;
/* tmp = (tmpa - tmpb) * qInv (mod p) */
#if defined(WOLFSSL_SP_MATH) || (defined(WOLFSSL_SP_MATH_ALL) && \
!defined(WOLFSSL_SP_INT_NEGATIVE))
if (ret == 0 && mp_submod(tmpa, tmpb, &key->p, tmp) != MP_OKAY)
ret = MP_SUB_E;
#else
if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY)
ret = MP_SUB_E;
#endif
if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p,
tmp) != MP_OKAY)
ret = MP_MULMOD_E;
/* tmp = tmpb + q * tmp */
if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY)
ret = MP_MUL_E;
if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY)
ret = MP_ADD_E;
#ifdef WOLFSSL_SMALL_STACK
if (tmpa != NULL)
#endif
{
if (cleara)
mp_clear(tmpa);
if (clearb)
mp_clear(tmpb);
#ifdef WOLFSSL_SMALL_STACK
XFREE(tmpa, key->heap, DYNAMIC_TYPE_RSA);
#endif
}
} /* tmpa/b scope */
#endif /* RSA_LOW_MEM */
#ifdef WC_RSA_BLINDING
/* unblind */
if (ret == 0 && mp_mulmod(tmp, rndi, &key->n, tmp) != MP_OKAY)
ret = MP_MULMOD_E;
#endif /* WC_RSA_BLINDING */
break;
}
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY)
ret = MP_EXPTMOD_E;
2020-01-15 22:15:38 +10:00
break;
default:
ret = RSA_WRONG_TYPE_E;
break;
}
}
if (ret == 0) {
keyLen = wc_RsaEncryptSize(key);
if (keyLen > *outLen)
ret = RSA_BUFFER_E;
}
2020-05-19 16:41:51 -07:00
#ifndef WOLFSSL_XILINX_CRYPT
if (ret == 0) {
*outLen = keyLen;
if (mp_to_unsigned_bin_len(tmp, out, keyLen) != MP_OKAY)
ret = MP_TO_E;
}
2020-05-19 16:41:51 -07:00
#endif
#else
(void)type;
(void)key;
(void)keyLen;
XMEMCPY(out, in, inLen);
*outLen = inLen;
#endif
2014-12-31 15:31:50 -07:00
mp_clear(tmp);
#ifdef WOLFSSL_SMALL_STACK
XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
#endif
#ifdef WC_RSA_BLINDING
if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
mp_clear(rndi);
mp_clear(rnd);
}
#ifdef WOLFSSL_SMALL_STACK
XFREE(rnd, key->heap, DYNAMIC_TYPE_RSA);
#endif
#endif /* WC_RSA_BLINDING */
2014-12-31 15:31:50 -07:00
return ret;
#endif /* WOLFSSL_SP_MATH */
2014-12-31 15:31:50 -07:00
}
2018-08-24 10:24:53 -06:00
#endif
2014-12-31 15:31:50 -07:00
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
int ret = 0;
2014-12-31 15:31:50 -07:00
(void)rng;
#ifdef WOLFSSL_ASYNC_CRYPT_TEST
if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_FUNC)) {
WC_ASYNC_TEST* testDev = &key->asyncDev.test;
testDev->rsaFunc.in = in;
testDev->rsaFunc.inSz = inLen;
testDev->rsaFunc.out = out;
testDev->rsaFunc.outSz = outLen;
testDev->rsaFunc.type = type;
testDev->rsaFunc.key = key;
testDev->rsaFunc.rng = rng;
return WC_PENDING_E;
}
#endif /* WOLFSSL_ASYNC_CRYPT_TEST */
2014-12-31 15:31:50 -07:00
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef HAVE_CAVIUM
2018-04-03 09:14:20 -07:00
key->dataLen = key->n.raw.len;
ret = NitroxRsaExptMod(in, inLen,
key->d.raw.buf, key->d.raw.len,
key->n.raw.buf, key->n.raw.len,
out, outLen, key);
#elif defined(HAVE_INTEL_QA)
#ifdef RSA_LOW_MEM
ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
&key->d.raw, &key->n.raw,
out, outLen);
#else
ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
&key->p.raw, &key->q.raw,
&key->dP.raw, &key->dQ.raw,
&key->u.raw,
out, outLen);
#endif
#else /* WOLFSSL_ASYNC_CRYPT_TEST */
ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
#endif
break;
#endif
2014-12-31 15:31:50 -07:00
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
#ifdef HAVE_CAVIUM
2018-04-03 09:14:20 -07:00
key->dataLen = key->n.raw.len;
ret = NitroxRsaExptMod(in, inLen,
key->e.raw.buf, key->e.raw.len,
key->n.raw.buf, key->n.raw.len,
out, outLen, key);
#elif defined(HAVE_INTEL_QA)
ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
&key->e.raw, &key->n.raw,
out, outLen);
#else /* WOLFSSL_ASYNC_CRYPT_TEST */
ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
#endif
break;
default:
ret = RSA_WRONG_TYPE_E;
2016-04-14 09:33:25 -06:00
}
return ret;
}
#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
2014-12-31 15:31:50 -07:00
#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING)
/* Function that does the RSA operation directly with no padding.
*
* in buffer to do operation on
* inLen length of input buffer
* out buffer to hold results
* outSz gets set to size of result buffer. Should be passed in as length
* of out buffer. If the pointer "out" is null then outSz gets set to
* the expected buffer size needed and LENGTH_ONLY_E gets returned.
* key RSA key to use for encrypt/decrypt
* type if using private or public key {RSA_PUBLIC_ENCRYPT,
* RSA_PUBLIC_DECRYPT, RSA_PRIVATE_ENCRYPT, RSA_PRIVATE_DECRYPT}
* rng wolfSSL RNG to use if needed
*
* returns size of result on success
*/
int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz,
RsaKey* key, int type, WC_RNG* rng)
{
int ret;
if (in == NULL || outSz == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
/* sanity check on type of RSA operation */
switch (type) {
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
case RSA_PRIVATE_DECRYPT:
break;
default:
WOLFSSL_MSG("Bad RSA type");
return BAD_FUNC_ARG;
}
if ((ret = wc_RsaEncryptSize(key)) < 0) {
return BAD_FUNC_ARG;
}
if (inLen != (word32)ret) {
WOLFSSL_MSG("Bad input length. Should be RSA key size");
return BAD_FUNC_ARG;
}
if (out == NULL) {
*outSz = inLen;
return LENGTH_ONLY_E;
}
switch (key->state) {
case RSA_STATE_NONE:
case RSA_STATE_ENCRYPT_PAD:
case RSA_STATE_ENCRYPT_EXPTMOD:
case RSA_STATE_DECRYPT_EXPTMOD:
case RSA_STATE_DECRYPT_UNPAD:
key->state = (type == RSA_PRIVATE_ENCRYPT ||
type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD:
RSA_STATE_DECRYPT_EXPTMOD;
key->dataLen = *outSz;
ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng);
if (ret >= 0 || ret == WC_PENDING_E) {
key->state = (type == RSA_PRIVATE_ENCRYPT ||
type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES:
RSA_STATE_DECRYPT_RES;
}
if (ret < 0) {
break;
}
FALL_THROUGH;
case RSA_STATE_ENCRYPT_RES:
case RSA_STATE_DECRYPT_RES:
ret = key->dataLen;
break;
default:
ret = BAD_STATE_E;
}
/* if async pending then skip cleanup*/
if (ret == WC_PENDING_E
#ifdef WC_RSA_NONBLOCK
|| ret == FP_WOULDBLOCK
#endif
) {
return ret;
}
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
return ret;
}
#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */
2019-03-27 20:44:38 -07:00
#if defined(WOLFSSL_CRYPTOCELL)
static int cc310_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
CRYSError_t ret = 0;
CRYS_RSAPrimeData_t primeData;
int modulusSize = wc_RsaEncryptSize(key);
/* The out buffer must be at least modulus size bytes long. */
if (outLen < modulusSize)
return BAD_FUNC_ARG;
ret = CRYS_RSA_PKCS1v15_Encrypt(&wc_rndState,
wc_rndGenVectFunc,
&key->ctx.pubKey,
&primeData,
(byte*)in,
inLen,
out);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Encrypt failed");
return -1;
}
return modulusSize;
}
static int cc310_RsaPublicDecrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
CRYSError_t ret = 0;
CRYS_RSAPrimeData_t primeData;
uint16_t actualOutLen = outLen;
ret = CRYS_RSA_PKCS1v15_Decrypt(&key->ctx.privKey,
&primeData,
(byte*)in,
inLen,
out,
&actualOutLen);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Decrypt failed");
return -1;
}
return actualOutLen;
}
int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
2019-03-27 20:44:38 -07:00
{
CRYSError_t ret = 0;
uint16_t actualOutLen = outLen*sizeof(byte);
CRYS_RSAPrivUserContext_t contextPrivate;
ret = CRYS_RSA_PKCS1v15_Sign(&wc_rndState,
wc_rndGenVectFunc,
&contextPrivate,
&key->ctx.privKey,
mode,
(byte*)in,
inLen,
out,
&actualOutLen);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Sign failed");
return -1;
}
return actualOutLen;
}
int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
2019-03-27 20:44:38 -07:00
{
CRYSError_t ret = 0;
CRYS_RSAPubUserContext_t contextPub;
/* verify the signature in the sig pointer */
ret = CRYS_RSA_PKCS1v15_Verify(&contextPub,
&key->ctx.pubKey,
mode,
(byte*)in,
inLen,
sig);
if (ret != SA_SILIB_RET_OK){
WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Verify failed");
return -1;
}
return ret;
}
#endif /* WOLFSSL_CRYPTOCELL */
int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
2018-02-22 17:17:54 -08:00
int ret = 0;
2014-12-31 15:31:50 -07:00
if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
#ifdef WOLF_CRYPTO_CB
if (key->devId != INVALID_DEVID) {
ret = wc_CryptoCb_Rsa(in, inLen, out, outLen, type, key, rng);
if (ret != CRYPTOCB_UNAVAILABLE)
return ret;
/* fall-through when unavailable */
ret = 0; /* reset error code and try using software */
}
#endif
#ifndef TEST_UNPAD_CONSTANT_TIME
2018-02-22 17:17:54 -08:00
#ifndef NO_RSA_BOUNDS_CHECK
if (type == RSA_PRIVATE_DECRYPT &&
key->state == RSA_STATE_DECRYPT_EXPTMOD) {
/* Check that 1 < in < n-1. (Requirement of 800-56B.) */
#ifdef WOLFSSL_SMALL_STACK
2020-01-15 22:15:38 +10:00
mp_int* c;
#else
mp_int c[1];
#endif
2018-02-22 17:17:54 -08:00
#ifdef WOLFSSL_SMALL_STACK
c = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
if (c == NULL)
ret = MEMORY_E;
#endif
if (mp_init(c) != MP_OKAY)
2020-07-09 15:13:01 -07:00
ret = MP_INIT_E;
2018-02-22 17:17:54 -08:00
if (ret == 0) {
if (mp_read_unsigned_bin(c, in, inLen) != 0)
2018-02-22 17:17:54 -08:00
ret = MP_READ_E;
}
if (ret == 0) {
/* check c > 1 */
if (mp_cmp_d(c, 1) != MP_GT)
2018-02-22 17:17:54 -08:00
ret = RSA_OUT_OF_RANGE_E;
}
2018-04-13 07:35:18 -05:00
if (ret == 0) {
/* add c+1 */
if (mp_add_d(c, 1, c) != MP_OKAY)
2018-04-13 07:35:18 -05:00
ret = MP_ADD_E;
}
2018-02-22 17:17:54 -08:00
if (ret == 0) {
/* check c+1 < n */
if (mp_cmp(c, &key->n) != MP_LT)
2018-02-22 17:17:54 -08:00
ret = RSA_OUT_OF_RANGE_E;
}
mp_clear(c);
#ifdef WOLFSSL_SMALL_STACK
XFREE(c, key->heap, DYNAMIC_TYPE_RSA);
#endif
2018-02-22 17:17:54 -08:00
if (ret != 0)
return ret;
}
#endif /* NO_RSA_BOUNDS_CHECK */
#endif
2018-02-22 17:17:54 -08:00
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
key->n.raw.len > 0) {
ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
}
else
#endif
#ifdef WC_RSA_NONBLOCK
if (key->nb) {
ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
}
else
#endif
{
ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
}
/* handle error */
if (ret < 0 && ret != WC_PENDING_E
#ifdef WC_RSA_NONBLOCK
&& ret != FP_WOULDBLOCK
#endif
) {
if (ret == MP_EXPTMOD_E) {
/* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
}
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
}
return ret;
2014-12-31 15:31:50 -07:00
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* Internal Wrappers */
/* Gives the option of choosing padding type
2016-01-05 10:56:15 -07:00
in : input to be encrypted
inLen: length of input buffer
out: encrypted output
outLen: length of encrypted output buffer
key : wolfSSL initialized RSA key struct
2016-01-05 10:56:15 -07:00
rng : wolfSSL initialized random number struct
rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
WC_RSA_NO_PAD or WC_RSA_PSS_PAD
2016-01-05 10:56:15 -07:00
hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
mgf : type of mask generation function to use
label : optional label
labelSz : size of optional label buffer
saltLen : Length of salt used in PSS
rng : random number generator */
static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, int rsa_type,
byte pad_value, int pad_type,
enum wc_HashType hash, int mgf,
byte* label, word32 labelSz, int saltLen,
WC_RNG* rng)
2016-01-05 10:56:15 -07:00
{
int ret, sz;
2016-01-05 10:56:15 -07:00
if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
2016-01-05 10:56:15 -07:00
sz = wc_RsaEncryptSize(key);
if (sz > (int)outLen) {
2016-01-05 10:56:15 -07:00
return RSA_BUFFER_E;
}
2016-01-05 10:56:15 -07:00
2016-04-14 09:33:25 -06:00
if (sz < RSA_MIN_PAD_SZ) {
return WC_KEY_SIZE_E;
}
if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
#ifdef WC_RSA_NO_PADDING
/* In the case that no padding is used the input length can and should
* be the same size as the RSA key. */
if (pad_type != WC_RSA_NO_PAD)
#endif
2016-01-05 10:56:15 -07:00
return RSA_BUFFER_E;
}
2016-01-05 10:56:15 -07:00
switch (key->state) {
case RSA_STATE_NONE:
case RSA_STATE_ENCRYPT_PAD:
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(HAVE_CAVIUM)
2018-04-03 09:14:20 -07:00
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) {
/* Async operations that include padding */
if (rsa_type == RSA_PUBLIC_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
key->state = RSA_STATE_ENCRYPT_RES;
key->dataLen = key->n.raw.len;
return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
}
else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
key->state = RSA_STATE_ENCRYPT_RES;
key->dataLen = key->n.raw.len;
return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
}
}
2019-03-27 20:44:38 -07:00
#elif defined(WOLFSSL_CRYPTOCELL)
if (rsa_type == RSA_PUBLIC_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
return cc310_RsaPublicEncrypt(in, inLen, out, outLen, key);
}
else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
cc310_hashModeRSA(hash, 0));
2019-03-27 20:44:38 -07:00
}
#endif /* WOLFSSL_CRYPTOCELL */
key->state = RSA_STATE_ENCRYPT_PAD;
ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash,
mgf, label, labelSz, saltLen, mp_count_bits(&key->n),
2017-05-22 09:43:55 +10:00
key->heap);
if (ret < 0) {
break;
}
key->state = RSA_STATE_ENCRYPT_EXPTMOD;
FALL_THROUGH;
case RSA_STATE_ENCRYPT_EXPTMOD:
key->dataLen = outLen;
ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng);
if (ret >= 0 || ret == WC_PENDING_E) {
key->state = RSA_STATE_ENCRYPT_RES;
}
if (ret < 0) {
break;
}
FALL_THROUGH;
case RSA_STATE_ENCRYPT_RES:
ret = key->dataLen;
break;
default:
ret = BAD_STATE_E;
break;
}
/* if async pending then return and skip done cleanup below */
if (ret == WC_PENDING_E
#ifdef WC_RSA_NONBLOCK
|| ret == FP_WOULDBLOCK
#endif
) {
2016-01-05 10:56:15 -07:00
return ret;
}
2016-01-05 10:56:15 -07:00
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
2016-01-05 10:56:15 -07:00
return ret;
}
2019-03-27 20:44:38 -07:00
#endif
/* Gives the option of choosing padding type
in : input to be decrypted
inLen: length of input buffer
out: decrypted message
outLen: length of decrypted message in bytes
outPtr: optional inline output pointer (if provided doing inline)
key : wolfSSL initialized RSA key struct
rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
WC_RSA_NO_PAD, WC_RSA_PSS_PAD
hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
mgf : type of mask generation function to use
label : optional label
labelSz : size of optional label buffer
saltLen : Length of salt used in PSS
rng : random number generator */
static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
word32 outLen, byte** outPtr, RsaKey* key,
int rsa_type, byte pad_value, int pad_type,
enum wc_HashType hash, int mgf,
byte* label, word32 labelSz, int saltLen,
WC_RNG* rng)
{
int ret = RSA_WRONG_TYPE_E;
2019-12-18 07:09:26 -08:00
byte* pad = NULL;
if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
switch (key->state) {
case RSA_STATE_NONE:
key->dataLen = inLen;
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(HAVE_CAVIUM)
/* Async operations that include padding */
2018-04-03 09:14:20 -07:00
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
pad_type != WC_RSA_PSS_PAD) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (rsa_type == RSA_PRIVATE_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
key->state = RSA_STATE_DECRYPT_RES;
key->data = NULL;
2018-04-03 09:14:20 -07:00
return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
key);
#endif
}
else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
key->state = RSA_STATE_DECRYPT_RES;
key->data = NULL;
return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
}
}
2019-03-27 20:44:38 -07:00
#elif defined(WOLFSSL_CRYPTOCELL)
if (rsa_type == RSA_PRIVATE_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
ret = cc310_RsaPublicDecrypt(in, inLen, out, outLen, key);
if (outPtr != NULL)
*outPtr = out; /* for inline */
return ret;
}
else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
return cc310_RsaSSL_Verify(in, inLen, out, key,
cc310_hashModeRSA(hash, 0));
2019-03-27 20:44:38 -07:00
}
#endif /* WOLFSSL_CRYPTOCELL */
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
/* verify the tmp ptr is NULL, otherwise indicates bad state */
if (key->data != NULL) {
ret = BAD_STATE_E;
break;
}
/* if not doing this inline then allocate a buffer for it */
if (outPtr == NULL) {
key->data = (byte*)XMALLOC(inLen, key->heap,
DYNAMIC_TYPE_WOLF_BIGINT);
key->dataIsAlloc = 1;
if (key->data == NULL) {
ret = MEMORY_E;
break;
}
XMEMCPY(key->data, in, inLen);
}
else {
key->data = out;
}
#endif
key->state = RSA_STATE_DECRYPT_EXPTMOD;
FALL_THROUGH;
case RSA_STATE_DECRYPT_EXPTMOD:
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen,
rsa_type, key, rng);
#else
2019-09-11 22:27:52 -07:00
ret = wc_RsaFunction(in, inLen, out, &key->dataLen, rsa_type, key, rng);
#endif
if (ret >= 0 || ret == WC_PENDING_E) {
key->state = RSA_STATE_DECRYPT_UNPAD;
}
if (ret < 0) {
break;
}
FALL_THROUGH;
case RSA_STATE_DECRYPT_UNPAD:
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
hash, mgf, label, labelSz, saltLen,
mp_count_bits(&key->n), key->heap);
#else
ret = wc_RsaUnPad_ex(out, key->dataLen, &pad, pad_value, pad_type, hash,
mgf, label, labelSz, saltLen,
mp_count_bits(&key->n), key->heap);
#endif
if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
ret = RSA_BUFFER_E;
else if (ret >= 0 && pad != NULL) {
2019-09-11 22:27:52 -07:00
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
signed char c;
#endif
/* only copy output if not inline */
if (outPtr == NULL) {
2019-09-11 22:27:52 -07:00
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2020-01-30 12:23:38 +10:00
if (rsa_type == RSA_PRIVATE_DECRYPT) {
word32 i, j;
int start = (int)((size_t)pad - (size_t)key->data);
2020-01-30 12:23:38 +10:00
for (i = 0, j = 0; j < key->dataLen; j++) {
out[i] = key->data[j];
c = ctMaskGTE(j, start);
c &= ctMaskLT(i, outLen);
/* 0 - no add, -1 add */
i += (word32)((byte)(-c));
}
}
2020-01-30 12:23:38 +10:00
else
#endif
2020-01-30 12:23:38 +10:00
{
XMEMCPY(out, pad, ret);
}
}
else
*outPtr = pad;
#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E);
ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E);
#else
if (outLen < (word32)ret)
ret = RSA_BUFFER_E;
#endif
}
key->state = RSA_STATE_DECRYPT_RES;
FALL_THROUGH;
2019-12-18 07:09:26 -08:00
case RSA_STATE_DECRYPT_RES:
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(HAVE_CAVIUM)
2018-04-03 09:14:20 -07:00
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
pad_type != WC_RSA_PSS_PAD) {
if (ret > 0) {
/* convert result */
byte* dataLen = (byte*)&key->dataLen;
ret = (dataLen[0] << 8) | (dataLen[1]);
2018-04-03 09:14:20 -07:00
if (outPtr)
*outPtr = in;
}
}
#endif
break;
default:
ret = BAD_STATE_E;
break;
}
/* if async pending then return and skip done cleanup below */
if (ret == WC_PENDING_E
#ifdef WC_RSA_NONBLOCK
|| ret == FP_WOULDBLOCK
#endif
) {
return ret;
}
key->state = RSA_STATE_NONE;
wc_RsaCleanup(key);
return ret;
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* Public RSA Functions */
int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, WC_RNG* rng)
{
return RsaPublicEncryptEx(in, inLen, out, outLen, key,
RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
}
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, WC_RNG* rng, int type,
enum wc_HashType hash, int mgf, byte* label,
word32 labelSz)
{
return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
2016-01-05 10:56:15 -07:00
}
2016-01-14 14:26:17 -07:00
#endif /* WC_NO_RSA_OAEP */
#endif
2016-01-05 10:56:15 -07:00
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2014-12-31 15:31:50 -07:00
int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
#endif
return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2014-12-31 15:31:50 -07:00
}
2016-01-14 14:26:17 -07:00
#ifndef WC_NO_RSA_OAEP
2016-01-05 10:56:15 -07:00
int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
RsaKey* key, int type, enum wc_HashType hash,
int mgf, byte* label, word32 labelSz)
2016-01-05 10:56:15 -07:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
#endif
return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
mgf, label, labelSz, 0, rng);
2016-01-05 10:56:15 -07:00
}
2016-01-14 14:26:17 -07:00
#endif /* WC_NO_RSA_OAEP */
2016-01-05 10:56:15 -07:00
int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
2014-12-31 15:31:50 -07:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2014-12-31 15:31:50 -07:00
#endif
return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2014-12-31 15:31:50 -07:00
}
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, int type,
enum wc_HashType hash, int mgf, byte* label,
word32 labelSz)
2016-01-05 10:56:15 -07:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2016-01-05 10:56:15 -07:00
#endif
return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
labelSz, 0, rng);
2016-01-05 10:56:15 -07:00
}
#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2016-01-05 10:56:15 -07:00
#if !defined(WOLFSSL_CRYPTOCELL)
2014-12-31 15:31:50 -07:00
int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2014-12-31 15:31:50 -07:00
#endif
return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2014-12-31 15:31:50 -07:00
}
#endif
2014-12-31 15:31:50 -07:00
#ifndef WOLFSSL_RSA_VERIFY_ONLY
2014-12-31 15:31:50 -07:00
int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key)
{
2020-10-14 16:11:23 +02:00
return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key, WC_RSA_PKCSV15_PAD);
}
int wc_RsaSSL_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, int pad_type)
2020-10-14 16:11:23 +02:00
{
return wc_RsaSSL_Verify_ex2(in, inLen, out, outLen, key, pad_type,
WC_HASH_TYPE_NONE);
}
int wc_RsaSSL_Verify_ex2(const byte* in, word32 inLen, byte* out, word32 outLen,
2020-09-24 17:09:34 +02:00
RsaKey* key, int pad_type, enum wc_HashType hash)
2014-12-31 15:31:50 -07:00
{
2017-06-05 15:04:56 -06:00
WC_RNG* rng;
if (key == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2014-12-31 15:31:50 -07:00
#endif
2019-03-27 20:44:38 -07:00
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
2020-10-14 16:11:23 +02:00
hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DEFAULT, rng);
#else
return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
2020-10-14 16:11:23 +02:00
hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DISCOVER, rng);
#endif
2014-12-31 15:31:50 -07:00
}
#endif
2014-12-31 15:31:50 -07:00
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_PSS
/* Verify the message signed with RSA-PSS.
2019-07-29 08:14:07 -07:00
* The input buffer is reused for the output buffer.
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
2017-05-10 16:59:11 +10:00
int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
enum wc_HashType hash, int mgf, RsaKey* key)
{
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
RSA_PSS_SALT_LEN_DEFAULT, key);
#else
return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
RSA_PSS_SALT_LEN_DISCOVER, key);
#endif
}
/* Verify the message signed with RSA-PSS.
2019-07-29 08:14:07 -07:00
* The input buffer is reused for the output buffer.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out,
enum wc_HashType hash, int mgf, int saltLen,
RsaKey* key)
2017-05-10 16:59:11 +10:00
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
2017-05-10 16:59:11 +10:00
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
2017-05-10 16:59:11 +10:00
#endif
return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
hash, mgf, NULL, 0, saltLen, rng);
2017-05-10 16:59:11 +10:00
}
2017-05-18 15:32:06 +10:00
/* Verify the message signed with RSA-PSS.
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_Verify(byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, RsaKey* key)
{
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
RSA_PSS_SALT_LEN_DEFAULT, key);
#else
return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
RSA_PSS_SALT_LEN_DISCOVER, key);
#endif
}
/* Verify the message signed with RSA-PSS.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, int saltLen,
RsaKey* key)
{
2020-01-15 22:15:38 +10:00
WC_RNG* rng;
#ifdef WC_RSA_BLINDING
rng = key->rng;
2020-01-15 22:15:38 +10:00
#else
rng = NULL;
#endif
return RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
hash, mgf, NULL, 0, saltLen, rng);
}
/* Checks the PSS data to ensure that the signature matches.
* Salt length is equal to hash length.
*
* in Hash of the data that is being verified.
* inSz Length of hash.
* sig Buffer holding PSS data.
* sigSz Size of PSS data.
* hashType Hash algorithm.
* returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
* NULL is passed in to in or sig or inSz is not the same as the hash
* algorithm length and 0 on success.
2017-05-18 15:32:06 +10:00
*/
int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
word32 sigSz, enum wc_HashType hashType)
{
2018-03-29 17:04:59 -07:00
return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0);
}
/* Checks the PSS data to ensure that the signature matches.
*
* in Hash of the data that is being verified.
* inSz Length of hash.
* sig Buffer holding PSS data.
* sigSz Size of PSS data.
* hashType Hash algorithm.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
* NULL is passed in to in or sig or inSz is not the same as the hash
* algorithm length and 0 on success.
*/
int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig,
word32 sigSz, enum wc_HashType hashType,
2018-03-29 17:04:59 -07:00
int saltLen, int bits)
{
int ret = 0;
#ifndef WOLFSSL_PSS_LONG_SALT
2018-03-29 17:04:59 -07:00
byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
#else
byte *sigCheck = NULL;
#endif
2018-03-29 17:04:59 -07:00
(void)bits;
2017-05-18 15:32:06 +10:00
if (in == NULL || sig == NULL ||
inSz != (word32)wc_HashGetDigestSize(hashType)) {
2017-05-18 15:32:06 +10:00
ret = BAD_FUNC_ARG;
}
if (ret == 0) {
if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
saltLen = inSz;
2018-03-29 17:04:59 -07:00
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) {
2018-03-29 17:04:59 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
}
2018-03-29 17:04:59 -07:00
#endif
}
#ifndef WOLFSSL_PSS_LONG_SALT
else if ((word32)saltLen > inSz) {
ret = PSS_SALTLEN_E;
}
#endif
#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
ret = PSS_SALTLEN_E;
}
#else
else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
saltLen = sigSz - inSz;
if (saltLen < 0) {
ret = PSS_SALTLEN_E;
}
}
else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
ret = PSS_SALTLEN_E;
}
#endif
}
2018-03-29 17:04:59 -07:00
/* Sig = Salt | Exp Hash */
if (ret == 0) {
if (sigSz != inSz + saltLen) {
ret = PSS_SALTLEN_E;
}
}
2018-03-29 17:04:59 -07:00
#ifdef WOLFSSL_PSS_LONG_SALT
if (ret == 0) {
sigCheck = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inSz + saltLen, NULL,
DYNAMIC_TYPE_RSA_BUFFER);
if (sigCheck == NULL) {
ret = MEMORY_E;
}
}
#endif
/* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
if (ret == 0) {
2018-03-29 17:04:59 -07:00
XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen);
ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen,
sigCheck, inSz);
}
if (ret == 0) {
2018-03-29 17:04:59 -07:00
if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
2017-05-18 15:32:06 +10:00
ret = BAD_PADDING_E;
}
2017-05-18 15:32:06 +10:00
}
#ifdef WOLFSSL_PSS_LONG_SALT
if (sigCheck != NULL) {
XFREE(sigCheck, NULL, DYNAMIC_TYPE_RSA_BUFFER);
}
#endif
2017-05-18 15:32:06 +10:00
return ret;
}
2018-03-28 13:58:25 -07:00
/* Verify the message signed with RSA-PSS.
2019-07-29 08:14:07 -07:00
* The input buffer is reused for the output buffer.
2018-03-28 13:58:25 -07:00
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* digest Hash of the data that is being verified.
* digestLen Length of hash.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
const byte* digest, word32 digestLen,
enum wc_HashType hash, int mgf, RsaKey* key)
{
2018-03-29 17:04:59 -07:00
int ret = 0, verify, saltLen, hLen, bits = 0;
2018-03-28 13:58:25 -07:00
hLen = wc_HashGetDigestSize(hash);
if (hLen < 0)
2020-10-24 13:06:42 -07:00
return BAD_FUNC_ARG;
2018-03-28 13:58:25 -07:00
if ((word32)hLen != digestLen)
return BAD_FUNC_ARG;
saltLen = hLen;
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
2018-03-29 17:04:59 -07:00
bits = mp_count_bits(&key->n);
if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
#endif
verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
if (verify > 0)
ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify,
2018-03-29 17:04:59 -07:00
hash, saltLen, bits);
2018-03-28 13:58:25 -07:00
if (ret == 0)
ret = verify;
return ret;
}
/* Verify the message signed with RSA-PSS.
* Salt length is equal to hash length.
*
* in Buffer holding encrypted data.
* inLen Length of data in buffer.
* out Pointer to address containing the PSS data.
* outLen Length of the output.
* digest Hash of the data that is being verified.
* digestLen Length of hash.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* returns the length of the PSS data on success and negative indicates failure.
*/
int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
const byte* digest, word32 digestLen,
enum wc_HashType hash, int mgf,
RsaKey* key)
{
2018-03-29 17:04:59 -07:00
int ret = 0, verify, saltLen, hLen, bits = 0;
2018-03-28 13:58:25 -07:00
hLen = wc_HashGetDigestSize(hash);
if (hLen < 0)
return hLen;
if ((word32)hLen != digestLen)
return BAD_FUNC_ARG;
saltLen = hLen;
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
2018-03-29 17:04:59 -07:00
bits = mp_count_bits(&key->n);
if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2018-03-28 13:58:25 -07:00
saltLen = RSA_PSS_SALT_MAX_SZ;
#endif
verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
mgf, saltLen, key);
if (verify > 0)
ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify,
2018-03-29 17:04:59 -07:00
hash, saltLen, bits);
2018-03-28 13:58:25 -07:00
if (ret == 0)
ret = verify;
return ret;
}
2017-05-10 16:59:11 +10:00
#endif
2014-12-31 15:31:50 -07:00
2020-02-23 15:58:28 -08:00
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
2014-12-31 15:31:50 -07:00
int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
return RsaPublicEncryptEx(in, inLen, out, outLen, key,
RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2014-12-31 15:31:50 -07:00
}
2017-05-12 11:33:52 +10:00
#ifdef WC_RSA_PSS
/* Sign the hash of a message using RSA-PSS.
* Salt length is equal to hash length.
*
* in Buffer holding hash of message.
* inLen Length of data in buffer (hash length).
* out Buffer to write encrypted signature into.
* outLen Size of buffer to write to.
* hash Hash algorithm.
* mgf Mask generation function.
* key Public RSA key.
* rng Random number generator.
* returns the length of the encrypted signature on success, a negative value
* indicates failure.
*/
2017-05-12 11:33:52 +10:00
int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
{
return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf,
RSA_PSS_SALT_LEN_DEFAULT, key, rng);
}
/* Sign the hash of a message using RSA-PSS.
*
* in Buffer holding hash of message.
* inLen Length of data in buffer (hash length).
* out Buffer to write encrypted signature into.
* outLen Size of buffer to write to.
* hash Hash algorithm.
* mgf Mask generation function.
* saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
* length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
* indicates salt length is determined from the data.
* key Public RSA key.
* rng Random number generator.
* returns the length of the encrypted signature on success, a negative value
* indicates failure.
*/
int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, int saltLen, RsaKey* key,
WC_RNG* rng)
2017-05-12 11:33:52 +10:00
{
return RsaPublicEncryptEx(in, inLen, out, outLen, key,
RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
hash, mgf, NULL, 0, saltLen, rng);
2017-05-12 11:33:52 +10:00
}
#endif
#endif
2014-12-31 15:31:50 -07:00
2019-03-18 11:44:10 +10:00
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || !defined(WOLFSSL_SP_MATH) || \
defined(WC_RSA_PSS)
2014-12-31 15:31:50 -07:00
int wc_RsaEncryptSize(RsaKey* key)
{
int ret;
2017-06-05 15:04:56 -06:00
if (key == NULL) {
return BAD_FUNC_ARG;
}
ret = mp_unsigned_bin_size(&key->n);
#ifdef WOLF_CRYPTO_CB
if (ret == 0 && key->devId != INVALID_DEVID) {
ret = 2048/8; /* hardware handles, use 2048-bit as default */
}
#endif
return ret;
2014-12-31 15:31:50 -07:00
}
#endif
2014-12-31 15:31:50 -07:00
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* flatten RsaKey structure into individual elements (e, n) */
int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
word32* nSz)
2014-12-31 15:31:50 -07:00
{
int sz, ret;
if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
return BAD_FUNC_ARG;
}
2014-12-31 15:31:50 -07:00
sz = mp_unsigned_bin_size(&key->e);
2016-07-12 16:28:59 -06:00
if ((word32)sz > *eSz)
2014-12-31 15:31:50 -07:00
return RSA_BUFFER_E;
ret = mp_to_unsigned_bin(&key->e, e);
if (ret != MP_OKAY)
return ret;
*eSz = (word32)sz;
sz = wc_RsaEncryptSize(key);
2014-12-31 15:31:50 -07:00
if ((word32)sz > *nSz)
return RSA_BUFFER_E;
ret = mp_to_unsigned_bin(&key->n, n);
if (ret != MP_OKAY)
return ret;
*nSz = (word32)sz;
return 0;
}
#endif
2017-10-31 13:30:06 -07:00
#endif /* HAVE_FIPS */
#ifndef WOLFSSL_RSA_VERIFY_ONLY
2017-10-31 13:30:06 -07:00
static int RsaGetValue(mp_int* in, byte* out, word32* outSz)
{
word32 sz;
int ret = 0;
2018-05-23 13:27:36 +10:00
/* Parameters ensured by calling function. */
2018-01-12 15:37:22 -08:00
2017-10-31 13:30:06 -07:00
sz = (word32)mp_unsigned_bin_size(in);
if (sz > *outSz)
ret = RSA_BUFFER_E;
if (ret == 0)
ret = mp_to_unsigned_bin(in, out);
if (ret == MP_OKAY)
*outSz = sz;
return ret;
}
int wc_RsaExportKey(RsaKey* key,
byte* e, word32* eSz, byte* n, word32* nSz,
byte* d, word32* dSz, byte* p, word32* pSz,
byte* q, word32* qSz)
{
int ret = BAD_FUNC_ARG;
if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz)
ret = 0;
if (ret == 0)
ret = RsaGetValue(&key->e, e, eSz);
if (ret == 0)
ret = RsaGetValue(&key->n, n, nSz);
2018-12-19 15:30:22 -07:00
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2017-10-31 13:30:06 -07:00
if (ret == 0)
ret = RsaGetValue(&key->d, d, dSz);
if (ret == 0)
ret = RsaGetValue(&key->p, p, pSz);
if (ret == 0)
ret = RsaGetValue(&key->q, q, qSz);
2018-12-19 15:30:22 -07:00
#else
/* no private parts to key */
if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL
|| qSz == NULL) {
ret = BAD_FUNC_ARG;
}
else {
*dSz = 0;
*pSz = 0;
*qSz = 0;
}
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2017-10-31 13:30:06 -07:00
return ret;
}
#endif
2017-10-31 13:30:06 -07:00
2014-12-31 15:31:50 -07:00
#ifdef WOLFSSL_KEY_GEN
2017-10-24 11:51:22 -07:00
/* Check that |p-q| > 2^((size/2)-100) */
static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size)
{
mp_int c, d;
int ret;
if (p == NULL || q == NULL)
return BAD_FUNC_ARG;
ret = mp_init_multi(&c, &d, NULL, NULL, NULL, NULL);
/* c = 2^((size/2)-100) */
if (ret == 0)
ret = mp_2expt(&c, (size/2)-100);
/* d = |p-q| */
if (ret == 0)
ret = mp_sub(p, q, &d);
#if !defined(WOLFSSL_SP_MATH) && (!defined(WOLFSSL_SP_MATH_ALL) || \
defined(WOLFSSL_SP_INT_NEGATIVE))
2017-10-24 11:51:22 -07:00
if (ret == 0)
ret = mp_abs(&d, &d);
#endif
2017-10-24 11:51:22 -07:00
/* compare */
if (ret == 0)
ret = mp_cmp(&d, &c);
if (ret == MP_GT)
ret = MP_OKAY;
mp_clear(&d);
mp_clear(&c);
return ret;
}
/* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096.
* This number was calculated using a small test tool written with a common
* large number math library. Other values of nlen may be checked with a subset
* of lower_bound. */
static const byte lower_bound[] = {
0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84,
0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F,
0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C,
0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15,
/* 512 */
0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3,
0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39,
0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A,
0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68,
/* 1024 */
0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E,
0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B,
0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A,
0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33,
0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC,
0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D,
0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E,
0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A,
/* 2048 */
0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD,
0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C,
0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51,
0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7,
0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F,
0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF,
0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07,
0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2,
/* 3072 */
0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33,
0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2,
0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82,
0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80,
0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05,
0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23,
0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B,
0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1
/* 4096 */
};
2018-01-17 11:34:27 -07:00
/* returns 1 on key size ok and 0 if not ok */
2018-06-26 11:40:34 -07:00
static WC_INLINE int RsaSizeCheck(int size)
2017-10-24 11:51:22 -07:00
{
2018-01-17 11:34:27 -07:00
if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) {
return 0;
}
#ifdef HAVE_FIPS
/* Key size requirements for CAVP */
2017-10-24 11:51:22 -07:00
switch (size) {
case 1024:
case 2048:
case 3072:
case 4096:
return 1;
}
2018-01-17 11:34:27 -07:00
2017-10-24 11:51:22 -07:00
return 0;
2018-01-17 11:34:27 -07:00
#else
return 1; /* allow unusual key sizes in non FIPS mode */
#endif /* HAVE_FIPS */
2017-10-24 11:51:22 -07:00
}
2018-07-12 14:58:19 -07:00
static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
int* isPrime, WC_RNG* rng)
2017-10-24 11:51:22 -07:00
{
int ret;
mp_int tmp1, tmp2;
mp_int* prime;
if (p == NULL || e == NULL || isPrime == NULL)
return BAD_FUNC_ARG;
if (!RsaSizeCheck(nlen))
return BAD_FUNC_ARG;
*isPrime = MP_NO;
if (q != NULL) {
/* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
ret = wc_CompareDiffPQ(p, q, nlen);
if (ret != MP_OKAY) goto notOkay;
prime = q;
}
else
prime = p;
ret = mp_init_multi(&tmp1, &tmp2, NULL, NULL, NULL, NULL);
if (ret != MP_OKAY) goto notOkay;
/* 4.4,5.5 - Check that prime >= (2^(1/2))(2^((nlen/2)-1))
* This is a comparison against lowerBound */
ret = mp_read_unsigned_bin(&tmp1, lower_bound, nlen/16);
if (ret != MP_OKAY) goto notOkay;
ret = mp_cmp(prime, &tmp1);
if (ret == MP_LT) goto exit;
/* 4.5,5.6 - Check that GCD(p-1, e) == 1 */
ret = mp_sub_d(prime, 1, &tmp1); /* tmp1 = prime-1 */
if (ret != MP_OKAY) goto notOkay;
ret = mp_gcd(&tmp1, e, &tmp2); /* tmp2 = gcd(prime-1, e) */
if (ret != MP_OKAY) goto notOkay;
ret = mp_cmp_d(&tmp2, 1);
if (ret != MP_EQ) goto exit; /* e divides p-1 */
2018-07-12 14:58:19 -07:00
/* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R.
2018-12-10 16:51:54 -08:00
* mp_prime_is_prime_ex() performs test divisions against the first 256
2018-07-12 14:58:19 -07:00
* prime numbers. After that it performs 8 rounds of M-R using random
* bases between 2 and n-2.
* mp_prime_is_prime() performs the same test divisions and then does
* M-R with the first 8 primes. Both functions set isPrime as a
* side-effect. */
if (rng != NULL)
ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng);
else
ret = mp_prime_is_prime(prime, 8, isPrime);
2017-10-24 11:51:22 -07:00
if (ret != MP_OKAY) goto notOkay;
exit:
ret = MP_OKAY;
notOkay:
mp_clear(&tmp1);
mp_clear(&tmp2);
return ret;
}
2018-07-12 14:58:19 -07:00
int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
2017-10-24 11:51:22 -07:00
const byte* qRaw, word32 qRawSz,
const byte* eRaw, word32 eRawSz,
2018-07-12 14:58:19 -07:00
int nlen, int* isPrime, WC_RNG* rng)
2017-10-24 11:51:22 -07:00
{
mp_int p, q, e;
mp_int* Q = NULL;
int ret;
if (pRaw == NULL || pRawSz == 0 ||
eRaw == NULL || eRawSz == 0 ||
isPrime == NULL) {
return BAD_FUNC_ARG;
}
if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0))
return BAD_FUNC_ARG;
ret = mp_init_multi(&p, &q, &e, NULL, NULL, NULL);
if (ret == MP_OKAY)
ret = mp_read_unsigned_bin(&p, pRaw, pRawSz);
if (ret == MP_OKAY) {
if (qRaw != NULL) {
2018-01-12 15:37:22 -08:00
ret = mp_read_unsigned_bin(&q, qRaw, qRawSz);
2017-10-24 11:51:22 -07:00
if (ret == MP_OKAY)
Q = &q;
}
}
if (ret == MP_OKAY)
ret = mp_read_unsigned_bin(&e, eRaw, eRawSz);
if (ret == MP_OKAY)
2018-07-12 14:58:19 -07:00
ret = _CheckProbablePrime(&p, Q, &e, nlen, isPrime, rng);
2017-10-24 11:51:22 -07:00
ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E;
mp_clear(&p);
mp_clear(&q);
mp_clear(&e);
return ret;
}
2018-07-12 14:58:19 -07:00
int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
const byte* qRaw, word32 qRawSz,
const byte* eRaw, word32 eRawSz,
int nlen, int* isPrime)
{
return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz,
eRaw, eRawSz, nlen, isPrime, NULL);
}
#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
2014-12-31 15:31:50 -07:00
/* Make an RSA key for size bits, with e specified, 65537 is a good e */
int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
2014-12-31 15:31:50 -07:00
{
#ifndef WC_NO_RNG
#ifdef WOLFSSL_SMALL_STACK
2020-09-08 14:05:27 -05:00
mp_int *p = (mp_int *)XMALLOC(sizeof *p, key->heap, DYNAMIC_TYPE_RSA);
mp_int *q = (mp_int *)XMALLOC(sizeof *q, key->heap, DYNAMIC_TYPE_RSA);
mp_int *tmp1 = (mp_int *)XMALLOC(sizeof *tmp1, key->heap, DYNAMIC_TYPE_RSA);
mp_int *tmp2 = (mp_int *)XMALLOC(sizeof *tmp2, key->heap, DYNAMIC_TYPE_RSA);
mp_int *tmp3 = (mp_int *)XMALLOC(sizeof *tmp3, key->heap, DYNAMIC_TYPE_RSA);
#else
2020-09-08 14:05:27 -05:00
mp_int p_buf, *p = &p_buf;
mp_int q_buf, *q = &q_buf;
mp_int tmp1_buf, *tmp1 = &tmp1_buf;
mp_int tmp2_buf, *tmp2 = &tmp2_buf;
mp_int tmp3_buf, *tmp3 = &tmp3_buf;
#endif
2018-04-03 15:48:19 -07:00
int err, i, failCount, primeSz, isPrime = 0;
2017-10-24 11:51:22 -07:00
byte* buf = NULL;
2014-12-31 15:31:50 -07:00
#ifdef WOLFSSL_SMALL_STACK
if ((p == NULL) ||
(q == NULL) ||
(tmp1 == NULL) ||
(tmp2 == NULL) ||
(tmp3 == NULL)) {
err = MEMORY_E;
goto out;
}
#endif
if (key == NULL || rng == NULL) {
err = BAD_FUNC_ARG;
goto out;
}
2014-12-31 15:31:50 -07:00
if (!RsaSizeCheck(size)) {
err = BAD_FUNC_ARG;
goto out;
}
2014-12-31 15:31:50 -07:00
if (e < 3 || (e & 1) == 0) {
err = BAD_FUNC_ARG;
goto out;
}
2014-12-31 15:31:50 -07:00
2019-03-27 20:44:38 -07:00
#if defined(WOLFSSL_CRYPTOCELL)
err = cc310_RSA_GenerateKeyPair(key, size, e);
goto out;
2019-03-27 20:44:38 -07:00
#endif /*WOLFSSL_CRYPTOCELL*/
#ifdef WOLF_CRYPTO_CB
2018-09-12 08:56:59 +10:00
if (key->devId != INVALID_DEVID) {
err = wc_CryptoCb_MakeRsaKey(key, size, e, rng);
if (err != CRYPTOCB_UNAVAILABLE)
goto out;
/* fall-through when unavailable */
2018-09-12 08:56:59 +10:00
}
#endif
2018-12-10 16:51:54 -08:00
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
defined(WC_ASYNC_ENABLE_RSA_KEYGEN)
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
#ifdef HAVE_CAVIUM
/* TODO: Not implemented */
#elif defined(HAVE_INTEL_QA)
err = IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng);
goto out;
#else
if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) {
WC_ASYNC_TEST* testDev = &key->asyncDev.test;
testDev->rsaMake.rng = rng;
testDev->rsaMake.key = key;
testDev->rsaMake.size = size;
testDev->rsaMake.e = e;
err = WC_PENDING_E;
goto out;
}
#endif
}
#endif
err = mp_init_multi(p, q, tmp1, tmp2, tmp3, NULL);
2014-12-31 15:31:50 -07:00
2017-10-24 11:51:22 -07:00
if (err == MP_OKAY)
err = mp_set_int(tmp3, e);
2017-10-24 11:51:22 -07:00
2018-01-12 15:37:22 -08:00
/* The failCount value comes from NIST FIPS 186-4, section B.3.3,
* process steps 4.7 and 5.8. */
2017-10-24 11:51:22 -07:00
failCount = 5 * (size / 2);
primeSz = size / 16; /* size is the size of n in bits.
primeSz is in bytes. */
/* allocate buffer to work with */
if (err == MP_OKAY) {
buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA);
if (buf == NULL)
err = MEMORY_E;
}
2014-12-31 15:31:50 -07:00
/* make p */
if (err == MP_OKAY) {
2017-10-24 11:51:22 -07:00
isPrime = 0;
i = 0;
2014-12-31 15:31:50 -07:00
do {
2017-10-24 11:51:22 -07:00
#ifdef SHOW_GEN
printf(".");
fflush(stdout);
#endif
/* generate value */
err = wc_RNG_GenerateBlock(rng, buf, primeSz);
if (err == 0) {
/* prime lower bound has the MSB set, set it in candidate */
buf[0] |= 0x80;
/* make candidate odd */
buf[primeSz-1] |= 0x01;
/* load value */
err = mp_read_unsigned_bin(p, buf, primeSz);
2017-10-24 11:51:22 -07:00
}
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = _CheckProbablePrime(p, NULL, tmp3, size, &isPrime, rng);
2014-12-31 15:31:50 -07:00
2019-07-16 16:22:36 -07:00
#ifdef HAVE_FIPS
2017-10-24 11:51:22 -07:00
i++;
2018-01-18 09:51:36 -08:00
#else
/* Keep the old retry behavior in non-FIPS build. */
(void)i;
#endif
2017-10-24 11:51:22 -07:00
} while (err == MP_OKAY && !isPrime && i < failCount);
2014-12-31 15:31:50 -07:00
}
2017-10-24 11:51:22 -07:00
if (err == MP_OKAY && !isPrime)
err = PRIME_GEN_E;
2014-12-31 15:31:50 -07:00
/* make q */
if (err == MP_OKAY) {
2017-10-24 11:51:22 -07:00
isPrime = 0;
i = 0;
2014-12-31 15:31:50 -07:00
do {
2017-10-24 11:51:22 -07:00
#ifdef SHOW_GEN
printf(".");
fflush(stdout);
#endif
/* generate value */
err = wc_RNG_GenerateBlock(rng, buf, primeSz);
if (err == 0) {
/* prime lower bound has the MSB set, set it in candidate */
buf[0] |= 0x80;
/* make candidate odd */
buf[primeSz-1] |= 0x01;
/* load value */
err = mp_read_unsigned_bin(q, buf, primeSz);
2017-10-24 11:51:22 -07:00
}
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = _CheckProbablePrime(p, q, tmp3, size, &isPrime, rng);
2014-12-31 15:31:50 -07:00
2019-07-16 16:22:36 -07:00
#ifdef HAVE_FIPS
2017-10-24 11:51:22 -07:00
i++;
2018-01-18 09:51:36 -08:00
#else
/* Keep the old retry behavior in non-FIPS build. */
(void)i;
#endif
2017-10-24 11:51:22 -07:00
} while (err == MP_OKAY && !isPrime && i < failCount);
}
if (err == MP_OKAY && !isPrime)
err = PRIME_GEN_E;
if (buf) {
ForceZero(buf, primeSz);
XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
2014-12-31 15:31:50 -07:00
}
if (err == MP_OKAY && mp_cmp(p, q) < 0) {
err = mp_copy(p, tmp1);
if (err == MP_OKAY)
err = mp_copy(q, p);
if (err == MP_OKAY)
mp_copy(tmp1, q);
}
2018-12-10 16:51:54 -08:00
/* Setup RsaKey buffers */
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
if (err == MP_OKAY)
err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
2018-12-10 16:51:54 -08:00
/* Software Key Calculation */
if (err == MP_OKAY) /* tmp1 = p-1 */
err = mp_sub_d(p, 1, tmp1);
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* tmp2 = q-1 */
err = mp_sub_d(q, 1, tmp2);
#ifdef WC_RSA_BLINDING
2019-12-20 12:12:38 +10:00
if (err == MP_OKAY) /* tmp3 = order of n */
err = mp_mul(tmp1, tmp2, tmp3);
2019-12-20 12:12:38 +10:00
#else
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* tmp3 = lcm(p-1, q-1), last loop */
err = mp_lcm(tmp1, tmp2, tmp3);
2019-12-20 12:12:38 +10:00
#endif
2014-12-31 15:31:50 -07:00
/* make key */
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->e = e */
err = mp_set_int(&key->e, (mp_digit)e);
2019-12-20 12:12:38 +10:00
#ifdef WC_RSA_BLINDING
/* Blind the inverse operation with a value that is invertable */
if (err == MP_OKAY) {
do {
err = mp_rand(&key->p, get_digit_count(tmp3), rng);
2019-12-20 12:12:38 +10:00
if (err == MP_OKAY)
err = mp_set_bit(&key->p, 0);
if (err == MP_OKAY)
err = mp_set_bit(&key->p, size - 1);
if (err == MP_OKAY)
err = mp_gcd(&key->p, tmp3, &key->q);
2019-12-20 12:12:38 +10:00
}
while ((err == MP_OKAY) && !mp_isone(&key->q));
}
if (err == MP_OKAY)
err = mp_mul_d(&key->p, (mp_digit)e, &key->e);
#endif
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
err = mp_invmod(&key->e, tmp3, &key->d);
2019-12-20 12:12:38 +10:00
#ifdef WC_RSA_BLINDING
/* Take off blinding from d and reset e */
if (err == MP_OKAY)
err = mp_mulmod(&key->d, &key->p, tmp3, &key->d);
2019-12-20 12:12:38 +10:00
if (err == MP_OKAY)
err = mp_set_int(&key->e, (mp_digit)e);
#endif
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->n = pq */
err = mp_mul(p, q, &key->n);
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->dP = d mod(p-1) */
err = mp_mod(&key->d, tmp1, &key->dP);
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->dQ = d mod(q-1) */
err = mp_mod(&key->d, tmp2, &key->dQ);
2020-01-23 14:52:29 -08:00
#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY) /* key->u = 1/q mod p */
err = mp_invmod(q, p, &key->u);
2020-01-23 14:52:29 -08:00
#else
if (err == MP_OKAY)
err = mp_sub_d(p, 2, tmp3);
2020-01-23 14:52:29 -08:00
if (err == MP_OKAY) /* key->u = 1/q mod p = q^p-2 mod p */
err = mp_exptmod(q, tmp3 , p, &key->u);
2020-01-23 14:52:29 -08:00
#endif
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = mp_copy(p, &key->p);
2014-12-31 15:31:50 -07:00
if (err == MP_OKAY)
err = mp_copy(q, &key->q);
2014-12-31 15:31:50 -07:00
2018-10-18 17:29:43 +10:00
#ifdef HAVE_WOLF_BIGINT
2018-12-10 16:51:54 -08:00
/* make sure raw unsigned bin version is available */
2018-10-18 17:29:43 +10:00
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->n, &key->n.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->e, &key->e.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->d, &key->d.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->p, &key->p.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->q, &key->q.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->dP, &key->dP.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw);
if (err == MP_OKAY)
err = wc_mp_to_bigint(&key->u, &key->u.raw);
#endif
2018-12-10 16:51:54 -08:00
if (err == MP_OKAY)
key->type = RSA_PRIVATE;
mp_clear(tmp1);
mp_clear(tmp2);
mp_clear(tmp3);
mp_clear(p);
mp_clear(q);
2014-12-31 15:31:50 -07:00
#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
/* Perform the pair-wise consistency test on the new key. */
if (err == 0)
err = wc_CheckRsaKey(key);
#endif
if (err != 0) {
wc_FreeRsaKey(key);
goto out;
2014-12-31 15:31:50 -07:00
}
2019-03-27 20:44:38 -07:00
#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
2017-06-07 11:37:21 -06:00
if (wc_InitRsaHw(key) != 0) {
return BAD_STATE_E;
}
#endif
err = 0;
out:
#ifdef WOLFSSL_SMALL_STACK
if (p)
XFREE(p, key->heap, DYNAMIC_TYPE_RSA);
if (q)
XFREE(q, key->heap, DYNAMIC_TYPE_RSA);
if (tmp1)
XFREE(tmp1, key->heap, DYNAMIC_TYPE_RSA);
if (tmp2)
XFREE(tmp2, key->heap, DYNAMIC_TYPE_RSA);
if (tmp3)
XFREE(tmp3, key->heap, DYNAMIC_TYPE_RSA);
#endif
return err;
#else
return NOT_COMPILED_IN;
#endif
2014-12-31 15:31:50 -07:00
}
#endif /* !FIPS || FIPS_VER >= 2 */
2014-12-31 15:31:50 -07:00
#endif /* WOLFSSL_KEY_GEN */
#ifdef WC_RSA_BLINDING
int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
{
if (key == NULL)
return BAD_FUNC_ARG;
key->rng = rng;
return 0;
}
#endif /* WC_RSA_BLINDING */
#ifdef WC_RSA_NONBLOCK
int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)
{
if (key == NULL)
return BAD_FUNC_ARG;
if (nb) {
XMEMSET(nb, 0, sizeof(RsaNb));
}
/* Allow nb == NULL to clear non-block mode */
key->nb = nb;
return 0;
}
#ifdef WC_RSA_NONBLOCK_TIME
int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz)
{
if (key == NULL || key->nb == NULL) {
return BAD_FUNC_ARG;
}
/* calculate maximum number of instructions to block */
key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs;
return 0;
}
#endif /* WC_RSA_NONBLOCK_TIME */
#endif /* WC_RSA_NONBLOCK */
2014-12-31 15:31:50 -07:00
2014-12-18 11:10:55 -07:00
#endif /* NO_RSA */