Merge pull request #1960 from SparkiDev/sp_rsavfy

Allow a very small build based on SHA-256 and RSA verify
toddouska
2018-12-12 14:49:42 -08:00
committed by GitHub
15 changed files with 4303 additions and 4042 deletions


@@ -127,7 +127,7 @@ STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
}
#ifdef WORD64_AVAILABLE
#if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
STATIC WC_INLINE word64 rotlFixed64(word64 x, word64 y)
@@ -169,9 +169,9 @@ STATIC WC_INLINE void ByteReverseWords64(word64* out, const word64* in,
}
#endif /* WORD64_AVAILABLE */
#endif /* WORD64_AVAILABLE && !WOLFSSL_NO_WORD64_OPS */
#ifndef WOLFSSL_NO_XOR_OPS
STATIC WC_INLINE void XorWords(wolfssl_word* r, const wolfssl_word* a, word32 n)
{
word32 i;
@@ -193,8 +193,9 @@ STATIC WC_INLINE void xorbuf(void* buf, const void* mask, word32 count)
for (i = 0; i < count; i++) b[i] ^= m[i];
}
}
#endif
#ifndef WOLFSSL_NO_FORCE_ZERO
/* Make sure compiler doesn't skip */
STATIC WC_INLINE void ForceZero(const void* mem, word32 len)
{
@@ -217,8 +218,10 @@ STATIC WC_INLINE void ForceZero(const void* mem, word32 len)
while (len--) *z++ = 0;
}
#endif
#ifndef WOLFSSL_NO_CONST_CMP
/* check all length bytes for equality, return 0 on success */
STATIC WC_INLINE int ConstantCompare(const byte* a, const byte* b, int length)
{
@@ -231,6 +234,7 @@ STATIC WC_INLINE int ConstantCompare(const byte* a, const byte* b, int length)
return compareSum;
}
#endif
#ifndef WOLFSSL_HAVE_MIN
@@ -255,6 +259,7 @@ STATIC WC_INLINE int ConstantCompare(const byte* a, const byte* b, int length)
}
#endif /* !WOLFSSL_HAVE_MAX */
#ifndef WOLFSSL_NO_INT_ENCODE
/* converts a 32 bit integer to 24 bit */
STATIC WC_INLINE void c32to24(word32 in, word24 out)
{
@@ -278,7 +283,9 @@ STATIC WC_INLINE void c32toa(word32 wc_u32, byte* c)
c[2] = (wc_u32 >> 8) & 0xff;
c[3] = wc_u32 & 0xff;
}
#endif
#ifndef WOLFSSL_NO_INT_DECODE
/* convert a 24 bit integer into a 32 bit one */
STATIC WC_INLINE void c24to32(const word24 wc_u24, word32* wc_u32)
{
@@ -309,8 +316,10 @@ STATIC WC_INLINE word32 btoi(byte b)
{
return (word32)(b - 0x30);
}
#endif
#ifndef WOLFSSL_NO_CT_OPS
/* Constant time - mask set when a > b. */
STATIC WC_INLINE byte ctMaskGT(int a, int b)
{
@@ -365,6 +374,7 @@ STATIC WC_INLINE byte ctSetLTE(int a, int b)
{
return ((word32)a - b - 1) >> 31;
}
#endif
#undef STATIC
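Review bot: The new `WOLFSSL_NO_FORCE_ZERO` and `WOLFSSL_NO_CONST_CMP` guards compile out `ForceZero` and `ConstantCompare` with no comment saying when that is safe. Both helpers are what the rest of the library uses to wipe buffers and to compare without an early exit, so I would add a comment above each guard, for example `/* Define WOLFSSL_NO_FORCE_ZERO only in builds that never hold secret data (e.g. RSA verify only) */`. The six added `#endif` lines are also bare, while the neighbouring `#endif /* !WOLFSSL_HAVE_MAX */` names its condition; `#endif /* !WOLFSSL_NO_FORCE_ZERO */` and the like would keep the file consistent. Most of the guarded function bodies lie outside the hunks shown.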


@@ -96,6 +96,7 @@ int wc_FreeRsaKey(RsaKey* key)
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key, WC_RNG* rng)
{
@@ -104,8 +105,10 @@ int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
}
return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng);
}
#endif
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
RsaKey* key)
{
@@ -134,6 +137,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
}
return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng);
}
#endif
int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
@@ -164,6 +168,7 @@ int wc_RsaEncryptSize(RsaKey* key)
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
word32* bSz)
{
@@ -171,6 +176,7 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
/* not specified as fips so not needing _fips */
return RsaFlattenPublicKey(key, a, aSz, b, bSz);
}
#endif
#ifdef WOLFSSL_KEY_GEN
@@ -215,19 +221,25 @@ enum {
static void wc_RsaCleanup(RsaKey* key)
{
#ifndef WOLFSSL_RSA_VERIFY_INLINE
if (key && key->data) {
/* make sure any allocated memory is free'd */
if (key->dataIsAlloc) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (key->type == RSA_PRIVATE_DECRYPT ||
key->type == RSA_PRIVATE_ENCRYPT) {
ForceZero(key->data, key->dataLen);
}
#endif
XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
key->dataIsAlloc = 0;
}
key->data = NULL;
key->dataLen = 0;
}
#else
(void)key;
#endif
}
int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
@@ -243,9 +255,11 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
key->type = RSA_TYPE_UNKNOWN;
key->state = RSA_STATE_NONE;
key->heap = heap;
key->data = NULL;
key->dataLen = 0;
#ifndef WOLFSSL_RSA_VERIFY_INLINE
key->dataIsAlloc = 0;
key->data = NULL;
#endif
key->dataLen = 0;
#ifdef WC_RSA_BLINDING
key->rng = NULL;
#endif
@@ -270,6 +284,7 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
#endif /* WC_ASYNC_ENABLE_RSA */
#endif /* WOLFSSL_ASYNC_CRYPT */
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
if (ret != MP_OKAY)
return ret;
@@ -284,6 +299,16 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
mp_clear(&key->e);
return ret;
}
#else
ret = mp_init(&key->n);
if (ret != MP_OKAY)
return ret;
ret = mp_init(&key->e);
if (ret != MP_OKAY) {
mp_clear(&key->n);
return ret;
}
#endif
#ifdef WOLFSSL_XILINX_CRYPT
key->pubExp = 0;
@@ -411,6 +436,7 @@ int wc_FreeRsaKey(RsaKey* key)
wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
#endif
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (key->type == RSA_PRIVATE) {
#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
mp_forcezero(&key->u);
@@ -430,6 +456,7 @@ int wc_FreeRsaKey(RsaKey* key)
mp_clear(&key->q);
mp_clear(&key->p);
mp_clear(&key->d);
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
/* public part */
mp_clear(&key->e);
@@ -443,7 +470,7 @@ int wc_FreeRsaKey(RsaKey* key)
return ret;
}
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
/* Check the pair-wise consistency of the RSA key.
* From NIST SP 800-56B, section 6.4.1.1.
* Verify that k = (k^e)^d, for some k: 1 < k < n-1. */
@@ -532,6 +559,7 @@ int wc_CheckRsaKey(RsaKey* key)
return ret;
}
#endif
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
@@ -944,6 +972,7 @@ static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
}
else {
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* pad with non-zero random bytes */
word32 padLen, i;
int ret;
@@ -963,6 +992,9 @@ static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
for (i = 1; i < padLen; i++) {
if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
}
#else
return RSA_WRONG_TYPE_E;
#endif
}
pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
@@ -972,6 +1004,7 @@ static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
}
#endif /* !WC_NO_RNG */
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* helper function to direct which padding is used */
static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
@@ -1133,6 +1166,7 @@ static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
return pkcsBlockLen - idx;
}
#endif /* WC_NO_RSA_OAEP */
#endif
#ifdef WC_RSA_PSS
/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
@@ -1219,7 +1253,9 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
{
int ret;
word32 i;
#ifndef WOLFSSL_RSA_VERIFY_ONLY
byte invalid = 0;
#endif
if (output == NULL || pkcsBlockLen == 0) {
return BAD_FUNC_ARG;
@@ -1244,6 +1280,7 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
*output = (byte *)(pkcsBlock + i);
ret = pkcsBlockLen - i;
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
else {
word32 j;
byte pastSep = 0;
@@ -1267,6 +1304,7 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
*output = (byte *)(pkcsBlock + i);
ret = ((int)~invalid) & (pkcsBlockLen - i);
}
#endif
return ret;
}
@@ -1491,6 +1529,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
#ifndef WOLFSSL_SP_NO_2048
if (mp_count_bits(&key->n) == 2048) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
@@ -1505,6 +1544,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
NULL, NULL, NULL, &key->n, out, outLen);
#endif
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
@@ -1514,6 +1554,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
#ifndef WOLFSSL_SP_NO_3072
if (mp_count_bits(&key->n) == 3072) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef WC_RSA_BLINDING
@@ -1528,6 +1569,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
NULL, NULL, NULL, &key->n, out, outLen);
#endif
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
@@ -1537,6 +1579,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
#endif /* WOLFSSL_HAVE_SP_RSA */
#ifdef WOLFSSL_SP_MATH
(void)rng;
return WC_KEY_SIZE_E;
#else
(void)rng;
@@ -1575,6 +1618,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
if (ret == 0) {
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
{
@@ -1678,6 +1722,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
break;
}
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
#ifdef WOLFSSL_XILINX_CRYPT
@@ -1751,6 +1796,7 @@ static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
#endif /* WOLFSSL_ASYNC_CRYPT_TEST */
switch(type) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
case RSA_PRIVATE_DECRYPT:
case RSA_PRIVATE_ENCRYPT:
#ifdef HAVE_CAVIUM
@@ -1775,6 +1821,7 @@ static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
#endif
break;
#endif
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
@@ -2008,6 +2055,7 @@ int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* Internal Wrappers */
/* Gives the option of choosing padding type
in : input to be encrypted
@@ -2129,6 +2177,7 @@ static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
return ret;
}
#endif
/* Gives the option of choosing padding type
in : input to be decrypted
@@ -2170,12 +2219,14 @@ static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
/* Async operations that include padding */
if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
pad_type != WC_RSA_PSS_PAD) {
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (rsa_type == RSA_PRIVATE_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_2) {
key->state = RSA_STATE_DECRYPT_RES;
key->data = NULL;
return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
key);
#endif
}
else if (rsa_type == RSA_PUBLIC_DECRYPT &&
pad_value == RSA_BLOCK_TYPE_1) {
@@ -2186,6 +2237,7 @@ static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
}
#endif
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
/* verify the tmp ptr is NULL, otherwise indicates bad state */
if (key->data != NULL) {
ret = BAD_STATE_E;
@@ -2206,13 +2258,19 @@ static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
else {
key->data = out;
}
#endif
key->state = RSA_STATE_DECRYPT_EXPTMOD;
FALL_THROUGH;
case RSA_STATE_DECRYPT_EXPTMOD:
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen,
rsa_type, key, rng);
#else
ret = wc_RsaFunction(out, inLen, out, &key->dataLen, rsa_type, key,
rng);
#endif
if (ret >= 0 || ret == WC_PENDING_E) {
key->state = RSA_STATE_DECRYPT_UNPAD;
@@ -2226,16 +2284,25 @@ static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
case RSA_STATE_DECRYPT_UNPAD:
{
byte* pad = NULL;
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
hash, mgf, label, labelSz, saltLen,
mp_count_bits(&key->n), key->heap);
#else
ret = wc_RsaUnPad_ex(out, key->dataLen, &pad, pad_value, pad_type, hash,
mgf, label, labelSz, saltLen,
mp_count_bits(&key->n), key->heap);
#endif
if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
ret = RSA_BUFFER_E;
else if (ret >= 0 && pad != NULL) {
#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
signed char c;
#endif
/* only copy output if not inline */
if (outPtr == NULL) {
#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
word32 i, j;
int start = (int)((size_t)pad - (size_t)key->data);
@@ -2246,12 +2313,20 @@ static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
/* 0 - no add, -1 add */
i += -c;
}
#else
XMEMCPY(out, pad, ret);
#endif
}
else
*outPtr = pad;
#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E);
ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E);
#else
if (outLen < (word32)ret)
ret = RSA_BUFFER_E;
#endif
}
key->state = RSA_STATE_DECRYPT_RES;
@@ -2296,6 +2371,7 @@ static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* Public RSA Functions */
int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, WC_RNG* rng)
@@ -2316,8 +2392,10 @@ int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
}
#endif /* WC_NO_RSA_OAEP */
#endif
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
{
WC_RNG* rng = NULL;
@@ -2373,6 +2451,7 @@ int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
labelSz, 0, rng);
}
#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
@@ -2386,6 +2465,7 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key)
{
@@ -2403,6 +2483,7 @@ int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
}
#endif
#ifdef WC_RSA_PSS
/* Verify the message signed with RSA-PSS.
@@ -2667,6 +2748,7 @@ int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
#endif
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, WC_RNG* rng)
{
@@ -2720,7 +2802,9 @@ int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
hash, mgf, NULL, 0, saltLen, rng);
}
#endif
#endif
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || !defined(WOLFSSL_SP_MATH)
int wc_RsaEncryptSize(RsaKey* key)
{
int ret;
@@ -2739,8 +2823,9 @@ int wc_RsaEncryptSize(RsaKey* key)
return ret;
}
#endif
#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* flatten RsaKey structure into individual elements (e, n) */
int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
word32* nSz)
@@ -2769,11 +2854,12 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
return 0;
}
#endif
#endif /* HAVE_FIPS */
#ifndef WOLFSSL_RSA_VERIFY_ONLY
static int RsaGetValue(mp_int* in, byte* out, word32* outSz)
{
word32 sz;
@@ -2818,6 +2904,7 @@ int wc_RsaExportKey(RsaKey* key,
return ret;
}
#endif
#ifdef WOLFSSL_KEY_GEN
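Review bot: In `RsaPrivateDecryptEx` the added `#endif` for `WOLFSSL_RSA_PUBLIC_ONLY` sits before the closing `}` of the `if (rsa_type == RSA_PRIVATE_DECRYPT && pad_value == RSA_BLOCK_TYPE_2) {` block, so with the macro defined the opening brace is removed while the `}` and the following `else if` stay, and the async branch is left with unbalanced braces (this only bites if that async path can be built together with a public-only configuration, which the hunk does not show). Moving the `#endif` below the `}` and giving the public-only build a plain `if (rsa_type == RSA_PUBLIC_DECRYPT && ...)` in an `#else` would balance it. Separately, in the `WOLFSSL_RSA_VERIFY_ONLY` branch of the unpad state, `wc_RsaUnPad_ex(out, ...)` appears to return `pad` pointing into `out` (as `RsaUnPad` does with `pkcsBlock + i`), and the result is then copied with `XMEMCPY(out, pad, ret);`; source and destination can overlap when the payload is longer than its offset in the block, so `XMEMMOVE(out, pad, ret);` is the safe form. The function starts and ends outside the hunks shown.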


@@ -356,7 +356,7 @@ int wc_SignatureGenerateHash(
case WC_SIGNATURE_TYPE_RSA_W_ENC:
case WC_SIGNATURE_TYPE_RSA:
#ifndef NO_RSA
#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
/* Create signature using provided RSA key */
do {
#ifdef WOLFSSL_ASYNC_CRYPT
@@ -420,7 +420,7 @@ int wc_SignatureGenerate(
}
hash_enc_len = hash_len = ret;
#ifndef NO_RSA
#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
/* For RSA with ASN.1 encoding include room */
hash_enc_len += MAX_DER_DIGEST_ASN_SZ;
@@ -440,7 +440,8 @@ int wc_SignatureGenerate(
if (ret == 0) {
/* Handle RSA with DER encoding */
if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
#if defined(NO_RSA) || defined(NO_ASN)
#if defined(NO_RSA) || defined(NO_ASN) || \
defined(WOLFSSL_RSA_PUBLIC_ONLY)
ret = SIG_TYPE_E;
#else
ret = wc_SignatureDerEncode(hash_type, hash_data, hash_len,


@@ -2303,7 +2303,8 @@ SP_NOINLINE static void sp_2048_sqr_64(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
#ifdef WOLFSSL_SP_SMALL
/* AND m into each word of a and store in r.
*
@@ -2738,7 +2739,7 @@ SP_NOINLINE static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
/* Caclulate the bottom digit of -1/a mod 2^n.
*
@@ -2759,7 +2760,84 @@ static void sp_2048_mont_setup(sp_digit* a, sp_digit* rho)
*rho = -x;
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
/* Mul a by digit b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A single precision digit.
*/
SP_NOINLINE static void sp_2048_mul_d_64(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
__asm__ __volatile__ (
"mov r6, #1\n\t"
"lsl r6, r6, #8\n\t"
"add r6, %[a]\n\t"
"mov r8, %[r]\n\t"
"mov r9, r6\n\t"
"mov r3, #0\n\t"
"mov r4, #0\n\t"
"1:\n\t"
"mov %[r], #0\n\t"
"mov r5, #0\n\t"
"# A[] * B\n\t"
#ifdef WOLFSSL_SP_ARM_THUMB_ASM_CORTEX_M
"ldr r6, [%[a]]\n\t"
"umull r6, r7, r6, %[b]\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#else
"ldr r6, [%[a]]\n\t"
"lsl r6, r6, #16\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r7, r6\n\t"
"add r3, r7\n\t"
"adc r4, %[r]\n\t"
"adc r5, %[r]\n\t"
"lsr r7, %[b], #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
"ldr r6, [%[a]]\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, %[b], #16\n\t"
"mul r7, r6\n\t"
"add r4, r7\n\t"
"adc r5, %[r]\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#endif
"# A[] * B - Done\n\t"
"mov %[r], r8\n\t"
"str r3, [%[r]]\n\t"
"mov r3, r4\n\t"
"mov r4, r5\n\t"
"add %[r], #4\n\t"
"add %[a], #4\n\t"
"mov r8, %[r]\n\t"
"cmp %[a], r9\n\t"
"blt 1b\n\t"
"str r3, [%[r]]\n\t"
: [r] "+r" (r), [a] "+r" (a)
: [b] "r" (b)
: "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
);
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
/* r = 2^n mod m where n is the number of bits to reduce by.
* Given m must be 2048 bits, just need to subtract.
*
@@ -3598,7 +3676,7 @@ static int sp_2048_mod_exp_32(sp_digit* r, sp_digit* a, sp_digit* e,
}
#endif /* WOLFSSL_SP_SMALL */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
#ifdef WOLFSSL_HAVE_SP_DH
/* r = 2^n mod m where n is the number of bits to reduce by.
@@ -3843,82 +3921,6 @@ static void sp_2048_mont_sqr_64(sp_digit* r, sp_digit* a, sp_digit* m,
sp_2048_mont_reduce_64(r, m, mp);
}
/* Mul a by digit b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A single precision digit.
*/
SP_NOINLINE static void sp_2048_mul_d_64(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
__asm__ __volatile__ (
"mov r6, #1\n\t"
"lsl r6, r6, #8\n\t"
"add r6, %[a]\n\t"
"mov r8, %[r]\n\t"
"mov r9, r6\n\t"
"mov r3, #0\n\t"
"mov r4, #0\n\t"
"1:\n\t"
"mov %[r], #0\n\t"
"mov r5, #0\n\t"
"# A[] * B\n\t"
#ifdef WOLFSSL_SP_ARM_THUMB_ASM_CORTEX_M
"ldr r6, [%[a]]\n\t"
"umull r6, r7, r6, %[b]\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#else
"ldr r6, [%[a]]\n\t"
"lsl r6, r6, #16\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r7, r6\n\t"
"add r3, r7\n\t"
"adc r4, %[r]\n\t"
"adc r5, %[r]\n\t"
"lsr r7, %[b], #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
"ldr r6, [%[a]]\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, %[b], #16\n\t"
"mul r7, r6\n\t"
"add r4, r7\n\t"
"adc r5, %[r]\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#endif
"# A[] * B - Done\n\t"
"mov %[r], r8\n\t"
"str r3, [%[r]]\n\t"
"mov r3, r4\n\t"
"mov r4, r5\n\t"
"add %[r], #4\n\t"
"add %[a], #4\n\t"
"mov r8, %[r]\n\t"
"cmp %[a], r9\n\t"
"blt 1b\n\t"
"str r3, [%[r]]\n\t"
: [r] "+r" (r), [a] "+r" (a)
: [b] "r" (b)
: "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
);
}
/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
*
* d1 The high order half of the number to divide.
@@ -7679,7 +7681,8 @@ SP_NOINLINE static void sp_3072_sqr_96(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
#ifdef WOLFSSL_SP_SMALL
/* AND m into each word of a and store in r.
*
@@ -8084,7 +8087,7 @@ SP_NOINLINE static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
/* Caclulate the bottom digit of -1/a mod 2^n.
*
@@ -8105,7 +8108,85 @@ static void sp_3072_mont_setup(sp_digit* a, sp_digit* rho)
*rho = -x;
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
/* Mul a by digit b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A single precision digit.
*/
SP_NOINLINE static void sp_3072_mul_d_96(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
__asm__ __volatile__ (
"mov r6, #1\n\t"
"lsl r6, r6, #8\n\t"
"add r6, #128\n\t"
"add r6, %[a]\n\t"
"mov r8, %[r]\n\t"
"mov r9, r6\n\t"
"mov r3, #0\n\t"
"mov r4, #0\n\t"
"1:\n\t"
"mov %[r], #0\n\t"
"mov r5, #0\n\t"
"# A[] * B\n\t"
#ifdef WOLFSSL_SP_ARM_THUMB_ASM_CORTEX_M
"ldr r6, [%[a]]\n\t"
"umull r6, r7, r6, %[b]\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#else
"ldr r6, [%[a]]\n\t"
"lsl r6, r6, #16\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r7, r6\n\t"
"add r3, r7\n\t"
"adc r4, %[r]\n\t"
"adc r5, %[r]\n\t"
"lsr r7, %[b], #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
"ldr r6, [%[a]]\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, %[b], #16\n\t"
"mul r7, r6\n\t"
"add r4, r7\n\t"
"adc r5, %[r]\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#endif
"# A[] * B - Done\n\t"
"mov %[r], r8\n\t"
"str r3, [%[r]]\n\t"
"mov r3, r4\n\t"
"mov r4, r5\n\t"
"add %[r], #4\n\t"
"add %[a], #4\n\t"
"mov r8, %[r]\n\t"
"cmp %[a], r9\n\t"
"blt 1b\n\t"
"str r3, [%[r]]\n\t"
: [r] "+r" (r), [a] "+r" (a)
: [b] "r" (b)
: "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
);
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
#ifdef WOLFSSL_SP_SMALL
/* Sub b from a into a. (a -= b)
*
@@ -9201,7 +9282,7 @@ static int sp_3072_mod_exp_48(sp_digit* r, sp_digit* a, sp_digit* e,
}
#endif /* WOLFSSL_SP_SMALL */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
#ifdef WOLFSSL_HAVE_SP_DH
/* r = 2^n mod m where n is the number of bits to reduce by.
@@ -9450,83 +9531,6 @@ static void sp_3072_mont_sqr_96(sp_digit* r, sp_digit* a, sp_digit* m,
sp_3072_mont_reduce_96(r, m, mp);
}
/* Mul a by digit b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A single precision digit.
*/
SP_NOINLINE static void sp_3072_mul_d_96(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
__asm__ __volatile__ (
"mov r6, #1\n\t"
"lsl r6, r6, #8\n\t"
"add r6, #128\n\t"
"add r6, %[a]\n\t"
"mov r8, %[r]\n\t"
"mov r9, r6\n\t"
"mov r3, #0\n\t"
"mov r4, #0\n\t"
"1:\n\t"
"mov %[r], #0\n\t"
"mov r5, #0\n\t"
"# A[] * B\n\t"
#ifdef WOLFSSL_SP_ARM_THUMB_ASM_CORTEX_M
"ldr r6, [%[a]]\n\t"
"umull r6, r7, r6, %[b]\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#else
"ldr r6, [%[a]]\n\t"
"lsl r6, r6, #16\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r7, r6\n\t"
"add r3, r7\n\t"
"adc r4, %[r]\n\t"
"adc r5, %[r]\n\t"
"lsr r7, %[b], #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
"ldr r6, [%[a]]\n\t"
"lsr r6, r6, #16\n\t"
"lsr r7, %[b], #16\n\t"
"mul r7, r6\n\t"
"add r4, r7\n\t"
"adc r5, %[r]\n\t"
"lsl r7, %[b], #16\n\t"
"lsr r7, r7, #16\n\t"
"mul r6, r7\n\t"
"lsr r7, r6, #16\n\t"
"lsl r6, r6, #16\n\t"
"add r3, r6\n\t"
"adc r4, r7\n\t"
"adc r5, %[r]\n\t"
#endif
"# A[] * B - Done\n\t"
"mov %[r], r8\n\t"
"str r3, [%[r]]\n\t"
"mov r3, r4\n\t"
"mov r4, r5\n\t"
"add %[r], #4\n\t"
"add %[a], #4\n\t"
"mov r8, %[r]\n\t"
"cmp %[a], r9\n\t"
"blt 1b\n\t"
"str r3, [%[r]]\n\t"
: [r] "+r" (r), [a] "+r" (a)
: [b] "r" (b)
: "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
);
}
/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
*
* d1 The high order half of the number to divide.


@@ -50,7 +50,7 @@
#ifndef WOLFSSL_SP_ASM
#if SP_WORD_SIZE == 64
#if defined(WOLFSSL_SP_CACHE_RESISTANT) || defined(WOLFSSL_SP_SMALL)
#if (defined(WOLFSSL_SP_CACHE_RESISTANT) || defined(WOLFSSL_SP_SMALL)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
/* Mask for address to obfuscate which of the two address will be used. */
static const size_t addr_mask[2] = { 0, (size_t)-1 };
#endif
@@ -701,7 +701,8 @@ SP_NOINLINE static void sp_2048_sqr_36(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
#ifdef WOLFSSL_SP_SMALL
/* Add b to a into r. (r = a + b)
*
@@ -806,7 +807,7 @@ SP_NOINLINE static void sp_2048_sqr_18(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
/* Caclulate the bottom digit of -1/a mod 2^n.
*
@@ -829,7 +830,62 @@ static void sp_2048_mont_setup(sp_digit* a, sp_digit* rho)
*rho = (1L << 57) - x;
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
/* Multiply a by scalar b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A scalar.
*/
SP_NOINLINE static void sp_2048_mul_d_36(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
int128_t tb = b;
int128_t t = 0;
int i;
for (i = 0; i < 36; i++) {
t += tb * a[i];
r[i] = t & 0x1ffffffffffffffl;
t >>= 57;
}
r[36] = (sp_digit)t;
#else
int128_t tb = b;
int128_t t[8];
int i;
t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffl;
for (i = 0; i < 32; i += 8) {
t[1] = tb * a[i+1];
r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[i+2];
r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[i+3];
r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
t[4] = tb * a[i+4];
r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffl);
t[5] = tb * a[i+5];
r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffl);
t[6] = tb * a[i+6];
r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffl);
t[7] = tb * a[i+7];
r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffl);
t[0] = tb * a[i+8];
r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffl);
}
t[1] = tb * a[33];
r[33] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[34];
r[34] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[35];
r[35] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
r[36] = (sp_digit)(t[3] >> 57);
#endif /* WOLFSSL_SP_SMALL */
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
/* r = 2^n mod m where n is the number of bits to reduce by.
* Given m must be 2048 bits, just need to subtract.
*
@@ -1631,7 +1687,7 @@ static int sp_2048_mod_exp_18(sp_digit* r, sp_digit* a, sp_digit* e, int bits,
#endif
}
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
/* r = 2^n mod m where n is the number of bits to reduce by.
* Given m must be 2048 bits, just need to subtract.
@@ -1897,6 +1953,7 @@ static void sp_2048_mont_reduce_36(sp_digit* a, sp_digit* m, sp_digit mp)
int i;
sp_digit mu;
#ifdef WOLFSSL_SP_DH
if (mp != 1) {
for (i=0; i<35; i++) {
mu = (a[i] * mp) & 0x1ffffffffffffffl;
@@ -1919,6 +1976,17 @@ static void sp_2048_mont_reduce_36(sp_digit* a, sp_digit* m, sp_digit mp)
a[i+1] += a[i] >> 57;
a[i] &= 0x1ffffffffffffffl;
}
#else
for (i=0; i<35; i++) {
mu = (a[i] * mp) & 0x1ffffffffffffffl;
sp_2048_mul_add_36(a+i, m, mu);
a[i+1] += a[i] >> 57;
}
mu = (a[i] * mp) & 0x1fffffffffffffl;
sp_2048_mul_add_36(a+i, m, mu);
a[i+1] += a[i] >> 57;
a[i] &= 0x1ffffffffffffffl;
#endif
sp_2048_mont_shift_36(a, a);
sp_2048_cond_sub_36(a, a, m, 0 - ((a[35] >> 53) > 0));
@@ -1955,60 +2023,6 @@ static void sp_2048_mont_sqr_36(sp_digit* r, sp_digit* a, sp_digit* m,
sp_2048_mont_reduce_36(r, m, mp);
}
/* Multiply a by scalar b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A scalar.
*/
SP_NOINLINE static void sp_2048_mul_d_36(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
int128_t tb = b;
int128_t t = 0;
int i;
for (i = 0; i < 36; i++) {
t += tb * a[i];
r[i] = t & 0x1ffffffffffffffl;
t >>= 57;
}
r[36] = (sp_digit)t;
#else
int128_t tb = b;
int128_t t[8];
int i;
t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffl;
for (i = 0; i < 32; i += 8) {
t[1] = tb * a[i+1];
r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[i+2];
r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[i+3];
r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
t[4] = tb * a[i+4];
r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffl);
t[5] = tb * a[i+5];
r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffl);
t[6] = tb * a[i+6];
r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffl);
t[7] = tb * a[i+7];
r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffl);
t[0] = tb * a[i+8];
r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffl);
}
t[1] = tb * a[33];
r[33] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[34];
r[34] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[35];
r[35] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
r[36] = (sp_digit)(t[3] >> 57);
#endif /* WOLFSSL_SP_SMALL */
}
/* Conditionally add a and b using the mask m.
* m is -1 to add and 0 when not.
*
@@ -2483,7 +2497,7 @@ static int sp_2048_mod_exp_36(sp_digit* r, sp_digit* a, sp_digit* e, int bits,
#endif /* SP_RSA_PRIVATE_EXP_D || WOLFSSL_HAVE_SP_DH */
#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D) && \
!defined(RSA_LOW_MEM)
!defined(RSA_LOW_MEM) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
/* AND m into each word of a and store in r.
*
* r A single precision integer.
@@ -2716,6 +2730,7 @@ int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
#endif /* WOLFSSL_SP_SMALL */
}
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
/* RSA private key operation.
*
* in Array of bytes representing the number to exponentiate, base.
@@ -2950,6 +2965,7 @@ int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}
#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#ifdef WOLFSSL_HAVE_SP_DH
/* Convert an array of sp_digit to an mp_int.
@@ -4011,7 +4027,8 @@ SP_NOINLINE static void sp_3072_sqr_54(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
#ifdef WOLFSSL_SP_SMALL
/* Add b to a into r. (r = a + b)
*
@@ -4225,7 +4242,7 @@ SP_NOINLINE static void sp_3072_sqr_27(sp_digit* r, const sp_digit* a)
}
#endif /* WOLFSSL_SP_SMALL */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
/* Caclulate the bottom digit of -1/a mod 2^n.
*
@@ -4248,7 +4265,66 @@ static void sp_3072_mont_setup(sp_digit* a, sp_digit* rho)
*rho = (1L << 57) - x;
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA)
/* Multiply a by scalar b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A scalar.
*/
SP_NOINLINE static void sp_3072_mul_d_54(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
int128_t tb = b;
int128_t t = 0;
int i;
for (i = 0; i < 54; i++) {
t += tb * a[i];
r[i] = t & 0x1ffffffffffffffl;
t >>= 57;
}
r[54] = (sp_digit)t;
#else
int128_t tb = b;
int128_t t[8];
int i;
t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffl;
for (i = 0; i < 48; i += 8) {
t[1] = tb * a[i+1];
r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[i+2];
r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[i+3];
r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
t[4] = tb * a[i+4];
r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffl);
t[5] = tb * a[i+5];
r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffl);
t[6] = tb * a[i+6];
r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffl);
t[7] = tb * a[i+7];
r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffl);
t[0] = tb * a[i+8];
r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffl);
}
t[1] = tb * a[49];
r[49] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[50];
r[50] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[51];
r[51] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
t[4] = tb * a[52];
r[52] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffl);
t[5] = tb * a[53];
r[53] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffl);
r[54] = (sp_digit)(t[5] >> 57);
#endif /* WOLFSSL_SP_SMALL */
}
#if !defined(SP_RSA_PRIVATE_EXP_D) && defined(WOLFSSL_HAVE_SP_RSA) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
/* r = 2^n mod m where n is the number of bits to reduce by.
* Given m must be 3072 bits, just need to subtract.
*
@@ -5035,7 +5111,7 @@ static int sp_3072_mod_exp_27(sp_digit* r, sp_digit* a, sp_digit* e, int bits,
#endif
}
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA */
#endif /* !SP_RSA_PRIVATE_EXP_D && WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY */
/* r = 2^n mod m where n is the number of bits to reduce by.
* Given m must be 3072 bits, just need to subtract.
@@ -5308,6 +5384,7 @@ static void sp_3072_mont_reduce_54(sp_digit* a, sp_digit* m, sp_digit mp)
int i;
sp_digit mu;
#ifdef WOLFSSL_SP_DH
if (mp != 1) {
for (i=0; i<53; i++) {
mu = (a[i] * mp) & 0x1ffffffffffffffl;
@@ -5330,6 +5407,17 @@ static void sp_3072_mont_reduce_54(sp_digit* a, sp_digit* m, sp_digit mp)
a[i+1] += a[i] >> 57;
a[i] &= 0x1ffffffffffffffl;
}
#else
for (i=0; i<53; i++) {
mu = (a[i] * mp) & 0x1ffffffffffffffl;
sp_3072_mul_add_54(a+i, m, mu);
a[i+1] += a[i] >> 57;
}
mu = (a[i] * mp) & 0x7ffffffffffffl;
sp_3072_mul_add_54(a+i, m, mu);
a[i+1] += a[i] >> 57;
a[i] &= 0x1ffffffffffffffl;
#endif
sp_3072_mont_shift_54(a, a);
sp_3072_cond_sub_54(a, a, m, 0 - ((a[53] >> 51) > 0));
@@ -5366,64 +5454,6 @@ static void sp_3072_mont_sqr_54(sp_digit* r, sp_digit* a, sp_digit* m,
sp_3072_mont_reduce_54(r, m, mp);
}
/* Multiply a by scalar b into r. (r = a * b)
*
* r A single precision integer.
* a A single precision integer.
* b A scalar.
*/
SP_NOINLINE static void sp_3072_mul_d_54(sp_digit* r, const sp_digit* a,
const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
int128_t tb = b;
int128_t t = 0;
int i;
for (i = 0; i < 54; i++) {
t += tb * a[i];
r[i] = t & 0x1ffffffffffffffl;
t >>= 57;
}
r[54] = (sp_digit)t;
#else
int128_t tb = b;
int128_t t[8];
int i;
t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffl;
for (i = 0; i < 48; i += 8) {
t[1] = tb * a[i+1];
r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[i+2];
r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[i+3];
r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
t[4] = tb * a[i+4];
r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffl);
t[5] = tb * a[i+5];
r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffl);
t[6] = tb * a[i+6];
r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffl);
t[7] = tb * a[i+7];
r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffl);
t[0] = tb * a[i+8];
r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffl);
}
t[1] = tb * a[49];
r[49] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffl);
t[2] = tb * a[50];
r[50] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffl);
t[3] = tb * a[51];
r[51] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffl);
t[4] = tb * a[52];
r[52] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffl);
t[5] = tb * a[53];
r[53] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffl);
r[54] = (sp_digit)(t[5] >> 57);
#endif /* WOLFSSL_SP_SMALL */
}
/* Conditionally add a and b using the mask m.
* m is -1 to add and 0 when not.
*
@@ -5863,7 +5893,7 @@ static int sp_3072_mod_exp_54(sp_digit* r, sp_digit* a, sp_digit* e, int bits,
#endif /* SP_RSA_PRIVATE_EXP_D || WOLFSSL_HAVE_SP_DH */
#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D) && \
!defined(RSA_LOW_MEM)
!defined(RSA_LOW_MEM) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
/* AND m into each word of a and store in r.
*
* r A single precision integer.
@@ -6097,6 +6127,7 @@ int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
#endif /* WOLFSSL_SP_SMALL */
}
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
/* RSA private key operation.
*
* in Array of bytes representing the number to exponentiate, base.
@@ -6331,6 +6362,7 @@ int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}
#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#ifdef WOLFSSL_HAVE_SP_DH
/* Convert an array of sp_digit to an mp_int.


@@ -52,6 +52,7 @@ int sp_init(sp_int* a)
return MP_OKAY;
}
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && (!defined(NO_DH) || defined(HAVE_ECC))
/* Initialize up to six big numbers to be zero.
*
* a SP integer.
@@ -92,6 +93,7 @@ int sp_init_multi(sp_int* a, sp_int* b, sp_int* c, sp_int* d, sp_int* e,
return MP_OKAY;
}
#endif
/* Clear the data from the big number and set to zero.
*
@@ -158,6 +160,7 @@ int sp_read_unsigned_bin(sp_int* a, const byte* in, word32 inSz)
return MP_OKAY;
}
#ifdef HAVE_ECC
/* Convert a number as string in big-endian format to a big number.
* Only supports base-16 (hexadecimal).
* Negative values not supported.
@@ -210,6 +213,7 @@ int sp_read_radix(sp_int* a, const char* in, int radix)
return MP_OKAY;
}
#endif
/* Compare two big numbers.
*
@@ -284,6 +288,7 @@ int sp_leading_bit(sp_int* a)
return bit;
}
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && (!defined(NO_DH) || defined(HAVE_ECC))
/* Convert the big number to an array of bytes in big-endian format.
* The array must be large enough for encoded number - use mp_unsigned_bin_size
* to calculate the number of bytes required.
@@ -307,6 +312,7 @@ int sp_to_unsigned_bin(sp_int* a, byte* out)
return MP_OKAY;
}
#endif
/* Convert the big number to an array of bytes in big-endian format.
* The array must be large enough for encoded number - use mp_unsigned_bin_size
@@ -333,6 +339,8 @@ int sp_to_unsigned_bin_len(sp_int* a, byte* out, int outSz)
return MP_OKAY;
}
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && (!defined(NO_DH) || defined(HAVE_ECC))
/* Ensure the data in the big number is zeroed.
*
* a SP integer.
@@ -357,6 +365,7 @@ int sp_copy(sp_int* a, sp_int* b)
}
return MP_OKAY;
}
#endif
/* Set the big number to be the value of the digit.
*
@@ -371,6 +380,7 @@ int sp_set(sp_int* a, sp_int_digit d)
return MP_OKAY;
}
#if !defined(NO_DH) || defined(HAVE_ECC)
/* Checks whether the value of the big number is zero.
*
* a SP integer.
@@ -380,7 +390,9 @@ int sp_iszero(sp_int* a)
{
return a->used == 0;
}
#endif
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && (!defined(NO_DH) || defined(HAVE_ECC))
/* Recalculate the number of digits used.
*
* a SP integer.
@@ -436,6 +448,7 @@ int sp_sub_d(sp_int* a, sp_int_digit d, sp_int* r)
return MP_OKAY;
}
#endif
/* Compare a one digit number with a big number.
*
@@ -464,6 +477,7 @@ int sp_cmp_d(sp_int *a, sp_int_digit d)
return MP_EQ;
}
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && (!defined(NO_DH) || defined(HAVE_ECC))
/* Left shift the number by number of bits.
* Bits may be larger than the word size.
*
@@ -561,8 +575,8 @@ int sp_mod(sp_int* a, sp_int* m, sp_int* r)
return MP_OKAY;
}
#endif
#if defined(USE_FAST_MATH) || !defined(NO_BIG_INT)
/* Clear all data in the big number and sets value to zero.
*
* a SP integer.
@@ -604,6 +618,7 @@ int sp_add_d(sp_int* a, sp_int_digit d, sp_int* r)
return MP_OKAY;
}
#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && (!defined(NO_DH) || defined(HAVE_ECC))
/* Left shift the big number by a number of digits.
* WIll chop off digits overflowing maximum size.
*
@@ -622,7 +637,6 @@ int sp_lshd(sp_int* a, int s)
return MP_OKAY;
}
#endif
#ifndef NO_PWDBASED
/* Add two large numbers into result: r = a + b
@@ -659,6 +673,7 @@ int sp_add(sp_int* a, sp_int* b, sp_int* r)
return MP_OKAY;
}
#endif /* NO_PWDBASED */
#endif
#ifndef NO_RSA
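Review bot: The `#endif` lines added throughout this section carry no condition comment, although the guards they close use three different conditions (`WOLFSSL_RSA_PUBLIC_ONLY`, `WOLFSSL_RSA_VERIFY_ONLY`, and plain `!defined(NO_DH) || defined(HAVE_ECC)`), and the file already labels others, as in `#endif /* NO_PWDBASED */`. Labelling each one, for example `#endif /* !WOLFSSL_RSA_VERIFY_ONLY && (!NO_DH || HAVE_ECC) */`, would make the nesting near the end of the section checkable by eye, where a bare `#endif` directly follows `#endif /* NO_PWDBASED */`. The guards before "Initialize up to six big numbers" and "Ensure the data in the big number is zeroed" are keyed on `WOLFSSL_RSA_PUBLIC_ONLY` while their neighbours use `WOLFSSL_RSA_VERIFY_ONLY`, and nothing in the hunks explains the split, so a one-line comment on the intended difference would help. The second of those guards compiles out the zeroing helper, so it should state the assumption (presumably that no private material exists in a public-only build) for anyone auditing key hygiene.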


@@ -2399,10 +2399,10 @@ void fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c)
/* Use Duff's device to unroll the loop. */
int idx = (c - 1) & ~3;
switch (c % 4) {
case 0: do { pd[idx+0] = *b++;
case 3: pd[idx+1] = *b++;
case 2: pd[idx+2] = *b++;
case 1: pd[idx+3] = *b++;
case 0: do { pd[idx+0] = *b++; // fallthrough
case 3: pd[idx+1] = *b++; // fallthrough
case 2: pd[idx+2] = *b++; // fallthrough
case 1: pd[idx+3] = *b++; // fallthrough
idx -= 4;
} while ((c -= 4) > 0);
}
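Review bot: With `c == 0`, `idx = (c - 1) & ~3` evaluates to -4 and `switch (c % 4)` enters `case 0`, so the loop body runs once, storing to `pd[idx+0]` through `pd[idx+3]` below the start of the buffer and reading four bytes from `b`. `fp_read_unsigned_bin` starts and ends outside this hunk, so an earlier guard may already exclude that case; if none exists, wrapping the switch in `if (c > 0) { ... }` closes it. On the annotation, assuming the commented `case` lines are the new side, the comment on the `case 1:` line marks a fallthrough where none occurs, because the next statement is `idx -= 4;` rather than a label. The `//` form also differs from the `/* ... */` comment directly above and will not build as strict C89, so `/* fall through */` on the first three case lines only would be consistent.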