diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 0e58d4f11b..86fe9a36de 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -880,7 +880,10 @@ WOLFSSL_SE050_AUTO_ERASE WOLFSSL_SE050_CRYPT WOLFSSL_SE050_HASH WOLFSSL_SE050_INIT +WOLFSSL_SE050_NOECDHE +WOLFSSL_SE050_NO_ECDSA_VERIFY WOLFSSL_SE050_NO_RSA +WOLFSSL_SE050_NO_RSA_VERIFY WOLFSSL_SE050_NO_TRNG WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT WOLFSSL_SERVER_EXAMPLE diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 2da1a22e6b..82ecbab6b2 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -291,6 +291,9 @@ ECC Curve Sizes: #undef HAVE_ECC_VERIFY_HELPER #define HAVE_ECC_VERIFY_HELPER #endif +#if defined(WOLFSSL_SE050_NO_ECDSA_VERIFY) + #define HAVE_ECC_VERIFY_HELPER +#endif #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \ @@ -4767,7 +4770,7 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out, err = silabs_ecc_shared_secret(private_key, public_key, out, outlen); #elif defined(WOLFSSL_KCAPI_ECC) err = KcapiEcc_SharedSecret(private_key, public_key, out, outlen); -#elif defined(WOLFSSL_SE050) +#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NOECDHE) err = se050_ecc_shared_secret(private_key, public_key, out, outlen); #else err = wc_ecc_shared_secret_ex(private_key, &public_key->pubkey, out, outlen); @@ -5761,7 +5764,7 @@ static int _ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key, else { err = NOT_COMPILED_IN; } -#elif defined(WOLFSSL_SE050) +#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NOECDHE) err = se050_ecc_create_key(key, key->dp->id, key->dp->size); key->type = ECC_PRIVATEKEY; #elif defined(WOLFSSL_CRYPTOCELL) @@ -9261,7 +9264,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash, #elif defined(WOLFSSL_XILINX_CRYPT_VERSAL) byte sigRS[ECC_MAX_CRYPTO_HW_SIZE * 2]; byte hashcopy[ECC_MAX_CRYPTO_HW_SIZE] = {0}; -#elif defined(WOLFSSL_SE050) +#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_ECDSA_VERIFY) #else int curveLoaded = 0; DECLARE_CURVE_SPECS(ECC_CURVE_FIELD_COUNT); diff --git a/wolfcrypt/src/port/nxp/README_SE050.md b/wolfcrypt/src/port/nxp/README_SE050.md index ee94f5a499..dcbba50f39 100644 --- a/wolfcrypt/src/port/nxp/README_SE050.md +++ b/wolfcrypt/src/port/nxp/README_SE050.md @@ -246,6 +246,25 @@ defined, wolfCrypt will instead fall back to using `/dev/random` and Disables using the SE050 for RSA, useful for the SE050E which does not have RSA support. +**`WOLFSSL_SE050_NOECDHE`** + +Disables offloading ECDH key generation and shared secret operations to the +SE050. When defined, `wc_ecc_make_key()` and `wc_ecc_shared_secret()` will +use wolfCrypt software instead of the SE050. + +**`WOLFSSL_SE050_NO_ECDSA_VERIFY`** + +When defined, ECDSA signing (`wc_ecc_sign_hash()`) continues to be offloaded +to the SE050, but ECDSA verification (`wc_ecc_verify_hash()`) uses wolfCrypt +software. + +**`WOLFSSL_SE050_NO_RSA_VERIFY`** + +When defined, RSA PKCS#1 v1.5 signing (`wc_RsaSSL_Sign()`) continues to be +offloaded to the SE050, but RSA PKCS#1 v1.5 verification (`wc_RsaSSL_Verify()`) +uses wolfCrypt software (public-key exponentiation + unpad). RSA PSS verify and +RSA key-exchange decrypt are unaffected. + ## wolfSSL HostCrypto Support The NXP SE05x Plug & Trust Middleware by default can use either OpenSSL or diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 4bd5062596..0def979200 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -3660,6 +3660,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out, } return ret; } + #if !defined(WOLFSSL_SE050_NO_RSA_VERIFY) else if (rsa_type == RSA_PUBLIC_DECRYPT && pad_value == RSA_BLOCK_TYPE_1 && pad_type != WC_RSA_PSS_PAD) { @@ -3675,6 +3676,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out, } return ret; } + #endif /* !WOLFSSL_SE050_NO_RSA_VERIFY */ #endif /* RSA CRYPTO HW */