source: azure_iot_hub/trunk/wolfssl-3.15.7/wolfcrypt/src/rsa.c@ 388

Last change on this file since 388 was 388, checked in by coas-nagasima, 5 years ago

Azure IoT Hub Device C SDK を使ったサンプルの追加
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
  • Property svn:mime-type set to text/x-csrc
File size: 99.2 KB
Line 
1/* rsa.c
2 *
3 * Copyright (C) 2006-2017 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
22
23#ifdef HAVE_CONFIG_H
24 #include <config.h>
25#endif
26
27#include <wolfssl/wolfcrypt/settings.h>
28#include <wolfssl/wolfcrypt/error-crypt.h>
29
30#ifndef NO_RSA
31
32#if defined(HAVE_FIPS) && \
33 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
34
35 /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
36 #define FIPS_NO_WRAPPERS
37
38 #ifdef USE_WINDOWS_API
39 #pragma code_seg(".fipsA$e")
40 #pragma const_seg(".fipsB$e")
41 #endif
42#endif
43
44#include <wolfssl/wolfcrypt/rsa.h>
45
46#ifdef WOLFSSL_HAVE_SP_RSA
47#include <wolfssl/wolfcrypt/sp.h>
48#endif
49
50/*
51Possible RSA enable options:
52 * NO_RSA: Overall control of RSA default: on (not defined)
53 * WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: off
54 Note: slower by ~20%
55 * WOLFSSL_KEY_GEN: Allows Private Key Generation default: off
56 * RSA_LOW_MEM: NON CRT Private Operations, less memory default: off
57 * WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined)
58 * WC_RSA_NONBLOCK: Enables support for RSA non-blocking default: off
59 * WC_RSA_NONBLOCK_TIME:Enables support for time based blocking default: off
60 * time calculation.
61*/
62
63/*
64RSA Key Size Configuration:
65 * FP_MAX_BITS: With USE_FAST_MATH only default: 4096
66 If USE_FAST_MATH then use this to override default.
67 Value is key size * 2. Example: RSA 3072 = 6144
68*/
69
70
71/* If building for old FIPS. */
72#if defined(HAVE_FIPS) && \
73 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
74
75int wc_InitRsaKey(RsaKey* key, void* ptr)
76{
77 if (key == NULL) {
78 return BAD_FUNC_ARG;
79 }
80
81 return InitRsaKey_fips(key, ptr);
82}
83
84
85int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
86{
87 (void)devId;
88 if (key == NULL) {
89 return BAD_FUNC_ARG;
90 }
91 return InitRsaKey_fips(key, ptr);
92}
93
94
95int wc_FreeRsaKey(RsaKey* key)
96{
97 return FreeRsaKey_fips(key);
98}
99
100
101#ifndef WOLFSSL_RSA_VERIFY_ONLY
102int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
103 word32 outLen, RsaKey* key, WC_RNG* rng)
104{
105 if (in == NULL || out == NULL || key == NULL || rng == NULL) {
106 return BAD_FUNC_ARG;
107 }
108 return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng);
109}
110#endif
111
112
113#ifndef WOLFSSL_RSA_PUBLIC_ONLY
114int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
115 RsaKey* key)
116{
117 if (in == NULL || out == NULL || key == NULL) {
118 return BAD_FUNC_ARG;
119 }
120 return RsaPrivateDecryptInline_fips(in, inLen, out, key);
121}
122
123
124int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
125 word32 outLen, RsaKey* key)
126{
127 if (in == NULL || out == NULL || key == NULL) {
128 return BAD_FUNC_ARG;
129 }
130 return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key);
131}
132
133
134int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
135 word32 outLen, RsaKey* key, WC_RNG* rng)
136{
137 if (in == NULL || out == NULL || key == NULL || inLen == 0) {
138 return BAD_FUNC_ARG;
139 }
140 return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng);
141}
142#endif
143
144
145int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
146{
147 if (in == NULL || out == NULL || key == NULL) {
148 return BAD_FUNC_ARG;
149 }
150 return RsaSSL_VerifyInline_fips(in, inLen, out, key);
151}
152
153
154int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out,
155 word32 outLen, RsaKey* key)
156{
157 if (in == NULL || out == NULL || key == NULL || inLen == 0) {
158 return BAD_FUNC_ARG;
159 }
160 return RsaSSL_Verify_fips(in, inLen, out, outLen, key);
161}
162
163
164int wc_RsaEncryptSize(RsaKey* key)
165{
166 if (key == NULL) {
167 return BAD_FUNC_ARG;
168 }
169 return RsaEncryptSize_fips(key);
170}
171
172
173#ifndef WOLFSSL_RSA_VERIFY_ONLY
174int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
175 word32* bSz)
176{
177
178 /* not specified as fips so not needing _fips */
179 return RsaFlattenPublicKey(key, a, aSz, b, bSz);
180}
181#endif
182
183
184#ifdef WOLFSSL_KEY_GEN
185 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
186 {
187 return MakeRsaKey(key, size, e, rng);
188 }
189#endif
190
191
192/* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c
193* wc_RsaPrivateKeyDecode
194* wc_RsaPublicKeyDecode
195*/
196
197#else /* else build without fips, or for new fips */
198
199#include <wolfssl/wolfcrypt/random.h>
200#include <wolfssl/wolfcrypt/logging.h>
201#ifdef WOLF_CRYPTO_DEV
202 #include <wolfssl/wolfcrypt/cryptodev.h>
203#endif
204#ifdef NO_INLINE
205 #include <wolfssl/wolfcrypt/misc.h>
206#else
207 #define WOLFSSL_MISC_INCLUDED
208 #include <wolfcrypt/src/misc.c>
209#endif
210
211
212enum {
213 RSA_STATE_NONE = 0,
214
215 RSA_STATE_ENCRYPT_PAD,
216 RSA_STATE_ENCRYPT_EXPTMOD,
217 RSA_STATE_ENCRYPT_RES,
218
219 RSA_STATE_DECRYPT_EXPTMOD,
220 RSA_STATE_DECRYPT_UNPAD,
221 RSA_STATE_DECRYPT_RES,
222};
223
224static void wc_RsaCleanup(RsaKey* key)
225{
226#ifndef WOLFSSL_RSA_VERIFY_INLINE
227 if (key && key->data) {
228 /* make sure any allocated memory is free'd */
229 if (key->dataIsAlloc) {
230 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
231 if (key->type == RSA_PRIVATE_DECRYPT ||
232 key->type == RSA_PRIVATE_ENCRYPT) {
233 ForceZero(key->data, key->dataLen);
234 }
235 #endif
236 XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
237 key->dataIsAlloc = 0;
238 }
239 key->data = NULL;
240 key->dataLen = 0;
241 }
242#else
243 (void)key;
244#endif
245}
246
247int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
248{
249 int ret = 0;
250
251 if (key == NULL) {
252 return BAD_FUNC_ARG;
253 }
254
255 XMEMSET(key, 0, sizeof(RsaKey));
256
257 key->type = RSA_TYPE_UNKNOWN;
258 key->state = RSA_STATE_NONE;
259 key->heap = heap;
260#ifndef WOLFSSL_RSA_VERIFY_INLINE
261 key->dataIsAlloc = 0;
262 key->data = NULL;
263#endif
264 key->dataLen = 0;
265#ifdef WC_RSA_BLINDING
266 key->rng = NULL;
267#endif
268
269#ifdef WOLF_CRYPTO_DEV
270 key->devId = devId;
271#else
272 (void)devId;
273#endif
274
275#ifdef WOLFSSL_ASYNC_CRYPT
276 #ifdef WOLFSSL_CERT_GEN
277 XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
278 #endif
279
280 #ifdef WC_ASYNC_ENABLE_RSA
281 /* handle as async */
282 ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA,
283 key->heap, devId);
284 if (ret != 0)
285 return ret;
286 #endif /* WC_ASYNC_ENABLE_RSA */
287#endif /* WOLFSSL_ASYNC_CRYPT */
288
289#ifndef WOLFSSL_RSA_PUBLIC_ONLY
290 ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
291 if (ret != MP_OKAY)
292 return ret;
293
294#if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)
295 ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL);
296#else
297 ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
298#endif
299 if (ret != MP_OKAY) {
300 mp_clear(&key->n);
301 mp_clear(&key->e);
302 return ret;
303 }
304#else
305 ret = mp_init(&key->n);
306 if (ret != MP_OKAY)
307 return ret;
308 ret = mp_init(&key->e);
309 if (ret != MP_OKAY) {
310 mp_clear(&key->n);
311 return ret;
312 }
313#endif
314
315#ifdef WOLFSSL_XILINX_CRYPT
316 key->pubExp = 0;
317 key->mod = NULL;
318#endif
319
320 return ret;
321}
322
323int wc_InitRsaKey(RsaKey* key, void* heap)
324{
325 return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
326}
327
328#ifdef HAVE_PKCS11
329int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
330 int devId)
331{
332 int ret = 0;
333
334 if (key == NULL)
335 ret = BAD_FUNC_ARG;
336 if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN))
337 ret = BUFFER_E;
338
339 if (ret == 0)
340 ret = wc_InitRsaKey_ex(key, heap, devId);
341
342 if (ret == 0 && id != NULL && len != 0) {
343 XMEMCPY(key->id, id, len);
344 key->idLen = len;
345 }
346
347 return ret;
348}
349#endif
350
351
352#ifdef WOLFSSL_XILINX_CRYPT
353#define MAX_E_SIZE 4
354/* Used to setup hardware state
355 *
356 * key the RSA key to setup
357 *
358 * returns 0 on success
359 */
360int wc_InitRsaHw(RsaKey* key)
361{
362 unsigned char* m; /* RSA modulous */
363 word32 e = 0; /* RSA public exponent */
364 int mSz;
365 int eSz;
366
367 if (key == NULL) {
368 return BAD_FUNC_ARG;
369 }
370
371 mSz = mp_unsigned_bin_size(&(key->n));
372 m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
373 if (m == 0) {
374 return MEMORY_E;
375 }
376
377 if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
378 WOLFSSL_MSG("Unable to get RSA key modulus");
379 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
380 return MP_READ_E;
381 }
382
383 eSz = mp_unsigned_bin_size(&(key->e));
384 if (eSz > MAX_E_SIZE) {
385 WOLFSSL_MSG("Exponent of size 4 bytes expected");
386 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
387 return BAD_FUNC_ARG;
388 }
389
390 if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
391 != MP_OKAY) {
392 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
393 WOLFSSL_MSG("Unable to get RSA key exponent");
394 return MP_READ_E;
395 }
396
397 /* check for existing mod buffer to avoid memory leak */
398 if (key->mod != NULL) {
399 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
400 }
401
402 key->pubExp = e;
403 key->mod = m;
404
405 if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
406 (byte*)&(key->pubExp)) != XST_SUCCESS) {
407 WOLFSSL_MSG("Unable to initialize RSA on hardware");
408 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
409 return BAD_STATE_E;
410 }
411
412#ifdef WOLFSSL_XILINX_PATCH
413 /* currently a patch of xsecure_rsa.c for 2048 bit keys */
414 if (wc_RsaEncryptSize(key) == 256) {
415 if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
416 WOLFSSL_MSG("Unable to set RSA key size on hardware");
417 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
418 return BAD_STATE_E;
419 }
420 }
421#endif
422
423 return 0;
424}
425#endif /* WOLFSSL_XILINX_CRYPT */
426
427int wc_FreeRsaKey(RsaKey* key)
428{
429 int ret = 0;
430
431 if (key == NULL) {
432 return BAD_FUNC_ARG;
433 }
434
435 wc_RsaCleanup(key);
436
437#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
438 wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
439#endif
440
441#ifndef WOLFSSL_RSA_PUBLIC_ONLY
442 if (key->type == RSA_PRIVATE) {
443#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
444 mp_forcezero(&key->u);
445 mp_forcezero(&key->dQ);
446 mp_forcezero(&key->dP);
447#endif
448 mp_forcezero(&key->q);
449 mp_forcezero(&key->p);
450 mp_forcezero(&key->d);
451 }
452 /* private part */
453#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
454 mp_clear(&key->u);
455 mp_clear(&key->dQ);
456 mp_clear(&key->dP);
457#endif
458 mp_clear(&key->q);
459 mp_clear(&key->p);
460 mp_clear(&key->d);
461#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
462
463 /* public part */
464 mp_clear(&key->e);
465 mp_clear(&key->n);
466
467#ifdef WOLFSSL_XILINX_CRYPT
468 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
469 key->mod = NULL;
470#endif
471
472 return ret;
473}
474
475#ifndef WOLFSSL_RSA_PUBLIC_ONLY
476/* Check the pair-wise consistency of the RSA key.
477 * From NIST SP 800-56B, section 6.4.1.1.
478 * Verify that k = (k^e)^d, for some k: 1 < k < n-1. */
479int wc_CheckRsaKey(RsaKey* key)
480{
481#ifdef WOLFSSL_SMALL_STACK
482 mp_int *k = NULL, *tmp = NULL;
483#else
484 mp_int k[1], tmp[1];
485#endif
486 int ret = 0;
487
488#ifdef WOLFSSL_SMALL_STACK
489 k = (mp_int*)XMALLOC(sizeof(mp_int) * 2, NULL, DYNAMIC_TYPE_RSA);
490 if (k == NULL)
491 return MEMORY_E;
492 tmp = k + 1;
493#endif
494
495 if (mp_init_multi(k, tmp, NULL, NULL, NULL, NULL) != MP_OKAY)
496 ret = MP_INIT_E;
497
498 if (ret == 0) {
499 if (key == NULL)
500 ret = BAD_FUNC_ARG;
501 }
502
503 if (ret == 0) {
504 if (mp_set_int(k, 0x2342) != MP_OKAY)
505 ret = MP_READ_E;
506 }
507
508#ifdef WOLFSSL_SP_RSA
509#ifndef WOLFSSL_SP_NO_2048
510 if (mp_count_bits(&key->n) == 2048) {
511 ret = sp_ModExp_2048(k, &key->e, &key->n, tmp);
512 if (ret != 0)
513 ret = MP_EXPTMOD_E;
514 ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp);
515 if (ret != 0)
516 ret = MP_EXPTMOD_E;
517 }
518 else
519#endif
520#ifndef WOLFSSL_SP_NO_3072
521 if (mp_count_bits(&key->n) == 3072) {
522 ret = sp_ModExp_3072(k, &key->e, &key->n, tmp);
523 if (ret != 0)
524 ret = MP_EXPTMOD_E;
525 ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp);
526 if (ret != 0)
527 ret = MP_EXPTMOD_E;
528 }
529 else
530#endif
531#endif
532#ifdef WOLFSSL_SP_MATH
533 {
534 ret = WC_KEY_SIZE_E;
535 }
536#else
537 {
538 if (ret == 0) {
539 if (mp_exptmod(k, &key->e, &key->n, tmp) != MP_OKAY)
540 ret = MP_EXPTMOD_E;
541 }
542
543 if (ret == 0) {
544 if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
545 ret = MP_EXPTMOD_E;
546 }
547 }
548#endif
549
550 if (ret == 0) {
551 if (mp_cmp(k, tmp) != MP_EQ)
552 ret = RSA_KEY_PAIR_E;
553 }
554
555 mp_forcezero(tmp);
556 mp_clear(tmp);
557 mp_clear(k);
558#ifdef WOLFSSL_SMALL_STACK
559 XFREE(k, NULL, DYNAMIC_TYPE_RSA);
560#endif
561
562 return ret;
563}
564#endif
565
566
567#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
568/* Uses MGF1 standard as a mask generation function
569 hType: hash type used
570 seed: seed to use for generating mask
571 seedSz: size of seed buffer
572 out: mask output after generation
573 outSz: size of output buffer
574 */
575static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
576 byte* out, word32 outSz, void* heap)
577{
578 byte* tmp;
579 /* needs to be large enough for seed size plus counter(4) */
580 byte tmpA[WC_MAX_DIGEST_SIZE + 4];
581 byte tmpF; /* 1 if dynamic memory needs freed */
582 word32 tmpSz;
583 int hLen;
584 int ret;
585 word32 counter;
586 word32 idx;
587 hLen = wc_HashGetDigestSize(hType);
588 counter = 0;
589 idx = 0;
590
591 (void)heap;
592
593 /* check error return of wc_HashGetDigestSize */
594 if (hLen < 0) {
595 return hLen;
596 }
597
598 /* if tmp is not large enough than use some dynamic memory */
599 if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
600 /* find largest amount of memory needed which will be the max of
601 * hLen and (seedSz + 4) since tmp is used to store the hash digest */
602 tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
603 tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
604 if (tmp == NULL) {
605 return MEMORY_E;
606 }
607 tmpF = 1; /* make sure to free memory when done */
608 }
609 else {
610 /* use array on the stack */
611 tmpSz = sizeof(tmpA);
612 tmp = tmpA;
613 tmpF = 0; /* no need to free memory at end */
614 }
615
616 do {
617 int i = 0;
618 XMEMCPY(tmp, seed, seedSz);
619
620 /* counter to byte array appended to tmp */
621 tmp[seedSz] = (counter >> 24) & 0xFF;
622 tmp[seedSz + 1] = (counter >> 16) & 0xFF;
623 tmp[seedSz + 2] = (counter >> 8) & 0xFF;
624 tmp[seedSz + 3] = (counter) & 0xFF;
625
626 /* hash and append to existing output */
627 if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) {
628 /* check for if dynamic memory was needed, then free */
629 if (tmpF) {
630 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
631 }
632 return ret;
633 }
634
635 for (i = 0; i < hLen && idx < outSz; i++) {
636 out[idx++] = tmp[i];
637 }
638 counter++;
639 } while (idx < outSz);
640
641 /* check for if dynamic memory was needed, then free */
642 if (tmpF) {
643 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
644 }
645
646 return 0;
647}
648
649/* helper function to direct which mask generation function is used
650 switeched on type input
651 */
652static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
653 word32 outSz, void* heap)
654{
655 int ret;
656
657 switch(type) {
658 #ifndef NO_SHA
659 case WC_MGF1SHA1:
660 ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
661 break;
662 #endif
663 #ifndef NO_SHA256
664 #ifdef WOLFSSL_SHA224
665 case WC_MGF1SHA224:
666 ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
667 break;
668 #endif
669 case WC_MGF1SHA256:
670 ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
671 break;
672 #endif
673 #ifdef WOLFSSL_SHA384
674 case WC_MGF1SHA384:
675 ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
676 break;
677 #endif
678 #ifdef WOLFSSL_SHA512
679 case WC_MGF1SHA512:
680 ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
681 break;
682 #endif
683 default:
684 WOLFSSL_MSG("Unknown MGF type: check build options");
685 ret = BAD_FUNC_ARG;
686 }
687
688 /* in case of default avoid unused warning */
689 (void)seed;
690 (void)seedSz;
691 (void)out;
692 (void)outSz;
693 (void)heap;
694
695 return ret;
696}
697#endif /* !WC_NO_RSA_OAEP */
698
699
700/* Padding */
701#ifndef WOLFSSL_RSA_VERIFY_ONLY
702#ifndef WC_NO_RNG
703#ifndef WC_NO_RSA_OAEP
704static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
705 word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
706 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
707 void* heap)
708{
709 int ret;
710 int hLen;
711 int psLen;
712 int i;
713 word32 idx;
714
715 byte* dbMask;
716
717 #ifdef WOLFSSL_SMALL_STACK
718 byte* lHash = NULL;
719 byte* seed = NULL;
720 #else
721 /* must be large enough to contain largest hash */
722 byte lHash[WC_MAX_DIGEST_SIZE];
723 byte seed[ WC_MAX_DIGEST_SIZE];
724 #endif
725
726 /* no label is allowed, but catch if no label provided and length > 0 */
727 if (optLabel == NULL && labelLen > 0) {
728 return BUFFER_E;
729 }
730
731 /* limit of label is the same as limit of hash function which is massive */
732 hLen = wc_HashGetDigestSize(hType);
733 if (hLen < 0) {
734 return hLen;
735 }
736
737 #ifdef WOLFSSL_SMALL_STACK
738 lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
739 if (lHash == NULL) {
740 return MEMORY_E;
741 }
742 seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
743 if (seed == NULL) {
744 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
745 return MEMORY_E;
746 }
747 #else
748 /* hLen should never be larger than lHash since size is max digest size,
749 but check before blindly calling wc_Hash */
750 if ((word32)hLen > sizeof(lHash)) {
751 WOLFSSL_MSG("OAEP lHash to small for digest!!");
752 return MEMORY_E;
753 }
754 #endif
755
756 if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
757 WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
758 #ifdef WOLFSSL_SMALL_STACK
759 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
760 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
761 #endif
762 return ret;
763 }
764
765 /* handles check of location for idx as well as psLen, cast to int to check
766 for pkcsBlockLen(k) - 2 * hLen - 2 being negative
767 This check is similar to decryption where k > 2 * hLen + 2 as msg
768 size approaches 0. In decryption if k is less than or equal -- then there
769 is no possible room for msg.
770 k = RSA key size
771 hLen = hash digest size -- will always be >= 0 at this point
772 */
773 if ((word32)(2 * hLen + 2) > pkcsBlockLen) {
774 WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
775 #ifdef WOLFSSL_SMALL_STACK
776 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
777 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
778 #endif
779 return BAD_FUNC_ARG;
780 }
781
782 if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
783 WOLFSSL_MSG("OAEP pad error message too long");
784 #ifdef WOLFSSL_SMALL_STACK
785 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
786 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
787 #endif
788 return BAD_FUNC_ARG;
789 }
790
791 /* concatenate lHash || PS || 0x01 || msg */
792 idx = pkcsBlockLen - 1 - inputLen;
793 psLen = pkcsBlockLen - inputLen - 2 * hLen - 2;
794 if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
795 #ifdef WOLFSSL_SMALL_STACK
796 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
797 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
798 #endif
799 return BUFFER_E;
800 }
801 XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
802 pkcsBlock[idx--] = 0x01; /* PS and M separator */
803 while (psLen > 0 && idx > 0) {
804 pkcsBlock[idx--] = 0x00;
805 psLen--;
806 }
807
808 idx = idx - hLen + 1;
809 XMEMCPY(pkcsBlock + idx, lHash, hLen);
810
811 /* generate random seed */
812 if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
813 #ifdef WOLFSSL_SMALL_STACK
814 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
815 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
816 #endif
817 return ret;
818 }
819
820 /* create maskedDB from dbMask */
821 dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
822 if (dbMask == NULL) {
823 #ifdef WOLFSSL_SMALL_STACK
824 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
825 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
826 #endif
827 return MEMORY_E;
828 }
829 XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
830
831 ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
832 if (ret != 0) {
833 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
834 #ifdef WOLFSSL_SMALL_STACK
835 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
836 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
837 #endif
838 return ret;
839 }
840
841 i = 0;
842 idx = hLen + 1;
843 while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) {
844 pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx];
845 idx++;
846 }
847 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
848
849
850 /* create maskedSeed from seedMask */
851 idx = 0;
852 pkcsBlock[idx++] = 0x00;
853 /* create seedMask inline */
854 if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
855 pkcsBlock + 1, hLen, heap)) != 0) {
856 #ifdef WOLFSSL_SMALL_STACK
857 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
858 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
859 #endif
860 return ret;
861 }
862
863 /* xor created seedMask with seed to make maskedSeed */
864 i = 0;
865 while (idx < (word32)(hLen + 1) && i < hLen) {
866 pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++];
867 idx++;
868 }
869
870 #ifdef WOLFSSL_SMALL_STACK
871 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
872 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
873 #endif
874 (void)padValue;
875
876 return 0;
877}
878#endif /* !WC_NO_RSA_OAEP */
879
880#ifdef WC_RSA_PSS
881
882/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
883 * XOR MGF over all bytes down to end of Salt
884 * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
885 *
886 * input Digest of the message.
887 * inputLen Length of digest.
888 * pkcsBlock Buffer to write to.
889 * pkcsBlockLen Length of buffer to write to.
890 * rng Random number generator (for salt).
891 * htype Hash function to use.
892 * mgf Mask generation function.
893 * saltLen Length of salt to put in padding.
894 * bits Length of key in bits.
895 * heap Used for dynamic memory allocation.
896 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid
897 * and other negative values on error.
898 */
899static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
900 word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
901 int saltLen, int bits, void* heap)
902{
903 int ret;
904 int hLen, i;
905 byte* s;
906 byte* m;
907 byte* h;
908 byte salt[WC_MAX_DIGEST_SIZE];
909
910 hLen = wc_HashGetDigestSize(hType);
911 if (hLen < 0)
912 return hLen;
913
914 if (saltLen == -1) {
915 saltLen = hLen;
916 #ifdef WOLFSSL_SHA512
917 /* See FIPS 186-4 section 5.5 item (e). */
918 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
919 saltLen = RSA_PSS_SALT_MAX_SZ;
920 #endif
921 }
922 else if (saltLen > hLen || saltLen < -1)
923 return PSS_SALTLEN_E;
924 if ((int)pkcsBlockLen - hLen < saltLen + 2)
925 return PSS_SALTLEN_E;
926
927 s = m = pkcsBlock;
928 XMEMSET(m, 0, RSA_PSS_PAD_SZ);
929 m += RSA_PSS_PAD_SZ;
930 XMEMCPY(m, input, inputLen);
931 m += inputLen;
932 if ((ret = wc_RNG_GenerateBlock(rng, salt, saltLen)) != 0)
933 return ret;
934 XMEMCPY(m, salt, saltLen);
935 m += saltLen;
936
937 h = pkcsBlock + pkcsBlockLen - 1 - hLen;
938 if ((ret = wc_Hash(hType, s, (word32)(m - s), h, hLen)) != 0)
939 return ret;
940 pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM;
941
942 ret = RsaMGF(mgf, h, hLen, pkcsBlock, pkcsBlockLen - hLen - 1, heap);
943 if (ret != 0)
944 return ret;
945 pkcsBlock[0] &= (1 << ((bits - 1) & 0x7)) - 1;
946
947 m = pkcsBlock + pkcsBlockLen - 1 - saltLen - hLen - 1;
948 *(m++) ^= 0x01;
949 for (i = 0; i < saltLen; i++)
950 m[i] ^= salt[i];
951
952 return 0;
953}
954#endif /* WC_RSA_PSS */
955
956static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
957 word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
958{
959 if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
960 pkcsBlockLen == 0) {
961 return BAD_FUNC_ARG;
962 }
963
964 pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
965 pkcsBlock++; pkcsBlockLen--;
966 pkcsBlock[0] = padValue; /* insert padValue */
967
968 if (padValue == RSA_BLOCK_TYPE_1) {
969 if (pkcsBlockLen < inputLen + 2) {
970 WOLFSSL_MSG("RsaPad error, invalid length");
971 return RSA_PAD_E;
972 }
973
974 /* pad with 0xff bytes */
975 XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
976 }
977 else {
978#ifndef WOLFSSL_RSA_VERIFY_ONLY
979 /* pad with non-zero random bytes */
980 word32 padLen, i;
981 int ret;
982
983 if (pkcsBlockLen < inputLen + 1) {
984 WOLFSSL_MSG("RsaPad error, invalid length");
985 return RSA_PAD_E;
986 }
987
988 padLen = pkcsBlockLen - inputLen - 1;
989 ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
990 if (ret != 0) {
991 return ret;
992 }
993
994 /* remove zeros */
995 for (i = 1; i < padLen; i++) {
996 if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
997 }
998#else
999 (void)rng;
1000 return RSA_WRONG_TYPE_E;
1001#endif
1002 }
1003
1004 pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
1005 XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
1006
1007 return 0;
1008}
1009#endif /* !WC_NO_RNG */
1010
1011/* helper function to direct which padding is used */
1012static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
1013 word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
1014 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
1015 int saltLen, int bits, void* heap)
1016{
1017 int ret;
1018
1019 switch (padType)
1020 {
1021#ifndef WC_NO_RNG
1022 case WC_RSA_PKCSV15_PAD:
1023 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
1024 ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
1025 padValue, rng);
1026 break;
1027
1028 #ifndef WC_NO_RSA_OAEP
1029 case WC_RSA_OAEP_PAD:
1030 WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
1031 ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
1032 padValue, rng, hType, mgf, optLabel, labelLen, heap);
1033 break;
1034 #endif
1035
1036 #ifdef WC_RSA_PSS
1037 case WC_RSA_PSS_PAD:
1038 WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
1039 ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
1040 hType, mgf, saltLen, bits, heap);
1041 break;
1042 #endif
1043#endif /* !WC_NO_RNG */
1044
1045 #ifdef WC_RSA_NO_PADDING
1046 case WC_RSA_NO_PAD:
1047 WOLFSSL_MSG("wolfSSL Using NO padding");
1048
1049 /* In the case of no padding being used check that input is exactly
1050 * the RSA key length */
1051 if (bits <= 0 || inputLen != ((word32)bits/WOLFSSL_BIT_SIZE)) {
1052 WOLFSSL_MSG("Bad input size");
1053 ret = RSA_PAD_E;
1054 }
1055 else {
1056 XMEMCPY(pkcsBlock, input, inputLen);
1057 ret = 0;
1058 }
1059 break;
1060 #endif
1061
1062 default:
1063 WOLFSSL_MSG("Unknown RSA Pad Type");
1064 ret = RSA_PAD_E;
1065 }
1066
1067 /* silence warning if not used with padding scheme */
1068 (void)input;
1069 (void)inputLen;
1070 (void)pkcsBlock;
1071 (void)pkcsBlockLen;
1072 (void)padValue;
1073 (void)rng;
1074 (void)padType;
1075 (void)hType;
1076 (void)mgf;
1077 (void)optLabel;
1078 (void)labelLen;
1079 (void)saltLen;
1080 (void)bits;
1081 (void)heap;
1082
1083 return ret;
1084}
1085#endif /* WOLFSSL_RSA_VERIFY_ONLY */
1086
1087
1088/* UnPadding */
1089#ifndef WC_NO_RSA_OAEP
1090/* UnPad plaintext, set start to *output, return length of plaintext,
1091 * < 0 on error */
1092static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
1093 byte **output, enum wc_HashType hType, int mgf,
1094 byte* optLabel, word32 labelLen, void* heap)
1095{
1096 int hLen;
1097 int ret;
1098 byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
1099 byte* tmp;
1100 word32 idx;
1101
1102 /* no label is allowed, but catch if no label provided and length > 0 */
1103 if (optLabel == NULL && labelLen > 0) {
1104 return BUFFER_E;
1105 }
1106
1107 hLen = wc_HashGetDigestSize(hType);
1108 if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) {
1109 return BAD_FUNC_ARG;
1110 }
1111
1112 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1113 if (tmp == NULL) {
1114 return MEMORY_E;
1115 }
1116 XMEMSET(tmp, 0, pkcsBlockLen);
1117
1118 /* find seedMask value */
1119 if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
1120 pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) {
1121 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1122 return ret;
1123 }
1124
1125 /* xor seedMask value with maskedSeed to get seed value */
1126 for (idx = 0; idx < (word32)hLen; idx++) {
1127 tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx];
1128 }
1129
1130 /* get dbMask value */
1131 if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen,
1132 pkcsBlockLen - hLen - 1, heap)) != 0) {
1133 XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
1134 return ret;
1135 }
1136
1137 /* get DB value by doing maskedDB xor dbMask */
1138 for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) {
1139 pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen];
1140 }
1141
1142 /* done with use of tmp buffer */
1143 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1144
1145 /* advance idx to index of PS and msg separator, account for PS size of 0*/
1146 idx = hLen + 1 + hLen;
1147 while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;}
1148
1149 /* create hash of label for comparison with hash sent */
1150 if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) {
1151 return ret;
1152 }
1153
1154 /* say no to chosen ciphertext attack.
1155 Comparison of lHash, Y, and separator value needs to all happen in
1156 constant time.
1157 Attackers should not be able to get error condition from the timing of
1158 these checks.
1159 */
1160 ret = 0;
1161 ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen);
1162 ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */
1163 ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */
1164
1165 /* Return 0 data length on error. */
1166 idx = ctMaskSelInt(ctMaskEq(ret, 0), idx, pkcsBlockLen);
1167
1168 /* adjust pointer to correct location in array and return size of M */
1169 *output = (byte*)(pkcsBlock + idx);
1170 return pkcsBlockLen - idx;
1171}
1172#endif /* WC_NO_RSA_OAEP */
1173
1174#ifdef WC_RSA_PSS
1175/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
1176 * MGF over all bytes down to end of Salt
1177 *
1178 * pkcsBlock Buffer holding decrypted data.
1179 * pkcsBlockLen Length of buffer.
1180 * htype Hash function to use.
1181 * mgf Mask generation function.
1182 * saltLen Length of salt to put in padding.
1183 * bits Length of key in bits.
1184 * heap Used for dynamic memory allocation.
1185 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid,
1186 * BAD_PADDING_E when the padding is not valid, MEMORY_E when allocation fails
1187 * and other negative values on error.
1188 */
1189static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
1190 byte **output, enum wc_HashType hType, int mgf,
1191 int saltLen, int bits, void* heap)
1192{
1193 int ret;
1194 byte* tmp;
1195 int hLen, i;
1196
1197 hLen = wc_HashGetDigestSize(hType);
1198 if (hLen < 0)
1199 return hLen;
1200
1201 if (saltLen == -1) {
1202 saltLen = hLen;
1203 #ifdef WOLFSSL_SHA512
1204 /* See FIPS 186-4 section 5.5 item (e). */
1205 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
1206 saltLen = RSA_PSS_SALT_MAX_SZ;
1207 #endif
1208 }
1209 else if (saltLen > hLen || saltLen < -1)
1210 return PSS_SALTLEN_E;
1211 if ((int)pkcsBlockLen - hLen < saltLen + 2)
1212 return PSS_SALTLEN_E;
1213
1214 if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
1215 WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error");
1216 return BAD_PADDING_E;
1217 }
1218
1219 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1220 if (tmp == NULL)
1221 return MEMORY_E;
1222
1223 if ((ret = RsaMGF(mgf, pkcsBlock + pkcsBlockLen - 1 - hLen, hLen,
1224 tmp, pkcsBlockLen - 1 - hLen, heap)) != 0) {
1225 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1226 return ret;
1227 }
1228
1229 tmp[0] &= (1 << ((bits - 1) & 0x7)) - 1;
1230 for (i = 0; i < (int)(pkcsBlockLen - 1 - saltLen - hLen - 1); i++) {
1231 if (tmp[i] != pkcsBlock[i]) {
1232 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1233 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
1234 return BAD_PADDING_E;
1235 }
1236 }
1237 if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
1238 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1239 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End");
1240 return BAD_PADDING_E;
1241 }
1242 for (i++; i < (int)(pkcsBlockLen - 1 - hLen); i++)
1243 pkcsBlock[i] ^= tmp[i];
1244
1245 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1246
1247 *output = pkcsBlock + pkcsBlockLen - (hLen + saltLen + 1);
1248 return saltLen + hLen;
1249}
1250#endif
1251
1252/* UnPad plaintext, set start to *output, return length of plaintext,
1253 * < 0 on error */
1254static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
1255 byte **output, byte padValue)
1256{
1257 int ret = BAD_FUNC_ARG;
1258 word32 i;
1259#ifndef WOLFSSL_RSA_VERIFY_ONLY
1260 byte invalid = 0;
1261#endif
1262
1263 if (output == NULL || pkcsBlockLen == 0) {
1264 return BAD_FUNC_ARG;
1265 }
1266
1267 if (padValue == RSA_BLOCK_TYPE_1) {
1268 /* First byte must be 0x00 and Second byte, block type, 0x01 */
1269 if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
1270 WOLFSSL_MSG("RsaUnPad error, invalid formatting");
1271 return RSA_PAD_E;
1272 }
1273
1274 /* check the padding until we find the separator */
1275 for (i = 2; i < pkcsBlockLen && pkcsBlock[i++] == 0xFF; ) { }
1276
1277 /* Minimum of 11 bytes of pre-message data and must have separator. */
1278 if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
1279 WOLFSSL_MSG("RsaUnPad error, bad formatting");
1280 return RSA_PAD_E;
1281 }
1282
1283 *output = (byte *)(pkcsBlock + i);
1284 ret = pkcsBlockLen - i;
1285 }
1286#ifndef WOLFSSL_RSA_VERIFY_ONLY
1287 else {
1288 word32 j;
1289 byte pastSep = 0;
1290
1291 /* Decrypted with private key - unpad must be constant time. */
1292 for (i = 0, j = 2; j < pkcsBlockLen; j++) {
1293 /* Update i if not passed the separator and at separator. */
1294 i |= (~pastSep) & ctMaskEq(pkcsBlock[j], 0x00) & (j + 1);
1295 pastSep |= ctMaskEq(pkcsBlock[j], 0x00);
1296 }
1297
1298 /* Minimum of 11 bytes of pre-message data - including leading 0x00. */
1299 invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
1300 /* Must have seen separator. */
1301 invalid |= ~pastSep;
1302 /* First byte must be 0x00. */
1303 invalid |= ctMaskNotEq(pkcsBlock[0], 0x00);
1304 /* Check against expected block type: padValue */
1305 invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
1306
1307 *output = (byte *)(pkcsBlock + i);
1308 ret = ((int)~invalid) & (pkcsBlockLen - i);
1309 }
1310#endif
1311
1312 return ret;
1313}
1314
1315/* helper function to direct unpadding
1316 *
1317 * bits is the key modulus size in bits
1318 */
1319static int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
1320 byte padValue, int padType, enum wc_HashType hType,
1321 int mgf, byte* optLabel, word32 labelLen, int saltLen,
1322 int bits, void* heap)
1323{
1324 int ret;
1325
1326 switch (padType) {
1327 case WC_RSA_PKCSV15_PAD:
1328 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
1329 ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue);
1330 break;
1331
1332 #ifndef WC_NO_RSA_OAEP
1333 case WC_RSA_OAEP_PAD:
1334 WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
1335 ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
1336 hType, mgf, optLabel, labelLen, heap);
1337 break;
1338 #endif
1339
1340 #ifdef WC_RSA_PSS
1341 case WC_RSA_PSS_PAD:
1342 WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
1343 ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
1344 saltLen, bits, heap);
1345 break;
1346 #endif
1347
1348 #ifdef WC_RSA_NO_PADDING
1349 case WC_RSA_NO_PAD:
1350 WOLFSSL_MSG("wolfSSL Using NO un-padding");
1351
1352 /* In the case of no padding being used check that input is exactly
1353 * the RSA key length */
1354 if (bits <= 0 || pkcsBlockLen != ((word32)bits/WOLFSSL_BIT_SIZE)) {
1355 WOLFSSL_MSG("Bad input size");
1356 ret = RSA_PAD_E;
1357 }
1358 else {
1359 if (out != NULL) {
1360 *out = pkcsBlock;
1361 }
1362 ret = pkcsBlockLen;
1363 }
1364 break;
1365 #endif /* WC_RSA_NO_PADDING */
1366
1367 default:
1368 WOLFSSL_MSG("Unknown RSA UnPad Type");
1369 ret = RSA_PAD_E;
1370 }
1371
1372 /* silence warning if not used with padding scheme */
1373 (void)hType;
1374 (void)mgf;
1375 (void)optLabel;
1376 (void)labelLen;
1377 (void)saltLen;
1378 (void)bits;
1379 (void)heap;
1380
1381 return ret;
1382}
1383
1384#if defined(WOLFSSL_XILINX_CRYPT)
1385/*
1386 * Xilinx hardened crypto acceleration.
1387 *
1388 * Returns 0 on success and negative values on error.
1389 */
1390static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out,
1391 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
1392{
1393 int ret = 0;
1394 word32 keyLen, len;
1395 (void)rng;
1396
1397 keyLen = wc_RsaEncryptSize(key);
1398 if (keyLen > *outLen) {
1399 WOLFSSL_MSG("Output buffer is not big enough");
1400 return BAD_FUNC_ARG;
1401 }
1402
1403 if (inLen != keyLen) {
1404 WOLFSSL_MSG("Expected that inLen equals RSA key length");
1405 return BAD_FUNC_ARG;
1406 }
1407
1408 switch(type) {
1409 case RSA_PRIVATE_DECRYPT:
1410 case RSA_PRIVATE_ENCRYPT:
1411 /* Currently public exponent is loaded by default.
1412 * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
1413 * leading to private key operations with Xsecure_RsaDecrypt not being
1414 * supported */
1415 ret = RSA_WRONG_TYPE_E;
1416 break;
1417 case RSA_PUBLIC_ENCRYPT:
1418 case RSA_PUBLIC_DECRYPT:
1419 if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
1420 ret = BAD_STATE_E;
1421 }
1422 break;
1423 default:
1424 ret = RSA_WRONG_TYPE_E;
1425 }
1426
1427 *outLen = keyLen;
1428
1429 return ret;
1430}
1431#endif /* WOLFSSL_XILINX_CRYPT */
1432
1433#ifdef WC_RSA_NONBLOCK
1434static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out,
1435 word32* outLen, int type, RsaKey* key)
1436{
1437 int ret = 0;
1438 word32 keyLen, len;
1439
1440 if (key == NULL || key->nb == NULL) {
1441 return BAD_FUNC_ARG;
1442 }
1443
1444 if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) {
1445 if (mp_init(&key->nb->tmp) != MP_OKAY) {
1446 ret = MP_INIT_E;
1447 }
1448
1449 if (ret == 0) {
1450 if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) {
1451 ret = MP_READ_E;
1452 }
1453 }
1454 }
1455
1456 if (ret == 0) {
1457 switch(type) {
1458 case RSA_PRIVATE_DECRYPT:
1459 case RSA_PRIVATE_ENCRYPT:
1460 ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d,
1461 &key->n, &key->nb->tmp);
1462 if (ret == FP_WOULDBLOCK)
1463 return ret;
1464 if (ret != MP_OKAY)
1465 ret = MP_EXPTMOD_E;
1466 break;
1467
1468 case RSA_PUBLIC_ENCRYPT:
1469 case RSA_PUBLIC_DECRYPT:
1470 ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e,
1471 &key->n, &key->nb->tmp);
1472 if (ret == FP_WOULDBLOCK)
1473 return ret;
1474 if (ret != MP_OKAY)
1475 ret = MP_EXPTMOD_E;
1476 break;
1477 default:
1478 ret = RSA_WRONG_TYPE_E;
1479 break;
1480 }
1481 }
1482
1483 if (ret == 0) {
1484 keyLen = wc_RsaEncryptSize(key);
1485 if (keyLen > *outLen)
1486 ret = RSA_BUFFER_E;
1487 }
1488 if (ret == 0) {
1489 len = mp_unsigned_bin_size(&key->nb->tmp);
1490
1491 /* pad front w/ zeros to match key length */
1492 while (len < keyLen) {
1493 *out++ = 0x00;
1494 len++;
1495 }
1496
1497 *outLen = keyLen;
1498
1499 /* convert */
1500 if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) {
1501 ret = MP_TO_E;
1502 }
1503 }
1504
1505 mp_clear(&key->nb->tmp);
1506
1507 return ret;
1508}
1509#endif /* WC_RSA_NONBLOCK */
1510
1511static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
1512 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
1513{
1514#ifndef WOLFSSL_SP_MATH
1515#ifdef WOLFSSL_SMALL_STACK
1516 mp_int* tmp = NULL;
1517#ifdef WC_RSA_BLINDING
1518 mp_int* rnd = NULL;
1519 mp_int* rndi = NULL;
1520#endif
1521#else
1522 mp_int tmp[1];
1523#ifdef WC_RSA_BLINDING
1524 mp_int rnd[1], rndi[1];
1525#endif
1526#endif
1527 int ret = 0;
1528 word32 keyLen = 0;
1529#endif
1530
1531#ifdef WOLFSSL_HAVE_SP_RSA
1532#ifndef WOLFSSL_SP_NO_2048
1533 if (mp_count_bits(&key->n) == 2048) {
1534 switch(type) {
1535#ifndef WOLFSSL_RSA_PUBLIC_ONLY
1536 case RSA_PRIVATE_DECRYPT:
1537 case RSA_PRIVATE_ENCRYPT:
1538 #ifdef WC_RSA_BLINDING
1539 if (rng == NULL)
1540 return MISSING_RNG_E;
1541 #endif
1542 #ifndef RSA_LOW_MEM
1543 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
1544 &key->dP, &key->dQ, &key->u, &key->n,
1545 out, outLen);
1546 #else
1547 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
1548 NULL, NULL, NULL, &key->n, out, outLen);
1549 #endif
1550#endif
1551 case RSA_PUBLIC_ENCRYPT:
1552 case RSA_PUBLIC_DECRYPT:
1553 return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
1554 }
1555 }
1556#endif
1557#ifndef WOLFSSL_SP_NO_3072
1558 if (mp_count_bits(&key->n) == 3072) {
1559 switch(type) {
1560#ifndef WOLFSSL_RSA_PUBLIC_ONLY
1561 case RSA_PRIVATE_DECRYPT:
1562 case RSA_PRIVATE_ENCRYPT:
1563 #ifdef WC_RSA_BLINDING
1564 if (rng == NULL)
1565 return MISSING_RNG_E;
1566 #endif
1567 #ifndef RSA_LOW_MEM
1568 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
1569 &key->dP, &key->dQ, &key->u, &key->n,
1570 out, outLen);
1571 #else
1572 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
1573 NULL, NULL, NULL, &key->n, out, outLen);
1574 #endif
1575#endif
1576 case RSA_PUBLIC_ENCRYPT:
1577 case RSA_PUBLIC_DECRYPT:
1578 return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
1579 }
1580 }
1581#endif
1582#endif /* WOLFSSL_HAVE_SP_RSA */
1583
1584#ifdef WOLFSSL_SP_MATH
1585 (void)rng;
1586 return WC_KEY_SIZE_E;
1587#else
1588 (void)rng;
1589
1590#ifdef WOLFSSL_SMALL_STACK
1591 tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
1592 if (tmp == NULL)
1593 return MEMORY_E;
1594#ifdef WC_RSA_BLINDING
1595 rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
1596 if (rnd == NULL) {
1597 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
1598 return MEMORY_E;
1599 }
1600 rndi = rnd + 1;
1601#endif /* WC_RSA_BLINDING */
1602#endif /* WOLFSSL_SMALL_STACK */
1603
1604 if (mp_init(tmp) != MP_OKAY)
1605 ret = MP_INIT_E;
1606
1607#ifdef WC_RSA_BLINDING
1608 if (ret == 0) {
1609 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
1610 if (mp_init_multi(rnd, rndi, NULL, NULL, NULL, NULL) != MP_OKAY) {
1611 mp_clear(tmp);
1612 ret = MP_INIT_E;
1613 }
1614 }
1615 }
1616#endif
1617
1618#ifndef TEST_UNPAD_CONSTANT_TIME
1619 if (ret == 0 && mp_read_unsigned_bin(tmp, (byte*)in, inLen) != MP_OKAY)
1620 ret = MP_READ_E;
1621
1622 if (ret == 0) {
1623 switch(type) {
1624 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
1625 case RSA_PRIVATE_DECRYPT:
1626 case RSA_PRIVATE_ENCRYPT:
1627 {
1628 #if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
1629 /* blind */
1630 ret = mp_rand(rnd, get_digit_count(&key->n), rng);
1631
1632 /* rndi = 1/rnd mod n */
1633 if (ret == 0 && mp_invmod(rnd, &key->n, rndi) != MP_OKAY)
1634 ret = MP_INVMOD_E;
1635
1636 /* rnd = rnd^e */
1637 if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY)
1638 ret = MP_EXPTMOD_E;
1639
1640 /* tmp = tmp*rnd mod n */
1641 if (ret == 0 && mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY)
1642 ret = MP_MULMOD_E;
1643 #endif /* WC_RSA_BLINDING && !WC_NO_RNG */
1644
1645 #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
1646 if (ret == 0 && mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
1647 ret = MP_EXPTMOD_E;
1648 #else
1649 if (ret == 0) {
1650 #ifdef WOLFSSL_SMALL_STACK
1651 mp_int* tmpa = NULL;
1652 mp_int* tmpb = NULL;
1653 #else
1654 mp_int tmpa[1], tmpb[1];
1655 #endif
1656 int cleara = 0, clearb = 0;
1657
1658 #ifdef WOLFSSL_SMALL_STACK
1659 tmpa = XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
1660 if (tmpa != NULL)
1661 tmpb = tmpa + 1;
1662 else
1663 ret = MEMORY_E;
1664 #endif
1665
1666 if (ret == 0) {
1667 if (mp_init(tmpa) != MP_OKAY)
1668 ret = MP_INIT_E;
1669 else
1670 cleara = 1;
1671 }
1672
1673 if (ret == 0) {
1674 if (mp_init(tmpb) != MP_OKAY)
1675 ret = MP_INIT_E;
1676 else
1677 clearb = 1;
1678 }
1679
1680 /* tmpa = tmp^dP mod p */
1681 if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p,
1682 tmpa) != MP_OKAY)
1683 ret = MP_EXPTMOD_E;
1684
1685 /* tmpb = tmp^dQ mod q */
1686 if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q,
1687 tmpb) != MP_OKAY)
1688 ret = MP_EXPTMOD_E;
1689
1690 /* tmp = (tmpa - tmpb) * qInv (mod p) */
1691 if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY)
1692 ret = MP_SUB_E;
1693
1694 if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p,
1695 tmp) != MP_OKAY)
1696 ret = MP_MULMOD_E;
1697
1698 /* tmp = tmpb + q * tmp */
1699 if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY)
1700 ret = MP_MUL_E;
1701
1702 if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY)
1703 ret = MP_ADD_E;
1704
1705 #ifdef WOLFSSL_SMALL_STACK
1706 if (tmpa != NULL)
1707 #endif
1708 {
1709 if (cleara)
1710 mp_clear(tmpa);
1711 if (clearb)
1712 mp_clear(tmpb);
1713 #ifdef WOLFSSL_SMALL_STACK
1714 XFREE(tmpa, key->heap, DYNAMIC_TYPE_RSA);
1715 #endif
1716 }
1717 } /* tmpa/b scope */
1718 #endif /* RSA_LOW_MEM */
1719
1720 #ifdef WC_RSA_BLINDING
1721 /* unblind */
1722 if (ret == 0 && mp_mulmod(tmp, rndi, &key->n, tmp) != MP_OKAY)
1723 ret = MP_MULMOD_E;
1724 #endif /* WC_RSA_BLINDING */
1725
1726 break;
1727 }
1728 #endif
1729 case RSA_PUBLIC_ENCRYPT:
1730 case RSA_PUBLIC_DECRYPT:
1731 #ifdef WOLFSSL_XILINX_CRYPT
1732 ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng);
1733 #else
1734 if (mp_exptmod(tmp, &key->e, &key->n, tmp) != MP_OKAY)
1735 ret = MP_EXPTMOD_E;
1736 break;
1737 #endif
1738 default:
1739 ret = RSA_WRONG_TYPE_E;
1740 break;
1741 }
1742 }
1743
1744 if (ret == 0) {
1745 keyLen = wc_RsaEncryptSize(key);
1746 if (keyLen > *outLen)
1747 ret = RSA_BUFFER_E;
1748 }
1749 if (ret == 0) {
1750 *outLen = keyLen;
1751 if (mp_to_unsigned_bin_len(tmp, out, keyLen) != MP_OKAY)
1752 ret = MP_TO_E;
1753 }
1754#else
1755 (void)type;
1756 (void)key;
1757 (void)keyLen;
1758 XMEMCPY(out, in, inLen);
1759 *outLen = inLen;
1760#endif
1761
1762 mp_clear(tmp);
1763#ifdef WOLFSSL_SMALL_STACK
1764 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
1765#endif
1766#ifdef WC_RSA_BLINDING
1767 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
1768 mp_clear(rndi);
1769 mp_clear(rnd);
1770 }
1771#ifdef WOLFSSL_SMALL_STACK
1772 XFREE(rnd, key->heap, DYNAMIC_TYPE_RSA);
1773#endif
1774#endif /* WC_RSA_BLINDING */
1775 return ret;
1776#endif /* WOLFSSL_SP_MATH */
1777}
1778
1779#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
1780static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
1781 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
1782{
1783 int ret = 0;
1784
1785 (void)rng;
1786
1787#ifdef WOLFSSL_ASYNC_CRYPT_TEST
1788 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_FUNC)) {
1789 WC_ASYNC_TEST* testDev = &key->asyncDev.test;
1790 testDev->rsaFunc.in = in;
1791 testDev->rsaFunc.inSz = inLen;
1792 testDev->rsaFunc.out = out;
1793 testDev->rsaFunc.outSz = outLen;
1794 testDev->rsaFunc.type = type;
1795 testDev->rsaFunc.key = key;
1796 testDev->rsaFunc.rng = rng;
1797 return WC_PENDING_E;
1798 }
1799#endif /* WOLFSSL_ASYNC_CRYPT_TEST */
1800
1801 switch(type) {
1802#ifndef WOLFSSL_RSA_PUBLIC_ONLY
1803 case RSA_PRIVATE_DECRYPT:
1804 case RSA_PRIVATE_ENCRYPT:
1805 #ifdef HAVE_CAVIUM
1806 key->dataLen = key->n.raw.len;
1807 ret = NitroxRsaExptMod(in, inLen,
1808 key->d.raw.buf, key->d.raw.len,
1809 key->n.raw.buf, key->n.raw.len,
1810 out, outLen, key);
1811 #elif defined(HAVE_INTEL_QA)
1812 #ifdef RSA_LOW_MEM
1813 ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
1814 &key->d.raw, &key->n.raw,
1815 out, outLen);
1816 #else
1817 ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
1818 &key->p.raw, &key->q.raw,
1819 &key->dP.raw, &key->dQ.raw,
1820 &key->u.raw,
1821 out, outLen);
1822 #endif
1823 #else /* WOLFSSL_ASYNC_CRYPT_TEST */
1824 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
1825 #endif
1826 break;
1827#endif
1828
1829 case RSA_PUBLIC_ENCRYPT:
1830 case RSA_PUBLIC_DECRYPT:
1831 #ifdef HAVE_CAVIUM
1832 key->dataLen = key->n.raw.len;
1833 ret = NitroxRsaExptMod(in, inLen,
1834 key->e.raw.buf, key->e.raw.len,
1835 key->n.raw.buf, key->n.raw.len,
1836 out, outLen, key);
1837 #elif defined(HAVE_INTEL_QA)
1838 ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
1839 &key->e.raw, &key->n.raw,
1840 out, outLen);
1841 #else /* WOLFSSL_ASYNC_CRYPT_TEST */
1842 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
1843 #endif
1844 break;
1845
1846 default:
1847 ret = RSA_WRONG_TYPE_E;
1848 }
1849
1850 return ret;
1851}
1852#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
1853
1854#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING)
1855/* Function that does the RSA operation directly with no padding.
1856 *
1857 * in buffer to do operation on
1858 * inLen length of input buffer
1859 * out buffer to hold results
1860 * outSz gets set to size of result buffer. Should be passed in as length
1861 * of out buffer. If the pointer "out" is null then outSz gets set to
1862 * the expected buffer size needed and LENGTH_ONLY_E gets returned.
1863 * key RSA key to use for encrypt/decrypt
1864 * type if using private or public key {RSA_PUBLIC_ENCRYPT,
1865 * RSA_PUBLIC_DECRYPT, RSA_PRIVATE_ENCRYPT, RSA_PRIVATE_DECRYPT}
1866 * rng wolfSSL RNG to use if needed
1867 *
1868 * returns size of result on success
1869 */
1870int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz,
1871 RsaKey* key, int type, WC_RNG* rng)
1872{
1873 int ret;
1874
1875 if (in == NULL || outSz == NULL || key == NULL) {
1876 return BAD_FUNC_ARG;
1877 }
1878
1879 /* sanity check on type of RSA operation */
1880 switch (type) {
1881 case RSA_PUBLIC_ENCRYPT:
1882 case RSA_PUBLIC_DECRYPT:
1883 case RSA_PRIVATE_ENCRYPT:
1884 case RSA_PRIVATE_DECRYPT:
1885 break;
1886 default:
1887 WOLFSSL_MSG("Bad RSA type");
1888 return BAD_FUNC_ARG;
1889 }
1890
1891 if ((ret = wc_RsaEncryptSize(key)) < 0) {
1892 return BAD_FUNC_ARG;
1893 }
1894
1895 if (inLen != (word32)ret) {
1896 WOLFSSL_MSG("Bad input length. Should be RSA key size");
1897 return BAD_FUNC_ARG;
1898 }
1899
1900 if (out == NULL) {
1901 *outSz = inLen;
1902 return LENGTH_ONLY_E;
1903 }
1904
1905 switch (key->state) {
1906 case RSA_STATE_NONE:
1907 case RSA_STATE_ENCRYPT_PAD:
1908 case RSA_STATE_ENCRYPT_EXPTMOD:
1909 case RSA_STATE_DECRYPT_EXPTMOD:
1910 case RSA_STATE_DECRYPT_UNPAD:
1911 key->state = (type == RSA_PRIVATE_ENCRYPT ||
1912 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD:
1913 RSA_STATE_DECRYPT_EXPTMOD;
1914
1915 key->dataLen = *outSz;
1916
1917 ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng);
1918 if (ret >= 0 || ret == WC_PENDING_E) {
1919 key->state = (type == RSA_PRIVATE_ENCRYPT ||
1920 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES:
1921 RSA_STATE_DECRYPT_RES;
1922 }
1923 if (ret < 0) {
1924 break;
1925 }
1926
1927 FALL_THROUGH;
1928
1929 case RSA_STATE_ENCRYPT_RES:
1930 case RSA_STATE_DECRYPT_RES:
1931 ret = key->dataLen;
1932 break;
1933
1934 default:
1935 ret = BAD_STATE_E;
1936 }
1937
1938 /* if async pending then skip cleanup*/
1939 if (ret == WC_PENDING_E
1940 #ifdef WC_RSA_NONBLOCK
1941 || ret == FP_WOULDBLOCK
1942 #endif
1943 ) {
1944 return ret;
1945 }
1946
1947 key->state = RSA_STATE_NONE;
1948 wc_RsaCleanup(key);
1949
1950 return ret;
1951}
1952#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */
1953
1954
1955int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
1956 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
1957{
1958 int ret = 0;
1959
1960 if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
1961 outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
1962 return BAD_FUNC_ARG;
1963 }
1964
1965#ifdef WOLF_CRYPTO_DEV
1966 if (key->devId != INVALID_DEVID) {
1967 ret = wc_CryptoDev_Rsa(in, inLen, out, outLen, type, key, rng);
1968 if (ret != NOT_COMPILED_IN)
1969 return ret;
1970 ret = 0; /* reset error code and try using software */
1971 }
1972#endif
1973
1974#ifndef TEST_UNPAD_CONSTANT_TIME
1975#ifndef NO_RSA_BOUNDS_CHECK
1976 if (type == RSA_PRIVATE_DECRYPT &&
1977 key->state == RSA_STATE_DECRYPT_EXPTMOD) {
1978
1979 /* Check that 1 < in < n-1. (Requirement of 800-56B.) */
1980#ifdef WOLFSSL_SMALL_STACK
1981 mp_int* c = NULL;
1982#else
1983 mp_int c[1];
1984#endif
1985
1986#ifdef WOLFSSL_SMALL_STACK
1987 c = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
1988 if (c == NULL)
1989 ret = MEMORY_E;
1990#endif
1991
1992 if (mp_init(c) != MP_OKAY)
1993 ret = MEMORY_E;
1994 if (ret == 0) {
1995 if (mp_read_unsigned_bin(c, in, inLen) != 0)
1996 ret = MP_READ_E;
1997 }
1998 if (ret == 0) {
1999 /* check c > 1 */
2000 if (mp_cmp_d(c, 1) != MP_GT)
2001 ret = RSA_OUT_OF_RANGE_E;
2002 }
2003 if (ret == 0) {
2004 /* add c+1 */
2005 if (mp_add_d(c, 1, c) != MP_OKAY)
2006 ret = MP_ADD_E;
2007 }
2008 if (ret == 0) {
2009 /* check c+1 < n */
2010 if (mp_cmp(c, &key->n) != MP_LT)
2011 ret = RSA_OUT_OF_RANGE_E;
2012 }
2013 mp_clear(c);
2014
2015#ifdef WOLFSSL_SMALL_STACK
2016 XFREE(c, key->heap, DYNAMIC_TYPE_RSA);
2017#endif
2018
2019 if (ret != 0)
2020 return ret;
2021 }
2022#endif /* NO_RSA_BOUNDS_CHECK */
2023#endif
2024
2025#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
2026 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2027 key->n.raw.len > 0) {
2028 ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
2029 }
2030 else
2031#endif
2032#ifdef WC_RSA_NONBLOCK
2033 if (key->nb) {
2034 ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
2035 }
2036 else
2037#endif
2038 {
2039 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
2040 }
2041
2042 /* handle error */
2043 if (ret < 0 && ret != WC_PENDING_E
2044 #ifdef WC_RSA_NONBLOCK
2045 && ret != FP_WOULDBLOCK
2046 #endif
2047 ) {
2048 if (ret == MP_EXPTMOD_E) {
2049 /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
2050 WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
2051 }
2052
2053 key->state = RSA_STATE_NONE;
2054 wc_RsaCleanup(key);
2055 }
2056
2057 return ret;
2058}
2059
2060
2061#ifndef WOLFSSL_RSA_VERIFY_ONLY
2062/* Internal Wrappers */
2063/* Gives the option of choosing padding type
2064 in : input to be encrypted
2065 inLen: length of input buffer
2066 out: encrypted output
2067 outLen: length of encrypted output buffer
2068 key : wolfSSL initialized RSA key struct
2069 rng : wolfSSL initialized random number struct
2070 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
2071 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
2072 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
2073 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
2074 WC_RSA_NO_PAD or WC_RSA_PSS_PAD
2075 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
2076 mgf : type of mask generation function to use
2077 label : optional label
2078 labelSz : size of optional label buffer
2079 saltLen : Length of salt used in PSS
2080 rng : random number generator */
2081static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
2082 word32 outLen, RsaKey* key, int rsa_type,
2083 byte pad_value, int pad_type,
2084 enum wc_HashType hash, int mgf,
2085 byte* label, word32 labelSz, int saltLen,
2086 WC_RNG* rng)
2087{
2088 int ret, sz;
2089
2090 if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
2091 return BAD_FUNC_ARG;
2092 }
2093
2094 sz = wc_RsaEncryptSize(key);
2095 if (sz > (int)outLen) {
2096 return RSA_BUFFER_E;
2097 }
2098
2099 if (sz < RSA_MIN_PAD_SZ) {
2100 return WC_KEY_SIZE_E;
2101 }
2102
2103 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
2104#ifdef WC_RSA_NO_PADDING
2105 /* In the case that no padding is used the input length can and should
2106 * be the same size as the RSA key. */
2107 if (pad_type != WC_RSA_NO_PAD)
2108#endif
2109 return RSA_BUFFER_E;
2110 }
2111
2112 switch (key->state) {
2113 case RSA_STATE_NONE:
2114 case RSA_STATE_ENCRYPT_PAD:
2115 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
2116 defined(HAVE_CAVIUM)
2117 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2118 pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) {
2119 /* Async operations that include padding */
2120 if (rsa_type == RSA_PUBLIC_ENCRYPT &&
2121 pad_value == RSA_BLOCK_TYPE_2) {
2122 key->state = RSA_STATE_ENCRYPT_RES;
2123 key->dataLen = key->n.raw.len;
2124 return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
2125 }
2126 else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
2127 pad_value == RSA_BLOCK_TYPE_1) {
2128 key->state = RSA_STATE_ENCRYPT_RES;
2129 key->dataLen = key->n.raw.len;
2130 return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
2131 }
2132 }
2133 #endif
2134
2135 key->state = RSA_STATE_ENCRYPT_PAD;
2136 ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash,
2137 mgf, label, labelSz, saltLen, mp_count_bits(&key->n),
2138 key->heap);
2139 if (ret < 0) {
2140 break;
2141 }
2142
2143 key->state = RSA_STATE_ENCRYPT_EXPTMOD;
2144 FALL_THROUGH;
2145
2146 case RSA_STATE_ENCRYPT_EXPTMOD:
2147
2148 key->dataLen = outLen;
2149 ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng);
2150
2151 if (ret >= 0 || ret == WC_PENDING_E) {
2152 key->state = RSA_STATE_ENCRYPT_RES;
2153 }
2154 if (ret < 0) {
2155 break;
2156 }
2157
2158 FALL_THROUGH;
2159
2160 case RSA_STATE_ENCRYPT_RES:
2161 ret = key->dataLen;
2162 break;
2163
2164 default:
2165 ret = BAD_STATE_E;
2166 break;
2167 }
2168
2169 /* if async pending then return and skip done cleanup below */
2170 if (ret == WC_PENDING_E
2171 #ifdef WC_RSA_NONBLOCK
2172 || ret == FP_WOULDBLOCK
2173 #endif
2174 ) {
2175 return ret;
2176 }
2177
2178 key->state = RSA_STATE_NONE;
2179 wc_RsaCleanup(key);
2180
2181 return ret;
2182}
2183#endif
2184
2185/* Gives the option of choosing padding type
2186 in : input to be decrypted
2187 inLen: length of input buffer
2188 out: decrypted message
2189 outLen: length of decrypted message in bytes
2190 outPtr: optional inline output pointer (if provided doing inline)
2191 key : wolfSSL initialized RSA key struct
2192 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
2193 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
2194 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
2195 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
2196 WC_RSA_NO_PAD, WC_RSA_PSS_PAD
2197 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
2198 mgf : type of mask generation function to use
2199 label : optional label
2200 labelSz : size of optional label buffer
2201 saltLen : Length of salt used in PSS
2202 rng : random number generator */
2203static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
2204 word32 outLen, byte** outPtr, RsaKey* key,
2205 int rsa_type, byte pad_value, int pad_type,
2206 enum wc_HashType hash, int mgf,
2207 byte* label, word32 labelSz, int saltLen,
2208 WC_RNG* rng)
2209{
2210 int ret = RSA_WRONG_TYPE_E;
2211
2212 if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
2213 return BAD_FUNC_ARG;
2214 }
2215
2216 switch (key->state) {
2217 case RSA_STATE_NONE:
2218 key->dataLen = inLen;
2219
2220 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
2221 defined(HAVE_CAVIUM)
2222 /* Async operations that include padding */
2223 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2224 pad_type != WC_RSA_PSS_PAD) {
2225#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2226 if (rsa_type == RSA_PRIVATE_DECRYPT &&
2227 pad_value == RSA_BLOCK_TYPE_2) {
2228 key->state = RSA_STATE_DECRYPT_RES;
2229 key->data = NULL;
2230 return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
2231 key);
2232#endif
2233 }
2234 else if (rsa_type == RSA_PUBLIC_DECRYPT &&
2235 pad_value == RSA_BLOCK_TYPE_1) {
2236 key->state = RSA_STATE_DECRYPT_RES;
2237 key->data = NULL;
2238 return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
2239 }
2240 }
2241 #endif
2242
2243#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2244 /* verify the tmp ptr is NULL, otherwise indicates bad state */
2245 if (key->data != NULL) {
2246 ret = BAD_STATE_E;
2247 break;
2248 }
2249
2250 /* if not doing this inline then allocate a buffer for it */
2251 if (outPtr == NULL) {
2252 key->data = (byte*)XMALLOC(inLen, key->heap,
2253 DYNAMIC_TYPE_WOLF_BIGINT);
2254 key->dataIsAlloc = 1;
2255 if (key->data == NULL) {
2256 ret = MEMORY_E;
2257 break;
2258 }
2259 XMEMCPY(key->data, in, inLen);
2260 }
2261 else {
2262 key->data = out;
2263 }
2264#endif
2265
2266 key->state = RSA_STATE_DECRYPT_EXPTMOD;
2267 FALL_THROUGH;
2268
2269 case RSA_STATE_DECRYPT_EXPTMOD:
2270#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2271 ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen,
2272 rsa_type, key, rng);
2273#else
2274 ret = wc_RsaFunction(out, inLen, out, &key->dataLen, rsa_type, key,
2275 rng);
2276#endif
2277
2278 if (ret >= 0 || ret == WC_PENDING_E) {
2279 key->state = RSA_STATE_DECRYPT_UNPAD;
2280 }
2281 if (ret < 0) {
2282 break;
2283 }
2284
2285 FALL_THROUGH;
2286
2287 case RSA_STATE_DECRYPT_UNPAD:
2288 {
2289 byte* pad = NULL;
2290#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2291 ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
2292 hash, mgf, label, labelSz, saltLen,
2293 mp_count_bits(&key->n), key->heap);
2294#else
2295 ret = wc_RsaUnPad_ex(out, key->dataLen, &pad, pad_value, pad_type, hash,
2296 mgf, label, labelSz, saltLen,
2297 mp_count_bits(&key->n), key->heap);
2298#endif
2299 if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
2300 ret = RSA_BUFFER_E;
2301 else if (ret >= 0 && pad != NULL) {
2302#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
2303 signed char c;
2304#endif
2305
2306 /* only copy output if not inline */
2307 if (outPtr == NULL) {
2308#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
2309 word32 i, j;
2310 int start = (int)((size_t)pad - (size_t)key->data);
2311
2312 for (i = 0, j = 0; j < key->dataLen; j++) {
2313 out[i] = key->data[j];
2314 c = ctMaskGTE(j, start);
2315 c &= ctMaskLT(i, outLen);
2316 /* 0 - no add, -1 add */
2317 i += -c;
2318 }
2319#else
2320 XMEMCPY(out, pad, ret);
2321#endif
2322 }
2323 else
2324 *outPtr = pad;
2325
2326#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
2327 ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E);
2328 ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E);
2329#else
2330 if (outLen < (word32)ret)
2331 ret = RSA_BUFFER_E;
2332#endif
2333 }
2334
2335 key->state = RSA_STATE_DECRYPT_RES;
2336
2337 FALL_THROUGH;
2338 }
2339 case RSA_STATE_DECRYPT_RES:
2340 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
2341 defined(HAVE_CAVIUM)
2342 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2343 pad_type != WC_RSA_PSS_PAD) {
2344 if (ret > 0) {
2345 /* convert result */
2346 byte* dataLen = (byte*)&key->dataLen;
2347 ret = (dataLen[0] << 8) | (dataLen[1]);
2348
2349 if (outPtr)
2350 *outPtr = in;
2351 }
2352 }
2353 #endif
2354 break;
2355
2356 default:
2357 ret = BAD_STATE_E;
2358 break;
2359 }
2360
2361 /* if async pending then return and skip done cleanup below */
2362 if (ret == WC_PENDING_E
2363 #ifdef WC_RSA_NONBLOCK
2364 || ret == FP_WOULDBLOCK
2365 #endif
2366 ) {
2367 return ret;
2368 }
2369
2370 key->state = RSA_STATE_NONE;
2371 wc_RsaCleanup(key);
2372
2373 return ret;
2374}
2375
2376
2377#ifndef WOLFSSL_RSA_VERIFY_ONLY
2378/* Public RSA Functions */
2379int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
2380 RsaKey* key, WC_RNG* rng)
2381{
2382 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
2383 RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
2384 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2385}
2386
2387
2388#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
2389int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
2390 word32 outLen, RsaKey* key, WC_RNG* rng, int type,
2391 enum wc_HashType hash, int mgf, byte* label,
2392 word32 labelSz)
2393{
2394 return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
2395 RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
2396}
2397#endif /* WC_NO_RSA_OAEP */
2398#endif
2399
2400
2401#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2402int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
2403{
2404 WC_RNG* rng = NULL;
2405#ifdef WC_RSA_BLINDING
2406 rng = key->rng;
2407#endif
2408 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
2409 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
2410 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2411}
2412
2413
2414#ifndef WC_NO_RSA_OAEP
2415int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
2416 RsaKey* key, int type, enum wc_HashType hash,
2417 int mgf, byte* label, word32 labelSz)
2418{
2419 WC_RNG* rng = NULL;
2420#ifdef WC_RSA_BLINDING
2421 rng = key->rng;
2422#endif
2423 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
2424 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
2425 mgf, label, labelSz, 0, rng);
2426}
2427#endif /* WC_NO_RSA_OAEP */
2428
2429
2430int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
2431 word32 outLen, RsaKey* key)
2432{
2433 WC_RNG* rng = NULL;
2434#ifdef WC_RSA_BLINDING
2435 rng = key->rng;
2436#endif
2437 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
2438 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
2439 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2440}
2441
2442#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
2443int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
2444 word32 outLen, RsaKey* key, int type,
2445 enum wc_HashType hash, int mgf, byte* label,
2446 word32 labelSz)
2447{
2448 WC_RNG* rng = NULL;
2449#ifdef WC_RSA_BLINDING
2450 rng = key->rng;
2451#endif
2452 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
2453 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
2454 labelSz, 0, rng);
2455}
2456#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
2457#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2458
2459
2460int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
2461{
2462 WC_RNG* rng = NULL;
2463#ifdef WC_RSA_BLINDING
2464 rng = key->rng;
2465#endif
2466 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
2467 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
2468 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2469}
2470
2471#ifndef WOLFSSL_RSA_VERIFY_ONLY
2472int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
2473 RsaKey* key)
2474{
2475 WC_RNG* rng;
2476
2477 if (key == NULL) {
2478 return BAD_FUNC_ARG;
2479 }
2480
2481 rng = NULL;
2482#ifdef WC_RSA_BLINDING
2483 rng = key->rng;
2484#endif
2485 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
2486 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
2487 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2488}
2489#endif
2490
2491#ifdef WC_RSA_PSS
2492/* Verify the message signed with RSA-PSS.
2493 * The input buffer is reused for the ouput buffer.
2494 * Salt length is equal to hash length.
2495 *
2496 * in Buffer holding encrypted data.
2497 * inLen Length of data in buffer.
2498 * out Pointer to address containing the PSS data.
2499 * hash Hash algorithm.
2500 * mgf Mask generation function.
2501 * key Public RSA key.
2502 * returns the length of the PSS data on success and negative indicates failure.
2503 */
2504int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
2505 enum wc_HashType hash, int mgf, RsaKey* key)
2506{
2507 return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, -1, key);
2508}
2509
2510/* Verify the message signed with RSA-PSS.
2511 * The input buffer is reused for the ouput buffer.
2512 *
2513 * in Buffer holding encrypted data.
2514 * inLen Length of data in buffer.
2515 * out Pointer to address containing the PSS data.
2516 * hash Hash algorithm.
2517 * mgf Mask generation function.
2518 * key Public RSA key.
2519 * saltLen Length of salt used. -1 indicates salt length is the same as the
2520 * hash length.
2521 * returns the length of the PSS data on success and negative indicates failure.
2522 */
2523int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out,
2524 enum wc_HashType hash, int mgf, int saltLen,
2525 RsaKey* key)
2526{
2527 WC_RNG* rng = NULL;
2528#ifdef WC_RSA_BLINDING
2529 rng = key->rng;
2530#endif
2531 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
2532 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
2533 hash, mgf, NULL, 0, saltLen, rng);
2534}
2535
2536/* Verify the message signed with RSA-PSS.
2537 * Salt length is equal to hash length.
2538 *
2539 * in Buffer holding encrypted data.
2540 * inLen Length of data in buffer.
2541 * out Pointer to address containing the PSS data.
2542 * hash Hash algorithm.
2543 * mgf Mask generation function.
2544 * key Public RSA key.
2545 * returns the length of the PSS data on success and negative indicates failure.
2546 */
2547int wc_RsaPSS_Verify(byte* in, word32 inLen, byte* out, word32 outLen,
2548 enum wc_HashType hash, int mgf, RsaKey* key)
2549{
2550 return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf, -1, key);
2551}
2552
2553/* Verify the message signed with RSA-PSS.
2554 *
2555 * in Buffer holding encrypted data.
2556 * inLen Length of data in buffer.
2557 * out Pointer to address containing the PSS data.
2558 * hash Hash algorithm.
2559 * mgf Mask generation function.
2560 * key Public RSA key.
2561 * saltLen Length of salt used. -1 indicates salt length is the same as the
2562 * hash length.
2563 * returns the length of the PSS data on success and negative indicates failure.
2564 */
2565int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen,
2566 enum wc_HashType hash, int mgf, int saltLen,
2567 RsaKey* key)
2568{
2569 WC_RNG* rng = NULL;
2570#ifdef WC_RSA_BLINDING
2571 rng = key->rng;
2572#endif
2573 return RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
2574 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
2575 hash, mgf, NULL, 0, saltLen, rng);
2576}
2577
2578
2579/* Checks the PSS data to ensure that the signature matches.
2580 * Salt length is equal to hash length.
2581 *
2582 * in Hash of the data that is being verified.
2583 * inSz Length of hash.
2584 * sig Buffer holding PSS data.
2585 * sigSz Size of PSS data.
2586 * hashType Hash algorithm.
2587 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
2588 * NULL is passed in to in or sig or inSz is not the same as the hash
2589 * algorithm length and 0 on success.
2590 */
2591int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
2592 word32 sigSz, enum wc_HashType hashType)
2593{
2594 return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0);
2595}
2596
2597/* Checks the PSS data to ensure that the signature matches.
2598 *
2599 * in Hash of the data that is being verified.
2600 * inSz Length of hash.
2601 * sig Buffer holding PSS data.
2602 * sigSz Size of PSS data.
2603 * hashType Hash algorithm.
2604 * saltLen Length of salt used. -1 indicates salt length is the same as the
2605 * hash length.
2606 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
2607 * NULL is passed in to in or sig or inSz is not the same as the hash
2608 * algorithm length and 0 on success.
2609 */
2610int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig,
2611 word32 sigSz, enum wc_HashType hashType,
2612 int saltLen, int bits)
2613{
2614 int ret = 0;
2615 byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
2616
2617 (void)bits;
2618
2619 if (in == NULL || sig == NULL ||
2620 inSz != (word32)wc_HashGetDigestSize(hashType))
2621 ret = BAD_FUNC_ARG;
2622
2623 if (ret == 0) {
2624 if (saltLen == -1) {
2625 saltLen = inSz;
2626 #ifdef WOLFSSL_SHA512
2627 /* See FIPS 186-4 section 5.5 item (e). */
2628 if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE)
2629 saltLen = RSA_PSS_SALT_MAX_SZ;
2630 #endif
2631 }
2632 else if (saltLen < -1 || (word32)saltLen > inSz)
2633 ret = PSS_SALTLEN_E;
2634 }
2635
2636 /* Sig = Salt | Exp Hash */
2637 if (ret == 0) {
2638 if (sigSz != inSz + saltLen)
2639 ret = BAD_PADDING_E;
2640 }
2641
2642 /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
2643 if (ret == 0) {
2644 XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
2645 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
2646 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen);
2647 ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen,
2648 sigCheck, inSz);
2649 }
2650 if (ret == 0) {
2651 if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
2652 WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
2653 ret = BAD_PADDING_E;
2654 }
2655 }
2656
2657 return ret;
2658}
2659
2660
2661/* Verify the message signed with RSA-PSS.
2662 * The input buffer is reused for the ouput buffer.
2663 * Salt length is equal to hash length.
2664 *
2665 * in Buffer holding encrypted data.
2666 * inLen Length of data in buffer.
2667 * out Pointer to address containing the PSS data.
2668 * digest Hash of the data that is being verified.
2669 * digestLen Length of hash.
2670 * hash Hash algorithm.
2671 * mgf Mask generation function.
2672 * key Public RSA key.
2673 * returns the length of the PSS data on success and negative indicates failure.
2674 */
2675int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
2676 const byte* digest, word32 digestLen,
2677 enum wc_HashType hash, int mgf, RsaKey* key)
2678{
2679 int ret = 0, verify, saltLen, hLen, bits = 0;
2680
2681 hLen = wc_HashGetDigestSize(hash);
2682 if (hLen < 0)
2683 return hLen;
2684 if ((word32)hLen != digestLen)
2685 return BAD_FUNC_ARG;
2686
2687 saltLen = hLen;
2688 #ifdef WOLFSSL_SHA512
2689 /* See FIPS 186-4 section 5.5 item (e). */
2690 bits = mp_count_bits(&key->n);
2691 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2692 saltLen = RSA_PSS_SALT_MAX_SZ;
2693 #endif
2694
2695 verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
2696 if (verify > 0)
2697 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify,
2698 hash, saltLen, bits);
2699 if (ret == 0)
2700 ret = verify;
2701
2702 return ret;
2703}
2704
2705
2706/* Verify the message signed with RSA-PSS.
2707 * Salt length is equal to hash length.
2708 *
2709 * in Buffer holding encrypted data.
2710 * inLen Length of data in buffer.
2711 * out Pointer to address containing the PSS data.
2712 * outLen Length of the output.
2713 * digest Hash of the data that is being verified.
2714 * digestLen Length of hash.
2715 * hash Hash algorithm.
2716 * mgf Mask generation function.
2717 * key Public RSA key.
2718 * returns the length of the PSS data on success and negative indicates failure.
2719 */
2720int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
2721 const byte* digest, word32 digestLen,
2722 enum wc_HashType hash, int mgf,
2723 RsaKey* key)
2724{
2725 int ret = 0, verify, saltLen, hLen, bits = 0;
2726
2727 hLen = wc_HashGetDigestSize(hash);
2728 if (hLen < 0)
2729 return hLen;
2730 if ((word32)hLen != digestLen)
2731 return BAD_FUNC_ARG;
2732
2733 saltLen = hLen;
2734 #ifdef WOLFSSL_SHA512
2735 /* See FIPS 186-4 section 5.5 item (e). */
2736 bits = mp_count_bits(&key->n);
2737 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
2738 saltLen = RSA_PSS_SALT_MAX_SZ;
2739 #endif
2740
2741 verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
2742 mgf, saltLen, key);
2743 if (verify > 0)
2744 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify,
2745 hash, saltLen, bits);
2746 if (ret == 0)
2747 ret = verify;
2748
2749 return ret;
2750}
2751
2752#endif
2753
2754#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2755int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
2756 RsaKey* key, WC_RNG* rng)
2757{
2758 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
2759 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
2760 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
2761}
2762
2763#ifdef WC_RSA_PSS
2764/* Sign the hash of a message using RSA-PSS.
2765 * Salt length is equal to hash length.
2766 *
2767 * in Buffer holding hash of message.
2768 * inLen Length of data in buffer (hash length).
2769 * out Buffer to write encrypted signature into.
2770 * outLen Size of buffer to write to.
2771 * hash Hash algorithm.
2772 * mgf Mask generation function.
2773 * key Public RSA key.
2774 * rng Random number generator.
2775 * returns the length of the encrypted signature on success, a negative value
2776 * indicates failure.
2777 */
2778int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
2779 enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
2780{
2781 return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf, -1, key, rng);
2782}
2783
2784/* Sign the hash of a message using RSA-PSS.
2785 *
2786 * in Buffer holding hash of message.
2787 * inLen Length of data in buffer (hash length).
2788 * out Buffer to write encrypted signature into.
2789 * outLen Size of buffer to write to.
2790 * hash Hash algorithm.
2791 * mgf Mask generation function.
2792 * saltLen Length of salt used. -1 indicates salt length is the same as the
2793 * hash length.
2794 * key Public RSA key.
2795 * rng Random number generator.
2796 * returns the length of the encrypted signature on success, a negative value
2797 * indicates failure.
2798 */
2799int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
2800 enum wc_HashType hash, int mgf, int saltLen, RsaKey* key,
2801 WC_RNG* rng)
2802{
2803 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
2804 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
2805 hash, mgf, NULL, 0, saltLen, rng);
2806}
2807#endif
2808#endif
2809
2810#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || !defined(WOLFSSL_SP_MATH)
2811int wc_RsaEncryptSize(RsaKey* key)
2812{
2813 int ret;
2814
2815 if (key == NULL) {
2816 return BAD_FUNC_ARG;
2817 }
2818
2819 ret = mp_unsigned_bin_size(&key->n);
2820
2821#ifdef WOLF_CRYPTO_DEV
2822 if (ret == 0 && key->devId != INVALID_DEVID) {
2823 ret = 2048/8; /* hardware handles, use 2048-bit as default */
2824}
2825#endif
2826
2827 return ret;
2828}
2829#endif
2830
2831#ifndef WOLFSSL_RSA_VERIFY_ONLY
2832/* flatten RsaKey structure into individual elements (e, n) */
2833int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
2834 word32* nSz)
2835{
2836 int sz, ret;
2837
2838 if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
2839 return BAD_FUNC_ARG;
2840 }
2841
2842 sz = mp_unsigned_bin_size(&key->e);
2843 if ((word32)sz > *eSz)
2844 return RSA_BUFFER_E;
2845 ret = mp_to_unsigned_bin(&key->e, e);
2846 if (ret != MP_OKAY)
2847 return ret;
2848 *eSz = (word32)sz;
2849
2850 sz = wc_RsaEncryptSize(key);
2851 if ((word32)sz > *nSz)
2852 return RSA_BUFFER_E;
2853 ret = mp_to_unsigned_bin(&key->n, n);
2854 if (ret != MP_OKAY)
2855 return ret;
2856 *nSz = (word32)sz;
2857
2858 return 0;
2859}
2860#endif
2861
2862#endif /* HAVE_FIPS */
2863
2864
2865#ifndef WOLFSSL_RSA_VERIFY_ONLY
2866static int RsaGetValue(mp_int* in, byte* out, word32* outSz)
2867{
2868 word32 sz;
2869 int ret = 0;
2870
2871 /* Parameters ensured by calling function. */
2872
2873 sz = (word32)mp_unsigned_bin_size(in);
2874 if (sz > *outSz)
2875 ret = RSA_BUFFER_E;
2876
2877 if (ret == 0)
2878 ret = mp_to_unsigned_bin(in, out);
2879
2880 if (ret == MP_OKAY)
2881 *outSz = sz;
2882
2883 return ret;
2884}
2885
2886
2887int wc_RsaExportKey(RsaKey* key,
2888 byte* e, word32* eSz, byte* n, word32* nSz,
2889 byte* d, word32* dSz, byte* p, word32* pSz,
2890 byte* q, word32* qSz)
2891{
2892 int ret = BAD_FUNC_ARG;
2893
2894 if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz)
2895 ret = 0;
2896
2897 if (ret == 0)
2898 ret = RsaGetValue(&key->e, e, eSz);
2899 if (ret == 0)
2900 ret = RsaGetValue(&key->n, n, nSz);
2901#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2902 if (ret == 0)
2903 ret = RsaGetValue(&key->d, d, dSz);
2904 if (ret == 0)
2905 ret = RsaGetValue(&key->p, p, pSz);
2906 if (ret == 0)
2907 ret = RsaGetValue(&key->q, q, qSz);
2908#else
2909 /* no private parts to key */
2910 if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL
2911 || qSz == NULL) {
2912 ret = BAD_FUNC_ARG;
2913 }
2914 else {
2915 *dSz = 0;
2916 *pSz = 0;
2917 *qSz = 0;
2918 }
2919#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
2920
2921 return ret;
2922}
2923#endif
2924
2925
2926#ifdef WOLFSSL_KEY_GEN
2927
2928/* Check that |p-q| > 2^((size/2)-100) */
2929static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size)
2930{
2931 mp_int c, d;
2932 int ret;
2933
2934 if (p == NULL || q == NULL)
2935 return BAD_FUNC_ARG;
2936
2937 ret = mp_init_multi(&c, &d, NULL, NULL, NULL, NULL);
2938
2939 /* c = 2^((size/2)-100) */
2940 if (ret == 0)
2941 ret = mp_2expt(&c, (size/2)-100);
2942
2943 /* d = |p-q| */
2944 if (ret == 0)
2945 ret = mp_sub(p, q, &d);
2946
2947 if (ret == 0)
2948 ret = mp_abs(&d, &d);
2949
2950 /* compare */
2951 if (ret == 0)
2952 ret = mp_cmp(&d, &c);
2953
2954 if (ret == MP_GT)
2955 ret = MP_OKAY;
2956
2957 mp_clear(&d);
2958 mp_clear(&c);
2959
2960 return ret;
2961}
2962
2963
2964/* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096.
2965 * This number was calculated using a small test tool written with a common
2966 * large number math library. Other values of nlen may be checked with a subset
2967 * of lower_bound. */
2968static const byte lower_bound[] = {
2969 0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84,
2970 0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F,
2971 0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C,
2972 0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15,
2973/* 512 */
2974 0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3,
2975 0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39,
2976 0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A,
2977 0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68,
2978/* 1024 */
2979 0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E,
2980 0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B,
2981 0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A,
2982 0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33,
2983 0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC,
2984 0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D,
2985 0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E,
2986 0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A,
2987/* 2048 */
2988 0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD,
2989 0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C,
2990 0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51,
2991 0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7,
2992 0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F,
2993 0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF,
2994 0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07,
2995 0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2,
2996/* 3072 */
2997 0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33,
2998 0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2,
2999 0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82,
3000 0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80,
3001 0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05,
3002 0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23,
3003 0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B,
3004 0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1
3005/* 4096 */
3006};
3007
3008
3009/* returns 1 on key size ok and 0 if not ok */
3010static WC_INLINE int RsaSizeCheck(int size)
3011{
3012 if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) {
3013 return 0;
3014 }
3015
3016#ifdef HAVE_FIPS
3017 /* Key size requirements for CAVP */
3018 switch (size) {
3019 case 1024:
3020 case 2048:
3021 case 3072:
3022 case 4096:
3023 return 1;
3024 }
3025
3026 return 0;
3027#else
3028 return 1; /* allow unusual key sizes in non FIPS mode */
3029#endif /* HAVE_FIPS */
3030}
3031
3032
3033static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
3034 int* isPrime, WC_RNG* rng)
3035{
3036 int ret;
3037 mp_int tmp1, tmp2;
3038 mp_int* prime;
3039
3040 if (p == NULL || e == NULL || isPrime == NULL)
3041 return BAD_FUNC_ARG;
3042
3043 if (!RsaSizeCheck(nlen))
3044 return BAD_FUNC_ARG;
3045
3046 *isPrime = MP_NO;
3047
3048 if (q != NULL) {
3049 /* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
3050 ret = wc_CompareDiffPQ(p, q, nlen);
3051 if (ret != MP_OKAY) goto notOkay;
3052 prime = q;
3053 }
3054 else
3055 prime = p;
3056
3057 ret = mp_init_multi(&tmp1, &tmp2, NULL, NULL, NULL, NULL);
3058 if (ret != MP_OKAY) goto notOkay;
3059
3060 /* 4.4,5.5 - Check that prime >= (2^(1/2))(2^((nlen/2)-1))
3061 * This is a comparison against lowerBound */
3062 ret = mp_read_unsigned_bin(&tmp1, lower_bound, nlen/16);
3063 if (ret != MP_OKAY) goto notOkay;
3064 ret = mp_cmp(prime, &tmp1);
3065 if (ret == MP_LT) goto exit;
3066
3067 /* 4.5,5.6 - Check that GCD(p-1, e) == 1 */
3068 ret = mp_sub_d(prime, 1, &tmp1); /* tmp1 = prime-1 */
3069 if (ret != MP_OKAY) goto notOkay;
3070 ret = mp_gcd(&tmp1, e, &tmp2); /* tmp2 = gcd(prime-1, e) */
3071 if (ret != MP_OKAY) goto notOkay;
3072 ret = mp_cmp_d(&tmp2, 1);
3073 if (ret != MP_EQ) goto exit; /* e divides p-1 */
3074
3075 /* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R.
3076 * mp_prime_is_prime_ex() performs test divisions against the first 256
3077 * prime numbers. After that it performs 8 rounds of M-R using random
3078 * bases between 2 and n-2.
3079 * mp_prime_is_prime() performs the same test divisions and then does
3080 * M-R with the first 8 primes. Both functions set isPrime as a
3081 * side-effect. */
3082 if (rng != NULL)
3083 ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng);
3084 else
3085 ret = mp_prime_is_prime(prime, 8, isPrime);
3086 if (ret != MP_OKAY) goto notOkay;
3087
3088exit:
3089 ret = MP_OKAY;
3090notOkay:
3091 mp_clear(&tmp1);
3092 mp_clear(&tmp2);
3093 return ret;
3094}
3095
3096
3097int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
3098 const byte* qRaw, word32 qRawSz,
3099 const byte* eRaw, word32 eRawSz,
3100 int nlen, int* isPrime, WC_RNG* rng)
3101{
3102 mp_int p, q, e;
3103 mp_int* Q = NULL;
3104 int ret;
3105
3106 if (pRaw == NULL || pRawSz == 0 ||
3107 eRaw == NULL || eRawSz == 0 ||
3108 isPrime == NULL) {
3109
3110 return BAD_FUNC_ARG;
3111 }
3112
3113 if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0))
3114 return BAD_FUNC_ARG;
3115
3116 ret = mp_init_multi(&p, &q, &e, NULL, NULL, NULL);
3117
3118 if (ret == MP_OKAY)
3119 ret = mp_read_unsigned_bin(&p, pRaw, pRawSz);
3120
3121 if (ret == MP_OKAY) {
3122 if (qRaw != NULL) {
3123 ret = mp_read_unsigned_bin(&q, qRaw, qRawSz);
3124 if (ret == MP_OKAY)
3125 Q = &q;
3126 }
3127 }
3128
3129 if (ret == MP_OKAY)
3130 ret = mp_read_unsigned_bin(&e, eRaw, eRawSz);
3131
3132 if (ret == MP_OKAY)
3133 ret = _CheckProbablePrime(&p, Q, &e, nlen, isPrime, rng);
3134
3135 ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E;
3136
3137 mp_clear(&p);
3138 mp_clear(&q);
3139 mp_clear(&e);
3140
3141 return ret;
3142}
3143
3144
3145int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
3146 const byte* qRaw, word32 qRawSz,
3147 const byte* eRaw, word32 eRawSz,
3148 int nlen, int* isPrime)
3149{
3150 return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz,
3151 eRaw, eRawSz, nlen, isPrime, NULL);
3152}
3153
3154#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
3155 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
3156/* Make an RSA key for size bits, with e specified, 65537 is a good e */
3157int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
3158{
3159#ifndef WC_NO_RNG
3160 mp_int p, q, tmp1, tmp2, tmp3;
3161 int err, i, failCount, primeSz, isPrime = 0;
3162 byte* buf = NULL;
3163
3164 if (key == NULL || rng == NULL)
3165 return BAD_FUNC_ARG;
3166
3167 if (!RsaSizeCheck(size))
3168 return BAD_FUNC_ARG;
3169
3170 if (e < 3 || (e & 1) == 0)
3171 return BAD_FUNC_ARG;
3172
3173#ifdef WOLF_CRYPTO_DEV
3174 if (key->devId != INVALID_DEVID) {
3175 int ret = wc_CryptoDev_MakeRsaKey(key, size, e, rng);
3176 if (ret != NOT_COMPILED_IN)
3177 return ret;
3178 }
3179#endif
3180
3181#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
3182 defined(WC_ASYNC_ENABLE_RSA_KEYGEN)
3183 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
3184 #ifdef HAVE_CAVIUM
3185 /* TODO: Not implemented */
3186 #elif defined(HAVE_INTEL_QA)
3187 return IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng);
3188 #else
3189 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) {
3190 WC_ASYNC_TEST* testDev = &key->asyncDev.test;
3191 testDev->rsaMake.rng = rng;
3192 testDev->rsaMake.key = key;
3193 testDev->rsaMake.size = size;
3194 testDev->rsaMake.e = e;
3195 return WC_PENDING_E;
3196 }
3197 #endif
3198 }
3199#endif
3200
3201 err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL);
3202
3203 if (err == MP_OKAY)
3204 err = mp_set_int(&tmp3, e);
3205
3206 /* The failCount value comes from NIST FIPS 186-4, section B.3.3,
3207 * process steps 4.7 and 5.8. */
3208 failCount = 5 * (size / 2);
3209 primeSz = size / 16; /* size is the size of n in bits.
3210 primeSz is in bytes. */
3211
3212 /* allocate buffer to work with */
3213 if (err == MP_OKAY) {
3214 buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA);
3215 if (buf == NULL)
3216 err = MEMORY_E;
3217 }
3218
3219 /* make p */
3220 if (err == MP_OKAY) {
3221 isPrime = 0;
3222 i = 0;
3223 do {
3224#ifdef SHOW_GEN
3225 printf(".");
3226 fflush(stdout);
3227#endif
3228 /* generate value */
3229 err = wc_RNG_GenerateBlock(rng, buf, primeSz);
3230 if (err == 0) {
3231 /* prime lower bound has the MSB set, set it in candidate */
3232 buf[0] |= 0x80;
3233 /* make candidate odd */
3234 buf[primeSz-1] |= 0x01;
3235 /* load value */
3236 err = mp_read_unsigned_bin(&p, buf, primeSz);
3237 }
3238
3239 if (err == MP_OKAY)
3240 err = _CheckProbablePrime(&p, NULL, &tmp3, size, &isPrime, rng);
3241
3242#ifdef WOLFSSL_FIPS
3243 i++;
3244#else
3245 /* Keep the old retry behavior in non-FIPS build. */
3246 (void)i;
3247#endif
3248 } while (err == MP_OKAY && !isPrime && i < failCount);
3249 }
3250
3251 if (err == MP_OKAY && !isPrime)
3252 err = PRIME_GEN_E;
3253
3254 /* make q */
3255 if (err == MP_OKAY) {
3256 isPrime = 0;
3257 i = 0;
3258 do {
3259#ifdef SHOW_GEN
3260 printf(".");
3261 fflush(stdout);
3262#endif
3263 /* generate value */
3264 err = wc_RNG_GenerateBlock(rng, buf, primeSz);
3265 if (err == 0) {
3266 /* prime lower bound has the MSB set, set it in candidate */
3267 buf[0] |= 0x80;
3268 /* make candidate odd */
3269 buf[primeSz-1] |= 0x01;
3270 /* load value */
3271 err = mp_read_unsigned_bin(&q, buf, primeSz);
3272 }
3273
3274 if (err == MP_OKAY)
3275 err = _CheckProbablePrime(&p, &q, &tmp3, size, &isPrime, rng);
3276
3277#ifdef WOLFSSL_FIPS
3278 i++;
3279#else
3280 /* Keep the old retry behavior in non-FIPS build. */
3281 (void)i;
3282#endif
3283 } while (err == MP_OKAY && !isPrime && i < failCount);
3284 }
3285
3286 if (err == MP_OKAY && !isPrime)
3287 err = PRIME_GEN_E;
3288
3289 if (buf) {
3290 ForceZero(buf, primeSz);
3291 XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
3292 }
3293
3294
3295 /* Setup RsaKey buffers */
3296 if (err == MP_OKAY)
3297 err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
3298 if (err == MP_OKAY)
3299 err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
3300
3301 /* Software Key Calculation */
3302 if (err == MP_OKAY) /* tmp1 = p-1 */
3303 err = mp_sub_d(&p, 1, &tmp1);
3304 if (err == MP_OKAY) /* tmp2 = q-1 */
3305 err = mp_sub_d(&q, 1, &tmp2);
3306 if (err == MP_OKAY) /* tmp3 = lcm(p-1, q-1), last loop */
3307 err = mp_lcm(&tmp1, &tmp2, &tmp3);
3308 /* make key */
3309 if (err == MP_OKAY) /* key->e = e */
3310 err = mp_set_int(&key->e, (mp_digit)e);
3311 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
3312 err = mp_invmod(&key->e, &tmp3, &key->d);
3313 if (err == MP_OKAY) /* key->n = pq */
3314 err = mp_mul(&p, &q, &key->n);
3315 if (err == MP_OKAY) /* key->dP = d mod(p-1) */
3316 err = mp_mod(&key->d, &tmp1, &key->dP);
3317 if (err == MP_OKAY) /* key->dQ = d mod(q-1) */
3318 err = mp_mod(&key->d, &tmp2, &key->dQ);
3319 if (err == MP_OKAY) /* key->u = 1/q mod p */
3320 err = mp_invmod(&q, &p, &key->u);
3321 if (err == MP_OKAY)
3322 err = mp_copy(&p, &key->p);
3323 if (err == MP_OKAY)
3324 err = mp_copy(&q, &key->q);
3325
3326#ifdef HAVE_WOLF_BIGINT
3327 /* make sure raw unsigned bin version is available */
3328 if (err == MP_OKAY)
3329 err = wc_mp_to_bigint(&key->n, &key->n.raw);
3330 if (err == MP_OKAY)
3331 err = wc_mp_to_bigint(&key->e, &key->e.raw);
3332 if (err == MP_OKAY)
3333 err = wc_mp_to_bigint(&key->d, &key->d.raw);
3334 if (err == MP_OKAY)
3335 err = wc_mp_to_bigint(&key->p, &key->p.raw);
3336 if (err == MP_OKAY)
3337 err = wc_mp_to_bigint(&key->q, &key->q.raw);
3338 if (err == MP_OKAY)
3339 err = wc_mp_to_bigint(&key->dP, &key->dP.raw);
3340 if (err == MP_OKAY)
3341 err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw);
3342 if (err == MP_OKAY)
3343 err = wc_mp_to_bigint(&key->u, &key->u.raw);
3344#endif
3345
3346 if (err == MP_OKAY)
3347 key->type = RSA_PRIVATE;
3348
3349 mp_clear(&tmp1);
3350 mp_clear(&tmp2);
3351 mp_clear(&tmp3);
3352 mp_clear(&p);
3353 mp_clear(&q);
3354
3355 /* Perform the pair-wise consistency test on the new key. */
3356 if (err == 0)
3357 err = wc_CheckRsaKey(key);
3358
3359 if (err != 0) {
3360 wc_FreeRsaKey(key);
3361 return err;
3362 }
3363
3364#ifdef WOLFSSL_XILINX_CRYPT
3365 if (wc_InitRsaHw(key) != 0) {
3366 return BAD_STATE_E;
3367 }
3368#endif
3369 return 0;
3370#else
3371 return NOT_COMPILED_IN;
3372#endif
3373}
3374#endif /* !FIPS || FIPS_VER >= 2 */
3375#endif /* WOLFSSL_KEY_GEN */
3376
3377
3378#ifdef WC_RSA_BLINDING
3379int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
3380{
3381 if (key == NULL)
3382 return BAD_FUNC_ARG;
3383
3384 key->rng = rng;
3385
3386 return 0;
3387}
3388#endif /* WC_RSA_BLINDING */
3389
3390#ifdef WC_RSA_NONBLOCK
3391int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)
3392{
3393 if (key == NULL)
3394 return BAD_FUNC_ARG;
3395
3396 if (nb) {
3397 XMEMSET(nb, 0, sizeof(RsaNb));
3398 }
3399
3400 /* Allow nb == NULL to clear non-block mode */
3401 key->nb = nb;
3402
3403 return 0;
3404}
3405#ifdef WC_RSA_NONBLOCK_TIME
3406int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz)
3407{
3408 if (key == NULL || key->nb == NULL) {
3409 return BAD_FUNC_ARG;
3410 }
3411
3412 /* calculate maximum number of instructions to block */
3413 key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs;
3414
3415 return 0;
3416}
3417#endif /* WC_RSA_NONBLOCK_TIME */
3418#endif /* WC_RSA_NONBLOCK */
3419
3420#endif /* NO_RSA */
Note: See TracBrowser for help on using the repository browser.